
General Data Protection Regulation and Deception Solutions

The GDPR is the European Union’s General Data Protection Regulation. Its main objective is to protect EU residents’ data privacy, by homogenizing data privacy laws across Europe and changing the way organizations around the world approach data privacy for EU residents. Since the GDPR came into effect on 25 May 2018, it is more important than ever for organizations around the world to demonstrate compliance.

Cymmetria’s deception products give organizations the ability to detect lateral movement inside the perimeter, automate incident response, and mitigate attacks. Using Cymmetria’s MazeRunner, organizations can detect, identify, and respond to malicious activity and potential data breaches inside their network. This post outlines how Cymmetria’s MazeRunner and ActiveSOC can help organizations demonstrate compliance with the GDPR, detailing specific GDPR mandates and providing explanations of how Cymmetria’s deception solutions address these needs.

  1. Detection (Articles 33-34; Recital 85) – Under the GDPR, organizations must address personal data breaches in an appropriate and timely manner. MazeRunner detects and alerts on attacker activity inside the network once an attacker has engaged with a MazeRunner decoy. MazeRunner decoys can be customized to look and act like operational machines in the network without endangering real data. Decoys customized to look like machines that contain personal data can trick attackers into thinking they have stumbled upon valuable information, when in reality they are being diverted from obtaining it. Because no legitimate user has a reason to touch a decoy, a MazeRunner alert may indicate that personal data has been targeted or breached, and should be investigated. In addition to the tools MazeRunner provides for investigation and incident response, Cymmetria’s ActiveSOC allows organizations to automate key aspects of incident response in the SOC, which further helps organizations respond to threats and/or breaches in a timely manner.
  2. Investigation & mitigation (Articles 31-34, 83; Recitals 83-87) – Under the GDPR, organizations must be able to characterize the nature of a personal data breach and describe the likely consequences of the breach, along with the steps that were taken to mitigate the damage caused. Cymmetria’s cyber deception products help organizations to demonstrate GDPR compliance in these areas by allowing them to:
    • Deny the attacker access to additional personal data by containing the threat and preventing further infection of the system;
    • Help prevent a recurrence of the breach/intrusion event, as well as provide actionable intelligence to the relevant Data Protection Authority in cases of reportable data breaches, by running live forensic tools on compromised and suspicious endpoints to recover information regarding the attackers’ toolset;
    • Track the origin of an attack using various deception elements, such as HoneyDocs, which can track the origin of a potential data leak.
  3. Effectiveness of measures (Articles 25, 32; Recitals 74, 78) – Under the GDPR, organizations must employ effective measures to protect personal data, preferably those that implement security-by-design. MazeRunner provides frictionless security throughout the entire network using deception-based security, adding non-intrusive deceptive elements to the network to lure and expose attackers without interfering with existing operational systems. A well-crafted deception campaign will include breadcrumbs (passive data used to lure attackers) deployed throughout the entire network, while remaining hidden from typical users. MazeRunner’s effectiveness is demonstrated by the fact that, to date, it is the only commercially available deception solution that has caught 5 nation-state APTs.
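The detection principle behind items 1 and 3 is simple: breadcrumbs are never used by legitimate users, so any authentication attempt that references a planted decoy credential is a high-confidence alert, and the endpoint that used it is the natural starting point for the live forensics described in item 2. The following is an added illustration of that principle and is not Cymmetria’s MazeRunner code; the breadcrumb names, decoy hostnames, and the syslog-style log lines are constructed for the example, and the log format is an assumed SSH-like one rather than any real product format.

```python
"""Deception-based detection illustration: planted breadcrumbs (decoy
credentials) never belong to real users, so any login attempt naming one
is suspicious whether it succeeds or fails. Added example, not MazeRunner
code; all names and log lines below are constructed."""
import re
from dataclasses import dataclass

# Breadcrumbs: decoy usernames planted on workstations (e.g. in a saved
# session file), each mapped to the decoy host they point at. Constructed.
BREADCRUMBS = {
    "svc_hrbackup": "decoy-hr-db-01",
    "fin_reports_ro": "decoy-fin-share-02",
}

# Constructed auth log lines. Lines 2 and 4 reference breadcrumbs; line 4 is a
# failed attempt, which still proves someone harvested the planted credential.
SAMPLE_LOG = """\
Mar 03 09:12:01 ws-114 sshd[2201]: Failed password for alice from 10.0.5.14 port 51822
Mar 03 09:13:44 decoy-hr-db-01 sshd[4410]: Accepted password for svc_hrbackup from 10.0.5.14 port 51901
Mar 03 09:14:02 fileserver sshd[3321]: Accepted publickey for bob from 10.0.7.3 port 40212
Mar 03 09:15:19 decoy-fin-share-02 sshd[1120]: Failed password for fin_reports_ro from 10.0.5.14 port 52004
"""

# Assumed SSH-like format: "<ts> <host> <proc>: Accepted|Failed <method> for <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>[\d.]+)"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    decoy_host: str
    user: str
    source_ip: str
    result: str  # "Accepted" or "Failed"; both are alert-worthy


def parse_line(line):
    """Return the parsed fields of one auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Raise an Alert for every auth event that uses a planted breadcrumb."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] in BREADCRUMBS:
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rec["src"], rec["result"]))
    return alerts


def suspicious_sources(alerts):
    """Group alerts by source IP. The endpoint that used a breadcrumb is the
    likely compromised machine and the first candidate for live forensics."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.source_ip, []).append(a.decoy_host)
    return by_src


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.timestamp} {a.result} login as breadcrumb '{a.user}' "
              f"on {a.decoy_host} from {a.source_ip}")
    print("endpoints to investigate:", suspicious_sources(found))
```

Two points the sample makes: a failed login with a breadcrumb credential is treated the same as a successful one, because the credential could only have come from a planted file, and the alerts are keyed on the source IP rather than the decoy, since the breach response (containment, forensics on the originating endpoint) starts there.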


Not yet a customer? Ask to see a demo. Also, feel free to check out the free Community Edition of MazeRunner.


Mor Avraham (Adv.), Strategic Project Management Officer

Mor is a Strategic Project Management Officer at Cymmetria, specializing in compliance and regulation. Certified GDPR F by the International Board for IT Governance Qualifications, he also holds an LLM and is a certified member of the Israeli Bar Association. Previously, Mor worked at Ernst & Young, as well as the Israeli State Comptroller’s office.