How to get your SIEM up to speed for GDPR

Security information and event management (SIEM) systems can play an important role in helping your organization comply with the requirements of the European Union's looming General Data Protection Regulation (GDPR).

But it's also important to understand and mitigate the risks of storing and processing logs containing protected data in SIEM systems. GDPR, which takes effect on May 25, 2018, requires any organization processing the personal data of individuals in the EU (the regulation's term; this article also uses the more familiar "personally identifiable information," or PII) to implement appropriate technical and organizational controls for protecting that data (Article 32, "Security of processing").

A robustly equipped SIEM system can validate your data security controls by centrally collecting, normalizing, and managing data from across your environment. It can correlate data and events by using rules and alerts that are mapped to or translated to GDPR requirements. Most importantly, a SIEM system can provide 24x7 visibility of security through the use of dashboards and visualizations, and gather and store evidence that proves you're in compliance with the many GDPR controls.

To get your SIEM system up to speed for GDPR, however, your team needs to fully understand and manage the implications of using a SIEM under this new regulation.

Here are the best practices that data protection experts recommend.


Tune your SIEM for GDPR

GDPR stresses the need for data protection by "design and default" (Article 25) via measures such as data pseudonymization, tokenization, encryption, and minimization. Importantly, GDPR gives EU residents the right to obtain a copy of any personal data an organization holds or uses about them (Article 15) and to have inaccurate data rectified without undue delay (Article 16).

SIEM systems have the fundamentals. As Mike Adler, vice president of product at RSA NetWitness, notes, "SIEM systems offer the threat-detection and investigation capabilities, as well as automated compliance reporting, needed to demonstrate effective security controls ensuring that PII is handled according to the demands of GDPR regulations."

And that enterprise-wide visibility is critical for GDPR compliance. "The true value of SIEM is providing the ability to monitor, detect, respond, and report against the controls of GDPR," says James Carder, CISO of LogRhythm. Also vital is its ability to automate many containment and remediation activities associated with violations of those controls, he says.

But SIEM tools are typically used from the perspective of securing the infrastructure, and they are designed to handle out-of-the-box machine data from sources such as firewalls, proxy servers, and operating systems.

Matthias Maier, a security evangelist at Splunk, says GDPR requires a shift in focus.

"With data protection and GDPR, an organization needs to start with the business application first."
Matthias Maier

For example, if a new employee is hired or a new customer signs up, the organization needs to understand which applications the data is processed through and the underlying components involved. "The SIEM needs to be flexible enough to onboard and process any kind of machine data generated by business applications quickly," Maier says.

If the applications are developed in-house or are nonstandard, this type of unstructured data can grow to a huge volume. Flexibility and the speed with which you are able to collect and process machine data is the number-one factor under GDPR for ensuring that you know when something is happening and to whom, as well as when, where, why, what, and how, Maier says.

Know what's in your log data

EU residents also have the right to ask organizations holding their data to erase it (Article 17) or to have it transferred to another provider (Article 20). Every use of personal data needs a lawful basis under Article 6; consent is one such basis, but only one of six, and for security logging it is rarely the right one (see the legitimate-interest discussion that follows). On request, businesses must provide a copy of the personal data being processed, the purposes of the processing, how long it will be stored, and the recipients or categories of recipients with whom it has been or will be shared (Article 15).

A central collection point and management platform for GDPR compliance carries a risk of its own: you may end up sending PII to the SIEM and creating a massive repository of it there, says Carder.

The GDPR regulation actually takes these risks into account, he says, and addresses them in Article 17 and related articles, such as Article 6 ("Lawfulness of processing"), Article 9 ("Processing of special categories of personal data"), Article 21 ("Right to object"), and Article 70 ("Tasks of the Board"). These articles speak to the lawfulness of processing personal information with relation to their use for security or to address regulatory or legal requirements.

"As with many of the GDPR articles, they are up for interpretation and, as such, you should consider alternative options to storing, processing, or transmitting PII in the clear to any system or application, including SIEM."
James Carder

GDPR protects any data that, alone or in combination, can be used to identify an individual: names, phone numbers, credit card data, and, depending on context, online identifiers such as IP addresses and MAC addresses. Organizations that fail to comply face administrative fines of up to 4% of worldwide annual turnover or €20 million (about $25 million), whichever is higher (Article 83).

In most cases, it is highly likely that your processing of data that contains PII through a SIEM qualifies as a "legitimate interest" (Article 6) under GDPR, says Daniel Kennedy, an analyst at 451 Group. In other words, the mere fact that your SIEM system contains a lot of personal data or is using a lot of it during processing does not put you at odds with the GDPR requirements.

In most cases, organizations won't need an individual's consent to collect log data for security use; Recital 49 of the regulation explicitly names processing that is strictly necessary and proportionate for ensuring network and information security as a legitimate interest of the controller. They still have to document that basis in their records of processing (Article 30) and be transparent about it in the information they give data subjects (Articles 13 and 14).


Conduct a risk assessment

Once you have determined that you are allowed to collect log data, make sure to understand what the risks are to that data. The last thing you want is for an attacker who is already on your network to access your log data via the SIEM system, Maier says.

"[Having] a centralized system with strong authentication of users, role-based access on a need-to-know concept, and monitoring an audit trail of who accesses it should be considered industry-standard."
Matthias Maier

Anonymization and pseudonymization should be evaluated as part of that risk assessment: how much risk do they actually remove, against which attack scenarios are they effective, and where do investigators need raw data quickly enough that masking it would slow down understanding a breach, compromise the chain of evidence, or make the environment prohibitively expensive to maintain?

Develop a data-destruction policy

Have effective data-destruction policies to ensure that you don't keep protected data around for longer than necessary in your SIEM system, and stick to those policies, says Kennedy.

It's important to note that GDPR has a broader definition of what constitutes personal data than prior regulatory controls, notably the inclusion of identifying someone by reference to an identifier, including online identifiers, he says.

Some SIEM technologies include data masking, which could be an option for protecting PII. However, masking can impact your ability to respond to security incidents, so there are some limitations to that approach, Kennedy says.

"Even with data destruction, an organization must come to a practical conclusion on how long it generally takes to discover computer security incidents in past examples, and therefore how far data must go back to be able to discover the details of an incident."
Daniel Kennedy

Implement role-based access controls

Role-based access control is important for ensuring that only authorized individuals can access logs containing personal data for legitimate purposes, says Joseph Blankenship, an analyst at Forrester Research.

If personal data in log files is a concern, make sure your SIEM provider supports capabilities for anonymizing or pseudonymizing user data such as names, usernames, email addresses, and IP addresses. Your goal should be to make sure this information is accessible only by authorized individuals during an incident investigation, Blankenship says.
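As an added example (not from the original article or from any of the vendors quoted in it), the following Python script shows the pseudonymization approach both this paragraph and Kennedy's masking caveat above describe. E-mail addresses and IPv4 addresses are replaced with keyed HMAC tokens before the logs reach the SIEM; the token-to-value mapping lives in a separate vault that only an incident-response role may query; a login-failure threshold still works on the tokens; and a CIDR match no longer does, which is why the script enriches each line with an internal/external label before masking the address. The sample log lines, the key, the internal address ranges, the `src_scope` field, and the `ir-analyst` role name are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample log lines for this example; not taken from any real system.
SAMPLE_LOGS = [
    "2018-05-24T10:01:02Z app=hr-portal event=login user=alice@example.com src=10.20.30.40 result=success",
    "2018-05-24T10:01:09Z app=hr-portal event=login user=alice@example.com src=10.20.30.40 result=failure",
    "2018-05-24T10:01:15Z app=hr-portal event=login user=bob@example.com src=203.0.113.7 result=failure",
    "2018-05-24T10:01:21Z app=hr-portal event=login user=bob@example.com src=203.0.113.7 result=failure",
]

# Hypothetical secret. In production it lives in a KMS or HSM and never reaches the SIEM:
# whoever holds it (plus the vault below) can re-identify, so it is the thing to protect.
PSEUDONYM_KEY = b"example-only-replace-with-32-random-bytes"
# Hypothetical internal address space, consulted before the address is pseudonymized.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonym(value: str, key: bytes, prefix: str) -> str:
    """Keyed, deterministic token: same input -> same token, so correlation rules and
    thresholds still work on the pseudonymized stream. Unlike a plain SHA-256 of the value,
    someone who dumps the SIEM cannot brute-force likely e-mails or IPs without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return f"{prefix}_{digest}"


class LogPseudonymizer:
    """Replaces e-mail and IPv4 addresses in text logs with tokens before they are shipped
    to the SIEM, keeping the reversible mapping in a separate vault."""

    def __init__(self, key: bytes):
        self.key = key
        # token -> original value. Keep this OUTSIDE the SIEM, behind its own access control
        # and audit trail. Deleting an entry is the Article 17 erasure step for that value.
        self.vault: Dict[str, str] = {}

    def _token(self, value: str, prefix: str) -> str:
        tok = pseudonym(value, self.key, prefix)
        self.vault[tok] = value
        return tok

    def process(self, line: str) -> str:
        # Enrich first: derive what detections need (internal vs. external source) while the
        # real address is still present, because a token cannot be matched against a CIDR later.
        m = IPV4_RE.search(line)
        if m:
            try:
                addr = ipaddress.ip_address(m.group(0))
                scope = "internal" if any(addr in n for n in INTERNAL_NETS) else "external"
                line += f" src_scope={scope}"
            except ValueError:
                pass  # e.g. 999.1.1.1 matched the regex but is not an address; leave unenriched
        line = EMAIL_RE.sub(lambda mm: self._token(mm.group(0), "usr"), line)
        line = IPV4_RE.sub(lambda mm: self._token(mm.group(0), "ip"), line)
        return line

    def reidentify(self, token: str, role: str) -> str:
        """Reverse a token. Restricted to the incident-response role (least privilege); a real
        deployment would also write an audit record of who asked and why."""
        if role != "ir-analyst":
            raise PermissionError(f"role {role!r} may not re-identify log data")
        return self.vault[token]


def _fields(line: str) -> Dict[str, str]:
    """Parse 'key=value' pairs; the leading timestamp carries no '=' and is skipped."""
    return dict(kv.split("=", 1) for kv in line.split()[1:])


def failed_logins_per_user(lines) -> Dict[str, int]:
    """Detection logic that runs unchanged on pseudonymized data: login failures per
    (pseudonymous) user, so a brute-force threshold can still fire."""
    counts: Counter = Counter()
    for line in lines:
        f = _fields(line)
        if f.get("event") == "login" and f.get("result") == "failure":
            counts[f["user"]] += 1
    return dict(counts)


def src_in_network(line: str, cidr: str) -> Optional[bool]:
    """The masking caveat: a CIDR match works on the raw line but is undecidable (None)
    once the source address has been replaced by a token."""
    try:
        return ipaddress.ip_address(_fields(line)["src"]) in ipaddress.ip_network(cidr)
    except (KeyError, ValueError):
        return None


if __name__ == "__main__":
    p = LogPseudonymizer(PSEUDONYM_KEY)
    shipped = [p.process(line) for line in SAMPLE_LOGS]
    print("\n".join(shipped))
    print("failed logins per pseudonymous user:", failed_logins_per_user(shipped))
    print("CIDR match, raw line vs. shipped line:",
          src_in_network(SAMPLE_LOGS[0], "10.0.0.0/8"), src_in_network(shipped[0], "10.0.0.0/8"))
```

The design choice worth noting is the order of operations: anything a detection rule needs to derive from the raw value (network scope, geolocation, domain of an e-mail address) has to be computed before the value is tokenized, and the result shipped alongside the token. Whatever you do not derive up front is only recoverable through the vault, which is exactly the access the role check above is meant to gate.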

Consider limiting access to SIEM dashboards via a least-privilege policy to ensure that all employees' data access is strictly limited to whatever is required for them to do their jobs, adds Kennedy.

The state of GDPR compliance tools

SIEM is a useful tool for monitoring activity in a corporate environment. It can help to identify malicious behavior that could lead to a personal data breach, and it can provide the evidence incident responders need to meet GDPR's 72-hour breach-notification requirement (Article 33), a clock that starts when the organization becomes aware of the breach.

"No single security technology is a silver bullet for GDPR compliance."
Joseph Blankenship

Some SIEM vendors provide GDPR-specific reports and use cases, Blankenship says. "These features do not equal compliance, but can be useful to prove that appropriate monitoring is in place."

SIEM is inherently a tool for helping reduce risk, not add to it. While some log data may include what is defined as PII, there are ways to secure it while still retaining its value as a critical part of analysis and prioritization of potential threats, says RSA NetWitness' Adler.

"Not only can SIEM help define what is truly risky, but also ensure that your security processes align with your business operations and not disrupt the way people work."
Mike Adler
