A Layman's Guide On How To Operate Your SIEM Under The GDPR


WHITE PAPER

A LAYMAN'S GUIDE ON HOW TO OPERATE YOUR SIEM UNDER THE GDPR

Splunk invited Freddy Dezeure, former head of CERT-EU, to provide advice on how to use Splunk as a SIEM in compliance with the European Union General Data Protection Regulation (GDPR).

About Freddy Dezeure: Freddy Dezeure graduated from the KUL in Leuven, Belgium, with a Master of Science in Engineering in 1982. He was CIO of ETAP NV from 1982 until 1987. He joined the European Commission in 1987 where he held a variety of management positions in administrative, financial and operational areas, in particular in information technology. He set up the EU Computer Emergency and Response Team (CERT-EU) for the EU institutions, agencies and bodies in 2011 and made it into one of the most mature and respected CERTs in Europe. Until May 2017 he held the position of the Head of CERT-EU. Presently, he is an independent management consultant providing strategic advice in cyber security and cyber risk management and acting as Board Member and Advisory Board Member in several high-tech companies.

INTRODUCTION

The EU's General Data Protection Regulation, Regulation (EU) 2016/679, or "GDPR", takes effect on 25 May 2018 without the need for EU Member States to enact it into local law. The full text of the GDPR can be found here.

This Guide provides an overview of portions of the GDPR most relevant to processing log data using Splunk. The Guide has two parts:

- PART I provides a general introduction to the GDPR, highlighting aspects that are the most relevant to understanding the impact of the GDPR on log management.
- PART II provides specific compliance guidance and use cases for network and information security logs.

PART I: GENERAL INTRODUCTION TO THE GDPR

Scope of the GDPR

The GDPR covers the processing of personal data, broadly defined to include any information relating to an identified or identifiable natural person, including such things as telephone numbers, email addresses, IP addresses, MAC addresses, cookies, RFIDs, credit cards, geolocation data, etc., if it identifies a natural person directly or in combination with other information.

The GDPR's reach is expansive: it extends to organizations regardless of whether or not they are located in the EU or their processing is taking place in the EU. It also applies to the processing of personal data, even if it is done for free. This means that the GDPR impacts a large number of commercial and public organizations across the globe.

The GDPR applies to "controllers" and "processors" of personal data. A controller is the natural or legal person who determines the purposes and the means of processing personal data. A processor is a natural or legal person which processes personal data on behalf of a controller.

A controller is responsible for implementing appropriate and effective measures to comply with GDPR and must be able to demonstrate its compliance. Controllers are responsible for verifying that processors acting on their behalf similarly comply with the Regulation.

Controllers and processors must maintain a record of their processing activities, documenting the kind of data being processed, the purpose of the processing, the parties with whom the data is shared, the data retention limits for the processed data, and the security measures taken to protect the data.

Article 37 provides that the controller and the processor shall designate a data protection officer (DPO) in cases where processing is taking place on a large scale or involves sensitive categories of data, such as health data or criminal records. The DPO oversees compliance with GDPR. The DPO should be properly resourced and report directly to the highest management of the controller or processor. The role of a DPO can be combined with other tasks and duties (like CISO or CSO) if they do not result in conflicts of interests.

Some general principles

The GDPR is guided by fundamental principles that personal data should be:

- Processed lawfully, fairly and transparently
- Collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
- Processed only in so far as is necessary for the purpose of the processing
- Accurate and not kept longer than necessary for the purpose for which it is processed
- Processed in a manner that ensures appropriate security and confidentiality (Article 5)

Personal data can be lawfully processed under the GDPR if it is done with the data subject's consent, which must be explicitly given and based upon clear and plain language regarding the purpose of the processing activity, or based on other lawful grounds for the processing, such as the performance of a contract, compliance with a legal obligation, the protection of the vital interests of a natural person, the performance of a task carried out in the public interest or legitimate interests of a controller/processor (Article 6).

Data subjects have the right to access their data and to rectify, transfer and ask that it be removed when the data subject's consent is withdrawn. This is known as the "right to be forgotten".

Consequences of non-compliance with the regulation

A personal data breach is defined as a security incident leading to destruction, loss, alteration, unauthorized disclosure or access to personal data. Such breaches may lead to obligations of notification and to sanctions and penalties.

A controller should notify the supervisory authority of a personal data breach without delay and, where feasible, not later than 72 hours after having become aware of it if the data breach is likely to result in a risk to the rights and freedoms of natural persons. The risk to the rights and freedoms can be minimized or avoided by deploying techniques such as pseudonymization and encryption.

Reference: Recital 85 and Article 33

The controller should also communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. This communication should be coordinated with the supervisory authority, which will carefully examine the technical and organizational measures you have in place to secure the data.

Reference: Recital 86 and Article 34

Non-compliance with the Regulation can in itself lead to sanctions and penalties following a claim by a data subject with a supervisory body if he/she considers that his/her rights are infringed. Recital 146 indicates that the controller or processor "should compensate any damage a person may suffer" from processing that infringes the Regulation. Infringements shall also be subject to administrative fines up to €20 million or 4 percent of the worldwide annual turnover, to be determined on a case by case basis, depending on the specific nature of the infringement as detailed in Article 83. Member States are also able to lay down rules on criminal penalties for infringements as set forth in Article 84.

The consequences of non-compliance with the Regulation can therefore be a combination of damage compensation to the victims, administrative fines and criminal prosecution.

PART II: WHAT'S THE RISK OF PROCESSING AND STORING LOG DATA IN THE CONTEXT OF GDPR?

Do network and information security log files contain personal data?

Compromised computers are a threat to the privacy and security of users, customers, their organizations and others. Depending on the case, consequences could range from exposing data to disruption or loss of assets. Security analytics with Splunk relies on log files to help mitigate these risks and quickly detect incidents and remediate them before they harm or jeopardize your IT assets.

While CSIRTs/CERTs/SOCs might be able to detect bad behaviour via pseudonymized information or via automated behaviour correlations, at a specific point where a detection becomes an incident you will need to know which technical user account might have been involved to further investigate and mitigate the incident. This means in practice that machine data related to users and their behaviour recorded in network and information security log files contains personal data.

What does this mean for compliance with GDPR? Does it limit the usefulness of Splunk and log monitoring in general?

As set forth above, the GDPR sets out in Article 6 lawful grounds for the processing of data. The most relevant to this Guide is the "legitimate interest" basis, which provides that processing may be performed if necessary for the purpose of carrying out the "legitimate interests" of the controller and where it does not outweigh the interests or "fundamental rights and freedoms" of the data subject.

Recital 49 provides explanatory comments which help to interpret the "legitimate interest" basis and which clarify that processing personal data "to the extent strictly necessary and proportionate" for "ensuring network and information security" constitutes a "legitimate interest" under the Regulation.

It follows that consent from the data subject is not needed for log management carried out for the purpose of ensuring network and information security where the processing is necessary and proportionate.

Obligations in terms of documentation and notification

Under Article 30, you are required to document the purpose and extent of the processing (including how you meet the necessity and proportionality standards).

In documenting the necessity and proportionality of the processing of data in network and information security logs, an organization should consider the severity and the impact of incidents that are likely to be mitigated by log recording, management and correlation.

The GDPR requires that personal data be stored for no longer than necessary to achieve the intended purpose. In the case of network and information security, that may vary depending on the length of time needed to detect, scope or remediate an incident or other legal or regulatory record retention requirements. Therefore, consideration should be given to how long log files should be maintained to give you the necessary audit trail security investigations require, since many vulnerabilities go undetected for long periods of time. You will also have to "look back" in your records to understand the scope of the risk created by the incident.

Precautions to take to comply and maintain visibility

Preliminary analysis of logs, correlation and triage is increasingly automated. Human analysts only intervene when there is a need for human triage and assessment, and typically, this involves only a small subset of your security team. Therefore, the risk of handling personal data contained in the log files may be considered low.

Depending on the nature of the logs, the potential risk of exposure may differ. Some things to consider:

- Netflow, DNS and legacy firewall logs are frequently pseudonymized, but by combining information from different sources, links leading to an identifiable person may nonetheless be made. Accordingly, you may want to limit access to these links in combination to those investigating confirmed security incidents;

- Host logs (AppLocker, AV, host firewall) and Active Directory logs could also be pseudonymized, but from a risk mitigation point of view, the risk of not doing so may be low or acceptable because on balance these logs do not contain much in the way of personal data;
- Proxy, next generation firewall and application logs usually contain user names so that individual behaviour may be monitored where legitimately needed and proportional to the task, but these personal identifiers could be separated from the logs or pseudonymized, or their examination deferred until initial triage of other log sources has indicated an increased risk of a security incident;
- Email logs contain references to individual users and their communications. Access to the entries in these logs could be limited to those investigating confirmed security incidents.

During an incident, the personal data of the impacted users will need to be exposed to the security team investigating security incidents. In such cases, both the individual user and the organization have an interest in the problem being resolved.

However, the exposure of personal data can be minimized and the risks reduced by limiting access to the members of the security response team involved in the handling of the specific incident. If you are processing logs that contain sensitive data sets under Article 35 (Data Protection Impact Assessment), the limited pool of people with access to the data can be used to help demonstrate the "proportionality" of the processing operations.

Risk of log file data breaches

Appropriate security measures should be put in place to mitigate the risk of breaches of the personal data stored in the logs. These measures should take into account the level of security appropriate to the risk of disclosure, modification or loss of the data.

When balancing the appropriate security measures against the potential risks, it's helpful to keep in mind the following:

- When considering the risk of unauthorized exposure of log files to third parties outside an organization, it's important to note that log files present no new or exceptional risks and should be treated much the same way the organization manages other security risks associated with its virtual assets.
- When considering the risk of unauthorized access within your organization, just as with other applications, networks and systems in your IT ecosystem, role based monitoring can be deployed to help prevent the personal data stored in logs from being used for unauthorized purposes. Likewise, organizations should take appropriate measures (organizational, security policies and segmentation) in terms of access to the logs that help ensure that secondary uses of the personal data contained in them are prevented or conducted only with knowledge and prior review and approval.
- Limit the risk of unauthorized or unnecessary use of the personal data in log files by allowing only select individuals within your organization who have a pre-defined "need to know" to access them, such as the security team.

In most cases the security measures your security team has already put in place to protect your IT infrastructure will suffice to mitigate the risk of external breaches presented by the use of log files.

Pseudonymization and encryption options

If your risk assessment suggests the need for heightened security measures around log files to mitigate risk, there are other options to consider.

One of the measures the regulation highlights to mitigate risks is pseudonymization, a technique which, if properly implemented, can reduce the risk that data can be attributed to a specific person without additional information that is stored separately. In the case of network and security logs, this means splitting off certain data (usernames in proxy logs, recipient address in email logs) in processing the log files or in the access procedures and making them only accessible on demand (in case of a confirmed security incident). Encryption may also help, but of course, is of limited use if the legitimate credential access control is breached.

Splunk can facilitate the implementation of these options. Different techniques and their advantages and drawbacks are described here.
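The pseudonymization option described above (usernames split off the log lines, the linking information kept separately, and re-identification only on demand for a confirmed incident) is shown below as an added example; it is not code from this white paper or from Splunk, and it also illustrates the split-index method that use case 2 in the next section describes (one pseudonymized stream for detection and triage, one access-controlled path back to the full data). The proxy log layout, the sample lines, the incident reference "INC-0001" and the ReidentificationStore class are all constructed for the example; HMAC-SHA256 is the assumed pseudonymization function, chosen because the secret key is exactly the "additional information stored separately" that the guide mentions.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed sample proxy log lines (assumed layout: timestamp user src dst url status).
SAMPLE_PROXY_LOGS = [
    "2018-05-25T08:01:12Z alice 10.0.0.5 93.184.216.34 http://example.com/ 200",
    "2018-05-25T08:01:15Z bob 10.0.0.7 93.184.216.34 http://example.com/login 302",
    "2018-05-25T08:02:03Z alice 10.0.0.5 198.51.100.9 http://example.net/update.exe 200",
    "this line is malformed and is dropped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def pseudonym(user: str, key: bytes) -> str:
    """Keyed pseudonym for a username. The key is the 'additional information
    kept separately': without it the pseudonym cannot be linked back to the user,
    whereas an unkeyed hash of a short username would be trivial to brute-force."""
    digest = hmac.new(key, user.lower().encode("utf-8"), hashlib.sha256).hexdigest()
    return "u-" + digest[:16]


def split_proxy_logs(lines: List[str], key: bytes) -> Tuple[List[str], Dict[str, str]]:
    """Split raw proxy lines into a triage stream carrying only pseudonyms (the
    index 'accessible for detection and triage') and a pseudonym->username
    mapping that is stored under separate access control."""
    triage: List[str] = []
    mapping: Dict[str, str] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # malformed line: do not let an unparsed username leak through
        p = pseudonym(m["user"], key)
        mapping[p] = m["user"]
        # Rebuild from parsed fields rather than str.replace, so a username that
        # also appears inside the URL is not rewritten by accident.
        triage.append(f"{m['ts']} {p} {m['src']} {m['dst']} {m['url']} {m['status']}")
    return triage, mapping


def events_to_destination(triage: List[str], dst: str) -> List[str]:
    """Detection on the pseudonymized stream: the same user always gets the same
    pseudonym, so events can be correlated without knowing who the user is."""
    return [e for e in triage if e.split()[3] == dst]


class ReidentificationStore:
    """Holds the mapping apart from the triage index and releases a username only
    against a confirmed incident reference, recording every request (granted or not)."""

    def __init__(self, mapping: Dict[str, str]) -> None:
        self._mapping = dict(mapping)
        self._confirmed: set = set()
        self.audit: List[Tuple[str, str, str, str]] = []

    def confirm_incident(self, incident_id: str) -> None:
        self._confirmed.add(incident_id)

    def reidentify(self, pseudonym_id: str, incident_id: str, analyst: str) -> str:
        if incident_id not in self._confirmed:
            self.audit.append(("denied", analyst, incident_id, pseudonym_id))
            raise PermissionError("re-identification requires a confirmed incident")
        self.audit.append(("granted", analyst, incident_id, pseudonym_id))
        return self._mapping[pseudonym_id]


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-out-of-the-triage-index"
    triage, mapping = split_proxy_logs(SAMPLE_PROXY_LOGS, key)
    hits = events_to_destination(triage, "198.51.100.9")  # analyst sees only pseudonyms
    store = ReidentificationStore(mapping)
    store.confirm_incident("INC-0001")  # constructed incident reference
    for h in hits:
        print(h, "->", store.reidentify(h.split()[1], "INC-0001", "analyst-1"))
```

In a SIEM deployment the triage stream and the mapping would live in separate indexes or stores with different role assignments; the audit list stands in for the access log that lets the DPO and the security team show that re-identification happened only for confirmed incidents.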

Specific risk reduction use cases

Leveraging machine data for security analytics with the Splunk platform helps support many key GDPR security requirements. Here are some examples:

1. Centralize log files and indexes and secure them

Log files and machine data generated by the organisation's IT infrastructure and applications are stored in Splunk in a way that allows you to secure and control access to the data within Splunk. By centralizing the log repository and organizing its protection, the organization helps fulfil the mandate set out in Article 32 (Security of processing) of the GDPR to "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk".

Using Splunk, you can:

- Install the operating systems and software in a secure manner and harden their controls;
- Secure log forwarding by encrypting the communication with signed certificates and monitoring the proper functioning of the forwarders;
- Deploy role-based access control and two-factor authentication;
- Secure browser configurations and encrypt web communications;
- Monitor the use of Splunk and detect anomalies as you would with any other critical service.

2. Pseudonymize personal data in log files

As indicated in this guide, Splunk supports pseudonymization of personal data in log files at different layers to provide an additional level of protection where needed. Two possible pseudonymization methods are described here:

- By event duplication: sort log files into different indexes; one with pseudonyms accessible for detection and triage; one with the full data set accessible for incident response combined with access control procedures;
- By transforming the search index into a pseudonymized index and using the latter for detection and triage and the former for incident response.

Log management and correlation in support of GDPR

Splunk is a platform to store, manage and correlate machine data and can be used to support a comprehensive information security risk management system by fostering early detection and correlating such findings with key information to support data breach impact assessments. Three real world scenarios, what they mean under GDPR and how machine data helps with them can be found in Splunk's white paper "How Machine Data Supports GDPR Compliance".

The design and implementation of a system that provides early detection and data breach scoping by correlating events in log files is an "appropriate technical and organisational measure" designed to ensure a level of security appropriate to the risk, which is what the GDPR security standard is all about.

Want to learn more about operating your SIEM solution under the GDPR? Listen to our webinar "A Day in the Life of a GDPR Breach." Or read our white paper "How Machine Data Supports GDPR Compliance" and discover how to be prepared come May 2018.

Learn more: www.splunk.com/asksales

© 2017 Splunk Inc. All rights reserved.
