
CHAPTER 8 CONCLUSIONS AND RECOMMENDATIONS

8.4 Recommendations

As it stands, for SIEMs and other data systems alike, techniques such as anonymisation have proven limitations in their protection of user data. To enforce data privacy rights on these systems, regulatory compliance is required. The law can support global adherence to user protection and guide the approach taken to cross-border data transmission. Where the boundaries of technology are reached in ensuring privacy, regulations need to play a role.

The managed enterprise scenario considered in this research is based on a managed IT outsource environment, where events from multiple outsourced environments are collected centrally. The collection of security events by SIEMs is becoming more widespread and can be identified under the growing notion of a type of big data in the security field[1]. The challenge with shared SIEM services arises where monitoring services are provided by a third-party organisation or from a different country. This requires levels of event information sharing, consolidation and aggregation.

There are many regulatory documents available to ensure various levels of privacy in systems, though none directed at SIEMs as a whole; they address only individual components. Therefore, in this section a privacy guideline is constructed based on existing approved benchmarks of privacy-enforcing legislation. Addressing the concepts of data protection and privacy within this environment, relevant legislative documents are identified and summarised into rules that apply to SIEMs.

4.2.1 Legal Documents: The European Union

The European Commission plays a major role in the privacy battlefield, with countries such as Germany advocating the need for user protection in international data transfers and within the country itself through facilities such as an opt-in as opposed to the opt-out approach. The EU 2012 Privacy Regulation Proposal[9] COM 2012/0011, Personal Data Transfer Sect 3.4.5 (V), Article 45, stipulates the conditions for information transfer to regulate the privacy rights in the movement of data.

The relevant documents introducing data protection principles to be applied to organisations, published by the Commission, are:

• EU Data Privacy Directive 2009

• The proposed EU Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data Data Protection Directive 2012[15]

• Communication on “Safeguarding Privacy in a Connected World - A European Data Protection Framework for the 21st Century” [10]

• EU 2012 Privacy Regulation Proposal[9]

The privacy requirements outlined in these documents need to be applied in the context of a SIEM framework. Privacy can be enforced throughout the framework by following a legislated standardisation. The implementation of EU Directives varies and can be interpreted in different ways; the existing Data Protection Directive is implemented by member states in very different manners[30]. However, the same cannot be said of the legislative EU Regulation documents. This difference arises from the aim of the respective documents: the purpose of an EU Regulation is to encourage harmonisation among member states, so its application must be followed precisely[30].

The proposed EU Directive[15] is currently in the European Parliament and is yet to be agreed on for adoption by the Parliament and Council. The guidelines set forth are based on this document, as a starting point for SIEM technologies in applying legislative structures based on the most recent suggested privacy documentation. The EU legislative documents are widely considered stronger approaches to enforcing privacy than any other legal documents put forth in the area of privacy preservation. A summarised overview is provided in Figure 4.1, indicating the general areas stipulated in the proposed EU Directive [15].

Figure 4.1: Categorical Overview of the EU Directive[30]

The sections highlighted in Level 3, namely Data Subject Rights, Data Security, Authorisation Control and finally Personal Data Transfer, are discussed in terms of their implications for SIEM management approaches and their responsibilities as handlers of sensitive data.

Data Subject Rights

The foremost specification requirement of this section is the explicit definition of what information flowing within the SIEM is classified as “personal” data. As discussed earlier, failure to correctly classify all data types according to their sensitivity can lead to serious breaches of user privacy.

The SIEM framework needs to consider the following[30]:

◦ The classification of personal data, applying to all data types and formats within the framework.

◦ The access and usage rights of the classified data. For example, IP addresses, RFID tags, cookies storing user information.

◦ The examination of data held within the framework and the levels of privacy assured to them depending on their classification.

◦ Whether user identity information needs to be stored at all in cases where the data is simply mined for statistical evaluation (SIEM security reports) needs to be evaluated.

The implementation of these requirements can be carried out through the construction of access rules which allow the use of information to be governed under various privacy levels.

Differential privacy can be implemented in the DBMS layers, or through the use of cryptographic keys at the various management levels[30].

Data Security

The articles specified under this section require adherence in terms of automated data processing. Specifications regarding the various areas of concern are listed below:

(a) The control of access to all equipment

(b) The control of data media handling

(c) The control of storage access and changes

(d) The control of users utilising the SIEM framework. In this case, these are the security analysts and administrators.

(e) The control of access to data

(f) The control of communications within the system

(g) The control of input feeds received by the system

(h) The control of transport of data, communication, and storage.

(i) A recovery control process.

(j) Measurable reliability and integrity

The SIEM framework is required to assess if all the above principles are enforced in a log system that records activity across all areas. This ensures the internal circulation of data maintains a privacy trail in all communications.

Authorisation Control

The articles categorised in the area of authorisation control consist of specifications regarding the personnel hierarchy to be implemented to oversee the control systems specified within the Data Security specifications stated previously.

The control authorisation to be monitored should consist of the following members[30]:

◦ Controller: a Controller is defined in Article 3, with the related responsibilities stated in Articles 18-24 with regard to rights and the need for process documentation.

◦ Processor: the Processor is also defined in Article 3, with the applicable requirements in Articles 18-24.

◦ Supervisory Bodies: a board of supervisors needs to be assigned for the SIEM framework; these members oversee the data Processors, ensuring they do not abuse their permissions and rights on data processing[18]. They also ensure the rights of data subjects are heard and accounted for. There may be more than one supervisory body assigned to different areas of the framework (for example, an incident detection supervisory body and a system analyst supervisory body); if so, mutual assistance must be facilitated across all bodies.

◦ Data Protection Officer (DPO): described with regulation requirements stated in Articles 30-32, a DPO needs to be assigned to ensure data protection and privacy within the SIEM framework[30].

All processes and communications between these members need to be documented and recorded.

Personal Data Transfer

The definitions for personal data transfer concern the movement of data, within or external to the current environment. The following considerations are necessary with regards to the consistent application of privacy[30]:

◦ The assigned Data Protection Officer is particularly responsible for ensuring the consistent application of data privacy; a global DPO can be assigned to check that privacy is ensured throughout the transfer, receiving reports from all relevant officers involved in the transfer.

◦ The biggest concern is harmonisation across different jurisdictions in terms of data privacy and handling. The approach of using a global DPO and, where possible, only providing the data that is necessary (required by the receiving end) can aid this consideration.

The most important concern stressed in the articles of this section is the harmonisation of data privacy internally and specifically in cross-border situations; a common occurrence when overseeing very large enterprises, such as those typically monitored by a SIEM framework.
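The Data Subject Rights checklist above (classification of personal data, access and usage rights per privacy level, and whether identities need to be stored for statistical reports) and the Personal Data Transfer consideration of providing only the data the receiving end requires can be illustrated with the following Python sketch. It is an added example, not code from the thesis or from any SIEM product; the field names, role names, privacy levels, HMAC key and sample events are assumptions constructed for the illustration.

```python
"""Added example: personal-data classification and privacy-level access rules
for SIEM events. Field names, roles, privacy levels and the sample events are
constructed assumptions, not taken from the thesis or any SIEM product."""
import hashlib
import hmac
import re
from collections import Counter

# Fields assumed to carry personal data directly (assumed field names).
PERSONAL_FIELDS = {"src_ip", "username", "cookie", "rfid_tag"}
# Patterns that reveal personal data embedded in free-text fields.
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
COOKIE_RE = re.compile(r"\b(?:session|sid)=[A-Za-z0-9]+", re.I)

# Access rules: which privacy level each purpose/role receives (assumption).
#   raw       - full data, e.g. an incident responder acting for the Controller
#   pseudonym - identities replaced by keyed hashes, e.g. an outsourced analyst
#   minimal   - personal fields dropped, e.g. a cross-border transfer
ACCESS_RULES = {
    "incident_responder": "raw",
    "outsourced_analyst": "pseudonym",
    "cross_border_transfer": "minimal",
}


def classify(event):
    """Return the names of the fields in `event` that hold personal data,
    whether by field name or by a personal-data pattern inside a string."""
    personal = set()
    for key, value in event.items():
        if key in PERSONAL_FIELDS:
            personal.add(key)
        elif isinstance(value, str) and (IP_RE.search(value) or COOKIE_RE.search(value)):
            personal.add(key)
    return personal


def pseudonymise(value, key):
    """Keyed hash: the same identity stays correlatable across events while
    the raw identifier never leaves the Controller's domain."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def redact_embedded(text, key, level):
    """Replace personal-data patterns inside free text according to `level`."""
    def repl(match):
        if level == "pseudonym":
            return pseudonymise(match.group(0), key)
        return "[REDACTED]"
    return COOKIE_RE.sub(repl, IP_RE.sub(repl, text))


def apply_access_rule(event, role, key):
    """Return the view of `event` that `role` is permitted to see."""
    level = ACCESS_RULES[role]
    if level == "raw":
        return dict(event)
    out = {}
    for field, value in event.items():
        if field in PERSONAL_FIELDS:
            if level == "pseudonym":
                out[field] = pseudonymise(value, key)
            # level "minimal": the personal field is dropped entirely
        elif isinstance(value, str):
            out[field] = redact_embedded(value, key, level)
        else:
            out[field] = value
    return out


def statistical_report(events):
    """Aggregate for a SIEM security report: counts per event type only, so
    no user identity has to be retained for the report itself."""
    return dict(Counter(e["event_type"] for e in events))


# Constructed sample events (documentation IP ranges, made-up users).
EVENTS = [
    {"event_type": "login_failed", "src_ip": "203.0.113.7", "username": "alice", "msg": "bad password"},
    {"event_type": "login_failed", "src_ip": "203.0.113.7", "username": "alice", "msg": "bad password"},
    {"event_type": "proxy_block", "src_ip": "198.51.100.9", "username": "bob",
     "msg": "blocked request from 198.51.100.9 with sid=abc123"},
]
KEY = b"example-hmac-key-not-for-production"  # assumed; would come from key management

if __name__ == "__main__":
    for role in ACCESS_RULES:
        print(role, apply_access_rule(EVENTS[2], role, KEY))
    print("report:", statistical_report(EVENTS))
```

The pseudonym view keeps correlation (the same source address hashes to the same value in the `src_ip` field and inside the message text), which is what an outsourced analyst needs to spot repeated failures without learning the identity; the minimal view is the shape that would cross a border, and the report never sees identities at all.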

In summary, the explicit implications for SIEM environments extracted from the data directive are critical components in ensuring privacy infrastructure support for an entire monitored enterprise.

The implementation of data protection and privacy is needed for Security Information and Event Management (SIEM) frameworks, so the associated requirements for a SIEM framework need to be made explicit. In particular, roles need to be clearly defined for a SIEM system (for example processor, controller, etc.) and the SIEM itself needs to be treated as a processing system of the organisation. This means that the data residing in the system needs to be made explicit, with the retention and storage or processing purposes made known and documented. A data protection officer should be assigned, with responsibility for the SIEM system in the same manner as for other systems.

Given the potential sensitivity of data collected by a SIEM this needs to be done very carefully.

Techniques of full anonymisation or aggregation can also be enforced where applicable. Rules for processing jurisdiction could either be agreed contractually with SIEM providers, or there may be ways to embed such meta-information into the processing rules of cloud or other service providers so that Service Level Agreements can be implemented to guide and control how security processing is conducted.

Further requirements specified by the Regulation include the establishment of a European Data Board, enforcing the explicit consent of a data subject, possibly by existing methods such as 'opt-in', enforcing consistency mechanisms, data protection certification, codes of conduct for the SIEM workforce, time limits for the processing of data, further documenting of authorised members, identifying types of personal data and treating them with different levels of privacy and finally stricter enforcement of data subject rights.