Secure your logs and achieve GDPR

Key Considerations of GDPR and security logs

  1. Purpose Limitation and Data Minimization: Security logs should only be collected for specific, explicit, and legitimate purposes (like ensuring network and information security) and should not be processed further in a manner incompatible with those purposes. Collect only the data that is strictly necessary for these purposes.

  2. Storage Limitation: Keep the logs only for as long as necessary for the purposes for which they are processed. The duration should be defined based on the purpose of the log data, and this timeframe should be documented.

  3. Data Protection by Design and by Default: Implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR. This includes ensuring the security of the logs, preventing unauthorized access, and ensuring that the logs are not used for purposes other than those for which they were collected.

  4. Security of Processing: Ensure a level of security appropriate to the risk, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. This could involve encryption, regular security assessments, and other appropriate measures.

  5. Access Controls: Limit access to the logs to authorized personnel only. This is a key part of ensuring the security and confidentiality of the personal data contained in the logs.

  6. Record Keeping: Keep records of processing activities, including the purpose of processing, categories of data processed, and a general description of the security measures in place.

  7. Data Breach Notification: In the event of a data breach, GDPR requires timely notification to the relevant supervisory authority and, in some cases, to the affected individuals.

  8. Data Subject Rights: Ensure that data subjects' rights can be exercised in relation to the log data, including rights to access, rectification, erasure, and data portability.

  9. Data Transfer: If logs are transferred outside the European Union, ensure that appropriate safeguards are in place in compliance with GDPR.

  10. Data Protection Impact Assessment (DPIA): In cases where logging practices are likely to result in a high risk to the rights and freedoms of natural persons, a DPIA should be conducted.

Challenges with existing security controls

  1. Access control creep and the eventual compromise

  2. Encryption at rest and in flight does not protect the data from anyone with approved access

  3. The right to be forgotten cannot practically be honoured on security log data by stripping out PII-related information after the fact, given that large organisations can hold up to a petabyte of logs

  4. A data breach notification following a compromise of security logs results in all customers or users being notified, because it is not possible to scope who actually accessed what log data

  5. Transferring data between regions, countries and operating environments introduces risk from configuration drift and from differences in the security capabilities of providers

We have tried to wrap controls AROUND the logs versus applying controls TO the logs

Secure your logs and achieve GDPR compliance at the same time!

Through our Log Security tool, developed to enable Threat Detection Bounty Programs, you can maintain the value of your security log data while achieving your GDPR compliance at the same time.

This is a key challenge for Security Operations Centre (SOC) teams: balancing the need for “all the logs” against the goals of GDPR.

Dec 13 15:24:02 admin-server sshd[9012]: Failed password for root from 192.168.1.102 port 12345 ssh2

Before

{ "CampaignId": "a0ai8000000hrbmmas-campaign",
  "LogType": "OpenSSH",
  "CollectedTimestamp": "Tue Sep  5 03:18:56 2023",
  "RawMsg": "Dec 13 15:24:02 T-device-1c421bd5ffec sshd[9012]: Failed password for T-user-4813494d137e from 192.168.1.102 port 12345 ssh2",
  "LogId": "c57d4c563ad0b41a2f4a0e73100bde86a028cf96b0f38d2bf51aeb9e120d90a1" }

After
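The Before/After sample shows the hostname and username in the sshd line replaced with tokens while the source IP, port and outcome are kept, so detections still work. The Python below is an added illustration of that approach and is not the Log Security tool's code. It assumes tokens are derived as a keyed HMAC-SHA256 truncated to 12 hex characters in the "T-<kind>-" format seen in the sample, that LogId is a SHA-256 of the stored message, and that the token-to-original mapping lives in a separate vault so a subject can be erased by deleting the mapping rather than rewriting stored logs. TENANT_KEY, ReidentificationVault, pseudonymise_line and build_record are names chosen for this example.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime

# Constructed example key; a real deployment keeps this in a KMS or HSM.
TENANT_KEY = b"example-tenant-key-not-for-production"

# Constructed sample: the same sshd line shown on the page.
SAMPLE_LINE = ("Dec 13 15:24:02 admin-server sshd[9012]: "
               "Failed password for root from 192.168.1.102 port 12345 ssh2")
SAMPLE_COLLECTED = datetime(2023, 9, 5, 3, 18, 56)

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SSH_AUTH_RE = re.compile(
    r"^(?P<prefix>(?:Failed|Accepted) (?:password|publickey) for (?:invalid user )?)"
    r"(?P<user>\S+)(?P<rest> from \S+ port \d+ ssh2.*)$"
)


def token(kind: str, value: str, key: bytes = TENANT_KEY) -> str:
    """Keyed, deterministic pseudonym (assumed format 'T-<kind>-<12 hex>').
    Same input + same key -> same token, so events still correlate;
    without the key the token cannot be reversed or re-derived."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"T-{kind}-{digest[:12]}"


class ReidentificationVault:
    """Token -> original mapping, stored apart from the log store and reachable
    only by authorised staff. Erasing a subject here severs the link while the
    (now meaningless) tokens stay in the logs untouched."""

    def __init__(self):
        self._by_token = {}

    def remember(self, original: str, tok: str) -> None:
        self._by_token[tok] = original

    def resolve(self, tok: str):
        return self._by_token.get(tok)

    def forget(self, original: str) -> int:
        """Drop every token pointing at `original`; returns how many were removed."""
        doomed = [t for t, o in self._by_token.items() if o == original]
        for t in doomed:
            del self._by_token[t]
        return len(doomed)


def pseudonymise_line(line: str, vault: ReidentificationVault,
                      key: bytes = TENANT_KEY) -> str:
    """Replace hostname and username in an sshd auth line, leaving the rest
    intact. A line that does not match the expected layout is returned
    unchanged rather than dropped, so nothing is silently lost."""
    m = SYSLOG_RE.match(line)
    if not m:
        return line
    host_tok = token("device", m["host"], key)
    vault.remember(m["host"], host_tok)
    msg = m["msg"]
    a = SSH_AUTH_RE.match(msg)
    if a:
        user_tok = token("user", a["user"], key)
        vault.remember(a["user"], user_tok)
        msg = a["prefix"] + user_tok + a["rest"]
    # The source IP is kept as in the page's sample; whether to tokenise it
    # as well is a policy decision for the controller.
    return f'{m["ts"]} {host_tok} {m["proc"]}[{m["pid"]}]: {msg}'


def build_record(line: str, campaign_id: str, vault: ReidentificationVault,
                 log_type: str = "OpenSSH", collected: datetime = None,
                 key: bytes = TENANT_KEY) -> dict:
    """Wrap a pseudonymised line in a record shaped like the page's sample.
    LogId is assumed here to be SHA-256 of the stored message."""
    raw = pseudonymise_line(line, vault, key)
    when = collected or datetime.now()
    return {
        "CampaignId": campaign_id,
        "LogType": log_type,
        "CollectedTimestamp": when.ctime(),
        "RawMsg": raw,
        "LogId": hashlib.sha256(raw.encode()).hexdigest(),
    }


if __name__ == "__main__":
    vault = ReidentificationVault()
    rec = build_record(SAMPLE_LINE, "example-campaign", vault,
                       collected=SAMPLE_COLLECTED)
    print(json.dumps(rec, indent=2))
    user_tok = token("user", "root")
    print("resolve before erasure:", vault.resolve(user_tok))
    vault.forget("root")
    print("resolve after erasure:", vault.resolve(user_tok))
```

Running the script prints a record in the same shape as the sample, then shows the user token resolving to the original name before erasure and to nothing afterwards, while the stored RawMsg is unchanged. Rotating or destroying the per-tenant key has the same effect for every subject at once.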