Security information and event management (SIEM) software has become an essential element of modern network security because it provides a “single pane of glass” view of data from multiple security components. However, organizations must take steps to ensure that unified view doesn’t become a regulatory liability.
SIEM systems collect real-time log data from a wide range of network hardware and software resources such as antivirus software, intrusion detection systems, firewalls and servers. This data is then forwarded to a central console for inspection and analysis to identify any unusual patterns that could signal a security threat.
Many organizations also use SIEM tools to comply with the requirements of increasingly stringent data privacy regulations, including the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations require organizations to conduct regular audits to validate security controls. SIEM tools aid in that process by collating events and logs and generating reports that meet specific compliance requirements.
However, SIEM can itself create privacy issues. Log data often includes personally identifiable information (PII) such as names, addresses, Social Security numbers and biometric data — the kind of data that GDPR and CCPA requirements are specifically intended to protect. Both mandate that companies know exactly where every instance of someone’s personal information is located. They also establish a “right to erasure” that requires businesses to act on requests from individuals to have their data purged if it is no longer relevant or necessary.
Here are three steps you should take to ensure that your SIEM solution effectively safeguards PII:
Anonymize the data. Anonymization is the process of erasing or encrypting identifiers that connect stored data to a specific individual. There are several techniques for doing this. Data masking replaces words or characters with random symbols. Generalization removes some data to make it less identifiable. Data swapping rearranges some data values so they don’t correspond with the original records. The GDPR permits companies to collect anonymized data without consent, use it for any purpose and store it for an indefinite period.
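The three techniques above applied to log records before they reach the SIEM index, as an added example that is not part of the original post or of any particular SIEM product. The sample events, field names and the key are constructed for this illustration (the IPs come from documentation ranges). Masking uses fixed placeholder symbols, generalization keeps only the /24 network and the calendar day, and swapping shuffles one column across records. The user field is pseudonymized with a keyed hash so events can still be correlated; note that under GDPR a keyed hash is pseudonymization, not anonymization, for as long as the key exists, so a full mask is the right choice where correlation is not needed. A final check scans the output for any SSN or e-mail pattern that survived.

```python
import hashlib
import hmac
import ipaddress
import random
import re
from typing import Dict, List

# Constructed sample events, in the shape a SIEM might receive from a web
# application and an identity provider. Every name, e-mail, SSN and IP here
# is made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-03-04T10:15:22Z", "user": "alice@example.com",
     "src_ip": "203.0.113.42", "ssn": "123-45-6789", "action": "login_ok"},
    {"ts": "2024-03-04T10:16:05Z", "user": "bob@example.com",
     "src_ip": "198.51.100.7", "ssn": "987-65-4321", "action": "login_fail"},
    {"ts": "2024-03-05T08:01:47Z", "user": "carol@example.com",
     "src_ip": "203.0.113.99", "ssn": "555-12-3456", "action": "download"},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def mask_ssn(text: str) -> str:
    """Data masking: replace each SSN with fixed placeholder symbols."""
    return SSN_RE.sub("***-**-****", text)


def generalize_ip(ip: str) -> str:
    """Generalization: keep only the /24 network (IPv4 assumed), drop the host."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def generalize_timestamp(ts: str) -> str:
    """Generalization: keep the calendar day, drop the time of day."""
    return ts[:10]


def pseudonymize_user(user: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the identifier: same user -> same token
    under one key, not reversible without it. Still personal data under
    GDPR while the key exists (pseudonymization, not anonymization)."""
    digest = hmac.new(key, user.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "user_" + digest[:16]


def swap_column(events: List[Dict[str, str]], field: str, seed: int) -> List[Dict[str, str]]:
    """Data swapping: shuffle one field across records so values no longer
    line up with their original rows. Returns new dicts; input is untouched."""
    values = [e[field] for e in events]
    random.Random(seed).shuffle(values)
    return [{**e, field: v} for e, v in zip(events, values)]


def anonymize_events(events: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Mask, generalize and pseudonymize field by field, then swap the
    (already generalized) source networks across records."""
    out = []
    for e in events:
        out.append({
            "ts": generalize_timestamp(e["ts"]),
            "user": pseudonymize_user(e["user"], key),
            "src_ip": generalize_ip(e["src_ip"]),
            "ssn": mask_ssn(e["ssn"]),
            "action": e["action"],
        })
    return swap_column(out, "src_ip", seed=7)


def residual_pii(events: List[Dict[str, str]]) -> List[str]:
    """Check step: report any field value that still contains an SSN or
    e-mail pattern. An empty list means nothing obvious leaked through."""
    findings = []
    for i, e in enumerate(events):
        for field, value in e.items():
            if SSN_RE.search(value) or EMAIL_RE.search(value):
                findings.append(f"record {i} field {field!r}: {value}")
    return findings


if __name__ == "__main__":
    # Hypothetical key for the demo; keep a real one in a secrets manager.
    DEMO_KEY = b"rotate-me-example-key"
    cleaned = anonymize_events(SAMPLE_EVENTS, DEMO_KEY)
    print("before:", residual_pii(SAMPLE_EVENTS))
    print("after: ", residual_pii(cleaned))
    for rec in cleaned:
        print(rec)
```

Run this as a pre-ingestion step (a log forwarder filter or a SIEM pipeline stage) rather than on data already indexed, since most SIEMs cannot rewrite events once stored; the residual check belongs in the same pipeline so a new log source with an unexpected PII field is caught before it is retained.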
Create a data-destruction policy. Such a policy ensures that sensitive data is permanently destroyed or disposed of when it is no longer needed for business use. The policy should detail the processes to be used and the specific destruction methods for all data types. Simply deleting a file is not sufficient because it can be recovered. Instead, use data destruction software to overwrite the file with random data until it is considered irretrievable.
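The overwrite-then-delete step from the policy above, as an added example written for this post rather than taken from any data destruction product. The export file, its contents and the pass count are constructed for the demonstration. Two caveats a policy should record: overwriting in place is only reliable on conventional magnetic disks with a filesystem that rewrites blocks in place; on SSDs (wear levelling), copy-on-write or snapshotting filesystems, and anywhere backups exist, the old bytes may survive, so those cases need the drive's own secure-erase command or encryption at rest with key destruction. The SIEM's own indices and any exported reports are data types the policy has to cover too.

```python
import os
import secrets
import tempfile
from typing import Dict


def overwrite_and_delete(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite the file's bytes with random data `passes` times, forcing
    each pass to disk with fsync, then unlink it. Returns the file size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    # Push the directory-entry removal to disk as well where supported.
    try:
        dir_fd = os.open(os.path.dirname(path) or ".", os.O_RDONLY)
        try:
            os.fsync(dir_fd)
        finally:
            os.close(dir_fd)
    except OSError:
        pass  # directory fsync is not available on every platform
    return size


def shred_demo() -> Dict[str, object]:
    """Write a constructed SIEM export containing made-up PII into a
    temporary directory, shred it, and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "siem_export_2024-03.csv")
        with open(path, "w", encoding="utf-8") as f:
            f.write("ts,user,ssn\n")
            f.write("2024-03-04T10:15:22Z,alice@example.com,123-45-6789\n")
            f.write("2024-03-04T10:16:05Z,bob@example.com,987-65-4321\n")
        size_before = os.path.getsize(path)
        overwritten = overwrite_and_delete(path, passes=3)
        return {
            "size_before": size_before,
            "bytes_overwritten_per_pass": overwritten,
            "exists_after": os.path.exists(path),
        }


if __name__ == "__main__":
    print(shred_demo())
```

The function returns the size it overwrote so a job runner can log it against the retention record, which is the evidence an auditor asks for when checking that a right-to-erasure request was actually executed.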
Limit access. Use multifactor authentication (MFA) and role-based access controls to restrict SIEM access to only those who need it to do their jobs. Many solutions have pre-defined account roles that can be customized. SIEM tools usually integrate with external directories such as Lightweight Directory Access Protocol (LDAP) for authentication. When a user attempts to log in, the username and password are sent to the LDAP directory to verify whether the credentials are correct.
Organizations lacking the staff or resources to implement such measures may want to consider working with a managed services provider to handle the setup, monitoring and ongoing management of a SIEM solution. With our Managed SIEM Service, RMM Solutions monitors all your crucial network security devices to detect suspicious activity. What’s more, our service is compliant with GDPR, CCPA and many other regulatory requirements.
Give us a call to learn more about using Managed SIEM to secure your environment and reduce your compliance workload.
Posted by Mike Pape
Mike Pape is an experienced IT and cybersecurity executive who helps businesses uncover their cybersecurity challenges and develop a comprehensive security plan. He understands cybersecurity solutions around compliance, governance, data protection, and ransomware mitigation. His deep understanding of business operations and technology gives him the unique ability to develop business security strategies that truly protect companies against cyber threats.