
Data Privacy Implications for Security Information and Event Management Systems and Other Meta-Systems

  • Conference paper
  • Cyber Security and Privacy (CSP 2013)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 182)

Abstract

Security Information and Event Management (SIEM) systems collect security information from multiple input systems, with a view to correlating and interpreting events so as to conduct security analysis and inference. Our analysis of large SIEM event sets has shown that in many instances the source events also contain personal information resulting from activities performed by users. The treatment of privacy in such ‘meta-systems’ is a challenging and, as yet, largely unaddressed consideration in privacy debates. This paper uses the 2012 EU Draft Data Protection Regulation as a basis to develop a view of its implications for SIEMs and other meta-systems. Providers of SIEM services have an obligation to ensure that their ‘meta-systems’ adhere to the same requirements as other systems, and the complexity can be compounded if the SIEM is not located in the same country as the originating events. Recommendations for role clarification, notification requirements, anonymisation and data protection officer oversight activities are presented – with respect to the requirements of the associated privacy specifications. By adhering to these privacy specifications, security objectives can be achieved while ensuring that the rights of individuals and the obligations arising from data privacy requirements are met, even when centralised security events and other types of meta-data are collected.


Notes

  1. This work was conducted as part of the European Union FP7 project MASSIF, http://www.massif-project.eu
  2. Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Safeguarding Privacy in a Connected World. A European Data Protection Framework for the 21st Century
  3. Articles 1-10 of Draft Regulation 2012/0011/EC
  4. http://www.tomtom.com
  5. Article 7, Draft Regulation 2012/0011/EC
  6. Articles 11-21, Draft Regulation 2012/0011/EC
  7. Articles 30-32, Draft Regulation 2012/0011/EC
  8. Supervisory Authorities: Articles 39-49, 46-54, 55-63; Controller and Processor: Articles 22-29; Data Protection Officer: Articles 35-37 of the Draft Regulation 2012/0011/EC
  9. Articles 40-45, Draft Regulation 2012/0011/EC
  10. Section 3.4.7.2, Draft Regulation 2012/0011/EC


Acknowledgments

The authors would like to thank Joachim Hoenig, Director of the Deutsche Telekom AG, Brussels Representative Office in Belgium.

Author information

Correspondence to Herah Khan.


Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Khan, H., Hutchison, A. (2013). Data Privacy Implications for Security Information and Event Management Systems and Other Meta-Systems. In: Felici, M. (eds) Cyber Security and Privacy. CSP 2013. Communications in Computer and Information Science, vol 182. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41205-9_7


  • DOI: https://doi.org/10.1007/978-3-642-41205-9_7


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41204-2

  • Online ISBN: 978-3-642-41205-9

