PRIVACY IMPLICATIONS FOR NEXT GENERATION SIEMs AND OTHER META-SYSTEMS

Transcription

1 PRIVACY IMPLICATIONS FOR NEXT GENERATION SIEMs AND OTHER META-SYSTEMS Dr Andrew Hutchison T-Systems MAanagement of Security information and events in Service InFrastructures Workshop on Security and Privacy Services in the Horizon, 19 April 2013, Brussels Project funded by the European Commission ICT workprogramme 2009 (FP7-ICT )

2 Overview Goals of Security Information & Event Management (SIEM) The MASSIF project Scenarios Areas of enhancement Privacy implications of SIEMs and meta-systems Different modes for SIEM deployment Relevant EU privacy requirements (data protection guidelines) Implications of guidelines for SIEMs Strategies and approaches for dealing with the privacy implications Recommendations for next-generation SIEMs Conclusions 2

3 Security Information & Event Management SIEM technology provides two main capabilities: security information management (SIM) and security event management (SEM). SIM provides log management - the collection, reporting and analysis of log data - to support regulatory compliance reporting, internal threat management and resource access monitoring. SEM processes event data from security devices, network devices, systems and applications in real time to provide security monitoring, event correlation and incident response. The technology can be used to discover activity associated with a targeted attack or a security breach, and is also used to satisfy a wide variety of regulatory requirements. (Gartner: IT Glossary, April 2012) 3

4 MASSIF: overview Multi-domain parallel-running processes Highly-scalable, dependable and multi-level event collection Predictive security analysis Alert and reaction generation Actions and Countermeasures Olympic Games Trustworthy event collection Multi-level security event modeling Languages Mobile money transfer service EVENTS POLICIES RELATIONS REACTIONS Security analysis and notification CI Process Control (Dam) Multi-level event correlation Process and attack simulation Resilient framework architecture Security-aware processes Managed Enterprise Service Infrastructures Event and Information Collection Event, Process Models and Attack Models Scenarios Prototypes Resilient event processing and integration Advanced SIEM Framework 4

5 Olympic Games IT infrastructure Overview: Protect the Olympic Games IT infrastructure from misuse or uncontrolled phenomena. Protect recorded results and associated services.

6 Mobile phone based money transfer service Overview: Electronic money can be used to pay merchants or for transfer between users. Allows end users to convert cash to electronic money and vice versa. All transactions are made online and are authorized by operator Aim is to protect the money transfer service against fraud both by detection and application of countermeasures. Mobile phone based transfer service using electronic money

7 Managed Enterprise Service Infrastructures Anti-Virus Anti-Spam SOC Router Security Operations Centre Internet Cloud HIPS Anti-Virus Anti-Spyware (PKI Infrastructure) (Strong Authentication) Firewall & IPS Firewall & IPS Campus/Remote Site Internet Gateway Remote Authentication Server Local Novell IDS Server Spooler Software Update Server Proxy Server Site Router Internet Gateway Router URL Filtering Anti-Virus Firewall & IPS HIPS Anti-Virus Anti-Spyware Firewall & IPS Servers T-Systems MPLS Cloud Anti-Virus Anti-Spam Mail Server Monitoring Data Centre IDM Event Correlator Vulnerability Analysis Software Update Server Firewall & IPS Data Centre Router Firewall & IPS Overview: Protect an enterprise IT infrastructure from misuse & security breaches Use SIEM to obtain a consolidated view allowing powerful analysis 7

8 Critical infrastructure process control (dam). Overview: Protect a dam / CI environment by: recognizing real threats in the multitude of alerts per day. Assuring that data sources are reliable. Managing data coming from heterogeneous devices and networks (such as WSNs). Correlating highly heterogeneous data to identify threats. Making Total Cost of Ownership (TCO) affordable for a SME. 8

9 Consortium Scientific research... 9

10 Cross-layer event filtering, aggregation, correlation and abstraction at the edge Micro Events Application DBMS OS Network Physical Event Parsing GET Access Point Adaptable Parser Event Filtering Event Aggregation Event Pre-correlation Security Probe Security Event Tracker Event Finite State Machine Rule Alert Event Normalization MASSIF Events Handler GET Macro Events Significant reduction of the amount of data forwarded to the subsequent stages of the MASSIF framework. Pre-processing of events is provided ( normalisation ) Generic Event Dissemination 10

11 Security Information & Event Management Collection of security events by SIEMs is becoming more widespread Different SIEM deployment modes: Dedicated SIEM and Security Operations Centre (SOC) Shared SIEM service and SOC Security as a Service (SecaaS) Shared, cloud-based SIEM service and SOC

12 Security Information & Event Management Challenge occurs where monitoring service / location may be provided by a 3 rd party organisation or in a different country Levels of event information sharing / consolidation / aggregation Opportunity for international security view(s) to be enhanced through sharing of real-time security related information Challenge with all shared SIEM services and even more so with international

13 The key privacy issue While privacy requirements and approaches are well described for primary systems, it is less clear how these principles should be extrapolated to meta-systems Is it reasonable for a user to opt out of having personally identifiable information collected by a SIEM or other meta-system? What would the implications of such a decision be for system and security administrators Are organisations treating SIEMs, management systems etc. with the same rigorousness / scrutiny as primary systems with respect to privacy? 13

14 Data privacy implications around security and SIEMs

15 Data privacy implications around security and SIEMs

16 Anonymisation One of the means to anonymise is generalization; i.e replacing the values with subsets of values, so that every entry Ri ( j ), 1 i n, 1 j r, which is an element of Aj, is replaced by a subset of Aj that includes that element. The process of anonymising is relatively simple and easy to implement, it typically involves generalizing entries and thus can incur a loss of relevant information. Example of anonymisation is K- anonymity A k anonymized dataset has the property that each record is indistinguishable from at least (k - 1) other records within the dataset. The larger the value of k, the greater the implied privacy. This algorithm is further enhanced to a technique known as optimal k anonymity.

17 Pseudonymisation Pseudonymisation is a particular type of anonymisation that can be defined as a process of masking the identities of individuals so that information relating to them can be handled without knowing to whom the information relates It ensures that a user acting under multiple pseudonyms can use a resource without his identity being disclosed. It still enables the linkage of data associated to the pseudo-identities (pseudo IDs) helping retain the consistency of the internal data There are two types of pseudonyms: One-way, which cannot be reversed Reversible, which allow re-identification of the individual. Very useful technique for data collection of large amounts from various sources

18 Recommendations for next generation SIEMs Source: MASSIF Project Documentation, EU FP7 Project,

19 Conclusions (1/2) Preserving data privacy is a continuous trade off between strengthening the protection of data & maintaining a good level of data usefulness, to avoid the data losing its effectiveness. A method must be chosen that does not compromise the actual productivity of meta-systems such as SIEMs To achieve the proactive protection goals of organisations such as ENISA, security event data sharing needs to be expanded within the controls and context of regulations and directives on data privacy NRAs should also be involved in setting these policies

20 Conclusions (2/2) International & European legislation is concerned with protecting personal data Meta-systems such as SIEMs do not currently incorporate methods to ensure personal data privacy resulting in a privacy risk (potentially also cross-border) Technical solutions such as anonymisation and pseudonymisation (possibly through the MASSIF GET framework) are available to help implement privacy in applications such as SIEMs Privacy techniques and approaches need to be seriously considered and implemented across this class of system

21 References Tassa,T; Batya K, A practical approximation algorithm for optimal k-anonymity Data Mining and Knowledge Discovery,2012,Springer NetherLands,vol 25, pp , doi: /s URL: Bayardo, R.J.; Rakesh Agrawal;, "Data privacy through optimal k-anonymization," Data Engineering, ICDE Proceedings. 21st International Conference on, vol., no., pp , 5-8 April 2005 doi: /ICDE URL: Tinabo, R.; Mtenzi, F.; O'driscoll, C.; O'Shea, B.;, "Solving the problem of balancing data usefulness and protection of personal identifiable information using multiple anonymisation techniques," Networked Digital Technologies, NDT '09. First International Conference on, vol., no., pp.37-42, July 2009 doi: /NDT URL: Tinabo, R.; Mtenzi, F.; O'Shea, B.;, "Anonymisation vs. Pseudonymisation: Which one is most useful for both privacy protection and usefulness of e-healthcare data," Internet Technology and Secured Transactions, ICITST International Conference for, vol., no., pp.1-6, 9-12 Nov URL: Rakesh Agrawal, Christopher Johnson, Securing electronic health records without impeding the flow of information, International Journal of Medical Informatics, Volume 76, Issues 5 6, May June 2007, Pages , ISSN , /j.ijmedinf ( Keywords: Security; Privacy; Electronic health record; Auditing; Anonymization; Data mining

22 MASSIF facts MAanagement of Security information and events in Service InFrastructures IP project funded by the European Union FP7 Information Society and Media. ID: ICT Call 5: Objective ICT : Trustworthy ICT Project start: October 2010 Duration: 36 months Overall budget: ~ 6 Mio. Project Coordinator: Atos 12 different organisations from 7 countries. South Africa 22