Log Management & Digital Forensics in Data Protection


Enterprise data protection and information security programs often clash over two issues: log management and digital forensics in case of information security incidents and data breaches.

In many ways 2020 was an exceptional year. Apart from numerous restrictions and obstacles, great progress has been made in the field of digitization – above all, a widespread shift of the world of work to the digital world and to the home office.

Companies have faced numerous challenges in handling sensitive data both securely and in a privacy-compliant manner, and these two requirements often seem to be at odds with each other. In particular, enterprise data protection and information security programs clash over two issues: log management and digital forensics in case of information security incidents and data breaches.

In this article, we first take a general look at this area of tension followed by an individual examination of the two topics. We conclude with overarching recommendations for companies and organizations.

Data Protection vs. Information Security

Although data protection and information security have been increasingly in the public spotlight in recent years, the two are still often conflated. However, they can be distinguished by their individual objectives:

  1. Data Protection aims to protect the rights and freedoms of natural persons in the context of the processing of their personal data. Here, the primary protection goal is the right of the individuals concerned to determine for themselves how and by whom their personal data are processed.
  2. Information Security, on the other hand, aims to protect the company or organization by safeguarding sensitive information – whether personal or not – from risks that violate its confidentiality, integrity or availability.

This distinction is reflected in the way companies are organized. Nevertheless, the underlying interests behind both points should be considered equally. While data protection efforts focus on the rights of the affected persons, information security requirements serve the interests of the responsible organizations in their valuable corporate data.

In many cases, these different interests lead to tension, most often in two areas: log management, and security incidents and digital forensics.

How to handle Log Management?

One topic that is often the subject of heated discussions between data protection and information security experts is the handling of log data, e.g., web server logs, audit logs and activity histories. The core issue is always how far the collection, storage and evaluation of log data at system or user level may go. After all, data protection is always concerned with protecting the privacy of the individual, while security-optimized logging aims to record all user activities as comprehensively, in as much detail and for as long as possible.

While at first glance this gives the impression that data protection and information security interests are incompatible in this respect, in practice this is not necessarily the case. Rather, data protection is often even dependent on comprehensive and advanced logging in the company; at least, this is how every data protection officer will see it once a data breach has occurred that must be reported in accordance with Article 33 of the GDPR.


At the same time, however, there must be clear limits to the logging and monitoring of user and system activities in accordance with the basic rules of data protection law. In other words, the company's data protection program must establish guidelines for handling log data in the company. In doing so, it must be ensured that the following aspects are regulated:

  1. Which activities must always be logged, and which must not be logged at all
    1. In consultation with technical experts, the essential events should be identified that are required for effectively handling an information security incident, for example, access to sensitive personal data, logins and logouts, and software changes.
  2. Privacy-compliant design of automated user evaluation and profiling
  3. Establishing justified criteria for manual viewing and evaluation of log data
  4. Security of log data during storage and evaluation
  5. Compliance with data protection principles

What data protection does not regulate, however, is the precise design of the individual logs. This decision is up to the system administrators and the Infosec team, who know the individual applications and events. For example, the data protection officer does not need to know that logging on Windows clients can be usefully extended with Sysmon; this knowledge resides with the company's Security Operations Center, which works with the workstation administrators to implement it in a meaningful way.

Finally, the following principle should be considered when balancing privacy and information security aspects of log management:

The crucial question is not whether logging takes place, but how the logs are used!

It must always be clear that only a middle course resulting from a balancing of interests can be the goal: the company's need to protect and control valuable company data must not be ignored or made impossible by the personal concerns of those affected, nor may logging lead, for example, to employees giving up their privacy in highly personal situations. Additional data protection measures such as the use of pseudonymization or encryption, or the integration of additional control bodies (dual control principle), can provide a remedy.
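As an added illustration of the pseudonymization and dual-control remedies mentioned above (example code, not from the original article or SEC Consult), the following snippet replaces identifying fields in constructed audit-log lines with keyed pseudonyms, so the SOC can still correlate events per user, while re-identification goes through a vault that requires two approvers. The log format, field names and approver roles are assumptions.

```python
import hmac
import hashlib
import re

# Constructed sample audit-log lines for the demonstration (not from the article).
SAMPLE_LOG = [
    "2021-03-02T08:15:01Z user=alice.m ip=10.1.2.33 action=login result=ok",
    "2021-03-02T08:17:44Z user=alice.m ip=10.1.2.33 action=read object=hr/payroll.xlsx",
    "2021-03-02T09:02:10Z user=bob.k ip=10.1.2.87 action=login result=fail",
]

# Assumed field names that carry directly identifying data; their values are replaced.
IDENTIFYING_FIELDS = ("user", "ip")
FIELD_RE = re.compile(r"\b(%s)=(\S+)" % "|".join(IDENTIFYING_FIELDS))


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC: the same input always yields the same pseudonym, so events of one
    user can still be correlated, but without the key the original cannot be
    recovered or guessed offline (a plain hash of a short user name could be)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_line(line: str, key: bytes, vault: dict) -> str:
    """Replace identifying field values and record pseudonym -> original in the vault,
    which is kept separately from the log store the SOC analysts work with."""
    def repl(match):
        p = pseudonym(match.group(2), key)
        vault[p] = match.group(2)
        return f"{match.group(1)}={p}"
    return FIELD_RE.sub(repl, line)


def process_log(lines, key: bytes):
    """Pseudonymize a whole log; returns the cleaned lines and the re-identification vault."""
    vault = {}
    return [pseudonymize_line(line, key, vault) for line in lines], vault


def reidentify(vault: dict, p: str, approvals: set) -> str:
    """Dual control: reveal an original value only when two distinct approvers
    (e.g. SOC lead plus data protection officer) are recorded for the request."""
    if len(approvals) < 2:
        raise PermissionError("re-identification requires two distinct approvers")
    if p not in vault:
        raise KeyError("unknown pseudonym")
    return vault[p]
```

In practice the HMAC key and the vault would live with the control body (e.g. the data protection officer), not on the log platform itself.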

The Principles of Digital Forensics

Another aspect that is often perceived as an area of tension in data protection involves digital forensics in connection with information security incidents.

Digital forensics means examining devices and information systems for digital traces in order to reconstruct the course of an incident. This can answer questions such as "Has this server been compromised by a hacker, and if so, what data did the attacker access?" or "Did an employee who recently left the company copy extensive data files?"

Again, forensic work gives rise to some perceived conflicts of interest between traditional information security objectives and data protection. After all, the forensic analysis and processing of security incidents essentially involves the most comprehensive possible inspection and evaluation of all data inventories on systems, as well as of relevant user activities. At first glance, it seems obvious that this conflicts with various data protection principles.


But again, it ultimately comes down to the rationale and the concrete approach underlying the forensic activities. Careful forensic processing of data privacy violations in the context of an information security incident is in the interest of data privacy and of the persons affected. After all, this often helps to limit the subsequent damage to affected persons and companies, or to take suitable remedial measures to protect affected persons at an early stage.

Of course, as in the case of log management, there are some key principles that must be considered in digital forensics from a privacy perspective. We would like to highlight three principles:

  1. The rights and freedoms of employees (and other affected subjects) must also be protected in the context of forensic analyses of personal devices and storage locations (e.g. home drives).
    1. In this context, responsible companies in particular should ensure the transparency of data processing, the establishment of an appropriate legal basis, and the protection of collected data.
  2. If personal areas of employees are the subject of forensic analyses, it is often necessary to involve the works council and the organization's data protection officer or to obtain their approval.
  3. If the company is confronted with criminal offences (e.g., in connection with illegal content or unlawful access to computer systems), legal experts should be involved in the incident handling process at an early stage. This is particularly advisable with regard to properly obtaining and securing evidence.

In light of these points, companies should consider establishing uniform guidelines and procedures for the systematic execution of forensic activities in advance. After all, these can drastically reduce the time and effort required in connection with the above-mentioned considerations in the event of an emergency – time that is usually urgently needed for the actual mitigation.

Concluding Considerations

The data protection-compliant design of log management or of activities in the area of digital forensics often brings a certain tension with regard to the company's information security. However, a closer look quickly shows that these areas should complement and support rather than contradict each other.

Only if internal security measures are designed to comply with data protection requirements will all involved parties, as well as external stakeholders, trust them, and this trust is a prerequisite for effective information security within the company.


SEC Consult can support you in designing your incident management with data protection aspects in mind as well. We often start by determining the Incident Response Maturity to establish a base for the successful handling of security incidents and hacking attacks. We supplement this with simulation games such as Pen & Paper Exercises or even Red Teaming Assessments to put defence capabilities to the test. Where necessary, we also provide technical advice or help to improve information security management.

In any case, it is advisable to always focus on a holistic awareness of data privacy and information security. Only when an appropriate understanding of both fields, their commonalities and their differences, is established in the company will data privacy and information security work.

About the author

David Rieger
SEC Consult Group
Data Protection Officer

Dipl.-Ing. David Rieger is the data protection officer of the SEC Consult Group and also advises numerous companies as a security consultant in the implementation of extensive and complex information security and data protection requirements. His focus is on the development of information security management systems according to ISO/IEC 27001:2013, risk management, data privacy impact assessments, implementation of data security compliance programs, as well as support and operational consulting in dealing with information security incidents and data breaches.