AnaVazao / SIEM_GDPR

Open-source SIEM solution with pseudonymization

GDPR-compliant open-source SIEM

This work implements an open-source SIEM prototype: a tool for analysing and detecting threats in real time that, at the same time, guarantees GDPR-compliant processing of the personal data contained in the logs.

The following image is the result of documentary research and the implementation of some practical scenarios. It is intended to contribute to a SIEM solution in which the logs can be pseudonymized without losing the ability to identify threats and attacks.

[image: fig4b]

Table - List of fields to pseudonymize

Depending on the Beat type, personal data maps to distinct fields. The table lists the SIEM fields that may contain personal data.

[image: imag1]

Algorithm - Log pseudonymization

Using a test environment with Windows and Linux operating systems, the fields to pseudonymize were surveyed for each Beat, which led to the algorithm illustrated in the following image.

[image: Capturar_1]

The following link shows the algorithm as implemented in the server's Logstash pipeline configuration file:

The following link shows the algorithm as implemented in the server's Logstash pipeline configuration file for the Metrics scenario:
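As an added illustration (not code from the SIEM_GDPR repository, whose algorithm lives in its Logstash pipeline files), the following Python sketches the same idea in a runnable form: the personal-data fields selected per Beat type are replaced by keyed, deterministic HMAC tokens, so detection rules can still correlate events, while a separately held token map allows authorised re-identification. The field list, key and sample events are constructed assumptions, not the project's own table.

```python
import copy
import hashlib
import hmac
from collections import Counter

# Fields that may carry personal data, per Beat type. The page's table is an
# image, so these ECS-style paths are assumed examples, not the project's list.
FIELDS_BY_BEAT = {
    "winlogbeat": ["user.name", "host.name", "source.ip"],
    "filebeat": ["user.name", "host.hostname", "source.ip"],
}

# Constructed sample events: two failed logons for the same user, one success.
SAMPLE_EVENTS = [
    {"agent": {"type": "winlogbeat"}, "event": {"code": "4625", "outcome": "failure"},
     "user": {"name": "alice"}, "host": {"name": "WS01"}, "source": {"ip": "10.0.0.5"}},
    {"agent": {"type": "winlogbeat"}, "event": {"code": "4625", "outcome": "failure"},
     "user": {"name": "alice"}, "host": {"name": "WS01"}, "source": {"ip": "10.0.0.5"}},
    {"agent": {"type": "filebeat"}, "event": {"outcome": "success"},
     "user": {"name": "bob"}, "host": {"hostname": "srv01"}, "source": {"ip": "10.0.0.9"}},
]

def pseudonymize(event, key, vault):
    """Replace personal-data fields with keyed HMAC-SHA256 tokens. Tokens are
    deterministic, so one user/host/IP always maps to one token and detection
    still correlates events. The token -> original map is written to `vault`,
    which must be stored outside the SIEM so only authorised staff can re-identify."""
    out = copy.deepcopy(event)
    for path in FIELDS_BY_BEAT.get(event.get("agent", {}).get("type"), []):
        *parents, leaf = path.split(".")
        node = out
        for part in parents:
            node = node.get(part, {}) if isinstance(node, dict) else {}
        if not isinstance(node, dict) or leaf not in node:
            continue  # field absent in this event
        token = hmac.new(key, str(node[leaf]).encode(), hashlib.sha256).hexdigest()[:16]
        vault[token] = str(node[leaf])
        node[leaf] = token
    return out

def reidentify(token, vault):
    """Authorised lookup of the original value via the separately stored key map."""
    return vault.get(token)

def failed_logons_per_user(events):
    """A detection rule that runs unchanged on pseudonymized events."""
    return Counter(e.get("user", {}).get("name") for e in events
                   if e.get("event", {}).get("outcome") == "failure")
```

The 16-hex-character truncation keeps tokens readable in dashboards; lengthen it (or keep the full digest) where collision risk across a large user population matters.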

Video

Video illustrating an attack executed on a machine, the anomalous situation being identified by the SIEM, and how the key can be looked up to re-identify the pseudonymized data.

https://user-images.githubusercontent.com/130701154/232077023-f736cac3-3978-41e1-ac3e-21451cba904e.mp4

Future Work

Ana Paula Vazão, Leonel Santos, Rogério Luís de C. Costa, Carlos Rabadão. (2023). Implementing and evaluating a GDPR-compliant open-source SIEM solution. Journal of Information Security and Applications, 75, 103509. DOI: https://doi.org/10.1016/j.jisa.2023.103509