In the ‘Goldilogs Zone’: using GDPR to get logging just right for incident response

andrew cormack
Andrew Cormack

Two of the most common complaints in cyber security incident response (IR) are that the volume of alerts makes it difficult to pinpoint ‘real’ incidents and that missing information hinders investigations.

A finger print scan is reflected in someone's glasses.

It seems that logging these alerts can be both too hot and too cold. But there is a way to make it to the Goldilocks Zone, or perhaps the Goldilogs Zone, where the level is just right.

The General Data Protection Regulation (GDPR) can help educational organisations reduce pressure on security functions and improve IR processes.

Incident response challenges

When an incident occurs, data often hasn’t been recorded that would help IR staff understand the nature of an attack.

There are many reasons for this: systems may have been incorrectly configured (or not configured at all); or logs are overwritten to save space; or retained logs don’t include all the right information, collecting the symptoms of an incursion, rather than its cause.

Systems aren’t always connected to a central security information and event management (SIEM) or other logging software, which means information that exists isn’t readily available, increasing the time to repair and complicating investigations.

This is a particular challenge in educational organisations, where multiple departments and silos make it even harder to access data.

Conversely, at institutions where systems are integrated, there may be an overwhelming amount of information to trawl through.

IT market intelligence provider IDC estimates (pdf) that every alert requires 32 minutes of investigation. Small security teams, which are common in the education sector, particularly in colleges, can become buried under a mountain of alerts with no way to prioritise.

Multi-stage attacks, which are increasingly common, generate alerts from many different systems. These need to be brought together to build a true picture of what is happening. This means cyber-security in education has never been so challenging.

Transient populations, diverse requirements and equipment, and low budgets for detection and remediation tools are particular challenges.

The National Cyber Security Centre (NCSC) has highlighted the increase in cyber-attacks on the education sector in the last two years. Transient populations, diverse requirements and equipment, and low budgets for detection and remediation tools are particular challenges.

The GDPR encourages IR as an essential way to protect people and data. It also provides a structure for designing effective and sustainable processes for detecting, investigating and mitigating security breaches.

Define your purpose and plan

The GDPR is led by a purpose: identifying why a particular action is needed, and what data is required to achieve it. For IR this means working out in advance which alerts to act on, and what to do with them.

Creating a response plan is valuable in many ways, but perhaps most important is breaking it down into a process which can then be reviewed and refined.

Creating a response plan is valuable in many ways, but perhaps most important is breaking it down into a process which can then be reviewed and refined.

This helps to pinpoint the basic areas of data to collect, identify the people to inform, set expectations for fixing the problem, and define how to evaluate the response and make process improvements.

Agreeing answers to these questions will better prepare IR staff for a rapid response.

Collect the necessary data or logs

The GDPR requires data minimisation: organisations should only collect and store what they need and no more. This principle can be used alongside a response plan to outline exactly what information will be necessary to investigate an incident.

This aligns data collection with need and builds a robust response to any incident. Reducing the data to explore after an attack can also make a world of difference to the time it takes to recover.

There are limits as to when it is no longer useful to collect data. For example, when external information or circumstances can no longer be recovered or when an attacker has had ample time to damage both the system and the information within it.

In both cases, there will be little benefit in investigating further, so the effort is better spent wiping the system and re-creating a secure replacement.

Ensure data security and integrity

Complying with security and confidentiality elements of the GDPR helps ensure processes are correct and fit for purpose, and that IR is based on reliable information.

Robust processes can support effective tabletop exercises or attack simulations, which are important to practice and refine as part of an overall cyber-security strategy.

Automate processes

The GDPR principle of minimising processing can highlight opportunities to automate simple, but time-consuming, tasks for humans. This will free IR staff to focus on tasks and alerts that require human intellect and flexibility. 

GDPR guides the process

By using the GDPR’s guiding principles as a framework, colleges and universities can create an IR process and logging strategy that aligns with the organisation’s needs, reduces time to repair and builds a lean data system.

This approach can also help cyber security professionals create the right data architecture for automation, reducing the pressure on their team, and speeding up responses.

Andrew Cormack will be speaking virtually at the Jisc security conference on 9 November 2022 about using the GDPR to help IR. Find out more about the security conference.

Get involved

Join our defend as one campaign and help us unite higher and further education in a common cause - to build robust defences across the sector. As a member, you can sign up to receive personalised instructions on how to improve your cyber security posture across your organisation.

About the author

andrew cormack
Andrew Cormack
Chief regulatory adviser, Jisc