Data Privacy: Configure the Recommended Data Privacy Solution

Document created by RSA Information Design and Development on Jul 26, 2016
Version 1

These are the basic steps to follow to configure the Security Analytics system to identify sensitive data and determine who can see the sensitive data. The recommended configuration generates obfuscated values of certain original meta keys and then persists both the original and obfuscated data so that it is available to users assigned privileged role access.

This configuration has several parts:

  1. Create two users with different levels of permissions. One user (the data privacy officer) can view all meta data and another user (an analyst) is restricted from seeing certain meta data and content with associated meta data.
  2. Set up two transforms using a salt and hash to create an obfuscated version of original username and ip.src meta keys.
  3. Configure data retention on the Decoder and Concentrator services.

Prerequisites

The following conditions are required in order to complete this procedure:

  • Concentrator and Decoder must be added to the Security Analytics server using trusted connections.
  • The SA Server version must be 10.5.
  • The Security Analytics Core services must be 10.5.
  • Aggregation must use the Aggregator accounts on all Security Analytics Core services.

Configure Meta and Content Restrictions on Brokers, Concentrators, and Decoders

To restrict the meta and raw content that users can view, you must enable SDK system roles to allow more granular controls by configuring meta and content restrictions on each service in the Services Security view.

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a service and then ic-actns.png > View > Security.
  3. Click the Settings tab.
  4. In the SDK Meta Role Permissions field, select Blacklist meta and content. Click Apply.
    This allows the administrator to blacklist individual meta keys so that only the data privacy officer can see the meta keys and content. New roles per meta key are added to the Roles tab.
  5. Click the Roles tab.
  6. In the Roles tab,
    1. Select the meta keys that you do not want analysts to see, for example, select sdk.meta.username and sdk.meta.ip.src.
      This restricts the analyst from seeing the privacy-sensitive meta keys username and ip.src as well as any content for any session that contains that meta within it.
    2. De-select sdk.packet. This removes the analyst's ability to bulk export raw packets and logs.
    3. Click Apply.
  7. In the Roles tab, ensure that the Data_Privacy_Officers role has no sdk.meta.values selected. Click Apply.
    A DPO can view any meta and any session.
  8. In the Roles tab, ensure that the Aggregation role has the following permissions.

Add Data Privacy Officer and Analyst Accounts on the Security Analytics Server

You must add two new user accounts in Security Analytics at the system level to depict a privileged data privacy officer and a typical analyst. If the environment is configured using the default trusted connections, you do not need to create the new user accounts on the Security Analytics Core services (Brokers, Concentrators, and Decoders). When a user is created in the Security Analytics Server, that user can log on to the services.

Note: The role name is required to exist on both the server and the services, and the role name must be identical. If you create a new custom role on the Security Analytics Server, make sure to add it to all Security Analytics Core services as well.

  1. Create a new user account for the data privacy officer:
    1. In the Security Analytics menu, select Administration > Security. In the Users tab toolbar, click ic-add.png.
      The Add User dialog is displayed.
    2. Create the new account with the following credentials.
      Username = <new user name for logon, for example, DPOadmin>
      Email = <new user's email, for example, DPOadmin@rsa.com>
      Password = <new user's password for logging on, for example, RSAprivacy!@>
      Full Name = <new user's full name, for example, DPO Administrator>
    3. In the Roles and Attributes section, click the Roles tab, ic-add.png, and select the Data_Privacy_Officers role for the new user.
    4. Select Save.
  2. Create a new user account for the analyst with limited privileges:
    1. In the Security Analytics menu, select Administration > Security. In the Users tab toolbar, click ic-add.png.
      The Add User dialog is displayed.
    2. Create the new account with the following credentials:
      Username = <new user name for logon, for example, NonprivAnalyst>
      Email = <new user's email, for example, NonprivAnalyst@rsa.com>
      Password = <new user's password for logging on, for example, RSAprivacy!@>
      Full Name = <new user's full name, for example, Nonprivileged Analyst>
    3. In the Roles and Attributes section, click the Roles tab, ic-add.png, and select the Analysts role for the new user.
    4. Select Save.

Configure Obfuscated Data on Decoders and Concentrators

This procedure creates the obfuscated values to provide to users who do not have access to the original values.

  1. Configure a salt so that the obfuscated value becomes unique. Different companies may have analysts of the same first name and potentially the same login username, and using a salt limits the possibility of someone outside your organization determining your obfuscation mechanism. In this example, you use a simple salt and SHA-256, but the salt is configurable and the hash algorithm can be changed. For additional information, see Configure Data Obfuscation.
    1. To define the salt and hash algorithm in the Security Analytics menu, select Administration > Services.
    2. Select a Decoder and ic-actns.png > View > config.
    3. Click the Data Privacy tab, and select the hash algorithm (SHA-256). In the Salt field, type a salt value, for example, rsasecurity, and click Apply.
  2. Define the transforms, including the hash format, between the original meta key and obfuscated meta key on the Decoder. The default hash format is binary, but the recommended configuration calls for using the text/string format.
    1. Click the Files tab, and in the drop-down menu select index-decoder-custom.xml. (You can apply this same configuration to the Log Decoder in the index-logdecoder-custom.xml file.)
    2. Enter the following lines in the available input area:
      <?xml version="1.0" encoding="utf-8"?>
      <language level="IndexNone" defaultAction="Auto">
      <key name="username" description="Username" format="Text" protected="true"><transform destination="username.hash"/></key>
      <key name="username.hash" description="Username Hash" format="Text"/>
      <key name="ip.src" description="Source IP Address" format="IPv4" protected="true"><transform destination="ip.src.hash"/></key>
      <key name="ip.src.hash" description="Source IP Address Hash" format="Text"/>
      </language>
    3. To restart the Decoder service, in the toolbar, select System in the View drop-down menu (currently labeled Config). In the Services System view, select Shutdown Service. The service should automatically restart.
  3. Define the meta keys on the Concentrator in the index-concentrator-custom.xml file:
    1. Click the Files tab, and in the drop-down menu select index-concentrator-custom.xml.
    2. Enter the following lines in the available input area:
      <?xml version="1.0" encoding="utf-8"?>
      <language level="IndexValues" defaultAction="Auto">
      <key name="username" description="Username" format="Text" level="IndexValues" protected="true"/>
      <key name="username.hash" description="Username Hash" format="Text" level="IndexValues" token="true"/>
      <key name="ip.src" description="Source IP Address" format="IPv4" level="IndexValues" protected="true"/>
      <key name="ip.src.hash" description="Source IP Address Hash" format="Text" level="IndexValues" token="true"/>
      </language>
    3. To restart the Concentrator service, in the toolbar, select System in the View drop-down menu (currently labeled Config). In the Services System view, select Shutdown Service. The service should automatically restart.
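The following is an added illustration, not RSA's code, of what the salt and transform configuration above produces: the protected keys keep their original values (visible only to the DPO role) while a salted hash is written to the destination keys that analysts can see. It assumes the token is SHA-256 over the salt concatenated with the value; the product's exact construction is not stated on this page, and the XML is copied from the procedure above.

```python
"""Model of the Data Privacy transform configured above (added example, not RSA's code).
Assumption: token = SHA-256(salt || value); the real Decoder's construction may differ."""
import hashlib
import xml.etree.ElementTree as ET

# Copy of the index-decoder-custom.xml entered in the procedure above.
DECODER_INDEX = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
<key name="username" description="Username" format="Text" protected="true"><transform destination="username.hash"/></key>
<key name="username.hash" description="Username Hash" format="Text"/>
<key name="ip.src" description="Source IP Address" format="IPv4" protected="true"><transform destination="ip.src.hash"/></key>
<key name="ip.src.hash" description="Source IP Address Hash" format="Text"/>
</language>"""


def transforms(index_xml):
    """Return {protected_key: destination_key}, checking that every protected key
    declares a transform and that its destination key is defined in the same index."""
    root = ET.fromstring(index_xml.encode("utf-8"))
    defined = {k.get("name") for k in root.findall("key")}
    mapping = {}
    for key in root.findall("key"):
        if key.get("protected") == "true":
            t = key.find("transform")
            if t is None:
                raise ValueError(f"protected key {key.get('name')} has no transform")
            dest = t.get("destination")
            if dest not in defined:
                raise ValueError(f"transform destination {dest} is not defined")
            mapping[key.get("name")] = dest
    return mapping


def obfuscate(value, salt, text_format=True):
    """Salted SHA-256 token. The recommended Text format yields 64 hex characters;
    the default Binary format would store the raw 32-byte digest."""
    digest = hashlib.sha256(salt.encode("utf-8") + value.encode("utf-8")).digest()
    return digest.hex() if text_format else digest


def obfuscate_meta(meta, index_xml, salt):
    """Apply the transforms to one session's meta: originals are kept (persisted for
    the DPO) and the hashed copy is added under the destination key for analysts."""
    out = dict(meta)
    for src, dest in transforms(index_xml).items():
        if src in meta:
            out[dest] = obfuscate(meta[src], salt)
    return out
```

Because the token is deterministic for a given salt, an analyst can still pivot on username.hash across sessions without seeing the username; changing the salt changes every token, so keep it stable once data is indexed.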

Configure Data Retention on Concentrators and Decoders

Data retention configuration ensures that the data residing in the Security Analytics Core components is deleted after a certain time. Configuring data retention on Concentrators and Decoders is not required for all environments, but it may be necessary to be in compliance with applicable laws and regulations. It is important to evaluate an appropriate retention period for your environment. The Data Retention Scheduler settings that you set apply to ALL data on a Concentrator or Decoder.

In the following example, Security Analytics is configured to execute a check every 15 minutes to determine if the duration threshold has been met. If the threshold is met, Security Analytics deletes data older than 90 days in the relevant databases.

Caution: The 90-day retention period is just an example. Adjust your rollover criteria depending on the location of the data and the applicable laws. In a strict data privacy environment, such as in Europe, where laws may require that Personally Identifiable Information (PII) not be saved at all or be removed frequently, you may need to shorten the retention time.

This procedure is optional. If you do not set a time retention limit, the system automatically deletes the oldest data when the hard drive space is full.

(Optional) For each Concentrator and Decoder:

  1. Navigate to the Services Config view > Data Retention Scheduler tab.
  2. Define the data retention period. For example, set the Threshold to Duration, and in the Days field, type 90.

  3. Define how often the scheduler checks to see if the threshold has been met. For example, set the runtime to Interval and in the Minutes field, select 15.

  4. To save the configuration, click Apply.

Validate Data Privacy Protection

At this point, users have been added with roles that have permissions around specific types of meta data. The next step is to make sure the restricted user (the analyst) cannot view what the unrestricted user (the DPO) can. You also need to ensure that the data retention configuration is limiting how long data is kept on the systems.

  1. View role-based obfuscation in action:
    1. Log on as the unrestricted user (DPOadmin) and make sure this user can see all the data including the protected sensitive data username and ip.src along with any session that contains that meta.
    2. Log off and then back on as the DPO user.
    3. For each Decoder and Log Decoder, import a PCAP or log file into the Services System view. Use the Upload Packet File option to upload a PCAP file that contains username and ip.src meta data.
    4. When the import is complete, look at the meta data in the Investigation > Navigate view, choosing the Concentrator connected to the Decoder to which the data was just imported.
    5. Scroll down to make sure the username and ip.src meta keys and corresponding values are visible.
    6. Click one of the green numbers next to a username or ip.src value and verify that the session loads in the Events view.
    7. Make a note of the session ID to check when logging on as the restricted user.
    8. Log off and log on as the restricted user (NonprivAnalyst).
    9. Repeat steps 3 through 6 to verify that this user cannot see any username or ip.src meta or any session containing that meta, including the session noted above.
    10. To jump to a specific session, navigate to the Investigation > Navigate view. In the Actions menu, select Go to Event and enter the session ID.
  2. Validate that the data retained in the database falls within the retention time configured in the Data Retention Scheduler.
    1. Log off and log on as the unrestricted user (DPOadmin).
    2. On the Concentrator, navigate to the Services > Explore view.
    3. In the node tree, select the database node and then stats.
    4. Observe the meta.oldest.file.time value and verify that it is not older than the threshold set in the Data Retention Scheduler.
    5. Change the service to the Decoder and repeat steps 2 through 4, checking both the meta.oldest.file.time and packet.oldest.file.time stats.