With the Law on the Protection of Personal Data (KVKK) No. 6698, enterprises have had to take a number of technical measures in their security infrastructure. In businesses where Internet Law No. 5651 already requires logging, KVKK makes logging unavoidable. SIEM (Security Information and Event Management) is also referred to as Information Security Threat and Event Management. These products can do much more than collect logs: with them it is now possible to build a strong preventive mechanism into operations.

Within the framework of KVKK, the inventory of personal data and access to it is expected to be controlled through an authorization matrix. Logging access to personal data is therefore an important issue. However, a further issue is that these logs should be used preventively: systems should be set up that warn managers so they can take the necessary actions. This is where products that derive meaning from logs through strong correlation features come in. Although SIEM cannot be reduced to mere log collection, the use of SIEM for KVKK compliance is an important topic.

Laws, regulations, board decisions and even published technical guidelines are the sources to be considered within the scope of KVKK. In the relevant technical guidelines, log management is one of the first headings among the technical measures. SIEM is a passive preventive system: it alerts and directs information system administrators by establishing meaningful relationships, according to defined rules, between the logs collected from all devices in the system room (firewall, IDS, IPS, active network device logs, system logs, application logs, etc.).

Intrusion Detection Systems (IDS) understand only packets, protocols and IP addresses. Endpoint security systems see files, user names and hosts. Your service logs show user logins, service activity and configuration changes. Asset management systems see applications, business processes and owners. However, none of these systems on its own can tell you what is happening to your business in terms of the continuity of your own business processes. Bringing these logs together and making sense of them is what SIEM does.

The difference between a raw log record and SIEM correlation analysis is very obvious. For example, consider a log record such as:

"16:19 8/7/2018 User JaneDoe Successful Auth to 10.10.20.109 from 10.10.8.212"

With SIEM you can derive the following meaning from it:

"On a day when no one should be in the office, an account belonging to the Marketing Department established a connection to the Office System"
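As an added example that is not from the original article, the correlation step just described in Python: it parses the quoted log line, enriches it with a constructed user directory and asset inventory, and raises a finding when a successful authentication to a system holding personal data happens outside working hours. The day/month/year date order, the working-hours policy and the department and asset mappings are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample line in the format quoted above (date assumed to be day/month/year).
SAMPLE_LOG = "16:19 8/7/2018 User JaneDoe Successful Auth to 10.10.20.109 from 10.10.8.212"

LOG_PATTERN = re.compile(
    r"(?P<time>\d{1,2}:\d{2}) (?P<date>\d{1,2}/\d{1,2}/\d{4}) User (?P<user>\S+) "
    r"(?P<result>Successful|Failed) Auth to (?P<dst>[\d.]+) from (?P<src>[\d.]+)"
)

# Constructed enrichment data of the kind a SIEM pulls from the identity and asset inventories.
USER_DIRECTORY = {"JaneDoe": {"department": "Marketing"}}
ASSET_INVENTORY = {"10.10.20.109": {"name": "Office System", "holds_personal_data": True}}
WORK_DAYS = {0, 1, 2, 3, 4}   # Monday..Friday (assumed policy)
WORK_HOURS = range(8, 19)     # 08:00-18:59 (assumed policy)


def parse_auth_log(line):
    """Turn one raw authentication log line into a dict with a real timestamp."""
    m = LOG_PATTERN.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%d/%m/%Y %H:%M")
    return ev


def correlate(ev):
    """Apply the off-hours personal-data access rule; return a list of findings."""
    findings = []
    ts = ev["ts"]
    dept = USER_DIRECTORY.get(ev["user"], {}).get("department", "unknown department")
    asset = ASSET_INVENTORY.get(ev["dst"], {"name": ev["dst"], "holds_personal_data": False})
    off_hours = ts.weekday() not in WORK_DAYS or ts.hour not in WORK_HOURS
    if ev["result"] == "Successful" and off_hours and asset["holds_personal_data"]:
        findings.append({
            "severity": "high",
            "rule": "off_hours_personal_data_access",
            "message": (f"On {ts:%A} at {ts:%H:%M}, outside working hours, a {dept} account "
                        f"({ev['user']}) connected to {asset['name']} ({ev['dst']}) "
                        f"from {ev['src']}"),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_auth_log(SAMPLE_LOG)):
        print(finding["severity"].upper(), finding["message"])
```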