PCI 30 seconds newsletter #19 - Your PCI Logbook - What is required in terms of log management?

Blog Post created by dgodart on May 4, 2012



P>D+R is a well-known principle in security.


It's a principle that means the Protective measures in place must be strong enough to resist for longer than the time required to Detect that something wrong is happening and then React.


For example, your door must be strong enough to prevent a malicious individual from getting in for at least the amount of time required to detect the incident, alert the police, and have them arrive on site.


In this context, log management plays a specific role. It helps limit the risk of incidents by detecting suspicious activities upstream. It also helps with understanding the modus operandi of incidents by tracing back the activities.


A little story. Four guards are instructed to watch the perimeter fence of your organization. The first one, lulled by the silence of the night, quickly falls asleep. The second one, a passionate writer, logs every observation in his notebook, including the presence of stars, clouds, the temperature and his state of mind. The third one, a bit stressed, rings the alarm bell every time he detects or hears "something."


Alert!! This is…oh..a rabbit. I'm so sorry guys!


The fourth and last guard, a trained and skilled professional, writes down the specific events he has learned to classify and wakes the garrison only in case of emergency.


As illustrated through the above scenario, audit trails have their own problems. They are useless if too quiet or too talkative, and without adequate monitoring. In other words, monitoring is inefficient if too scarce, too permissive or too alarming. To be efficient, audit trails must be configured appropriately and constantly reviewed.


In this domain, PCI DSS specifies what events must be logged (10.2) as well as what data must be recorded for each event (10.3). PCI DSS also addresses the protection of the audit trails (10.5) and audit file retention (10.7).


In terms of review, PCI DSS requires audit trails to be reviewed on a daily basis (10.6). That is more prescriptive than the SANS Top 20 Critical Security Controls, which suggest "biweekly reviews." However, SANS goes further than PCI by suggesting the automation of this tedious process through the use of SIEM technology.


What is SIEM technology?

SIEM stands for "Security Information and Event Management."


It's the combination of SIM (Security Information Management), which collects information and does some basic analysis, and SEM (Security Event Management), which evaluates the collected information in search of defined security events.


What does SIEM technology do?

SIEM technology allows event logs to be automatically collected, centralized and managed (analyzed, filtered, classified and reported) such that security events are reported according to their level of risk. So a SIEM could be perceived as a kind of "intelligent" robot that would observe what is going on, detect signs of aggression, generate reports, and ring the alarm bells in case of emergencies (upon detection of critical anomalies).


Technically, PCI doesn't require or prevent the use of such technology, which carries its own problems as well. Some organizations achieve compliance with regard to log management without a SIEM, while for others SIEM technology is deemed necessary due to the high volume of logs.
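The fourth guard's triage, which a SIEM automates, sketched as an added example that is not part of the original post: it checks each record for the elements requirement 10.3 calls for and escalates only selected events. The field names, the critical event types and the failed-login threshold are assumptions chosen for illustration.

```python
from collections import Counter

# Hypothetical field names for the record elements PCI DSS 10.3 lists.
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "resource")

# Assumed triage policy, not taken from PCI DSS or the original post.
CRITICAL_TYPES = {"audit_log_cleared", "audit_log_stopped"}
FAILED_LOGIN_THRESHOLD = 3  # failures per (user, origin) within one review window

def missing_fields(record):
    """Return the required fields that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]

def triage(records):
    """Sort one review window of records into alert / review / routine."""
    buckets = {"alert": [], "review": [], "routine": []}
    failures = Counter()
    for rec in records:
        if missing_fields(rec):
            # An incomplete record cannot support an investigation later.
            buckets["review"].append(rec)
        elif rec["event_type"] in CRITICAL_TYPES:
            buckets["alert"].append(rec)
        elif rec["event_type"] == "login" and rec["outcome"] == "failure":
            key = (rec["user"], rec["origin"])
            failures[key] += 1
            # Alert once, at the threshold; other failures are only written down.
            level = "alert" if failures[key] == FAILED_LOGIN_THRESHOLD else "review"
            buckets[level].append(rec)
        else:
            buckets["routine"].append(rec)
    return buckets

def make(user, event_type, minute, outcome, origin, resource="app01"):
    """Build a constructed sample record (not real log data)."""
    return dict(user=user, event_type=event_type, outcome=outcome, origin=origin,
                resource=resource, timestamp=f"2012-05-04T02:{minute:02d}:00Z")

SAMPLE = [
    make("alice", "login", 1, "success", "10.0.0.5"),
    make("bob", "login", 2, "failure", "203.0.113.7"),
    make("bob", "login", 3, "failure", "203.0.113.7"),
    make("bob", "login", 4, "failure", "203.0.113.7"),
    make("root", "audit_log_cleared", 5, "success", "10.0.0.9", "syslog01"),
    make("carol", "file_read", 6, "success", ""),  # origin missing
]

if __name__ == "__main__":
    print({level: len(recs) for level, recs in triage(SAMPLE).items()})
```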


How does a QSA validate compliance?

To validate implementation, Qualified Security Assessors (QSA) are required to perform interviews, review the related policies and procedures, and sample log files. Organizations subject to compliance must confirm implementation of the requirements during the interviews and show the policies and procedures related to log management as well as samples of audit logs.




What are your concerns and recommendations in the context of Requirement 10: Track and monitor all access to network resources and cardholder data?

Are you using either SIM, SEM or SIEM to comply with this requirement?




Have you read the previous newsletter? Read it here: PCI 30 seconds newsletter #18 – What to do if compromised?