PCI DSS states that logging mechanisms to track user activities are critical. Learn how log management can help companies track, monitor and transform log data into actionable information. Identify security threats, monitor controls, conduct investigations, satisfy auditors, answer legal requests and manage security.
Achieving PCI Compliance with Log Management
TABLE OF CONTENTS
Introduction ........................ Page 3
PCI DSS Requirement 10 .............. Page 3
Log Management and PCI .............. Page 4
Data Collection ..................... Page 5
Data Storage ........................ Page 6
Analyzing the Data .................. Page 7
SenSage for PCI Compliance .......... Page 8
Collecting the Data ................. Page 9
Storing the Data .................... Page 9
Analyzing the Data .................. Page 10
SenSage for PCI and the Total Cost of Ownership ... Page 13
Achieving PCI Compliance with Log Management 2
Introduction

Credit card theft and exposure incidents have risen sharply in the last several years, and the pace of these incidents continues to accelerate. The cost of financial fraud associated with these transgressions reaches into the millions of dollars, and the resulting identity theft victimizes millions of people annually. To define how customer account data must be protected when processing credit card transactions, a group of major credit card companies gathered and issued the Payment Card Industry Data Security Standard ("PCI DSS").

The PCI Standard comprises 12 separate requirements organized into six control objectives. Basically, these objectives are to:

1. Build and maintain a secure network
2. Protect cardholder data
3. Manage ongoing vulnerabilities
4. Control access to cardholder data
5. Regularly monitor and test networks, and
6. Maintain an information security policy.

In essence, the requirements demand that a number of security controls be implemented. However, simply deploying controls is not sufficient to reach compliance with PCI DSS. These controls must be monitored on a regular basis to ensure their continued effectiveness and to identify any potential threats to the cardholder processing environment. In fact, tracking and monitoring these security countermeasures is so important to the goal of securing the PCI environment that one of the 12 requirements addresses it directly.

This white paper will review what is specifically called for in PCI DSS Requirement 10, explore the technical considerations of the requirement, and consider some different approaches to addressing the requirement. In addition, it will introduce SenSage for PCI Compliance and illustrate that it not only meets and exceeds PCI DSS Requirement 10, but can also effectively address additional PCI DSS requirements.
PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 10 states that it is not enough to simply put the PCI controls in place and walk away. Rather, these controls must be monitored, and any anomalies investigated. PCI states that logging mechanisms to track user activities are critical. Keeping logs in all environments permits thorough tracking and analysis if something does go wrong. In addition, system activity logs make it possible to determine the cause of a compromise.

The logs referred to are the audit trails that each IT device in the cardholder processing environment generates to record user, system and network activity. As previously stated, the other 11 Requirements of the PCI Standard mandate the deployment and implementation of many security-related IT controls. Each of these controls, whether an intrusion detection system, networking equipment, an operating system on a server, or even the payment card business application itself, generates logs. Requirement 10 describes in detail how to manage the logs and how to extract the information in them to keep systems safe.

While the necessary tracking and monitoring could conceivably be performed by individuals, this option poses a number of problems. The first is the cryptic nature of log records: each device has its own log format, organization, and content. Reviewers must be extremely familiar with a log format to understand its content, and even a senior technician has difficulty understanding more than one or two different log formats. The second problem with reviewing these logs manually is the sheer volume of data. Many sources, such as firewalls and servers, can generate millions of individual log entries. Clearly, i...
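The two problems above, divergent formats per device and volumes no reviewer can read, are what a log management tool solves by normalising every source onto one record layout and then querying the result. The Python below is an added example and is not code from the white paper or from SenSage: it parses two constructed log formats (a firewall line and a payment-application line, both invented here, as are the hosts, users and addresses) into a common record, reports lines it cannot parse instead of dropping them, and runs one review rule across both sources. The common field names and the failed-login threshold are assumptions, not anything PCI DSS or the paper prescribes.

```python
"""Normalise two different log formats onto one schema and review the result.

Added example, not from the white paper or SenSage. Both log formats and every
sample line are constructed for illustration; the field names of the common
record and FAIL_THRESHOLD are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed firewall format: syslog-style timestamp without a year.
FIREWALL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) fw: "
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
# Constructed payment-application format: ISO timestamp, key=value fields.
APP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) payapp\[\d+\]: "
    r"user=(?P<user>\S+) op=(?P<op>\w+) result=(?P<result>\w+) ip=(?P<ip>\S+)$"
)

# Constructed sample input: two sources interleaved, plus one unparseable line.
SAMPLE_LOGS = """\
Mar 03 10:15:01 fw01 fw: action=DROP src=203.0.113.7 dst=10.1.2.5 dport=443
2024-03-03T10:15:03 pay01 payapp[4121]: user=jdoe op=LOGIN result=FAIL ip=203.0.113.7
2024-03-03T10:15:09 pay01 payapp[4121]: user=jdoe op=LOGIN result=FAIL ip=203.0.113.7
2024-03-03T10:15:15 pay01 payapp[4121]: user=jdoe op=LOGIN result=FAIL ip=203.0.113.7
2024-03-03T10:16:00 pay01 payapp[4121]: user=asmith op=LOGIN result=OK ip=10.1.9.4
2024-03-03T10:16:20 pay01 payapp[4121]: user=asmith op=VIEW_CARD result=OK ip=10.1.9.4
Mar 03 10:16:30 fw01 fw: action=ACCEPT src=10.1.9.4 dst=10.1.2.5 dport=443
this line is garbage and should be reported, not silently dropped
"""

FAIL_THRESHOLD = 3  # assumption: review rule for repeated failed logins


def normalize(line, year=2024):
    """Map one raw line from either format onto the common record.

    Returns None for a line neither parser recognises, so the caller can
    count it: an unparsed line is a gap in the audit trail, not noise.
    """
    m = FIREWALL_RE.match(line)
    if m:
        # Syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"time": ts, "source": m["host"], "user": None,
                "event": f"net:{m['action']}", "origin": m["src"],
                "target": f"{m['dst']}:{m['dport']}",
                "success": m["action"] == "ACCEPT"}
    m = APP_RE.match(line)
    if m:
        return {"time": datetime.fromisoformat(m["ts"]), "source": m["host"],
                "user": m["user"], "event": f"app:{m['op']}",
                "origin": m["ip"], "target": m["host"],
                "success": m["result"] == "OK"}
    return None


def review(text):
    """Parse every line, then apply one rule across both sources.

    The rule: a user with FAIL_THRESHOLD or more failed logins is reported,
    together with the origin addresses involved and whether the firewall
    also dropped traffic from any of them (a correlation that needs both
    logs in one schema).
    """
    records, unparsed = [], []
    for line in text.splitlines():
        rec = normalize(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    failed_logins = Counter(r["user"] for r in records
                            if r["event"] == "app:LOGIN" and not r["success"])
    dropped_origins = {r["origin"] for r in records if r["event"] == "net:DROP"}
    findings = []
    for user, n in failed_logins.items():
        if n >= FAIL_THRESHOLD:
            origins = {r["origin"] for r in records
                       if r["user"] == user and not r["success"]}
            findings.append({"user": user, "failures": n,
                             "origins": sorted(origins),
                             "also_dropped_by_firewall": sorted(origins & dropped_origins)})
    return {"records": len(records), "unparsed": unparsed, "findings": findings}


if __name__ == "__main__":
    summary = review(SAMPLE_LOGS)
    print(f"{summary['records']} records parsed, {len(summary['unparsed'])} unparsed")
    for f in summary["findings"]:
        print("finding:", f)
```

Two design points carry over to any real deployment: unparsed lines are returned, not discarded, because a source whose format changed silently is exactly the kind of gap an auditor will ask about; and the review rule runs over the normalised records rather than over raw text, which is what lets a firewall event and an application event about the same origin be compared at all.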