Ever since the release of the PCI DSS version 3.0 change highlights by the PCI Security Standards Council (PCI SSC), stakeholders in the payment card industry and security analysts have been busy interpreting the proposed regulations. While many of the sections explained in the change highlights document still require clarification, one thing was crystal clear – v3.0 expects stakeholders to focus their log-review efforts on ‘identifying suspicious activity’ and not merely on collecting logs religiously and performing a generic review.
Even in PCI 2.0, Requirement 10 is all about activity logs – collection, transmission, storage and daily review of logs from the devices and systems handling cardholder data. In general, log collection and analysis seeks to achieve two objectives:
- Vulnerability assessment – the ‘proactive’ part that helps identify suspicious activities and ultimately prevent breaches
- Forensic audits – the ‘reactive’ part that helps track ‘who’ did ‘what’ and ‘when’; find the root cause; understand the extent and impact of the attack and initiate corrective action
Of the two, the focus had largely been on forensics – when something goes wrong, logs help trace the actions leading up to the problem. In PCI DSS 2.0, the focus was on collecting logs from all systems and applications connected with PCI, including the servers that perform security functions such as intrusion detection systems (IDS) and authentication, authorization, and accounting (AAA) servers (for example, RADIUS), and on carrying out daily reviews of those logs.
Each device connected to payment processing can generate a few thousand log entries a day. With so much log data, the focus of daily reviews often got diluted, as PCI DSS managers had to analyze both critical and not-so-critical events.
In sharp contrast, in PCI DSS 3.0 the focus of daily log reviews is shifting towards reviewing only ‘security-relevant’ logs, with a view to identifying suspicious activities and preventing breaches.
Requirement 10 in PCI DSS 3.0 change highlights states:
“To help entities focus log-review efforts on identifying suspicious activity and allow flexibility for review of less-critical log events, as defined by the entity’s risk management strategy.”
Clearly, the focus now is on the prevention aspect. PCI SSC expects organizations to build their security-relevant log review strategy into their business-as-usual activities, so that they have the proper measures and mechanisms in place to identify, react to and mitigate risks and problem areas.
What should organizations do differently to comply with 3.0?
Organizations should continue to collect logs from all systems and applications that could impact the security of card payment data. Security-relevant logs should be analyzed on a daily basis, while the not-so-critical logs can be reviewed periodically.
With PCI SSC’s focus now shifting from ritualistic daily review of logs to identifying suspicious activity, PCI managers have a new challenge to tackle.
Perhaps the biggest challenge lies in identifying and segregating the security-relevant logs from the rest. In addition, individual log entries on their own cannot provide enough information to pinpoint suspicious activity. Logs collected from various systems and applications need to be correlated to identify malicious activity.
Security breaches normally do not occur on a single day. Hackers meticulously carry out a targeted plan to find holes in perimeter security devices, web servers, applications and storage devices. Linking the logs/events collected from these devices over a specific time period enables security administrators to identify the attack waiting to happen and thereby protect cardholder data.
Threats to information security do not always stem from outside the organization; they can germinate right inside. A malicious insider could cause more damage than an outside hacker, so the activities of privileged users should also be closely monitored.
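The three points above (separating security-relevant entries from routine ones, correlating events across devices over a time window, and watching privileged-user activity) are shown together in the following added example. It is illustrative code written for this post, not part of any ManageEngine product; the log lines, host names, user names and the 203.0.113.9 address are constructed samples, and the thresholds (three failures in ten minutes, privileged commands within thirty minutes of a suspicious login, business hours 07:00 to 19:00) are assumptions a real deployment would tune to its own risk management strategy.

```python
"""Triage and cross-source correlation of constructed sample logs.

Added example for this post (not product code). Each line is
'<ISO timestamp> <host> <message>', a simplified syslog shape.
"""
import re
from datetime import datetime, timedelta

# Constructed sample data: a firewall, a web server and a database host.
SAMPLE_LOGS = """\
2013-10-21T02:14:01 fw01 DENY src=203.0.113.9 dst=10.0.1.5 dport=22
2013-10-21T02:14:05 web01 sshd: Failed password for admin from 203.0.113.9
2013-10-21T02:14:09 web01 sshd: Failed password for admin from 203.0.113.9
2013-10-21T02:14:13 web01 sshd: Failed password for admin from 203.0.113.9
2013-10-21T02:14:20 web01 CRON: (root) CMD (run-parts /etc/cron.hourly)
2013-10-21T02:15:02 web01 sshd: Accepted password for admin from 203.0.113.9
2013-10-21T02:16:40 db01 sudo: admin : COMMAND=/bin/cat /var/lib/card/export.csv
2013-10-21T09:00:00 web01 nginx: GET /index.html 200
2013-10-21T09:05:00 db01 sudo: dba : COMMAND=/usr/bin/systemctl restart postgresql
"""

# Patterns that make an entry security-relevant; anything unmatched is routine.
# Tags are hypothetical names chosen for this example.
RELEVANCE_RULES = [
    ("fw_deny", re.compile(r"DENY src=(?P<ip>[\d.]+)")),
    ("auth_failure", re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("auth_success", re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("privileged_cmd", re.compile(r"sudo: (?P<user>\S+) : COMMAND=(?P<cmd>.+)")),
]


def parse(line):
    """Turn one raw line into an event dict; 'tag' is None for routine entries."""
    ts, host, msg = line.split(" ", 2)
    event = {"ts": datetime.fromisoformat(ts), "host": host, "msg": msg, "tag": None}
    for tag, pattern in RELEVANCE_RULES:
        match = pattern.search(msg)
        if match:
            event["tag"] = tag
            event.update(match.groupdict())  # ip / user / cmd fields
            break
    return event


def triage(text):
    """Split raw logs into security-relevant events (daily review) and the rest (periodic review)."""
    events = [parse(line) for line in text.splitlines() if line.strip()]
    relevant = [e for e in events if e["tag"]]
    routine = [e for e in events if not e["tag"]]
    return relevant, routine


def correlate(events, failures=3, window=timedelta(minutes=10),
              follow=timedelta(minutes=30), business_hours=(7, 19)):
    """Link events across hosts over time; returns a list of alert dicts.

    Rule 1: a successful login preceded by >= `failures` failed logins from the
            same source IP within `window` (password guessing that worked).
    Rule 2: a privileged command by that same account within `follow` of the
            suspicious login, on any host.
    Rule 3: any privileged command outside `business_hours` (insider watch).
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    suspicious_login = {}  # user -> time of the flagged successful login
    for i, e in enumerate(events):
        if e["tag"] == "auth_success":
            recent = [f for f in events[:i]
                      if f["tag"] == "auth_failure" and f["ip"] == e["ip"]
                      and e["ts"] - f["ts"] <= window]
            if len(recent) >= failures:
                alerts.append({"rule": "brute_force_then_success", "ip": e["ip"],
                               "user": e["user"], "host": e["host"], "at": e["ts"]})
                suspicious_login[e["user"]] = e["ts"]
        elif e["tag"] == "privileged_cmd":
            since = suspicious_login.get(e["user"])
            if since is not None and e["ts"] - since <= follow:
                alerts.append({"rule": "privileged_cmd_after_suspicious_login",
                               "user": e["user"], "host": e["host"], "at": e["ts"]})
            if not business_hours[0] <= e["ts"].hour < business_hours[1]:
                alerts.append({"rule": "off_hours_privileged_cmd",
                               "user": e["user"], "host": e["host"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    relevant, routine = triage(SAMPLE_LOGS)
    print(f"{len(relevant)} security-relevant entries for daily review, "
          f"{len(routine)} routine entries for periodic review")
    for alert in correlate(relevant):
        print(alert["at"].isoformat(), alert["rule"], alert["user"], alert["host"])
```

Run on the sample data, the script keeps seven of the nine lines for daily review and raises three alerts: the successful login from 203.0.113.9 after three failures on web01, the follow-on privileged read of the card export on db01 by the same account, and that same command as off-hours privileged activity. The 09:05 database restart by `dba` is privileged but falls inside business hours and follows no suspicious login, so it stays in the daily review queue without an alert. Note that none of the three alerts could be produced from a single host's log; the correlation is what ties the web server login to the database access.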
PCI managers therefore need a robust log management and SIEM solution, such as ManageEngine EventLog Analyzer, that can collect logs and store them in a centralized repository, analyze and correlate them, provide PCI compliance reports out of the box, identify suspicious activities and raise real-time alerts on anomalous behavior.
Well, the countdown has now begun for the publication of PCI-DSS 3.0 on November 7, 2013 and all the stakeholders are eagerly waiting for the official announcement of the new set of regulations. In the next post, we’ll analyze PCI DSS 3.0 and discuss the preparatory measures to be taken towards compliance. Stay tuned!