PCI DSS Log Management & Monitoring
Analyzing logs and event data is required to pass PCI DSS Requirement 10: Track and Monitor All Access to Network Resources & Cardholder Data. AlienVault Unified Security Management (USM) combines log management and monitoring with all the essential security capabilities you need to demonstrate compliance, in a single, easy-to-use solution.
Are you trying to become PCI DSS compliant and staring at Requirement 10, wondering what to do?
You’re not the only one (by far), and you’re in the right place. This requirement presents some of the biggest challenges to organizations that are trying to become PCI compliant. According to Verizon, more than 90% of companies that have been breached fail to meet the requirements in this section. This guide will walk you through the easiest way to get compliant with requirement 10.
But first, why do I have to meet requirement 10?
It’s probably enough that you’re required to be compliant, but the reality is that monitoring events is simply a strong security practice whether or not you need to be PCI compliant. Determining the cause of a breach is extremely difficult, if not impossible, without logs of system events. So if you can get it done quickly and easily, it’s something you would want to do anyway.
That sounds simple enough. Where’s the ‘challenge’?
Requirement 10 essentially means that you need to be able to show who was logged into a system at any given time, what they did on the system, and how they accessed it. This is done through auditing and logging: your systems generate logs, and those logs are sent to a separate system where they can be analyzed and correlated with additional information, such as vulnerabilities, asset configuration and more.
If you have more than a couple of systems generating logs, the only practical method for analyzing the logs is using technology to automate the process. The challenge appears when you have to (a) pay for that technology and (b) deploy and manage it when you’re not an expert in it.
See How AlienVault™ Eases PCI Logging Requirements
AlienVault Unified Security Management™ (USM™) is the easiest, most cost-effective solution to help you comply with Requirement 10, as well as the other nine technology-related requirements. USM comes with out-of-the-box PCI dashboards and reports, and costs a fraction of competitive solutions. Keep reading to see a step-by-step guide on complying with Requirement 10.
Identify and Prioritize Event Log Data Sources
The first step in achieving the PCI logging requirements is to find and identify the critical systems you'll need to import event logs from. Which devices process, store, or in some way "touch" cardholder data? You'll also need to import logs from the network infrastructure devices that provide and control access to those systems.
If you're not sure which devices are within the scope of your PCI audit, an automated asset discovery scan is a good place to start. AlienVault USM includes built-in asset discovery and inventory scanning, which will identify all of the IP-enabled devices on your network, which services are listening, which network protocols are in use, and any known vulnerabilities associated with those services and protocols. For example, if there's a specific software application you use as part of your card transaction operations, AlienVault's asset inventory will enumerate the presence of that software. This characteristic can then be used to define a host group, so you can prioritize receiving log data from those devices via syslog or one of our many supported plug-ins.
Using Log Data for Investigations
One of the main use cases for log monitoring is to support incident response and investigations. And it's easy to understand why. Any access to cardholder data that results in a security breach will require in-depth follow-up and forensic analysis, in addition to remediation of the exposures that led to the breach. As a result, it's critical to ensure that the raw log data is not altered in any way, which is achieved through digital signatures and file integrity monitoring. In addition, it should be easy to search on any field to track down the root causes of potential threats and exposures.
AlienVault USM™ includes built-in FIM (file integrity monitoring), and digitally signs each raw log message for secure storage in the AlienVault Logger. Additionally, you can use the simple Search feature within our web-based console to drill down on any aspect of the raw log data. This not only significantly enhances your incident response program, but it makes it that much easier to have the information you need to answer any questions from your PCI DSS assessor.
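To make the tamper-evidence point concrete, here is an added example (not AlienVault's implementation) of one way to protect raw log records: each record is tagged with an HMAC-SHA256 over the previous tag plus the line, so any edit, deletion or reordering of stored records is detectable at verification time. The sample log lines, the key and the genesis value are constructed for the demonstration; a keyed hash chain stands in for the digital signatures the text describes.

```python
import hmac
import hashlib

# Constructed sample: raw syslog lines as received from in-scope hosts (not real data).
SAMPLE_LOGS = [
    "Jan 10 09:12:01 pos-01 sshd[4312]: Accepted publickey for admin from 10.0.5.7 port 51022",
    "Jan 10 09:12:44 pos-01 sudo: admin : COMMAND=/usr/bin/less /var/app/settlement.log",
    "Jan 10 09:13:02 fw-edge kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.5.7 DPT=3389",
]
# Demonstration key only; in practice the key lives on the log collector, never on the logged hosts.
SIGNING_KEY = b"demo-key-not-for-production"
GENESIS = b"\x00" * 32   # fixed starting value for the chain

def sign_log(lines, key=SIGNING_KEY):
    """Return (line, tag) pairs. Each tag is HMAC-SHA256 over the previous tag plus
    the raw line, so editing, deleting or reordering any record invalidates every
    later tag as well as the chain tail."""
    chain, signed = GENESIS, []
    for line in lines:
        tag = hmac.new(key, chain + line.encode(), hashlib.sha256).digest()
        signed.append((line, tag.hex()))
        chain = tag
    return signed

def verify_log(signed, key=SIGNING_KEY, expected_tail=None):
    """Return the index of the first record that fails verification, or -1 if the
    whole chain verifies. If expected_tail (the last tag recorded out of band, e.g.
    during the daily review) is given, a truncated chain is reported at len(signed)."""
    chain = GENESIS
    for i, (line, tag_hex) in enumerate(signed):
        chain = hmac.new(key, chain + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(chain, bytes.fromhex(tag_hex)):
            return i
    if expected_tail is not None and not hmac.compare_digest(chain.hex(), expected_tail):
        return len(signed)
    return -1

if __name__ == "__main__":
    signed = sign_log(SAMPLE_LOGS)
    tail = signed[-1][1]
    print("intact:", verify_log(signed, expected_tail=tail))          # -1
    print("truncated:", verify_log(signed[:-1], expected_tail=tail))  # 2
```

Note that dropping records from the end of the chain is only caught when the last tag is recorded somewhere the attacker cannot reach, which is why the tail value belongs in the daily review record rather than next to the logs.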
Correlate Log Data with Threat Intelligence
Another key aspect of requirement 10 is to do daily log reviews. In fact, the standard specifies this for servers that perform security functions, such as IDS, firewall, and authentication services. In addition to being extremely tedious, a manual daily log review of your critical systems would leave you no time to do any actual work. Plus, without any context, you wouldn't know which events are significant or how events are related to each other. This is where automated event correlation delivers tremendous value.
In addition to providing the essential security functions like IDS, netflow analysis, and vulnerability assessment, AlienVault USM delivers over 2,000 event correlation rules so that you know which raw events matter, both on their own and within a global context. What's more, AlienVault Labs is tracking millions of malicious URLs, attacker techniques, tools, and profiles and delivering that intelligence directly into your USM platform. Essentially, we're transforming the tedious task of log review into an automated process that produces actionable intelligence. Your life will be easier, and your assessor will be impressed.
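As an added illustration of what "context" means in an automated review (example code, not AlienVault's correlation engine or rule set), the block below runs two simple rules over constructed syslog-style events from several in-scope hosts: a burst of failed logins from one source IP followed by a successful login from that IP across any host, and any event whose source IP appears on a threat-intelligence list. The event lines, the IP list, the thresholds and the rule names are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (syslog-style) from in-scope hosts; not real data.
SAMPLE_EVENTS = [
    "2024-01-10T09:10:01 pos-01 sshd[4312]: Failed password for admin from 198.51.100.23 port 40122",
    "2024-01-10T09:10:04 pos-01 sshd[4312]: Failed password for admin from 198.51.100.23 port 40123",
    "2024-01-10T09:10:09 db-01 sshd[2210]: Failed password for admin from 198.51.100.23 port 40125",
    "2024-01-10T09:10:15 db-01 sshd[2210]: Accepted password for admin from 198.51.100.23 port 40130",
    "2024-01-10T09:30:00 pos-01 sshd[4312]: Failed password for backup from 10.0.5.9 port 5120",
    "2024-01-10T09:45:00 fw-edge kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.0.5.7 DPT=443",
]
# Constructed stand-in for a threat-intelligence feed of known-malicious sources.
KNOWN_BAD_IPS = {"203.0.113.9"}

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) (\S+) kernel: (?:ACCEPT|DROP) .*SRC=(\S+) ")

def correlate(events, fail_threshold=3, window_s=300, bad_ips=KNOWN_BAD_IPS):
    """Return a list of alert dicts. Rule 1: at least fail_threshold failed logins from
    one source IP (counted across all hosts) within window_s seconds, followed by a
    successful login from that IP. Rule 2: any event whose source IP is on the
    threat-intel list. A lone failed login (pos-01 at 09:30) raises nothing."""
    alerts = []
    failures = defaultdict(list)          # src_ip -> timestamps of failed logins
    for line in events:
        auth, fw = AUTH_RE.match(line), FW_RE.match(line)
        if auth:
            ts = datetime.fromisoformat(auth.group(1))
            host, outcome, user, src = auth.group(2), auth.group(3), auth.group(4), auth.group(5)
            if outcome == "Failed":
                failures[src].append(ts)
            else:
                recent = [t for t in failures[src] if 0 <= (ts - t).total_seconds() <= window_s]
                if len(recent) >= fail_threshold:
                    alerts.append({"rule": "brute_force_then_success", "src": src,
                                   "host": host, "user": user, "failures": len(recent)})
        elif fw:
            host, src = fw.group(2), fw.group(3)
        else:
            continue                      # unparsed line: not an event these rules use
        if src in bad_ips:
            alerts.append({"rule": "known_bad_source", "src": src, "host": host})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```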