The requirements of the Payment Card Industry Data Security Standard (PCI DSS) can be complex. However, taking a deeper look into some of its parts, particularly event log management, can help clarify some terms.
Many companies believe that logging is specified in PCI DSS so that they can discover threats to their networks. While this may be an ancillary benefit, logging was put into PCI for the benefit of the card brands. In the early years of credit card security, card brands put significant effort into determining the attack vectors of credit card breaches. Unfortunately, when they sent teams into retailers to find the root cause of breaches, they discovered only meager evidence to use in tracing attacks. Therefore, the brands introduced logging requirements into their individual cardholder protection efforts so they could find out what happened when a breach occurred. Eventually these requirements found their way into the PCI DSS. Understanding this as the intent of the logging requirements can help companies understand how to implement event log management to best meet PCI DSS compliance requirements.
What must be logged to meet PCI DSS compliance requirements?
Just a few years ago, it was unusual to see an environment where logs were checked on a regular basis. Logs were stored on syslog servers until an event occurred that required attention, such as an attack or a network issue, but there were so many events that information overload made log reviews unproductive. In order to reduce the logging burden, PCI focused on who did what and when they did it.
Therefore, the primary component of PCI logging involves logging user activity in a cardholder environment, and making an audit trail of that activity available. Mandating user activity logging and audit log reviews allowed the PCI Security Standards Council (SSC) to provide critical information to forensic investigators and create a sense of situational awareness within the PCI community.
Additionally, PCI mandates that the data be available for auditing and forensic purposes, which requires that one year of data be accessible to auditors or investigators. Be sure to regularly test and review offline log data to ensure the data is available on demand for auditors or investigators.
Effective log management for PCI DSS
To create an effective event log management system to support a PCI DSS compliance initiative, identify the systems that must forward logs. This requires creating a list of assets and then mapping those assets to your PCI scope. Eliminate all assets that are out of scope, and then review the remaining assets to determine if they should have logging enabled.
A minimum baseline of PCI logging compliance must be a priority, but many organizations acquire a full security information management (SIM) product to provide parsing and reporting on other important security information. Others will choose to outsource PCI log management -- an excellent option for companies with limited IT or security staff.
Once the company determines how it will implement log management for PCI, configure the devices that are being logged to send logs to the central log server.
Remediating log compliance issues
Since the PCI DSS log management requirements were designed with the forensic investigator in mind, try to think like one: If you were sent to your company to investigate a credit card breach, what would you want to see in the logs? This will shift the company's paradigm from logging threat events to logging user access events, which is paramount in PCI.
Look at logging as a process and design a workflow around that process. Too often logging is done ad hoc, with engineers enabling the log functionality without consideration as to how this information can be used to have a positive effect on the business.
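The "who did what and when" audit trail described above, as an added example that is not part of the original article: a small Python parser that turns syslog-style lines from a hypothetical cardholder environment (the hostnames, usernames and messages are constructed for illustration) into per-user activity records that a daily log review or a forensic investigator could start from.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog-style lines from a hypothetical cardholder environment
# (not taken from the article or from any real system).
SAMPLE_LOGS = """\
2009-09-01T08:02:11 pos-db01 sshd: Accepted publickey for dba_jones from 10.0.5.12
2009-09-01T08:05:40 pos-db01 sudo: dba_jones : COMMAND=/usr/bin/mysql cardholder_db
2009-09-01T09:17:03 pos-app02 sshd: Failed password for admin from 10.0.9.77
2009-09-01T09:17:09 pos-app02 sshd: Failed password for admin from 10.0.9.77
2009-09-01T22:41:55 pos-db01 sshd: Accepted password for contractor_lee from 10.0.5.40
2009-09-01T22:43:10 pos-db01 sudo: contractor_lee : COMMAND=/bin/cat /var/lib/pan_export.csv
"""

# Each pattern maps a raw message to the fields an investigator needs: who and what.
PATTERNS = [
    ("login", re.compile(r"sshd: Accepted \w+ for (?P<user>\S+) from (?P<detail>\S+)")),
    ("failed_login", re.compile(r"sshd: Failed password for (?P<user>\S+) from (?P<detail>\S+)")),
    ("privileged_command", re.compile(r"sudo: (?P<user>\S+) : COMMAND=(?P<detail>.+)")),
]

def parse_events(text):
    """Turn raw lines into user-activity records: when, where, who, what."""
    events = []
    for line in text.splitlines():
        ts, host, msg = line.split(" ", 2)
        for action, pat in PATTERNS:
            m = pat.search(msg)
            if m:
                events.append({"ts": datetime.fromisoformat(ts), "host": host,
                               "user": m.group("user"), "action": action,
                               "detail": m.group("detail")})
                break
    return events

def daily_review(events):
    """Per-user audit trail in time order, the artifact a daily PCI log review is built on."""
    trail = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        trail[e["user"]].append((e["ts"].isoformat(), e["host"], e["action"], e["detail"]))
    return dict(trail)

def action_counts(events):
    """How many logins, failed logins and privileged commands each user generated."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["action"]] += 1
    return {u: dict(c) for u, c in counts.items()}

if __name__ == "__main__":
    for user, rows in daily_review(parse_events(SAMPLE_LOGS)).items():
        print(user)
        for row in rows:
            print("   ", *row)
```

Lines that match no pattern are ignored here; in a real deployment every unmatched message type should be reviewed and either mapped or consciously excluded.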
Maintaining log compliance with PCI DSS
Many organizations underestimate the vast amount of storage capacity necessary to meet PCI. Estimate the volume of log data generated per logged device per day, and then get more storage than anticipated. Logs are always bigger than you think they will be.
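The one-year retention requirement described earlier and the storage estimate above, as an added example that is not from the article: a Python sketch that sizes storage for a 365-day window with headroom and checks an archive inventory for missing days inside that window. The per-device volumes, hostnames and archive inventory are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed per-device estimates of raw log volume in bytes per day; in practice
# each figure comes from measuring an in-scope device for a few days.
DAILY_LOG_BYTES = {
    "pos-db01": 180 * 1024 * 1024,
    "pos-app02": 95 * 1024 * 1024,
    "fw-edge01": 600 * 1024 * 1024,
}

RETENTION_DAYS = 365   # one year of audit trail must stay accessible to auditors
HEADROOM = 2.0         # provisioning multiplier: logs are bigger than you think

# Constructed archive inventory: one file per day for the past year, with one day missing.
TODAY = date(2009, 9, 15)
SAMPLE_ARCHIVE = {TODAY - timedelta(days=n) for n in range(1, 366)} - {TODAY - timedelta(days=100)}

def storage_estimate(daily_bytes, retention_days=RETENTION_DAYS, headroom=HEADROOM):
    """Bytes to provision for the full retention window, headroom included."""
    per_day = sum(daily_bytes.values())
    return int(per_day * retention_days * headroom)

def missing_archive_days(archived_days, today, retention_days=RETENTION_DAYS):
    """Dates inside the retention window (yesterday back one year) with no archive."""
    have = set(archived_days)
    window = [today - timedelta(days=n) for n in range(1, retention_days + 1)]
    return sorted(d for d in window if d not in have)

def retention_report(archived_days, today, retention_days=RETENTION_DAYS):
    """Summary a log owner can hand to an auditor: coverage and any gaps."""
    gaps = missing_archive_days(archived_days, today, retention_days)
    return {"covered_days": retention_days - len(gaps), "gap_days": len(gaps),
            "complete": not gaps, "first_gap": gaps[0].isoformat() if gaps else None}

if __name__ == "__main__":
    gib = storage_estimate(DAILY_LOG_BYTES) / 1024 ** 3
    print(f"provision about {gib:.0f} GiB for {RETENTION_DAYS} days of logs")
    print(retention_report(SAMPLE_ARCHIVE, TODAY))
```

Run the coverage check on a schedule against the real archive listing so that a gap is found by you, not by the auditor or investigator who asks for that day.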
The cost of storage can be an important factor when considering an outsourcing or Software as a Service (SaaS) model for log management, since service providers and data centers are designed to add capacity seamlessly. Also, the three most important elements of the log management process -- reviewing logs on a daily basis, archiving them for the right amount of time, and pulling the reports for your Qualified Security Assessor (QSA) as needed -- all lend themselves to outsourcing.
Over time, it will become tempting to ignore the logs; other priorities will leap past log reviews. You can, however, guarantee a more effective logging operation if you put a reporting structure in place that not only requires logs be viewed regularly, but also generates and delivers daily reports to key executives.
About the author:
John Kindervag, CISSP, CEH, former QSA, CPISM and CCNA, is a senior analyst with Cambridge, Mass.-based research firm Forrester Research. A 25-year veteran of the tech industry, his focus areas include network and wireless security, security information management and PCI DSS data security. John will be speaking at Forrester's Security Forum, Sept. 10-11, in San Diego, Calif.
This was first published in September 2009