Daily log monitoring is one of the most exasperating challenges facing enterprise information security pros, and ineffective log watching remains a consistent reason why large-scale payment card breaches succeed.
Organizations that must comply with the Payment Card Industry Data Security Standard are acutely aware of the challenges surrounding log monitoring efforts, which is why easing those burdens will be the mission of one of two new PCI Special Interest Groups (SIGs).
The PCI Security Standards Council late last week announced the results of its election to choose two SIG projects that will be undertaken in 2015. The two topics, covering daily log monitoring and determining shared responsibilities between customers and third-party service providers, were chosen by PCI participating organizations and will be researched by working groups starting early next year.
PCI Special Interest Groups are community-driven initiatives that endeavor to provide advice and best practices to either support PCI standards compliance or ease pain points related to compliance. The SSC's 2013 SIGs, which were delayed due to the publication of PCI DSS 3.0, focused on third-party security assurance and maintaining PCI compliance; the findings of the 2014 SIG covering security awareness were released last month, while the final report from the 2014 SIG on penetration testing has been delayed until early 2015.
"Special Interest Groups continue to be an excellent vehicle for leveraging their expertise in the work we're doing to increase payment card security globally," said Ella Nevill, vice president of stakeholder engagement with the PCI SSC, in a statement.
Daily log monitoring: Key to spotting breaches
The daily log monitoring SIG was proposed by John Harmon, director of PCI and EI3PA compliance services for Sword & Shield Enterprise Security Inc., a consulting firm based in Knoxville, Tenn.
Harmon said many organizations attempt to review their logs on a daily basis, but few know how to identify indicators of compromise.
For example, Harmon said a number of merchants have struggled to contend with recurring issues related to the recent Heartbleed OpenSSL vulnerability. While attempts to exploit Heartbleed do show up in system logs, many organizations aren't aware of what to look for. He added that this same scenario plays out time and again in major retail breaches.
"All the companies I've seen, as well as looking at the reports from the companies that have suffered breaches, they're all doing some kind of log monitoring, yet they still miss the breach," Harmon said. "So that tells me that they're following the requirements, but maybe we need to fine-tune that a little bit."
Adding to the complexity is the sheer volume of logs most large enterprises accrue on a minute-to-minute basis. Harmon said some of his largest customers accumulate 50,000 new log events per second.
"That's hard to sift through," Harmon said, "if you don't have very specific targets that you're looking for."
Daily log monitoring: Is it overkill?
Interestingly, while the new daily log monitoring SIG would seem to indicate participating organizations' need for additional help and guidance on dealing with logs, the PCI DSS itself recently loosened the reins on organizations when it comes to log reviews.
In contrast to the previous version of the standard, PCI DSS 3.0 added new language to Requirement 10 clarifying that daily log reviews are only necessary for logs that play an important role in spotting suspicious activity, while less-critical logs -- as determined by the organization's risk management policy -- could be reviewed on a more flexible basis.
Renowned log management expert Anton Chuvakin, a research vice president with Gartner Inc.'s Gartner for Technology Professionals group, based in Stamford, Conn., has long been an advocate of a more flexible PCI DSS log review policy and was pleased with the changes made in PCI DSS 3.0.
"I simply hate such 'insta-fail' policies that are known to be violated at the moment the ink is dry on the policy document," Chuvakin said via email. "Reviewing key logs daily and reviewing others as needed makes much more sense and is more realistic."
Harmon was quick to clarify that the goal of the new daily log review SIG isn't to renew the focus on analyzing all logs daily, but to find ways to more quickly and easily identify indicators of compromise in log data, and then to share those findings with other organizations.
"I think there needs to be better filtering and usage of filtering tools," Harmon said, "and that's where I hope we can get some useful guidance from the companies that build log management tools in terms of how to better use the tools."
Troy Leach, chief technology officer of the PCI SSC, said the daily log monitoring SIG represents a great opportunity to provide practical advice about what organizations should be looking for and how they can adequately monitor their logs.
"While the group is still in the beginning stages of determining the scope of the guidance," Leach said, "I'd expect part of the conversation to include managing massive volumes of data and the manual response necessary to react to notifications."
One possible outcome of the SIG, Harmon said, may be a set of rules that can be used to create a log data equivalent to an antivirus signature. For example, when an organization reviews a firewall or IDS/IPS log and identifies a confirmed indicator of compromise, there is no standardized way for that organization to share that log data with others so they can automate the process of scanning their logs for the same indicator.
"If that sort of [log] data can be put out in a certain form where people can key that into their log filters," Harmon said, "then that could stop attacks from happening elsewhere much more quickly."
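The shareable rule set Harmon describes, as an added example that is not code from the article, from Sword & Shield or from the PCI SSC: a small Python scanner that loads indicator rules from a hypothetical JSON form (the rule ids, the `ip`/`cidr`/`regex` rule types and the firewall and IDS log lines are all constructed for the demo) and runs every rule over every line, so an indicator confirmed by one organization can be keyed straight into another's log filter.

```python
"""Scan log lines against a shareable list of indicator-of-compromise rules.

Added example, not code from the article or from the PCI SSC. The JSON rule
format below is hypothetical; the log lines are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
import json
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed indicator rules in a hypothetical shareable JSON form.
INDICATOR_RULES_JSON = """[
  {"id": "IOC-001", "type": "ip", "value": "203.0.113.45",
   "note": "constructed: source address from a confirmed compromise"},
  {"id": "IOC-002", "type": "cidr", "value": "198.51.100.0/24",
   "note": "constructed: range contacted by compromised hosts"},
  {"id": "IOC-003", "type": "regex", "value": "ALERT CONSTRUCTED-10[0-9]{2}",
   "note": "constructed: IDS signature family to escalate"}
]"""

# Constructed firewall and IDS lines; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Nov 10 03:12:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=10.0.5.20 PROTO=TCP DPT=443
Nov 10 03:12:05 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.17 DST=10.0.5.20 PROTO=TCP DPT=443
Nov 10 03:13:40 ids1 snort: ALERT CONSTRUCTED-1001 suspicious TLS handshake 192.0.2.17 -> 10.0.5.20
Nov 10 03:14:02 fw1 kernel: ACCEPT IN=eth1 SRC=10.0.5.20 DST=198.51.100.77 PROTO=TCP DPT=8443
Nov 10 03:15:00 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.99 DST=10.0.5.21 PROTO=TCP DPT=80
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Match:
    rule_id: str
    line_no: int
    line: str


def _ips_in(line: str) -> list:
    """Return every syntactically valid IPv4 address that appears in the line."""
    found = []
    for token in IPV4_RE.findall(line):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:  # e.g. 999.1.2.3 matches the regex but is not an address
            pass
    return found


def compile_rule(rule: dict) -> Callable[[str], bool]:
    """Turn one rule dict into a predicate over a single log line."""
    kind, value = rule["type"], rule["value"]
    if kind == "ip":
        target = ipaddress.ip_address(value)
        return lambda line: target in _ips_in(line)
    if kind == "cidr":
        network = ipaddress.ip_network(value, strict=False)
        return lambda line: any(ip in network for ip in _ips_in(line))
    if kind == "regex":
        pattern = re.compile(value)
        return lambda line: pattern.search(line) is not None
    raise ValueError(f"unknown rule type: {kind!r}")


def load_rules(text: str) -> list:
    """Parse the shared rule file (hypothetical JSON format)."""
    return json.loads(text)


def scan(lines: Iterable[str], rules: list) -> list:
    """Run every rule over every line; return the hits in line order."""
    compiled = [(rule["id"], compile_rule(rule)) for rule in rules]
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for rule_id, matches in compiled:
            if matches(line):
                hits.append(Match(rule_id, line_no, line))
    return hits


def hits_by_rule(hits: list) -> dict:
    """Summarise hit counts per rule id, e.g. for a daily review report."""
    counts: dict = {}
    for hit in hits:
        counts[hit.rule_id] = counts.get(hit.rule_id, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines(), load_rules(INDICATOR_RULES_JSON)):
        print(f"{hit.rule_id} line {hit.line_no}: {hit.line}")
```

Run as a script, the scanner flags three of the five constructed lines: the dropped connection from the listed address, the IDS alert in the constructed signature family, and the outbound connection into the listed range; the two ordinary ACCEPT lines produce nothing. The point is the shape of the rule file rather than the matcher itself: once indicators are expressed as typed values rather than free text, the same file can be loaded by any log management tool rather than re-typed by each recipient.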
Harmon hopes that log management vendors will be among those who step forward to participate in the daily log monitoring SIG. PCI participating organizations and QSAs interested in participating in either of the 2015 SIGs can apply via the SIG page on the SSC's website beginning in early December.
Shared responsibilities SIG to secure 'pyramid of services'
According to the SSC, the SIG on shared responsibilities, which was proposed by Paul Brennecker, principal QSA with UK-based Security Risk Management Ltd., will seek to provide guidance on how to determine the security and compliance-related obligations of a merchant and its third-party service providers. "As part of our PCI assessment work, we see many cases where various aspects of the cardholder data environment have been outsourced to a PCI-certified third party, and managing and keeping control of these environments can be difficult," Brennecker said via email. "Through this new SIG, we hope to be able to establish a framework to be used to ensure that no PCI requirements 'fall down the cracks' and introduce security weaknesses by not fully understanding what services are provided by each third party."
Though it's unclear exactly how the SIG may ultimately complement or overlap with the efforts of the 2013 third-party assurance SIG, its selection by the participating organizations is a sign that collaboration with business partners and service providers on PCI DSS remains a stumbling block for merchants.
Brennecker said the 2013 third-party assurance SIG will serve as a foundation for the 2015 shared responsibilities SIG.
"We are aiming to be able to provide some further guidance on how to ensure that shared responsibilities between assessed entities are properly identified, documented and managed throughout the life of each contract," Brennecker said. "This is particularly important as merchant customers tend to outsource more payment-related functions to PCI certified third parties in order to make their own compliance programs easier to manage.
"We have seen through analysis of data compromises that incorrectly scoped services and provision of services -- that may not be meeting the requirements that the merchant thought they were meeting -- is an area where there is a significant exposure to risk," Brennecker added. "This SIG aims to reduce that exposure and ensure that the 'pyramid of services' overlaps where necessary and doesn't leave gaps for any PCI requirements to fall down."
Learn more about the new requirements in PCI DSS 3.0 covering penetration testing and service providers.
Expert Ed Moyle analyzes the five most important changes in PCI DSS 3.0.