Feature. Log Management: A Pragmatic Approach to PCI DSS

Transcription

1 Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who has experience in managing, designing and implementing critical IT infrastructure for enterprises. Tarun Verma is a senior associate consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Verma has several years of diversified experience in information security, information systems audits, compliance and regulations, IT service management, and risk management. Do you have something to say about this article? Visit the Journal pages of the ISACA web site ( org/journal), find the article, and choose the Comments tab to share your thoughts. Go directly to the article: Log Management: A Pragmatic Approach to PCI DSS Credit card fraud and its associated risks have risen sharply with the influx of online portals and financial transactions in the last few years, and the pace of the proportional incidents tied to the usage continues to grow exponentially. The cost of financial fraud associated with these transactions reaches into the millions, and the resulting identity theft victimizes millions of people annually. To decide how to safeguard customer account data when processing credit card information, a group of major credit card companies gathered and issued the Payment Card Industry Data Security Standard (PCI DSS). 1 PCI DSS is comprised of 12 separate requirements organized into six different control objectives. Basically, these objectives are to: 2 1. Build and maintain a secure network 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 5. Regularly monitor and test networks 6. Maintain an information security policy In essence, PCI DSS requirements demand that a number of security controls be implemented and governed. However, simply deploying controls is not sufficient to reach compliance with PCI DSS. These controls must be proactively monitored on a regular basis to ensure their ongoing effectiveness and to identify any potential threats and vulnerabilities to the IT infrastructure where the account information of credit card data is being processed. Tracking, and reviewing these security countermeasures is so important to the objective of securing the infrastructure landscape that one of the 12 requirements of PCI DSS addresses it directly. 3 This article provides information on how log management can play a pivotal role in addressing PCI DSS requirements, be a success factor and enabler for safeguarding cardholder transaction data, and provide a secure and vulnerability-free environment for cardholders. Log Management s Role in Meeting Compliance Requirements Today all credit card merchants, service providers and retailers that process, store and transmit credit-card-holder data are mandated to comply with PCI DSS requirements and log management can help organizations meet those requirements. A log management solution (LMS) automates the existing manual log review by collecting log data from enterprise systems regardless of the data s source, presenting the logs in a uniform and consistent manner and managing the state, location and efficient access to those logs. Compliance is a key driver: Many standards explicitly state that logging must be implemented and logs must be analyzed and stored for specific periods under specific conditions. Relevant compliance standards include PCI DSS, the US Health Insurance Portability and Accountability Act of 1996 (HIPAA), the US Sarbanes-Oxley Act of 2002, and the US Gramm- Leach-Bliley Act of 1999 (GLBA). Not complying with these requirements might result in fines, legal exposure and damage to the brand image of the entity. The benefits to organizations include improved operational efficiencies, reduced IT administration, reduced IT labor costs and greater IT productivity. Figure 1 highlights the necessity of logs for meeting the key requirements in compliance standards such as PCI DSS, HIPAA, Sarbanes- Oxley and GLBA. Life Cycle of Log Management Solution play a key role in discovering potential threats, exposing vulnerabilities, determining whether a data breach has occurred, and, in case there is a breach, determining how to mitigate and remediate it. Log management has taken center stage due to the changing threat in infrastructure landscape and stringent regulatory requirements., which by nature allow for tracking IT infrastructure activity, are the best 1

2 Figure 1 Compliance Requirements Set the Stage for Log Management PCI DSS Automation of audit trails Unauthorized modification log data Loss of credit card privileges HIPAA Regular audits log data for up to seven years Imprisonment to 10 years SARBANES-OXLEY System and user activity Identification and investigation of security breaches log data for up to five years Login and logoff GLBA Activity and system condition Incident activity and response reporting way to assess if, how, when and where a data breach has occurred. Management of these logs is the best way to assess what data have been accessed or stolen and who needs to be notified. In the new regulations, such as those from the US Federal Financial Institutions Examinations Council (FFIEC), logs are considered essential evidence for compliance and conformation to policy. 4 Today s regulated environment, combined with a new set of emerging attacks, makes log management an important component of the enterprise security of an organization. The inclusion of log management activities in major regulations such as Sarbanes-Oxley, HIPAA and PCI DSS highlights the significance these activities play in enterprise security and how they cater to risk management needs. There is a paradigm shift in the area of regulations and standards mandating the protection of information. A number of regulations explicitly call for the collection, storage, maintenance and review of logs, turning it into a must-do activity. PCI DSS mandates logging specific details and log review procedures to prevent credit card fraud and other related problems in companies that store, process or transmit credit card data. Even though logging is present in all PCI requirements, PCI DSS also contains Requirement 10, which is dedicated to logging and log management. Under this requirement, logs for all system components must be reviewed at least daily, and these log reviews must include servers that perform security functions such as intrusion detection systems, authentication, authorization and accounting protocol servers. 5 Since most organizations are subject to multiple regulations or audits of their information systems, logs must be collected in detail to enable an assessment and audit by the reviewer. Lack of log management competency is one of the major reasons for security breaches and data compromises. 6 To meet corporate governance and regulation needs, log retention policies must be in place to ensure that data are retrieved after a definite period of time as desired by various compliance standards. Moreover, log data, when retained for a long period of time, bring tremendous value in terms of saving noncompliance costs, such as fines and increasing audit efficiency. An LMS can apply intelligence to the logs it collects with correlation rules. When a series of events hits a threshold or violates an IT policy, the log solution provides alerts and automated notifications as a proactive response to serious activities before they emerge as a security risk. Figure 2 illustrates the steps involved in the life cycle of an LMS. 2

3 Figure 2 Log Management Life Cycle Proactive Response and Remediation Enterprisewide Collection Long-term Event Investigation Real-time Event Correlation Logging has emerged as one of the essential components for protecting information and establishing a security program. Logging can no longer be ignored if the organization wants to meet regulatory requirements and legal obligations to protect information. Log retention technique requirements are now driven by the need to have the right information on hand to meet security audits and must be kept on hold over the long term to meet legal requirements. Log Management: The Solution An LMS offered by various vendors in the industry provides a broad range of capabilities such as strong reporting for compliance, user activity and centralized aggregation of logs. Selecting, planning and deploying an LMS can help organizations proactively detect threats, breaches and policy violations. It involves the careful assessment of an organization s needs in terms of its compliance, security and reporting before selecting the vendor. Vendor selection also depends on the number of log generation sources and the number of logs to be stored and tracked by an organization. Figure 3 highlights the LMS needed to address the large volumes of data generated through a central repository for access and analysis. An LMS is important to address regulatory compliance and security goals. It creates a central repository for easy access and analysis, and can go a long way in addressing customer concerns for transparency. It can also aid in Discuss and collaborate on PCI DSS in the Knowledge Center. forensic analysis and improve IT efficiency and security. An LMS mandates reduction in resources that are required to integrate solutions such as compliance management, database activity, and security change and configuration management. Log retention requirements must be implemented to meet PCI DSS requirements for the audit trail and to control access to sensitive data. Compliance regulations have resulted in an LMS focusing on storage and reporting. The solutions need to have capabilities that are powerful and flexible not limited to select data sources. This will ensure that compliance is maintained and not just validated at a point in time. An LMS can do drill-down for databases, applications and incident management. To reduce cost overheads and efficiently comply with PCI DSS, log management and intelligence solutions incorporate a broader mandate for information security. The Promise of the Next Generation: Security Information and Event Management Regulatory and compliance initiatives have driven the need for an emerging technology security information and event management (SIEM), which is positioned to provide a much broader view of threats by collecting forensic data. SIEM solutions can collect logs from various platforms, data centers and customer-specific devices to a centralized security management solution that provides an easy-to-review aggregation point for all security events. 7 Effective management of log data is essential to reducing the cost and complexity of demonstrating security process and to ensuring that measures comply with external and internal requirements. SIEM solutions provide automation in policies and their enforcement. They streamline workflow and simplify a complex environment. Figure 4 illustrates the collection of logs from all log sources and highlights the reports for Sarbanes-Oxley, HIPAA, PCI DSS and GLBA. 3

4 Figure 3 The Log Management Solution User s Organization Infrastructure Log Collection Appliance Storage Retention and Disposal GUI Analysis What is essential at this point is one way to implement the diverse solutions for log management and SIEM and even configuration management and file integrity. Log management stands out at capturing and retaining considerable amounts of log data, while SIEM provides a means for analysis and event correlation. PCI DSS is at an important juncture. Compliance levels are up, but the rising cost of compliance due to inefficiencies in terms of strict adherence to and completeness of all requirements and controls as defined by PCI DSS results in cost overheads and an increased time window to ensure compliance. At the same time, the growing number of incidents, as well as the cost and variety of security breaches, remain unchecked. SIEM is positioned to provide a much broader view of threats by collecting forensic data, analysis, reporting and correlation of events. provide a readily available and massive source of information that can be controlled to introduce significant efficiencies into compliance projects for PCI DSS and other mandates. SIEM solutions have been widely used to unleash this value, overcome the many challenges of log infrastructures, and bring efficiency and visibility to the IT security arena. Reporting PCI DSS HIPAA Sarbanes-Oxley GLBA System Figure 4 Umbrella View of SIEM Application Security Information and Event Management Event Management Real-time Incident management Response Alerting Log Management Audit Database Log Analysis Automated User-driven Device Conclusion PCI DSS compliance has now become the immediate need of all organizations that handle, process and store cardholder data. To ensure network and system security and meet PCI-DSS-compliance deadlines, companies must give up on manual event log management and implement automated solutions for log management. 4

5 The reason behind such a requirement is the need for organizations to protect themselves from threats, rather than react to them after the damage has been done. Effective management of log data is essential to bring down the cost and complexity of demonstrating the security process and to ensure that measures comply with external and internal requirements. Automation of log management helps businesses in cost-effectively collecting, normalizing and reporting on enterprisewide security-related data that are necessary for compliance and security investigations. show system-user activity and administration changes made by employees who manage critical production systems, illuminate the health of the IT environment, and capture evidence of policy violations and malicious activity. The massive volume and complexity of security and audit data that record IT activities in different formats make log analysis a challenging task. Log management is turning out to be a key enabler for successful implementation of PCI DSS. Endnotes 1 Payment Card Industry (PCI) Security Standards Council, Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Version 2.0, USA, 2010, pci_dss_v2.pdf 2 PCICompliance/PhoneFactor, What are the PCI DSS Requirements?, 3 Op cit, PCI Security Standards Council 4 GFI Software, Automated Event Log Management for PCI DSS Compliance, USA, 2009, automated-event-log-management-for-pci-dss.pdf 5 Op cit, PCI Security Standards Council 6 Op cit, GFI Software 7 Nicolet, Mark; The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing With Targeted Attacks, Gartner, 13 May 2010, content/ / /june_30_security_information_ mnicolett.pdf The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal. Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors content ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN ( ), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. 5