Event Log Monitoring and the PCI DSS

Similar documents
THE HITECH ACT - THE TEETH AND CLAWS OF HIPAA

File Integrity Monitoring - The Last line of Defense in the PCI Data Security Standard

PCI DSS 101- The background you need for understanding the PCI DSS

PCI DSS File Integrity Monitoring

PCI Compliance in Ten Minutes A Day. Best Practices for Addressing System Hardening, File Integrity and Event Log Monitoring Requirements

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

File Integrity Monitoring - The Last line of Defense in the PCI Data Security Standard

The Comprehensive Guide to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance

FairWarning Mapping to PCI DSS 3.0, Requirement 10

The Art of Layered Security - Data Protection in a Threatscape of Modern Malware

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents

Teleran PCI Customer Case Study

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

March

PCI DSS Reporting WHITEPAPER

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)

Achieving PCI-Compliance through Cyberoam

Audit Logging. Overall Goals

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Navigate Your Way to NERC Compliance

Exporting IBM i Data to Syslog

Becoming PCI Compliant

74% 96 Action Items. Compliance

Navigate Your Way to PCI DSS Compliance

Did you know your security solution can help with PCI compliance too?

whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Compliance Guide: PCI DSS

Secret Server Qualys Integration Guide

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

PCI Requirements Coverage Summary Table

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

Best Practices for PCI DSS V3.0 Network Security Compliance

PCI Compliance: Protection Against Data Breaches

GFI White Paper PCI-DSS compliance and GFI Software products

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Overcoming PCI Compliance Challenges

E-Guide Log management best practices: Six tips for success

File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions

CorreLog: Mature SIEM Solution on Day One Paul Gozaloff, CISSP. Presentation for SC Congress esymposium CorreLog, Inc. Tuesday, August 5, 2014

NY/TB RUG: The Mainframe isn t Dead: Call the Doctor not the Undertaker with Real-time Enterprise Alert Correlation

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

A Rackspace White Paper Spring 2010

PCI DSS Requirements - Security Controls and Processes

Net Report s PCI DSS Version 1.1 Compliance Suite

The PCI Dilemma. COPYRIGHT TecForte

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

PCI Requirements Coverage Summary Table

Enforcive / Enterprise Security

White Paper: PCI DSS 3. New Standard but Same Problems?

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Payment Card Industry Data Security Standard

IBM Security QRadar Risk Manager

WHITE PAPER. Meeting the True Intent of File Integrity Monitoring

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond

Analyzing Logs For Security Information Event Management Whitepaper

Ecom Infotech. Page 1 of 6

Log Management as an Early Warning System

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

End-user Security Analytics Strengthens Protection with ArcSight

PCI DSS Top 10 Reports March 2011

Franchise Data Compromise Trends and Cardholder. December, 2010

Payment Card Industry Data Security Standard

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

IBM Security QRadar Risk Manager

Guideline on Auditing and Log Management

Workflow Templates Library

Feature. Log Management: A Pragmatic Approach to PCI DSS

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Achieving PCI Compliance with Log Management

SonicWALL PCI 1.1 Implementation Guide

Achieving PCI DSS Compliance with Cinxi

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February

LogRhythm and PCI Compliance

PCI 3.0 Compliance for Power Systems Running IBM i

Nine Steps to Smart Security for Small Businesses

Analyzing Logs For Security Information Event Management Whitepaper

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

StratusLIVE for Fundraisers Cloud Operations

Boosting enterprise security with integrated log management

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

PCI White Paper Series. Compliance driven security

U.S. SECURITIES & EXCHANGE COMMISSION

Least Privilege in the Data Center

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

How To Manage Log Management

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

PCI and PA DSS Compliance Assurance with LogRhythm

Transcription:

Event Log Monitoring and the PCI DSS Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies www.nntws.com

Striking a Balance Between Compliance Obligations and Resource Costs... Getting the balance right between the need to meet your mandatory obligations for PCI DSS, and the imperative of minimizing costs of ownership, is a challenge. Requirement 10: Track and monitor all access to network resources and cardholder data https://www.pcisecuritystandards.org/ Section 10.2 of the PCI DSS states Implement automated audit trails for all system components... and there are typically two concerns that we always discuss What is the best way to gather and centralize event logs? What do we need to do with the event logs once we have them stored centrally? (and how will we cope with the volume!?) To the letter of the PCI DSS, you are obliged to make use of event and audit logs in order to track user activity for any device within scope of PCI i.e. all devices which either touch cardholder data or have access to cardholder data processing systems. The full heading of the Log Tracking section of the PCI DSS is as follows Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are critical in detecting and preventing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Put simply - determining the cause of a compromise is impossible without system activity logs. Promptly back up audit trail files to a centralized log server or media that is difficult to alter https://www.pcisecuritystandards.org/ Given that many PCI DSS estates will be geographically widespread it is always a good idea to use some means of centralizing log messages, however, you are obliged to take this route anyway if you read section 10.5.3 of the PCI DSS - Promptly back up audit trail files to a centralized log server or media that is difficult to alter While Unix and Linux hosts can forward audit trail and system events using syslog, Windows servers do not have an in-built mechanism for forwarding Windows Events and it is therefore necessary to use an agent to convert Windows Event Logs to syslog. The Windows Events can then be collected centrally using your audit log server. Similarly, applications using Oracle/SQL Server, or bespoke/non-standard applications, do not use syslog to forward events so it will also be necessary to use an agent to forward events. Finally, if you are using an IBM z/os mainframe or AS/400 system you will need further agent technology to centralize event and audit log messages. Of course, Firewalls and Intrusion Protection/Detection System (IPS/IDS), as well as the majority of switches and routers all natively generate syslog messages. Once assembled, the Audit trail history must be securely stored in order to prevent retrospective editing or any tampering. Traditionally, write-once media has been used to ensure event histories cannot be altered but most centralized log server solutions now employ file-integrity monitoring for the log backup files so that any modifications can be detected and alerted. So in terms of our two initial questions, we have fully covered the first, but what about the next logical question of What do we do with and how do we cope with the event logs gathered? www.nntws.com page 2

Now - What Am I Going To Do With All These Logs...?! 10.6 Review logs for all system components at least daily This is the part of the standard that causes most concern. If you consider the volume of event logs that may be generated by a typical firewall this can be significant, but if you are managing a retail estate of, say, 800 stores with 8,000 devices within scope of the PCI DSS, the task of reviewing logs from devices is going to be impossible to achieve. This may be a good time to consider the potential benefits of automation of the event log analysis process...? Figure 1 - NNT Log Tracker meets all PCI DSS requirements all event logs from all platforms are centrally backed-up secure, tamper-proof log repository archives all events in line with PCI DSS retention periods automated keyword indexing of all event logs ensures fast access to user audit trails, for instance, all activity related to a named user is available out of the box automated keyword indexing with pattern-matching and correlation technology ensures only key security events are highlighted www.nntws.com page3

Now - What Am I Going To Do With All These Logs...?! contd. The Security Information and Event Management, or SIEM market as defined by Gartner, covers the advanced generation of solutions that not only harvest audit logs and provide centralized log server functions, but parse event log messages e.g. store events by device, event type and severity, and analyze the details within event logs as they are stored. In fact, the PCI DSS recognizes the potential value of this kind of technology Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6 of the PCI DSS Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6 of the PCI DSS https://www.pcisecuritystandards.org/ SIEM technology allows event logs to be automatically and intelligently managed such that only genuinely serious security events are alerted. The best SIEM technology can distinguish between true hacker activity running a brute force attack and a user who has simply forgotten their password and is repeatedly trying to access their account. Naturally there is an amount of customization required for each environment as every organization s network, systems, applications and usage patterns are unique as are the corresponding event log volumes and types. The PCI Event log management process can be approached in three stages, ensuring that there is a straightforward progression through becoming compliant with the PCI DSS standard and becoming fully in control of your PCI Estate. The three phases will assist you in understanding how your PCI Estate functions normally and, as a result, placing all genuine security threats into the spotlight. 1. GATHER - Implement the SIEM system and gather all event logs centrally the SIEM technology will provide a keyword index of all events, reported by device type, event severity and even with just the basic, pre-defined rules applied, the volumes of logs by type can be established. You need to get familiar with the types of event log messages being collected and what good looks like for your estate. 2. PROFILE - Refinement of event type identification and thresholds once an initial baselining period has been completed we can then customize rules and thresholds to meet the profile of your estate, with the aim of establishing a profiled, steady-state view of event types and volumes. Even though all logs must be gathered and retained for the PCI DSS, there is a large proportion of events which aren t significant on a day-to-day basis and the aim is to de-emphasize these in order to promote focus on those events which are significant. 3. FOCUS correlate and pattern-match combinations and sequences of events - simple thresholding for event types is adequate for some significant security events, such as anti-virus alerts or IPS signature detections, but for other security events it is necessary to correlate and pattern-match combinations and sequences of event. SIEM only becomes valuable when it is notifying you of a manageable number of significant security events. It is important to note that even when certain events are being de-emphasized, these are still being retained in line with the PCI DSS guidelines which are to retain logs for 12 months. At least 3 months of event logs must be in an on-line, searchable format for at least 3 months, and archived for 12 months. Again, the archived and on-line log repositories must be protected from any editing or tampering so write-once media and file integrity monitoring must be used to preserve log file integrity. www.nntws.com page 4

Security Information and Event Management - NNT Log Tracker As discussed earlier, the right event log management technology not only makes it easy to gather all events, but will automate the analysis and interpretation of events so that you can meet PCI DSS requirements for log retention and review of logs but without any unnecessary burden of sifting through unimportant messages. Implement the SIEM system and gather all event logs centrally Refinement of event type identification and thresholds Correlate and pattern-match events, ensure only genuine security threats are alerted Figure 2: NNT Log Tracker technology will take you through a 3 phase process for gathering events, profiling events through analysis of thresholds of common events, before finally using powerful correlation and pattern-matching to ensure only genuine security events are highlighted. www.nntws.com page 5

Conclusion - The NNT View The PCI DSS is still confusing for many, and seen as too expensive in terms of resource and budget requirements. As a result, many merchants are delaying the implementation of essential measures, leaving their customers payment card details, and their organization s reputation, at risk. NNT can help using NNT Log Tracker will provide everything that a Payment Card merchant needs to become, and remain, PCI DSS compliant. NNT Log Tracker is provided as a stand-alone SIEM solution or as part of the integrated NNT Compliance Management Suite, comprising NNT Change Tracker and NNT Log Tracker. NNT PCI DSS Compliance solutions cover the following About NNT configuration hardening change management event log correlation NNT build the world s best solutions for tracking and managing change, managing and protecting users, maintaining system performance and ensuring availability across the entire enterprise. file integrity monitoring NNT Change Tracker and Log Tracker Enterprise - Compliance Clarified Audit Configuration Settings - The core function of NNT Change Tracker Enterprise is to first understand how your IT estate is configured Understanding and managing the day to day changes within your environment is critical to establishing and maintaining reliable service. NNT Solutions are affordable and easy to use. NNT help you establish and maintain a known and compliant state for your IT systems. Including: PC, Network, Software, Host Machine and Database. www.nntws.com 2010 New Net Technologies UK Office - Spectrum House, Dunstable Road, Redbourn, AL3 7PR Tel: +44 8456 585 005 Compare Audited Settings Against Policy - Configuration settings are assessed for compliance with any policy or standard relevant to your organization and deviations highlighted Continuously Monitor Configuration Settings - Configuration attributes are then monitored continuously for all changes, both from a compliance standpoint and from a general change management/control standpoint Change Management Process Underpinned - Authorized changes which have been approved via the formal change management process are reconciled with the original RFC to ensure the correct changes were implemented accurately The Change Management Safety Net - All unplanned changes are flagged up for review immediately to mitigate security integrity or service delivery performance SIEM Event Log Correlation - Centralize and correlate event logs messages from all windows, unix/linux, firewall and IPS systems US Office - 5633 Strand Blvd, Suite 306, Naples Florida 34110 Tel: +1 239 592 9638 TO REQUEST A FREE TRIAL OR DISCUSS ANY AREA COVERED IN THIS WHITEPAPER, PLEASE CONTACT US AT info@nntws.com www.nntws.com page 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information