Effective Daily Log Monitoring - PCI Security Standards


Standard: PCI Data Security Standard (PCI DSS)
Version: 1.0
Date: May 2016
Author: Effective Daily Log Monitoring Special Interest Group, PCI Security Standards Council
Information Supplement: Effective Daily Log Monitoring

Information Supplement: Effective Daily Log Monitoring, May 2016

Document Changes

Date     | Document Version | Description     | Pages
May 2016 | 1.0              | Initial release | All

The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in any PCI SSC Standard.

Table of Contents

1 Introduction
1.1 Detective Measures in Information Systems
1.2 The Need for Log Monitoring
1.3 Log-Monitoring Challenges
1.4 Guidance in this Document
1.5 Assumptions
2 Log-Monitoring Requirements in PCI DSS
2.1 Key Terms
2.2 Requirement 10.6
2.3 Other Important PCI DSS Requirements Related to Log Monitoring
2.4 Section Summary
3 Planning for Effective Log Monitoring
3.1 Determine Your Logging Requirements
3.2 Define the High-Level Activities You Wish to Monitor
3.3 Identify Potential Log Sources
3.4 Document Log Source Characteristics
3.5 Identify and Map System-Level Event Messages to High-Level Events
3.6 Prioritize Log Sources
3.7 Determine Who to Notify When Security Events Occur
3.8 Determine What Should Be Done in Response to Security Events
3.9 Document Logging Requirements
4 Preparing for Effective Log Monitoring
4.1 Identify the Tools & Resources to be Used for Log Management
4.2 Establish Central Repository for Log Data
4.3 Transport Logs to the Centralized Repository
4.4 Prepare Log Data for Processing
5 Performing Effective Log Monitoring
5.1 Collect and Analyze Activity Data
5.2 Establish a Baseline
5.3 Configure Automated Alerts
5.4 Respond to Alerts
5.5 Validate Events
5.6 Respond to Incidents
5.7 Collect and Analyze Incident Data
5.8 Report on Results
5.9 Perform Periodic Program Reviews
5.10 Make Updates Where Necessary
6 Applying Effective Log Monitoring
6.1 Business-as-Usual Activities
6.2 Summary
Appendix A: Use Case Example
Acknowledgements
References
Additional Resources
About the PCI Security Standards Council

1 Introduction

One of the key tenets of almost any information security program is the concept of "defense in depth." Defense in depth is a strategy for preventing the loss or compromise of assets through an overlapping system of defenses with multiple protective layers, arranged so that the failure of any single defense does not cause the failure of the whole system of defenses.

A defense-in-depth strategy typically combines preventive, detective, and corrective security measures. A rudimentary historical example is the combination of fortress walls (preventive) with watchmen posted atop them at strategic points (detective). While this strategy has proven successful for thousands of years, history has also shown time and again that attacks and attackers continuously evolve. At some point, adversaries will develop the capabilities to defeat almost any defensive measure. The ability to detect such circumstances quickly and to adapt defensive tactics to counter attacks is paramount to the ongoing protection of assets. Successful detection of evolving attack techniques depends on having actionable intelligence, and actionable intelligence requires that security defenses and the state of assets be continuously monitored. You would not build fortress walls to keep out intruders and then leave the walls unmanned. If security defenses were not continuously monitored, how would one know whether an attack had compromised them? If we do not know the state of our defenses, how can we know the status of our most valuable assets? Simply checking the vault to see whether the assets are still there is no longer sufficient, particularly in an age where a copy of an asset is as valuable as the asset itself, and the loss of the copy is as damaging as, if not more so than, the loss of the original.

1.1 Detective Measures in Information Systems

Since the advent of modern electronic computers, the concept of defense in depth has been widely employed in the protection of information systems. However, just as with historical assets, modern adversaries will eventually develop the capabilities to defeat some information system security defenses. Fortunately, detection capabilities are built into most information systems by default through logging mechanisms, which can provide organizations the actionable intelligence they need to defend against evolving attack techniques.

Logging is functionality typically provided by operating systems, network devices, and software applications, which generate messages when specific events occur. Those messages are captured in what is generally referred to as a "log" and may reflect a variety of events, including the use of specific system resources, system status changes, and general performance issues. Logs are valuable sources of information because they provide a chronological record of events and activities that have taken place on information systems.

Originally created for troubleshooting errors and performance issues, logs have evolved to become the primary source of information on events related to information system security. System or application authentication attempts, file or data accesses, security-policy changes, and user-account changes are all examples of events that are now captured in security logs [1]. In fact, because of the widespread deployment of networked servers, workstations, and other computing devices, and the ever-increasing number of threats against networks and systems, the number, volume, and variety of security logs have increased substantially (Kent & Souppaya, 2006). This provides organizations with a wealth of information relating to the state and effectiveness of the information security measures deployed to protect their information systems.

[1] For the purposes of this document, the terms "security log," "audit log," and "audit trail" are used interchangeably except where otherwise noted.

1.2 The Need for Log Monitoring

Having security logs and actively using them to monitor security-related activity within the environment are two distinctly different things. This sounds obvious, but many organizations confuse the former with the latter. Logging system messages and events in security logs may prove helpful, even essential, during post-breach forensic investigations. But having security logs without procedures to actively review and analyze them is of little use in the ongoing management of information security defenses; it is the modern equivalent of fortress walls without watchmen. For security logs to be useful in the defense of information assets, they must be monitored and analyzed, in as close to real time as possible, so that attacks can be detected quickly and appropriate countermeasures deployed to augment existing defenses when and where necessary. This becomes increasingly important as attacks and attackers become more sophisticated. Without active monitoring and analysis of security logs, the erosion of information security defenses by capable adversaries will likely go undetected and will eventually result in the compromise of the very assets that require protection.

1.3 Log-Monitoring Challenges

Advancements in technology have enabled those with malicious intentions to improve their craft. As attacks and attackers become more sophisticated and agile, it becomes increasingly important that we as security practitioners become more adept at maintaining and evolving effective measures to protect our information assets. This includes improving our ability to detect attacks and security failures before they lead to data breaches. Unfortunately, as an industry we are not yet very good at that: statistics indicate the time between system compromise and detection averages weeks and months when it should be measured in hours and days (Ponemon Institute, 2015). The situation is exacerbated by the glut of vulnerabilities in today's information systems and the challenges of keeping systems up to date on security patches. There are only so many security resources available, and in many organizations other activities, including vulnerability management, take priority over log monitoring (Black Hat, 2015).

The number of systems generating log data is rapidly expanding as well. The growth of virtualization and the emergence of on-demand scalability of computing resources have allowed many organizations to pack more systems and applications into increasingly smaller hardware footprints. Where there used to be a practical limit on the physical space available to house information systems, virtualization, and cloud-based services in particular, has essentially removed that limit. The rapid increase in system density has also resulted in exponential growth in the volume of log data that is

produced. This, in turn, has put tremendous pressure on security teams to process increasing volumes of information more quickly without additional resources. Additionally, logs do not necessarily speak the same language. There is no universally adopted standard for structuring or formatting log data, and logs exist in numerous forms. Some systems and devices generate logs as human-readable text files, while others generate machine-readable data files or write to relational databases. Some systems even generate logs in proprietary formats. There is also no consistency in how event information is articulated within log files: the same event occurring on two different systems may be described completely differently by those two systems.

As mentioned previously, these issues place a substantial burden on security practitioners. It is no wonder that, given the overhead seemingly required to manage and analyze log data and the limited resources available to do this work, many organizations conclude that the benefits of actively monitoring security logs do not outweigh the costs, and simply devote resources elsewhere. To become more effective at log monitoring, organizations need to adopt a structured approach for generating, transmitting, storing, and analyzing security log data as efficiently as possible. Log-management processes must align with the organization's risk management strategy so that resources are used in the most effective and cost-efficient manner. The approach must be customized to the organization's specific business mission and support the culture and technology unique to the organization.

1.4 Guidance in this Document

There are many valuable resources available, both in print and on the Internet, to help organizations address the challenges of maintaining effective log-management processes. This document seeks to address these challenges by explaining the intent behind the PCI DSS requirements for log monitoring and by providing guidance on the planning, implementation, and application of effective log-monitoring and management practices. The primary focus of this document is log monitoring within the context of PCI DSS, and all discussions are intended to help those with PCI DSS compliance obligations improve compliance with the PCI DSS log-monitoring requirements. Those looking for more general guidance on logging and log management should refer to the "References" section at the end of this document for a list of resources to consider for further reading.

This document is not intended to be a step-by-step guide for performing log monitoring and management, nor does it guarantee that implementing the tools and techniques mentioned herein will result in PCI DSS compliance. It is intended to provide an overview of the key activities that comprise an effective log-monitoring program. The information in this document is supplemental guidance and does not supersede, replace, or extend PCI DSS requirements.

1.5 Assumptions

The guidance in this document assumes readers are familiar with PCI DSS requirements, testing procedures, and scoping guidance, and possess an understanding of computer information systems, network technologies, and general IT principles and terminology. This document also assumes readers have some experience with security log monitoring as well as popular logging platforms such as Syslog or Windows Event Log.
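Section 1.3 makes the point that the same event is described differently by different systems, and Section 1.5 names Syslog and Windows Event Log as the platforms readers are expected to know. The following added example (written for this page; it is not code from the PCI SSC document or the Special Interest Group) shows the practical consequence of that point: a failed SSH login that OpenSSH writes to syslog and a failed logon that Windows records as Security Event ID 4625 are parsed into one normalized event shape, and a single detection rule then runs over both to find a burst of failures from one source address across hosts, the kind of anomaly PCI DSS Requirement 10.6 expects the daily review to surface. All log lines are constructed for the example; the syslog year and UTC zone, the trimmed 4625 XML, the five-failures-in-five-minutes threshold, and the field names of the normalized record are assumptions, not anything the document specifies.

```python
"""Normalize authentication failures from two unrelated log formats and
flag bursts across both.  Added example; not from the PCI SSC document.
Assumptions (not from the page): Linux lines are RFC 3164 syslog written
by OpenSSH, in UTC, with the year supplied by the caller; Windows records
are Event ID 4625 in the XML shape Event Viewer shows, trimmed to the
fields used here; every sample record below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
WIN_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_syslog_auth_failure(line, year=2016):
    """OpenSSH 'Failed password' line -> normalized event; None for other lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # RFC 3164 timestamps carry no year and no zone; both are assumed here.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts.replace(tzinfo=timezone.utc), "host": m["host"],
            "source": "linux-syslog", "event": "auth_failure",
            "user": m["user"], "src_ip": m["ip"]}


def parse_windows_4625(xml_text):
    """Windows Security event XML -> normalized event; None unless it is a 4625."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=WIN_NS) != "4625":
        return None
    raw = root.find("e:System/e:TimeCreated", WIN_NS).get("SystemTime")
    # Windows writes seven fractional-second digits; drop them before parsing.
    ts = datetime.strptime(re.sub(r"\.\d+Z$", "Z", raw), "%Y-%m-%dT%H:%M:%SZ")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", WIN_NS)}
    ip = data.get("IpAddress", "-")  # "-" is what Windows writes for local logons
    return {"time": ts.replace(tzinfo=timezone.utc),
            "host": root.findtext("e:System/e:Computer", namespaces=WIN_NS),
            "source": "windows-security", "event": "auth_failure",
            "user": data.get("TargetUserName", ""),
            "src_ip": None if ip in ("-", "") else ip}


def detect_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per source IP with >= threshold auth failures inside any sliding
    window, counted across all hosts and both log formats (runs on normalized events)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failure" and e["src_ip"]:
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit = evs[start:end + 1]
                alerts.append({"src_ip": ip, "count": len(hit),
                               "first": hit[0]["time"], "last": hit[-1]["time"],
                               "hosts": sorted({x["host"] for x in hit}),
                               "users": sorted({x["user"] for x in hit})})
                break
    return alerts


# Constructed sample data: one attacker (203.0.113.5) sprays three accounts on a
# Linux host and two on a domain controller; 198.51.100.7 is a single mistyped password.
SAMPLE_SYSLOG = """\
Mar 13 10:14:02 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar 13 10:14:09 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 50131 ssh2
Mar 13 10:14:41 web01 sshd[2220]: Failed password for invalid user oracle from 203.0.113.5 port 50140 ssh2
Mar 13 10:14:55 web01 sshd[2222]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2
Mar 13 10:16:30 web01 sshd[2230]: Failed password for deploy from 198.51.100.7 port 41002 ssh2
"""
WIN_4625 = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4625</EventID><TimeCreated SystemTime="{t}"/>'
            '<Computer>{c}</Computer></System><EventData>'
            '<Data Name="TargetUserName">{u}</Data>'
            '<Data Name="IpAddress">{ip}</Data></EventData></Event>')
SAMPLE_WINDOWS = [
    WIN_4625.format(t="2016-03-13T10:15:07.1234567Z", c="DC01.corp.example",
                    u="admin", ip="203.0.113.5"),
    WIN_4625.format(t="2016-03-13T10:15:33.7654321Z", c="DC01.corp.example",
                    u="administrator", ip="203.0.113.5"),
]


def normalize_all(syslog_text, windows_records, year=2016):
    """Run each raw record through the parser for its format; keep the matches."""
    events = [parse_syslog_auth_failure(line, year) for line in syslog_text.splitlines()]
    events += [parse_windows_4625(rec) for rec in windows_records]
    return [e for e in events if e]


def run_example():
    """Return (normalized events, alerts) for the constructed sample data."""
    events = normalize_all(SAMPLE_SYSLOG, SAMPLE_WINDOWS)
    return events, detect_bursts(events)
```

Call `run_example()` to get the six normalized events and the one alert for 203.0.113.5, which spans both hosts and four account names even though neither raw format alone shows the full picture. The point to take from it is that the detection rule is written once against the normalized record rather than against either raw format, so adding a third source (a firewall, a web server) means adding one parser, not rewriting the rule. Note the edge case in the Windows parser: 4625 records for local logons carry "-" in IpAddress, which is mapped to no source address so that an IP-keyed threshold does not lump unrelated local failures together.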

2 Log-Monitoring Requirements in PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is based on the concept of defense in depth and includes a variety of preventive, detective, and corrective information security measures (also called "security controls"). Moreover, PCI DSS includes requirements devoted to the use of log monitoring in the ongoing protection of information assets, addressing the need for proactive monitoring of security logs in Requirement 10.6:

    10.6 Review logs and security events for all system components to identify anomalies or suspicious activity

The key elements of PC
