by Anton Chuvakin | August 3, 2016 | Comments Off on PCI Council Log Monitoring Supplement
As I was gracefully reminded, the PCI Council has released a new (and MUCH needed) document, “Information Supplement: Effective Daily Log Monitoring.” A lot of research (example) reveals that Requirement 10 in general and log review in particular are extremely hard for many organizations, large and small.
Some of my favorite quotes follow below:
- “Having security logs and actively using them to monitor security-related activities within the environment are two distinctly different concepts” [emphasis by A.C.]
- “While a 24-hour window was intended to accommodate less capable organizations, many organizations– including those with mature information security strategies—still struggle to meet the stated “daily” log review frequency.” [so “NO, reading your logs 1/year before the QSA visit does NOT work!”]
- “Requirement 10.6.3 is one of the most important requirements in all of PCI DSS for the ongoing protection of cardholder data, and is an often-overlooked element of log-monitoring processes. It requires follow-up on all exceptions and anomalies identified during the review processes identified” [this means, if you found something iffy, you MUST triage that, not just note down that ‘there was this alert’… ]
- “Requirement 12.10.3 ensures that personnel are available 24/7 to respond to security events and to initiate formal response procedures when required.” [this of course does not mean your employees, it can be an MSSP]
- “Now that you have identified the key requirements for logging and log monitoring, you need to document them in a Logging Policy. A Logging Policy generally describes the business, regulatory, compliance, and/or security requirements for logging and log monitoring.” [and this is both important and commonly missed]
- “Another helpful method for tracking log-monitoring and management requirements is through documentation of event “use cases.”” [love it, love it, love it!!!]
- The document (page 30) contains a bunch of useful log metrics to baseline for better threat detection such as “Avg # of user logins to a specific IP per day”, “Avg # failed logins per user per day per source IP” or “Avg bytes of data transferred per source IP per day.”
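To make the "baseline these metrics" idea concrete, here is an added example (my own illustration, not code from the PCI Council document or this post) that computes the three metrics quoted above from a constructed, syslog-style auth and transfer log, averages them over a baseline window, and flags the review day's values that exceed the baseline by a factor. The log format, the `sshd:`/`xfer:` line shapes, the factor of 3 and the minimum count of 2 are all assumptions made for the example.

```python
"""Baseline three of the PCI supplement's suggested log metrics and flag outliers.

Added example. The log format and thresholds below are assumptions for the
demonstration, not the PCI Council's specification.
"""
import re
from collections import defaultdict
from statistics import mean

# Constructed sample log (not real data): two baseline days plus one day to review.
SAMPLE_LOG = """\
2016-08-01T08:01:10 gw1 sshd: Accepted password for alice from 10.0.0.5
2016-08-01T08:40:02 gw1 sshd: Accepted password for alice from 10.0.0.5
2016-08-01T09:12:44 gw1 sshd: Failed password for bob from 10.0.0.7
2016-08-01T09:12:59 gw1 sshd: Accepted password for bob from 10.0.0.7
2016-08-01T17:00:00 gw1 xfer: 10.0.0.5 sent 1000 bytes
2016-08-01T17:00:01 gw1 xfer: 10.0.0.7 sent 500 bytes
2016-08-02T08:03:21 gw1 sshd: Accepted password for alice from 10.0.0.5
2016-08-02T08:55:10 gw1 sshd: Accepted password for alice from 10.0.0.5
2016-08-02T09:10:03 gw1 sshd: Failed password for bob from 10.0.0.7
2016-08-02T09:10:20 gw1 sshd: Accepted password for bob from 10.0.0.7
2016-08-02T17:00:00 gw1 xfer: 10.0.0.5 sent 1200 bytes
2016-08-02T17:00:01 gw1 xfer: 10.0.0.7 sent 500 bytes
2016-08-03T02:14:01 gw1 sshd: Failed password for bob from 10.0.0.7
2016-08-03T02:14:05 gw1 sshd: Failed password for bob from 10.0.0.7
2016-08-03T02:14:09 gw1 sshd: Failed password for bob from 10.0.0.7
2016-08-03T02:14:13 gw1 sshd: Failed password for bob from 10.0.0.7
2016-08-03T02:14:17 gw1 sshd: Failed password for bob from 10.0.0.7
2016-08-03T02:14:21 gw1 sshd: Failed password for bob from 10.0.0.7
2016-08-03T08:02:05 gw1 sshd: Accepted password for alice from 10.0.0.5
2016-08-03T08:44:17 gw1 sshd: Accepted password for alice from 10.0.0.5
2016-08-03T17:00:00 gw1 xfer: 10.0.0.5 sent 1100 bytes
2016-08-03T17:00:01 gw1 xfer: 10.0.0.7 sent 50000 bytes
"""

# Assumed line shapes; anything that does not match either pattern is skipped.
AUTH_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ sshd: "
                     r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)$")
XFER_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ xfer: (?P<ip>\S+) sent (?P<bytes>\d+) bytes$")


def parse_log(text):
    """Split the log into authentication events and transfer events (lists of dicts)."""
    auth, xfer = [], []
    for line in text.splitlines():
        if (m := AUTH_RE.match(line)):
            auth.append(m.groupdict())
        elif (m := XFER_RE.match(line)):
            xfer.append(m.groupdict())
    return auth, xfer


def daily_totals(events, key_fields, value_field=None):
    """Map key tuple -> {day: total}; counts events, or sums value_field when given."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        key = tuple(e[f] for f in key_fields)
        totals[key][e["day"]] += int(e[value_field]) if value_field else 1
    return totals


def baseline(totals, window_days):
    """Average per day over the window; days with no events count as zero."""
    return {key: mean(per_day.get(d, 0) for d in window_days) for key, per_day in totals.items()}


def flag_outliers(totals, base, day, factor=3.0, min_value=2):
    """Return sorted (key, value, baseline) for keys whose value on `day` exceeds factor * baseline."""
    flagged = []
    for key, per_day in totals.items():
        value = per_day.get(day, 0)
        b = base.get(key, 0.0)          # keys first seen on the review day have a baseline of 0
        if value >= min_value and value > factor * b:
            flagged.append((key, value, b))
    return sorted(flagged)


def review_day(text, window_days, day):
    """Compute the three quoted metrics, baseline them over window_days, and review `day`."""
    auth, xfer = parse_log(text)
    accepted = [e for e in auth if e["result"] == "Accepted"]
    failed = [e for e in auth if e["result"] == "Failed"]
    metrics = {
        "logins_per_ip": daily_totals(accepted, ("ip",)),                # logins to a specific IP per day
        "failed_per_user_ip": daily_totals(failed, ("user", "ip")),      # failed logins per user per source IP per day
        "bytes_per_ip": daily_totals(xfer, ("ip",), value_field="bytes"),  # bytes transferred per source IP per day
    }
    report = {}
    for name, totals in metrics.items():
        base = baseline(totals, window_days)
        report[name] = {"baseline": base, "outliers": flag_outliers(totals, base, day)}
    return report


if __name__ == "__main__":
    result = review_day(SAMPLE_LOG, ["2016-08-01", "2016-08-02"], "2016-08-03")
    for name, data in result.items():
        print(name, "outliers:", data["outliers"])
```

Each flagged tuple is exactly the kind of "exception or anomaly" that Requirement 10.6.3 (quoted above) expects someone to follow up on; the factor and minimum count are deliberately simple so that the threshold logic is visible, and in practice a baseline window would be longer than two days.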
All in all, lots of useful details there, and not just for PCI DSS log monitoring. Finally, while I loved the document, here is my token negative comment: 43 pages? You can say most of this stuff in a much more concise manner…
Really, go read the whole thing.