Bill Roth, Ulitzer Editor-at-Large


Logging and PCI: Key Issues

Among other things, PCI DSS mandates creating system logs and reviewing them from all systems in scope for PCI compliance. One should always remember that log collection and review are also critical for good security operations and incident response. In this article, we will focus on operational aspects of logging and log management for PCI compliance.

Recent research indicates that logging and monitoring are the most challenging aspects of PCI DSS compliance. The reason is that, unlike other prescribed controls and tasks, which are annual or quarterly, log review activities are explicitly prescribed to be done every single day. Specifically, PCI DSS Requirement 10.6 states that an organization must “review logs for all system components at least daily.” The DSS further clarifies that automated log management tools such as LogLogic can and should be used for that purpose: “Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6.” What makes it even more challenging is that PCI DSS prescribes “log review” but does not explain which specific logs need to be looked at or how exactly such a review should be undertaken. Each organization subject to PCI DSS needs to invest resources in figuring this out for itself.

These challenges have led many organizations not to review logs at all. The Verizon Data Breach Report 2010 reveals that 86% of breached organizations had evidence of the damaging attacks in their logs – but never looked at those logs until the incident was investigated by Verizon's investigators.

Despite the challenges, we will make it clear that logging is a perfect compliance technology! At a high level, logging and log management are used for two purposes in PCI DSS:

  • To directly satisfy logging and log management requirements
  • To substantiate and enable other PCI DSS requirements, such as user credential and firewall rule management

In light of this, logging is implied in all twelve PCI DSS requirements (as well as in most other regulations and frameworks such as HIPAA, FISMA, ISO 27001, ITIL, NERC and others), and specifically mandated in Requirement 10, mentioned above.

What PCI DSS Says About Logging

To summarize, for PCI DSS your organization must do the following with logs and log management:

  • You must have good logs
  • You must collect logs
  • You must store logs for at least 1 year
  • You must protect logs
  • You must review logs daily
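As an added illustration of what the automated daily review from Requirement 10.6 and the "review logs daily" item above look like in practice (example code written for this page, not code from the article or from LogLogic), the routine below parses one day of constructed sample log lines, flags any in-scope component that produced no entries that day (a silent component usually means broken collection rather than a quiet system), and raises alerts on events a reviewer should see. The hostnames, the in-scope component list and the detection patterns are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample lines (hypothetical hosts, not from the article); the set of
# in-scope PCI system components is an assumption the review checks against.
IN_SCOPE = {"pos-web01", "pos-db01", "fw-edge01"}
SAMPLE_LOGS = """\
2010-06-01T02:14:07Z pos-web01 sshd: Failed password for admin from 10.0.5.9
2010-06-01T02:14:09Z pos-web01 sshd: Failed password for admin from 10.0.5.9
2010-06-01T02:14:12Z pos-web01 sshd: Failed password for admin from 10.0.5.9
2010-06-01T03:00:00Z pos-web01 cron: daily backup finished
2010-06-01T09:30:45Z fw-edge01 kernel: rule 17 DENY tcp 203.0.113.4 -> 10.0.5.22:3306
2010-06-01T10:02:11Z fw-edge01 auditd: firewall rule set modified by user jdoe
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
RULES = [("failed_auth", re.compile(r"Failed password")),  # counted, alerted on threshold
         ("ruleset_change", re.compile(r"firewall rule set modified")),
         ("blocked_db_access", re.compile(r"DENY .*:3306"))]

def parse(text):
    """Parse 'timestamp host process: message' lines; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def daily_review(text, in_scope, day, failed_auth_threshold=3):
    """One day's review: flag in-scope components that logged nothing, then alert."""
    events = [e for e in parse(text) if day <= e[0] < day + timedelta(days=1)]
    findings = {"silent_components": sorted(in_scope - {e[1] for e in events}),
                "alerts": []}
    failed = {}
    for _, host, _, msg in events:
        for name, rx in RULES:
            if not rx.search(msg):
                continue
            if name == "failed_auth":
                failed[host] = failed.get(host, 0) + 1
            else:
                findings["alerts"].append((name, host, msg))
    for host, n in failed.items():
        if n >= failed_auth_threshold:
            findings["alerts"].append(("repeated_failed_auth", host, f"{n} failed logins"))
    return findings

def run_sample():
    """Review the constructed sample for 2010-06-01 (UTC)."""
    return daily_review(SAMPLE_LOGS, IN_SCOPE, datetime(2010, 6, 1, tzinfo=timezone.utc))
```

In a real deployment the coverage check runs against the full inventory of in-scope components, and the findings feed the documented review record that an assessor will ask for.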


Bill Roth is a Silicon Valley veteran with over 20 years in the industry. He has played numerous product marketing, product management and engineering roles at companies like BEA, Sun, Morgan Stanley, and EBay Enterprise. He was recently named one of the World's 30 Most Influential Cloud Bloggers.