Bill Roth, Ulitzer Editor-at-Large


Complete PCI DSS Log Review Procedures

This article is cross-posted from Anton's blog simply because we think the more people that see it, the better. Thanks Anton.


By Anton Chuvakin.

Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged “PCI_Log_Review.” It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis (a key requirement for this project – the guidance was to be useful to such people) in order to enable them to do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation (or without any compliance flavor – of course!).

This is the first post in the long, long series... prepare to see lots of process flow charts.

A few tips on how you can use it in your organization:

  • If you need to establish log review practices to satisfy PCI DSS Requirement 10.6 “Review logs for all system components at least daily”, feel free to steal from this document and adapt it to your environment. I can do that for you too.
  • There is a slight bias towards application and OS logging in this document (as per client request) – and you do need to review network and security device logs as well. The methods and practices apply to them as well.
  • This was created before the PCI DSS 2.0 release, but has been checked to “comply” with the most recent standard (and Requirement 10 has not changed much in 2.0).
  • A QSA looked at it and liked it – but YMMV. Your QSA is always the ultimate authority in regards to what will “make you compliant”.
  • Don’t forget to buy me a beer if you find it useful. Better – contract me to create something similar for your organization. Are you doing a good job with log review today? Owning an expensive SIEM product but not using it well does not magically make you compliant or secure (it can make you poor though) – but then again, you already knew it…

And so we begin our journey.

Project Goals

The goal of this project is to create a comprehensive Log Review Procedures document for PCI DSS applications. Such a document needs to cover log review procedures, tasks and practices, incorporate other systems in the review workflow, and also document all stages of log review. If implemented in operational practice, this Log Review Procedures document should satisfy PCI DSS requirements in select sections of PCI DSS Requirements 10 and 12 and should be adequate to pass PCI compliance validation[1].

Project Assumptions, Requirements and Precautions

These critical items are essential for the success of a PCI logging, log management and log review project. It is assumed that the following requirements are satisfied before the Log Review Procedures are put into operational practice.

Requirements

A set of requirements needs to be in place before the operational procedures described in this document can be used effectively:

1. A logging policy is created to codify PCI DSS log-related requirements as well as other regulatory and operational logging requirements

2. Logging is enabled on the in-scope systems

3. Interruption or termination of logging is in itself logged and monitored

4. Events mandated in PCI DSS documentation are logged

5. Generated logs satisfy PCI DSS logging requirements (e.g. Req 10.3)

6. Time is synchronized across the in-scope systems and with a reliable time server (NTP or other, as per PCI DSS Req 10.4)

7. Time zones of all logging systems are known and recorded and can be reviewed in conjunction with logs
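Requirements 3, 6 and 7 above are the ones a reviewer can verify from the collected logs themselves: a host that goes quiet, a host whose clock disagrees with the collector, and a host whose timestamps cannot be normalized because no time zone was recorded for it. The script below is an added example written for this page (it is not part of Anton's document and not a tool from the original project) and checks all three over a constructed collector feed. The host names, UTC offsets, thresholds and log records are all constructed; a real host register would hold IANA zone names rather than fixed offsets so that DST changes are handled.

```python
"""Prerequisite checks for PCI DSS log review (added example, not from the
original document), run over a constructed central-collector feed:
  item 7 - each host has a recorded time zone, applied when its local
           timestamps are normalized to UTC for review;
  item 6 - hosts whose clock differs from the collector's receive time by
           more than a tolerance (time synchronization failure);
  item 3 - hosts silent for longer than a threshold, or never logging at
           all (interruption or termination of logging).
Hosts, offsets, thresholds and records are constructed for the example."""
from datetime import datetime, timedelta, timezone

# Constructed register of in-scope hosts and their recorded UTC offsets in
# hours (a production register would use IANA zone names to handle DST).
HOST_UTC_OFFSET_HOURS = {
    "pos-db-01": 0,
    "web-app-02": -5,
    "batch-03": 1,
    "vpn-04": 0,      # registered, but sends nothing in the sample feed
}

# Constructed collector records: (UTC receive time stamped by the central log
# server, source host, timestamp exactly as the host wrote it in local time,
# message). batch-03's clock is ~10 minutes fast and it goes quiet for 50 min.
SAMPLE_RECORDS = [
    ("2011-03-01T12:00:05Z", "pos-db-01",  "2011-03-01 12:00:04", "db login user=app"),
    ("2011-03-01T12:00:07Z", "web-app-02", "2011-03-01 07:00:06", "GET /checkout 200"),
    ("2011-03-01T12:00:09Z", "batch-03",   "2011-03-01 13:10:08", "job settle started"),
    ("2011-03-01T12:20:05Z", "pos-db-01",  "2011-03-01 12:20:04", "db login user=app"),
    ("2011-03-01T12:20:07Z", "web-app-02", "2011-03-01 07:20:06", "GET /cart 200"),
    ("2011-03-01T12:45:05Z", "pos-db-01",  "2011-03-01 12:45:04", "db login user=app"),
    ("2011-03-01T12:45:08Z", "web-app-02", "2011-03-01 07:45:07", "GET /checkout 200"),
    ("2011-03-01T12:50:10Z", "batch-03",   "2011-03-01 14:00:09", "job settle finished"),
]


def normalize_to_utc(host, local_ts):
    """Item 7: apply the host's recorded offset. A host with no recorded
    zone cannot be reviewed reliably, so that is an error, not a guess."""
    if host not in HOST_UTC_OFFSET_HOURS:
        raise KeyError(f"no recorded time zone for host {host}")
    zone = timezone(timedelta(hours=HOST_UTC_OFFSET_HOURS[host]))
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def parse_records(records):
    """Turn raw collector tuples into dicts with both times as aware UTC."""
    parsed = []
    for received, host, local_ts, msg in records:
        recv = datetime.strptime(received, "%Y-%m-%dT%H:%M:%SZ")
        parsed.append({
            "received": recv.replace(tzinfo=timezone.utc),
            "host": host,
            "event_utc": normalize_to_utc(host, local_ts),
            "msg": msg,
        })
    return parsed


def clock_skew_violations(records, tolerance=timedelta(minutes=5)):
    """Item 6: worst |event time - receive time| per host, kept only where it
    exceeds the tolerance. Transport delay adds seconds at most, so a large,
    stable difference points at an unsynchronized host clock."""
    worst = {}
    for r in records:
        skew = abs(r["event_utc"] - r["received"])
        worst[r["host"]] = max(worst.get(r["host"], timedelta(0)), skew)
    return {host: skew for host, skew in worst.items() if skew > tolerance}


def logging_interruptions(records, max_silence=timedelta(minutes=30)):
    """Item 3: (host, last_seen, next_seen) for every silence longer than
    max_silence, measured on collector receive time so a skewed host clock
    cannot hide the gap, plus (host, None, None) for registered hosts that
    produced nothing at all."""
    seen = {}
    for r in sorted(records, key=lambda r: r["received"]):
        seen.setdefault(r["host"], []).append(r["received"])
    findings = []
    for host, times in seen.items():
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_silence:
                findings.append((host, earlier, later))
    for host in HOST_UTC_OFFSET_HOURS:
        if host not in seen:
            findings.append((host, None, None))
    return findings


def main():
    records = parse_records(SAMPLE_RECORDS)
    for host, skew in clock_skew_violations(records).items():
        print(f"TIME SYNC: {host} clock differs from collector by {skew}")
    for host, last, nxt in logging_interruptions(records):
        if last is None:
            print(f"LOGGING STOPPED: {host} sent no records in this period")
        else:
            print(f"LOGGING GAP: {host} silent from {last:%H:%M:%S} to {nxt:%H:%M:%S}")


if __name__ == "__main__":
    main()
```

Run as-is, the script reports batch-03 for both the clock skew (about 10 minutes, far beyond the 5-minute tolerance) and a 50-minute silence, and reports vpn-04 as having sent nothing at all. Gaps are measured on the collector's receive time on purpose: if they were measured on the host's own timestamps, the very clock problem that item 6 is meant to catch could mask or fabricate an interruption.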

Precautions

These additional precautions need to be taken in order to make logs useful for PCI DSS compliance, other regulations, as well as security, forensics and operational requirements:

  • Key precaution: the person whose actions are logged on a particular system cannot be the sole party responsible for log review on that same system.
  • Key precaution: PCI DSS mandates log security measures (detailed below); all access to logs should be logged and monitored to identify attempts to terminate or otherwise affect the presence and quality of logging.


[1] No assurance or guarantee of PCI compliance or passing PCI validation with one or more PCI DSS requirements can be given in this document. Only each organization’s QSA can be the judge of compliant status, as per PCI Council guidelines.

Out-of-scope Items

The following items are not covered in the document despite the fact that they might be essential for becoming PCI DSS compliant:

| Out-of-scope item | Why out of scope? |
|---|---|
| What events to log for each application? | Scope of the project is defined to cover log review only. It is assumed that proper logging is already implemented as per corporate logging policy. |
| What details to log for each logged event for each application? | Scope of the project is defined to cover log review only. It is assumed that proper logging is already implemented as per corporate logging policy. |
| High-level logging and monitoring policy | It is known that such a policy is already in place. |
| Log aggregation, rotation and retention policies and procedures | Even though PCI DSS prescribes log retention, such procedures are not covered in this document. |
| Security incident response process | Scope of the project is defined to cover log review only. Log review procedures sometimes call for initiation of a security incident response process and investigation. |
| Applications that are not in scope for PCI DSS | Scope of the project is defined to cover PCI DSS applications only. |
| Network devices that are OR are not in scope for PCI DSS | Scope of the project is defined to cover PCI DSS applications only. (A.C. note when posting: make sure you do include network devices in your PCI logging project!) |
| Access control to stored logs, protecting the confidentiality and integrity of log data | Even though PCI DSS prescribes access control guidelines for aggregated logs, such procedures are not covered in this document as per project definition. |
| Compensating controls when logging is not possible | Scope of the project is defined to cover log review only. Log review is always possible whenever logging is possible; however, situations where logging is not possible are not covered in this document. |
| Real-time monitoring of central logging health, performance, etc. | Scope of the project is defined to cover periodic log review only. |
| Any and all logging requirements in PCI DSS outside of Requirements 10 and 12 | Scope of the project is defined to cover log review procedures in PCI DSS Requirements 10 and 12 only. A brief overview of PCI logging requirements in other sections is provided, but no detailed operational guidance is given. |
| Guarantee of passing PCI DSS assessment | Only each organization's QSA can provide such assurance or guarantee after the assessment. |
| Correlation rules for PCI monitoring | While correlation rules can be created to automate some of the items discussed in the document, the project is scoped to cover log review and not correlation. |
| Log record preservation for forensic purposes | Log record preservation should be a part of a security incident response workflow. |

Note that some or all of the above items may be mandatory for passing PCI compliance validation.

More Stories By Bill Roth

Bill Roth is a Silicon Valley veteran with over 20 years in the industry. He has played numerous product marketing, product management and engineering roles at companies like BEA, Sun, Morgan Stanley, and EBay Enterprise. He was recently named one of the World's 30 Most Influential Cloud Bloggers.