Effective Daily Log Monitoring - PCI Security Standards

Standard: PCI Data Security Standard (PCI DSS)
Version: 1.0
Date: May 2016
Author: Effective Daily Log Monitoring Special Interest Group, PCI Security Standards Council
Information Supplement: Effective Daily Log Monitoring

Information Supplement: Effective Daily Log Monitoring, May 2016

Document Changes

Date       Document Version   Description       Pages
May 2016   1.0                Initial release   All

The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in any PCI SSC Standard.

Table of Contents

1 Introduction ................................................................ 5
  1.1 Detective Measures in Information Systems ............................... 5
  1.2 The Need for Log Monitoring ............................................. 6
  1.3 Log-Monitoring Challenges ............................................... 6
  1.4 Guidance in this Document ............................................... 7
  1.5 Assumptions ............................................................. 8
2 Log-Monitoring Requirements in PCI DSS ...................................... 9
  2.1 Key Terms ............................................................... 9
  2.2 Requirement 10.6 ........................................................ 11
  2.3 Other Important PCI DSS Requirements Related to Log Monitoring .......... 13
  2.4 Section Summary ......................................................... 15
3 Planning for Effective Log Monitoring ....................................... 16
  3.1 Determine Your Logging Requirements ..................................... 16
  3.2 Define the High-Level Activities You Wish to Monitor .................... 16
  3.3 Identify Potential Log Sources .......................................... 18
  3.4 Document Log Source Characteristics ..................................... 19
  3.5 Identify and Map System-Level Event Messages to High-Level Events ....... 21
  3.6 Prioritize Log Sources .................................................. 21
  3.7 Determine Who to Notify When Security Events Occur ...................... 22
  3.8 Determine What Should Be Done in Response to Security Events ............ 23
  3.9 Document Logging Requirements ........................................... 23
4 Preparing for Effective Log Monitoring ...................................... 25
  4.1 Identify the Tools & Resources to be Used for Log Management ............ 25
  4.2 Establish Central Repository for Log Data ............................... 25
  4.3 Transport Logs to the Centralized Repository ............................ 27
  4.4 Prepare Log Data for Processing ......................................... 27
5 Performing Effective Log Monitoring ......................................... 29
  5.1 Collect and Analyze Activity Data ....................................... 30
  5.2 Establish a Baseline .................................................... 30
  5.3 Configure Automated Alerts .............................................. 31
  5.4 Respond to Alerts ....................................................... 32
  5.5 Validate Events ......................................................... 32
  5.6 Respond to Incidents .................................................... 33
  5.7 Collect and Analyze Incident Data ....................................... 33
  5.8 Report on Results ....................................................... 33
  5.9 Perform Periodic Program Reviews ........................................ 34
  5.10 Make Updates Where Necessary ........................................... 34
6 Applying Effective Log Monitoring ........................................... 35
  6.1 Business-as-Usual Activities ............................................ 35
  6.2 Summary ................................................................. 36
Appendix A: Use Case Example .................................................. 38
Acknowledgements .............................................................. 40
References .................................................................... 41
Additional Resources .......................................................... 42
About the PCI Security Standards Council ...................................... 43

1 Introduction

One of the key tenets of almost any information security program is the concept of “defense in depth.” Defense in depth is a tactical strategy for preventing the loss or compromise of assets through the implementation of an overlapping system of defenses consisting of multiple protective levels such that the failure of any single defense would not cause the failure of the entire system of defenses.

A defense-in-depth strategy typically involves a combination of preventive, detective, and corrective security measures. A rudimentary example of how defense in depth has been employed historically is a combination of fortress walls (preventative) with watchmen perched atop them at strategic points (detective). While this strategy has proven successful for thousands of years, history has also shown time and time again that attacks and attackers are continuously evolving. At some point, adversaries will develop the capabilities to defeat almost any defensive measure. The ability to quickly detect such circumstances and to adapt defensive tactics to counter attacks is paramount to the ongoing protection of assets. Successful detection of evolving attack techniques is predicated on having actionable intelligence. Having actionable intelligence requires that security defenses and the state of assets be continuously monitored. You would not build fortress walls to keep out intruders and then leave the walls unmanned. If security defenses were not continuously monitored, how would one know if an attack had compromised them? If we do not know the state of our defenses, how can we possibly know the status of our most valuable assets? Simply checking the vault to see whether the assets are still there is no longer sufficient, particularly in an age where a copy of an asset is as valuable as the asset itself, and the loss of the copy is as damaging as—if not more so than—the loss of the original.

1.1 Detective Measures in Information Systems

Since the advent of modern electronic computers, the concept of defense in depth has been widely employed in the protection of information systems. However, similar to the issues affecting historical assets, modern adversaries will eventually develop the capabilities to defeat some information system security defenses. Fortunately, in today’s world, detection capabilities are built into most information systems by default through the implementation of logging mechanisms, which can provide organizations the actionable intelligence they need to help defend against evolving attack techniques.

Logging is functionality typically provided by things like operating systems, network devices, and software applications, which generate computerized messages when specific events occur. Those messages are captured in what is generally referred to as a “log” and may reflect a variety of events including the use of specific system resources, system status changes, and general performance issues. Logs are valuable sources of information because they provide a chronological record of events and activities that have taken place on information systems.

Originally created for troubleshooting errors and performance issues, logs have evolved to become the primary source of information on events related to information system security. System or application authentication attempts, file or data accesses, security-policy changes, and user-account changes are all examples of events that are now captured in security logs [1]. In fact, because of the widespread deployment of networked servers, workstations, and other computing devices, and the ever-increasing number of threats against networks and systems, the number, volume, and variety of security logs have increased substantially (Kent & Souppaya, 2006). This provides organizations with a wealth of information relating to the state and effectiveness of information security measures deployed to protect the organization’s information systems.

[1] For the purposes of this document, the terms “security log,” “audit log,” and “audit trail” are used interchangeably except where otherwise noted.

1.2 The Need for Log Monitoring

Having security logs and actively using them to monitor security-related activities within the environment are two distinctly different concepts. This sounds obvious, but many organizations confuse the former with the latter. Logging system messages and events in security logs may prove helpful—even essential—during post-breach forensic investigations. But having security logs without procedures to actively review and analyze them is of little use in the ongoing management of information security defenses, and is the modern equivalent of fortress walls without watchmen. For security logs to be useful in the defense of information assets, they must be monitored and analyzed—in as close to real-time as possible—so that attacks can be detected quickly and appropriate countermeasures deployed to augment existing defenses when and where necessary. This becomes increasingly important as attacks and attackers become more sophisticated. Without the active monitoring and analysis of security logs, the erosion of information security defenses by capable adversaries will likely go undetected and will eventually result in the compromise of the very assets that require protection.

1.3 Log-Monitoring Challenges

Advancements in technology have enabled those with malicious intentions to improve their craft. As attacks and attackers become more sophisticated and agile, it becomes increasingly important that we as security practitioners become more adept at maintaining and evolving effective measures to protect our information assets. This includes improving our ability to detect attacks and security failures before they lead to data breaches. Unfortunately, we do not seem to be very capable of doing that at the moment, as statistics indicate the time between system compromise and detection is averaging weeks and months when it should be measured in hours and days (Ponemon Institute, 2015). This situation is exacerbated by the glut of vulnerabilities that exist in today’s information systems and the challenges associated with keeping systems up-to-date on security patches. There are only so many security resources available to perform security-related activities and, in many organizations, other activities including vulnerability management take priority over log monitoring (Black Hat, 2015).

The number of systems generating log data is rapidly expanding as well. The growth in the use of virtualization technologies and the emergence of on-demand scalability of computing resources have allowed many organizations to pack more systems and applications into increasingly smaller hardware architectures. Where there used to be a practical limit on the amount of physical space available to house information systems, virtualization—and cloud-based services in particular—have essentially nullified that issue. The rapid increase in system density has also resulted in exponential growth in the volume of log data that is produced. This, in turn, has put tremendous pressure on security teams to process increasing volumes of information more quickly without additional resources to assist in the process. Additionally, logs do not necessarily speak the same language. There is no universally adopted standard for structuring or formatting log data. Logs can exist in numerous forms. Some systems and devices generate logs in the form of human-readable text files, while other systems generate log data in machine-readable data files or within relational databases. Some systems may even generate logs in proprietary formats. There is also no consistency in how event information is articulated within log files. The same event occurring on two different systems may be described completely differently by those two systems.

As mentioned previously, these issues place a substantial burden on security practitioners. It’s no wonder that—given the amount of overhead seemingly required to manage and analyze log data and the limited number of resources that are available to do this work—many organizations come to the conclusion that the benefits of actively monitoring security logs do not outweigh the costs, and simply choose to devote resources elsewhere. In order to become more effective at log monitoring, organizations need to adopt a structured approach for generating, transmitting, storing, and analyzing security log data in the most efficient manner possible. Log-management processes must align with the organization’s risk management strategy so that resources can be best utilized in the most effective and cost-efficient manner. The approach must be customized to the organization’s specific business mission, and support the culture and technology unique to the organization.

1.4 Guidance in this Document

There are many valuable resources available both in print and on the Internet to help organizations address the challenges of maintaining effective log-management processes. This document seeks to address these challenges by explaining the intent behind PCI DSS Requirements for log monitoring, and providing guidance on the planning, implementation, and application of effective log-monitoring and management practices. However, the primary focus of this document is log monitoring within the context of PCI DSS, and all discussions are intended to provide those with PCI DSS compliance obligations guidance on improving compliance with PCI DSS log-monitoring requirements. Those looking for more general guidance on the topic of logging and log management should refer to the “References” section at the end of this document for a list of resources that should be considered for further reading.

This document is not intended to be a step-by-step guide for performing log monitoring and management, nor does it guarantee that the implementation of the tools and techniques mentioned herein will result in PCI DSS compliance. This document is intended to provide an overview of the key activities that comprise an effective log-monitoring program. The information in this document is intended as supplemental guidance and does not supersede, replace, or extend PCI DSS requirements.

1.5 Assumptions

The guidance in this document assumes readers are familiar with PCI DSS requirements, testing procedures, and scoping guidance, and possess an understanding of computer information systems, network technologies, and general IT principles and terminology. This document also assumes readers have some experience with security log monitoring as well as popular logging platforms such as Syslog or Windows Event Log.
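Section 1.3 notes that the same event may be articulated completely differently by two systems, and Section 1.5 names Syslog and Windows Event Log as the platforms readers are expected to know. The usual defensive answer is to normalize every source into one common event schema before analysis, so that a reviewer counts "failed logons from one address" regardless of which platform reported them. The Python below is an added illustration, not code from the PCI SSC document: the two log lines and both record layouts are constructed for the example, and the "auth_failure" event name and the year supplied for the syslog timestamp are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records (not taken from the PCI document): one failed
# login as a Linux syslog-style sshd line, and the same kind of event as a
# flattened Windows-style key=value security record. Both layouts are assumed.
SYSLOG_LINE = ("May 10 14:03:22 web01 sshd[2213]: Failed password for "
               "invalid user admin from 203.0.113.7 port 51022 ssh2")
WINEVT_LINE = ("2016-05-10T14:03:25Z host=dc01 channel=Security outcome=Failure "
               "account=admin src=203.0.113.7 event=logon")

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WINEVT_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def normalize(line: str, year: int = 2016) -> Optional[dict]:
    """Map one raw line to a common event record, or None if unrecognized."""
    m = SYSLOG_RE.match(line)
    if m:
        # Classic syslog timestamps omit the year, so the collector supplies it.
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                "event": "auth_failure", "source_format": "syslog"}
    m = WINEVT_RE.match(line)
    if m:
        # Only well-formed key=value tokens are kept; stray words are ignored.
        kv = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
        if kv.get("event") == "logon" and kv.get("outcome") == "Failure":
            try:
                ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            except ValueError:
                return None  # timestamp not in the expected layout
            return {"ts": ts, "host": kv.get("host", ""), "user": kv.get("account", ""),
                    "src": kv.get("src", ""), "event": "auth_failure", "source_format": "windows"}
    return None


def failures_by_source(lines, year: int = 2016) -> dict:
    """Count normalized authentication failures per source address, across formats."""
    counts = {}
    for line in lines:
        ev = normalize(line, year)
        if ev is not None and ev["event"] == "auth_failure":
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts
```

Once both sources land in the same schema, the per-address count is a single query rather than one rule per platform, which is the point of preparing log data for processing before attempting review.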

2 Log-Monitoring Requirements in PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is based on the concept of defense in depth and includes a variety of preventive, detective, and corrective information security measures (also called “security controls”). Moreover, PCI DSS includes requirements devoted to the use of log monitoring in the ongoing protection of information assets, addressing the need for proactive monitoring of security logs in Requirement 10.6:

    10.6 Review logs and security events for all system components to identify anomalies or suspicious activity

The key elements of PC
