Many breaches go undetected for days or even months. Unauthorized access to the cardholder data environment can be identified and addressed proactively by regular log inspections by personnel or automated systems.
According to PCI DSS, the daily review process need not be manual. Using log collection, parsing, and alerting tools can help streamline the process by identifying log events that need review.
Companies that process credit card data or other types of payment card data understand the importance of complying with PCI DSS requirements. PCI DSS states that the purpose of Requirements 10 and 11.5 is to monitor and test networks regularly. PCI DSS includes the following requirements for monitoring and logging:
PCI DSS Requirement 10 requires you to monitor all access to network resources and cardholder data. Logging mechanisms and the ability to monitor user activities are critical to preventing, detecting, or minimizing the impact of a data breach.
The availability of logs across all environments provides comprehensive monitoring, alerting, and analysis when something goes wrong. Without system activity logs, it is challenging, if not impossible, to determine the cause of a compromise.
PCI DSS Requirement 10.6 requires that you review all system components’ logs and security events to identify anomalies or suspicious activity. Log collection, parsing, and alerting tools can be used to meet PCI DSS requirement 10.6.
You must review the following at least once a day, according to PCI DSS requirement 10.6.1:
- All security events
- Logs of all system components that store, process, or transmit CHD or SAD
- Logs of all critical system components
- Logs of all servers and system components performing security functions
You should periodically review logs from all other system components based on policy and risk management strategy, as determined by the annual risk assessment per PCI DSS requirement 10.6.2.
You must follow up on exceptions and anomalies identified during the review process per PCI DSS requirement 10.6.3.
Change detection mechanisms, such as file integrity monitoring tools, are required by PCI DSS Requirement 11.5 to notify personnel of unauthorized modification of critical system files, configuration files, or content files. File integrity monitoring software should be configured to perform critical file comparisons at least weekly. You must also implement a process for responding to alerts generated by the change detection solution.
What is the role of SIEM in PCI DSS compliance?
The main requirement of PCI DSS is continuous monitoring of the security controls built into the CDE. Organizations should deploy an existing SIEM solution or choose a new SIEM solution, but ensure that it can collect logs from all of the organization’s security controls.
PCI DSS Requirements 10 and 11.5 deal with regular monitoring of networks and implementing change detection mechanisms, respectively. PCI DSS emphasizes these two aspects so much because system logs are the only way to investigate and respond to security events such as data breaches.
With security auditing enabled on the in-scope systems, security information and event management (SIEM) solutions can continuously monitor networks as PCI DSS requires. A SIEM solution can generate the reports needed to periodically review audit information and trigger alerts for suspicious activity that poses a threat to data security.
It is important to note that your organization’s SIEM should never be configured to collect sensitive data in plaintext. PCI DSS does not allow cardholder data to be stored in raw form.
Sensitive credit card data should always be stored in encrypted form. From a SIEM perspective, all sensitive data should be masked before it is logged to the SIEM solution, because the SIEM is accessible to every user who needs it.
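The masking step described above, as an added example that is not part of the original article: a small filter that a log forwarder can apply before events leave the host. It finds digit runs in the PAN length range, uses the Luhn check to avoid masking order numbers and other long IDs, keeps at most the first six and last four digits, and strips sensitive authentication data (CVV, PIN) entirely. The log lines, field names and the HMAC key are constructed for the demo; the keyed correlation token is an assumption about how an analyst might still link events for one card without the PAN ever reaching the SIEM.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (not from the article). The card numbers are the
# widely published Visa/Mastercard test PANs, not real cards.
SAMPLE_LINES = [
    "2024-03-01T10:15:02Z pay-api INFO order=1182 pan=4111111111111111 amount=19.99",
    "2024-03-01T10:15:03Z pay-api INFO request id=1183 ref=1234567890 no card data",
    "2024-03-01T10:15:04Z pay-api WARN retry pan=5500000000000004 cvv=123 exp=12/29",
]

# Runs of 13-19 digits that are not part of a longer number: the PAN length range.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Sensitive authentication data (SAD) fields that must never reach a log at all.
SAD_RE = re.compile(r"\b(cvv2?|cvc|pin)=\S+", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; separates likely PANs from order numbers and other long IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display limit), X out the rest."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def correlation_token(pan: str, key: bytes) -> str:
    """Keyed hash so analysts can correlate events for the same card without storing the PAN.
    The key here is a demo assumption; in practice it lives in a KMS, not on the log host."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_line(line: str) -> str:
    """Mask Luhn-valid PANs and strip SAD fields before the line is forwarded to the SIEM."""
    def _mask(m: re.Match) -> str:
        candidate = m.group(1)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate

    line = PAN_RE.sub(_mask, line)
    return SAD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(sanitize_line(raw))
```

Run the filter as close to the source as possible (in the application logger or the forwarding agent) so that the unmasked value never sits in a queue or a local file that the SIEM later ingests.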
PCI DSS requires organizations to monitor all network connections and changes to firewall and router configurations. PCI DSS also addresses proper securing of the DMZ, since all connections between the internal and untrusted networks pass through it. In addition, you need to monitor inbound and outbound traffic between the CDE and the Internet.
It is best to collect logs from all perimeter security devices such as firewalls, routers, and IDS/IPS. The organization should then adopt the following practices to meet the perimeter security requirements of PCI DSS:
- You need to develop SIEM use cases to detect all unauthorized network connections to and from your IT assets covered by PCI DSS.
- You need to monitor unsafe protocols, services, and ports opened on endpoint devices.
- SIEM can be used to monitor how traffic flows between internal and publicly accessible services across the DMZ. By analyzing flow data, you need to check for inbound and outbound traffic that is not destined for legitimate servers.
PCI DSS places great emphasis on managing users’ identities, such as adding, changing, and deleting user credentials. There should also be a monitoring control regarding access by terminated users. PCI DSS also requires you to monitor vendor IDs or guest accounts.
User monitoring is the control most often overlooked by organizations and, therefore, the most difficult to maintain. However, you can maintain user controls with SIEM as follows:
- You must develop a SIEM use case for any event that results in adding, deleting, and modifying user IDs, credentials, and other identifying objects.
- You must monitor all authentication events made by terminated users.
- You should monitor any access activity related to inactive accounts.
Endpoint security is a critical area that needs to be reexamined when monitoring for PCI DSS. PCI DSS has some stringent requirements for endpoint host security. All unnecessary services and scripts should be disabled on the endpoint host.
In addition, PCI DSS emphasizes the use of antivirus solutions on the host. These solutions must not only be deployed but also maintained and fully patched. This may appear straightforward, but it can be difficult for enterprises to manage owing to a lack of vital documentation; SIEM can help with this:
- Ensure that the SIEM solution collects antivirus logs. Then look for “protection disabled” warnings in the logs.
- A reference list of all unsafe ports and services can be maintained for comparison against what is observed running.
- Third-party feeds should be integrated, detecting all ports, protocols, and services known for security vulnerabilities.
PCI DSS has some audit control requirements that can also be met with SIEM solutions. When PCI DSS discusses these controls, the scope is limited to the cardholder data environment. This includes creating and deleting system-level objects as well as auditing the use of root or administrator privileges. More importantly, PCI DSS also looks for any interaction with the logs themselves. For these audit requirements, SIEM can assist as follows:
- Collect system logs and all actions performed by anyone with root or administrator privileges.
- Enable auditing of the audit files themselves and review access-related events.
- The SIEM solution should alert when system-level objects such as databases, tables, or stored procedures are created or deleted.
- The SIEM solution should alert when audit services are stopped on an in-scope host.
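The SIEM use cases listed in the user, endpoint, and audit sections above, as one added example that is not part of the original article: a minimal rule engine run over constructed events. Each rule is a predicate over normalized fields, tagged with the PCI DSS v3.2.1 sub-requirement it supports (the same numbering scheme the article uses; the mapping is my reading, not the article's). The event format, host names, user names and reference lists (terminated users, privileged accounts, audit services) are all constructed for the demo; a real deployment feeds them from the identity system and the SIEM's own normalization layer.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed events in a simple key=value format (an assumption; a real SIEM
# normalizes each vendor's format into fields like these first).
SAMPLE_EVENTS = [
    "ts=2024-03-01T02:10:00Z host=pos-db-01 src=auth user=jsmith action=login result=success",
    "ts=2024-03-01T02:11:00Z host=pos-db-01 src=auth user=root action=login result=success",
    "ts=2024-03-01T02:12:00Z host=pos-app-02 src=av action=protection_disabled user=svc_deploy",
    "ts=2024-03-01T02:13:00Z host=pos-db-01 src=db action=drop_table object=card_tokens user=dba1",
    "ts=2024-03-01T02:14:00Z host=pos-db-01 src=system action=service_stop service=auditd user=root",
    "ts=2024-03-01T02:15:00Z host=pos-app-02 src=iam action=user_add user=admin target=tmpuser",
    "ts=2024-03-01T02:16:00Z host=pos-app-02 src=auth user=bwayne action=login result=failure",
]

# Reference lists the rules need. Constructed here; in practice the terminated-user
# list comes from HR / the identity system and is refreshed at least daily.
TERMINATED_USERS = {"jsmith"}
PRIVILEGED_USERS = {"root", "administrator"}
AUDIT_SERVICES = {"auditd", "rsyslog", "syslog-ng"}
SYSTEM_OBJECT_ACTIONS = {"create_table", "drop_table", "create_procedure", "drop_procedure"}
IDENTITY_ACTIONS = {"user_add", "user_del", "user_mod", "cred_reset"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict of string fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


@dataclass(frozen=True)
class Rule:
    name: str
    pci_ref: str  # PCI DSS v3.2.1 sub-requirement this use case supports (my mapping)
    match: Callable[[Dict[str, str]], bool]


RULES: List[Rule] = [
    Rule("terminated-user-auth", "8.1.3",
         lambda e: e.get("src") == "auth" and e.get("user") in TERMINATED_USERS),
    Rule("privileged-login", "10.2.2",
         lambda e: e.get("action") == "login" and e.get("result") == "success"
         and e.get("user") in PRIVILEGED_USERS),
    Rule("av-protection-disabled", "5.3",
         lambda e: e.get("src") == "av" and e.get("action") == "protection_disabled"),
    Rule("system-object-change", "10.2.7",
         lambda e: e.get("action") in SYSTEM_OBJECT_ACTIONS),
    Rule("audit-service-stopped", "10.2.6",
         lambda e: e.get("action") == "service_stop" and e.get("service") in AUDIT_SERVICES),
    Rule("identity-change", "10.2.5",
         lambda e: e.get("src") == "iam" and e.get("action") in IDENTITY_ACTIONS),
]


def run_rules(lines: List[str]) -> List[Dict[str, str]]:
    """Evaluate every rule against every event; one alert per (event, rule) hit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for rule in RULES:
            if rule.match(event):
                alerts.append({"rule": rule.name, "pci_ref": rule.pci_ref,
                               "ts": event.get("ts", ""), "host": event.get("host", ""),
                               "user": event.get("user", "")})
    return alerts


def daily_review_summary(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Hits per use case: the starting point for the Requirement 10.6.1 daily review."""
    summary: Dict[str, int] = {}
    for a in alerts:
        summary[a["rule"]] = summary.get(a["rule"], 0) + 1
    return summary


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
    print(daily_review_summary(run_rules(SAMPLE_EVENTS)))
```

Each alert keeps the host, user and timestamp so the 10.6.3 follow-up on an exception starts from the evidence rather than from a bare rule name. The failed login by an active, non-privileged user produces no alert on its own; counting repeated failures per user is a thresholded use case that belongs in the alert profile rather than in a single-event rule.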
What are the features of SIEM that help PCI DSS compliance?
The increasing complexity of cyber attacks and the growing number of credit card breaches have made PCI DSS compliance more critical than ever. However, PCI DSS compliance should not be seen as a separate information security application. Instead, it should be embedded in an organization’s overall IT security strategy.
Organizations need to assess their current security posture and take steps to fill security gaps, which typically includes the implementation of security policies and the deployment of various solutions.
Proactive security monitoring controls are more important than ever. Log management is something IT security professionals have focused on for many years, and SIEM solutions have been around for a long time, even before large-scale cyber-attacks became commonplace.
Technical measures regarding log tracking appear throughout the 12 PCI DSS requirements, including Requirement 10, which calls for a well-defined log tracking process. The purpose of the daily monitoring requirements is to ensure that organizations can discover and mitigate threats before the organization becomes a victim.
For security teams, this can be effectively summed up as:
- You should review logs daily, ideally in near real-time.
- You should audit for changes that could compromise security.
- You must flag anomalies and suspicious activity.
- You need to investigate security incidents.
- You must ensure data integrity, including authorized accesses and modifications.
- You should securely archive the collected logs in case they are needed to conduct a forensic investigation in the future.
PCI DSS delves into the above log requirements and specifies several essential aspects of log management. In addition, PCI DSS sets out which details each log entry should contain, which events constitute a security event, the minimum period for which logs must be kept, and more.
Although a SIEM is not required in order to be PCI DSS compliant, using a state-of-the-art SIEM solution will make your work in the PCI DSS compliance process much more manageable. The features of a SIEM solution that can help meet PCI DSS requirements are as follows:
- Log collection, analysis, and reporting
- Log archive
- File integrity monitoring (FIM)
- User behavior monitoring
- Change control
- Real-time alerting
- Threat detection, response, and management
A SIEM solution can help you stay compliant with the PCI DSS in the long run.
SIEM is a comprehensive monitoring solution that can monitor security events occurring in a network in real time. Most SIEM solutions provide security monitoring capabilities, including built-in reports and alert profiles for PCI DSS Requirements 10 and 11.5. SIEM features that help PCI DSS compliance include:
Central Daily Log Collection
Security teams must first identify the different systems in their environment that store or process cardholder data and then configure logging on them. Logging must be enabled for all network systems and devices covered by PCI DSS.
Logging of all resources allows IT security professionals to monitor accesses and other activities on network resources that deal with cardholder data. The SIEM solution can collect logs from all the different systems that store or process cardholder data. The SIEM solution collects log data from servers, databases, network devices, and other systems for practical analysis of audit information.
Continuous Log Review and Reporting
The SIEM solution can transform the collected raw log data into actionable information. Audit information is presented as intuitive charts and dashboards, making it easier to understand.
Security teams can also schedule reports on the SIEM to review security events daily. Typically, SIEM solutions ship with reports for PCI DSS Requirements 10 and 11.5 that are generated automatically once log sources are added for monitoring. The reports systematically list the PCI DSS sections and map findings to their respective subsections.
In addition, SIEM solutions’ advanced log search engine allows security personnel to select and analyze events of interest when investigating a security incident.
Log Retention and Archiving
Log data stored should be easily accessible when needed for forensic investigation. PCI DSS requires that collected log data be retained for at least one year. Most SIEM solutions can be configured to retain log data collected for any desired retention period.
If a forensic investigation is required, the archived log data can be loaded back into the database and searched.
Attackers often try to modify audit logs so that their activity goes undetected. Therefore, PCI DSS expects log data to be protected and tamper-proof. The SIEM solution can encrypt archived log files to ensure security.
Additionally, the SIEM solution can increase log security by using techniques such as hashing and timestamping to ensure archived logs are not tampered with.
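The hashing and timestamping technique mentioned above, as an added example that is not part of the original article: a tamper-evident archive built as a hash chain, where each archived record carries its archive timestamp and an HMAC over the previous entry's MAC, its sequence number, the timestamp and the record itself. Editing, reordering or deleting an entry breaks the chain at that point. The records, timestamps and key are constructed for the demo; the key must be held by the archive service (ideally in a KMS or HSM) and never be readable from the hosts whose logs it seals.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed key for the demo only.
DEMO_KEY = b"constructed-demo-key"

# Constructed archived records (assumption: one log line per record).
SAMPLE_RECORDS = [
    "2024-03-01T02:11:00Z pos-db-01 sshd: Accepted publickey for root from 10.0.5.20",
    "2024-03-01T02:14:00Z pos-db-01 systemd: Stopped auditd.service",
    "2024-03-01T02:14:05Z pos-db-01 sudo: dba1 : COMMAND=/usr/bin/systemctl stop auditd",
]

GENESIS = "0" * 64  # chain anchor for the first entry


def _mac(key: bytes, prev: str, seq: int, ts: str, record: str) -> str:
    # Canonical JSON so the MAC input is unambiguous; prev chains each entry to the one before.
    payload = json.dumps([prev, seq, ts, record], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def seal_records(records: List[str], timestamps: List[str], key: bytes = DEMO_KEY) -> List[Dict]:
    """Build the chain: each entry = archive timestamp + MAC over (prev MAC, seq, ts, record)."""
    entries, prev = [], GENESIS
    for seq, (rec, ts) in enumerate(zip(records, timestamps)):
        mac = _mac(key, prev, seq, ts, rec)
        entries.append({"seq": seq, "ts": ts, "record": rec, "prev": prev, "mac": mac})
        prev = mac
    return entries


def verify_chain(entries: List[Dict], key: bytes = DEMO_KEY) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first entry that fails).
    Detects edits, reordering, and deletion or insertion anywhere before the last entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        expected = _mac(key, prev, e["seq"], e["ts"], e["record"])
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["mac"]
    return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Seal the constructed records, then show what verification reports after tampering."""
    ts = ["2024-03-02T00:00:01Z", "2024-03-02T00:00:02Z", "2024-03-02T00:00:03Z"]
    chain = seal_records(SAMPLE_RECORDS, ts)
    edited = json.loads(json.dumps(chain))  # deep copy
    edited[1]["record"] = edited[1]["record"].replace("Stopped", "Started")
    deleted = [chain[0]] + chain[2:]  # entry 1 removed
    return {"intact": verify_chain(chain), "edited": verify_chain(edited), "deleted": verify_chain(deleted)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

One caveat a practitioner should keep in mind: a chain like this cannot detect truncation of its newest entries on its own, because the tail simply ends earlier. Periodically record the latest MAC in a separate system (a write-once store, a ticket, or a signed timestamp from a time-stamping authority) so that the expected chain head is known independently of the archive.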
File Integrity Monitoring
According to PCI DSS, a change tracking tool, such as a file integrity monitoring (FIM) tool, should be utilized to notify security teams of unauthorized changes to critical system files.
If the SIEM system has FIM capabilities, security personnel can centrally monitor changes made to sensitive files and folders, including files and folders that are created, accessed, read, deleted, modified, and renamed.
Ultimately, the FIM-capable SIEM solution will know who accessed an object, which object was accessed, when the operation was performed, and what the object’s new value is. This provides an audit trail of access to and changes in data and helps maintain the integrity of cardholder data.
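The baseline-and-compare cycle behind file integrity monitoring, covering both the weekly critical-file comparison under Requirement 11.5 described earlier and the FIM section here, as an added example that is not part of the original article: a SHA-256 baseline of every file under a monitored root, then a comparison that reports added, removed, modified and permission-changed files. The monitored tree, its file contents and the simulated changes are all constructed inside a temporary directory so the demo runs offline; a real deployment would store the baseline off-host and feed the report to the SIEM as an alert.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]  # relative path -> (sha256 hex, permission bits)


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Baseline:
    """Record digest and mode for every regular file under root."""
    baseline: Baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = (file_digest(p), p.stat().st_mode & 0o777)
    return baseline


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Diff two baselines; a content change takes precedence over a permission-only change."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k][0] != current[k][0]),
        "permission_changed": sorted(
            k for k in common if baseline[k][0] == current[k][0] and baseline[k][1] != current[k][1]
        ),
    }


def simulate_weekly_check() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, apply four kinds of change, run the comparison."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=pos-db-01\n")
        (root / "etc" / "tls.pem").write_text("-----BEGIN CERTIFICATE-----\nconstructed\n")
        (root / "bin").mkdir()
        (root / "bin" / "pay").write_bytes(b"\x7fELF constructed")
        os.chmod(root / "bin" / "pay", 0o755)
        baseline = build_baseline(root)

        # Simulated changes between two scheduled checks
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.7\n")  # content edit
        (root / "etc" / "tls.pem").unlink()                              # deletion
        (root / "etc" / "new-cron.sh").write_text("#!/bin/sh\n")          # unexpected new file
        os.chmod(root / "bin" / "pay", 0o777)                             # permission loosened

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in simulate_weekly_check().items():
        print(f"{kind}: {paths}")
```

Comparing permission bits as well as content matters because a world-writable binary is a change to the integrity of the system even when its bytes are identical; the report separates the two so that the response process can treat them differently.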
The SIEM solution can generate alerts for critical events that could compromise the security of systems that store or process payment card data. Alert profiles can be modified depending on thresholds and other criteria, and prepackaged PCI DSS alerts can be enabled.
Security teams can receive these alerts via email or SMS. Additionally, the SIEM solution can execute a custom script when an alert is triggered to automate threat responses.
User Activity Monitoring
Monitoring user activity is a must to keep internal threats under control. SIEM solutions can monitor users in real time and provide a complete audit trail of all user activities in their reports.
Additionally, the SIEM solution can focus on monitoring the actions of privileged users, including critical changes they make to systems.