Despite the widespread adoption of logging as part of operational security practices, organizations have continued to be challenged in harnessing the value of effective log monitoring. Statistics indicate the average elapsed time between the first intrusion to detection of the compromise is a whopping 167 days. Improvements in technology have allowed malicious individuals to vastly improve their craft. As attackers become more advanced and agile, the importance of early detection and quick counter measures ensures that organizations can better protect their information assets. While logging and log monitoring has always been a requirement under PCI DSS, we see organizations continue to struggle with effective log monitoring, alerting and response
Continue reading for everything you need to know about PCI Effective Daily Log Monitoring or contact us now and let us guide you through PCI Compliance.
PCI Information Supplement: Effective Daily Log Monitoring
Fortunately, in May 2016, the PCI Security Standards Council released a helpful information supplement entitled “Effective Daily Log Monitoring”. The document is essentially a “how to” guide to not only implementing effective log-monitoring and management practices, but also provides suggestions on effectively operationalizing log monitoring to provide impactful results. The document provides guidance and insight into key areas that pose a significant challenge to many organizations.
Planning for Effective Log Monitoring
The first of these crucial areas is planning. Effective log-monitoring practices should start by determining logging requirements by including legal, regulatory, business, and operational requirements into your security monitoring program. By creating a comprehensive understanding of what your organization needs to accomplish, your IT organization can begin to define – at a high level – the types of activities to track as potential indicators of malicious or anomalous behaviour. The guide provides examples of common activities, as well as a foundation of knowledge allowing you to brainstorm.
Identify Potential Log Sources & Mapping to High-Level Events
The next step is to identify your potential log sources. Examples include: operating systems, web servers, network devices, tokenization systems, custom software applications, etc. As you determine the sources, documenting log source characteristics is essential as many systems and vendors do not conform to a standardized log format. Furthermore, for each system-level event, a high-level or summary event should be mapped in order to recognize, alert and action them.
Prioritize Log Sources & Who to Notify
Now that you know what to log, you need to prioritize your logs so that the most significant and high-risk targets are granted the appropriate level of visibility. As part of the process, you can determine which individuals and/or teams you will notify, should events occur, as well as account for the appropriate response procedures (such as your incident response plans) that the designated personnel should abide by.
Document Logging Requirements
In the final step of the planning phase, its advised that you review your logging policy and identified use-cases to ensure the documentation defines business, regulatory, compliance, and/or security requirements for log monitoring and that it is communicated to your key personnel.
Performing Effective Log Monitoring
Rather than developing log-monitoring methods as a tool or as technology, you should treat your log-monitoring program as a process that requires continuous improvement where tools and technology support the process. The PCI guidance provides a high-level methodology on creating an effective log-monitoring process. The key to effective analysis is to examine your log data within a specific time frame, as too large of a window will exhaust your resources, and too little a window may not provide enough data for analysis.
Establish a Baseline, Alerting & Response
Next, establish a baseline. Through recognizing patterns, considering other data sources to baseline, and defining common activity constraints and rules, you will start to evolve your logging program. Once operational baselines have been established, automated alerts can be created to notify appropriate personnel of behaviour that deviates from the baseline. Alerts must be responded to in a timely manner in order for their efficacy to be actualized. If your alerts are not investigated and validated in a timely manner, a malicious event could be missed, or a false anomaly could create chaos.
Respond to Incidents, Analyze Results & Continually Improve
Once you have confirmed a threat, incident response must be deployed as quickly as possible to isolate or halt the activity in order to mitigate the threat. After the event is resolved, you should be collect and analyze incident feedback in order to account for lessons learned. Based on the feedback, a formal report should be produced to establish a record of transpired events for future consultation. You can then incorporate findings from your incident review and evolve your log-monitoring program. Following these recommended steps can greatly aid your organization in creating effective processes which can turn in to material results.
The “Effective Daily Log Monitoring” information supplement provides strategies for organizations to consider when developing or reviewing their log monitoring, and supporting processes. As today’s information technology environments increase in complexity, this informational aid could not have been announced at a better time. By leveraging the new guide from the council, an organization will hope to reduce the challenges that surround logging. However, if your organization continues to struggle with effective log monitoring or any other areas of PCI, Control Gap is happy to help you reach your compliance goals.
Becoming PCI Compliant can be difficult, let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada.