PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin

PCI DSS and Logging: What You Need To Know
Dr. Anton Chuvakin
SecurityWarrior LLC
www.securitywarriorconsulting.com
Author of “PCI Compliance”
PCI Workshop
Indianapolis, May 2011

Outline
PCI DSS and logging
PCI logging myths and mistakes
The hardest + important: log review
Setting up a review process
Conclusions and Actions Items
Q&A

The Requirements

The Key Piece: Requirement 10
In brief:
Must have good logs
Must collect logs
Must store logs for 1 year
Must protect logs
Must review logs daily
(using an automated system)
Requirement 10 for Logging is in SAQ D ONLY!

Verizon Reports on Logs
5

… This Year
“If there is one positive note that we can squeeze out of these statistics around active measures, it’s that discovery through log analysis and review has dwindled down to 0%.”
6

PCI DSS Requirement 10.1
What it is?
“Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.”
What it means?
This means that every log of user action should have a user name in it
What will QSA check for?
”Verify through observation and interviewing the system administrator, that audit trails are enabled and active for system components”
What you MUST do?
Log all admin access, actions; make sure logs are tied to user names

What it is?
“Implement automated audit trails for all system components”
What it means?
Make sure you log all PCI-mandated events on all in-scope systems
”Through interviews, examination of audit logs, and examination of audit log settings” verify that this is being done”
What you MUST do?
Enable logging on all PCI DSS scope systems

What it is?
“Secure audit trails so they cannot be altered.”
What it means?
Collected logs must be protected from changes and unauthorized viewing
”Interview system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered”
What you MUST do?
Store logs on a secure system and log all access to logs

PCI DSS Requirement 10.5.3
What it is?
“Promptly back up audit trail files to a centralized log server or media that is difficult to alter.”
What it means?
Logs must be centrally collected
” Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter”
What you MUST do?
Deploy a log server to collect logs from all PCI systems

What it is?
“Review logs for all system components at least daily. Log reviews must include those servers that perform security functions…, authorization, and accounting protocol servers.”
What it means?
Collected logs must be reviewed daily
”Obtain and examine security policies … to verify that they include procedures to review … logs at least daily and that follow-up to exceptions is required. Through observation and interviews, verify that regular log reviews are performed for all system components.”
What you MUST do?
Establish a log review process and follow it

What it is?
“Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.”
What it means?
Collected logs must be stored for ONE YEAR.
”Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months’ logs for immediate analysis.”
What you MUST do?
Make sure that all PCI logs are stored for a year

Remember – You MUST Do This TODAY!
However …
…. while all of this sounds nice (?)
HOW to actually do it???

How NOT To Do it?
#4 PCI compliance = collecting logs
#3 You need to read every log every day?
#2 I can lie to a QSA about my daily review procedures

THE  “How NOT To Do It”
#1 Buy some kinda box (Log management, SIEM, etc) from a vendor and never touch it
15

So, How to Actually DO IT!?
How to actually
“WALK THE WALK”
from reading PCI DSS to having a compliance log management process
16

Log Policy
Adequate logging, that covers both logged event types and details
Log aggregation and retention (1 year)
Log protection
Log review
17

Log Policy Example
“Logs must have:
A timestamp
Protected data OR sensitive credential must never be included in a log”
“Logs produced by University IT resources must be examined on a regular basis in order to protect University IT resources and data. “
18

PCI Log Review
Log review practices, patterns and tasks – how to look? What to find?
Exception investigation and analysis – how to react when found?
Validation of these procedures and management reporting – how to prove?
19

Log Review At a Glance
20

Wait A Moment … Why?
Assure that card holder data has not been compromised by the attackers
Detect possible risks to cardholder data, as early as possible
Satisfy the explicit PCI DSS requirement for log review.
Maybe: help protect other data
21

Log Review Process
22

Example….
23

Baseline
Enable collection
Confirm message parsing
Select a baseline period: 90 days
Summarize messages by type over time
Remove known “bad messages”
Accept the baseline
24

Let’s Do It! Step 1
25

Baseline
Enable collection
Accept the baseline
26

Step 4
27

Baseline
Enable collection
Accept the baseline
28

Step 5 Known Bad EXAMPLES
Login and “access granted” log messages at unusual hour
Modifications log messages outside of a change window
Any log messages produced by expired user accounts
Reboot/restart messages outside of maintenance window
Backup/export of data outside of backup windows
Log data deletion
Logging termination on system or application
Any change to logging configuration
Any log message that has triggered any action in the past
29

Step 6
30

Investigations at a Glance
31

Review Log Entry
32

But Who Would Do That?
33

Escalate On Log Entry
34

Validation of PCI Log Compliance
Presence and adequacy of logging
Presence of log review processes and its implementation
Exception handling process and its implementation.
35

Project Plan
List of PCI in-scope systems AND applications
external, payment processing, others
Find out what logging is done on them
What events, what details
Close the gap between current and PCI-required levels
Plan log collection
Syslog, Windows, devices, databases, etc
Define retention period (1 year)
Create log review policies and procedures
Implement log review and other tasks – DO IT!

Conclusions
PCI and logs: log, collect, protect, review
A log box is NOT (not…not…not!) PCI compliance
Log policy is a tool to define what to log and how to look
Review process is the key part: think PURPOSE, not TOOLS
37

How To “Profit” From Compliance?
Everything you do for PCI compliance, MUST have security benefit for your organization!
Examples: log management, IDS/IPS, IdM, application security , etc

More Resources
Log reviews procedures and tasks: http://chuvakin.blogspot.com/search/label/PCI_Log_Review
Blog: www.securitywarrior.org
Podcast: look for “LogChat” on iTunes
Slides: http://www.slideshare.net/anton_chuvakin
Papers: www.info-secure.org and http://www.docstoc.com/profile/anton1chuvakin
Consulting: http://www.securitywarriorconsulting.com/

Want a PCI DSS Book?
“PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, service providers, vendors – and everybody else in PCI DSS land!
http://www.pcicompliancebook.info

Questions?
Dr. Anton Chuvakin
Security Warrior Consulting
Log management , SIEM, PCI DSS
Email:anton@chuvakin.org
Site:http://www.chuvakin.org
Blog:http://www.securitywarrior.org
Twitter:@anton_chuvakin
Consulting:http://www.securitywarriorconsulting.com

More on Anton
Consultant: http://www.securitywarriorconsulting.com
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Security Warrior Consulting Services
Logging and log management strategy, procedures and practices
Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
Help integrate logging tools and processes into IT and business operations
SIEM and log management content development
Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com

Dead But Not Forgotten..
Every time you think “PCI DSS OR security,”
god kills a kitten!

PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin

by Anton Chuvakin

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 17

Statistics