
PCI DSS and Logging: What You Need To Know by Dr. Anton Chuvakin



Logging is a critical element in your security program, and it features prominently in PCI DSS. Many merchants, including higher-education institutions, have difficulty implementing all of the logging requirements. In this session one of the leading logging and SIEM experts maps the PCI DSS logging requirements to a set of actionable procedures and tasks that you can use to achieve and maintain compliance. Bring your questions!

Published in: Technology, Business


  1. PCI DSS and Logging: What You Need To Know
     Dr. Anton Chuvakin
     SecurityWarrior LLC
     Author of “PCI Compliance”
     PCI Workshop
     Indianapolis, May 2011
  2. Outline
     PCI DSS and logging
     PCI logging myths and mistakes
     The hardest and most important part: log review
     Setting up a review process
     Conclusions and action items
     Q&A
  3. The Requirements
  4. The Key Piece: Requirement 10
     In brief:
     Must have good logs
     Must collect logs
     Must store logs for 1 year
     Must protect logs
     Must review logs daily (using an automated system)
     Requirement 10 for logging is in SAQ D ONLY!
  5. Verizon Reports on Logs
  6. … This Year
     “If there is one positive note that we can squeeze out of these statistics around active measures, it’s that discovery through log analysis and review has dwindled down to 0%.”
  7. PCI DSS Requirement 10.1
     What is it?
     “Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.”
     What does it mean?
     Every log of a user action should have a user name in it
     What will the QSA check for?
     “Verify through observation and interviewing the system administrator, that audit trails are enabled and active for system components”
     What MUST you do?
     Log all admin access and actions; make sure logs are tied to user names
  8. PCI DSS Requirement 10.2
     What is it?
     “Implement automated audit trails for all system components”
     What does it mean?
     Make sure you log all PCI-mandated events on all in-scope systems
     What will the QSA check for?
     “Through interviews, examination of audit logs, and examination of audit log settings,” verify that this is being done
     What MUST you do?
     Enable logging on all PCI DSS in-scope systems
  9. PCI DSS Requirement 10.5
     What is it?
     “Secure audit trails so they cannot be altered.”
     What does it mean?
     Collected logs must be protected from changes and from unauthorized viewing
     What will the QSA check for?
     “Interview system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered”
     What MUST you do?
     Store logs on a secure system and log all access to the logs
  10. PCI DSS Requirement 10.5.3
     What is it?
     “Promptly back up audit trail files to a centralized log server or media that is difficult to alter.”
     What does it mean?
     Logs must be centrally collected
     What will the QSA check for?
     “Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter”
     What MUST you do?
     Deploy a log server to collect logs from all PCI systems
  11. PCI DSS Requirement 10.6
     What is it?
     “Review logs for all system components at least daily. Log reviews must include those servers that perform security functions…, authorization, and accounting protocol servers.”
     What does it mean?
     Collected logs must be reviewed daily
     What will the QSA check for?
     “Obtain and examine security policies … to verify that they include procedures to review … logs at least daily and that follow-up to exceptions is required. Through observation and interviews, verify that regular log reviews are performed for all system components.”
     What MUST you do?
     Establish a log review process and follow it
  12. PCI DSS Requirement 10.7
     What is it?
     “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.”
     What does it mean?
     Collected logs must be stored for ONE YEAR
     What will the QSA check for?
     “Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months’ logs for immediate analysis.”
     What MUST you do?
     Make sure that all PCI logs are stored for a year
  13. Remember – You MUST Do This TODAY!
     However …
     … while all of this sounds nice (?)
     HOW do you actually do it???
  14. How NOT To Do It?
     #4 PCI compliance = collecting logs
     #3 You need to read every log every day?
     #2 I can lie to a QSA about my daily review procedures
  15. THE “How NOT To Do It”
     #1 Buy some kinda box (log management, SIEM, etc.) from a vendor and never touch it
  16. So, How to Actually DO IT!?
     How to actually “WALK THE WALK”
     from reading PCI DSS to having a compliant log management process
  17. Log Policy
     Adequate logging that covers both logged event types and details
     Log aggregation and retention (1 year)
     Log protection
     Log review
  18. Log Policy Example
     “Logs must have:
     A timestamp
     Protected data OR sensitive credentials must never be included in a log”
     “Logs produced by University IT resources must be examined on a regular basis in order to protect University IT resources and data.”
  19. PCI Log Review
     Log review practices, patterns and tasks – how to look? What to find?
     Exception investigation and analysis – how to react when something is found?
     Validation of these procedures and management reporting – how to prove it?
  20. Log Review At a Glance
  21. Wait A Moment … Why?
     Assure that cardholder data has not been compromised by attackers
     Detect possible risks to cardholder data, as early as possible
     Satisfy the explicit PCI DSS requirement for log review
     Maybe: help protect other data
  22. Log Review Process
  23. Example…
  24. Baseline
     Enable collection
     Confirm message parsing
     Select a baseline period: 90 days
     Summarize messages by type over time
     Remove known “bad messages”
     Accept the baseline
  25. Let’s Do It! Step 1
  27. Step 4
  29. Step 5: Known Bad EXAMPLES
     Login and “access granted” log messages at an unusual hour
     Modification log messages outside of a change window
     Any log messages produced by expired user accounts
     Reboot/restart messages outside of a maintenance window
     Backup/export of data outside of backup windows
     Log data deletion
     Logging termination on a system or application
     Any change to logging configuration
     Any log message that has triggered any action in the past
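The baseline steps (slide 24) and the known-bad list (slide 29) carried through as a small review script. This is an added example, not code from the presentation or its author; it assumes a constructed "timestamp host program: message" log format, a handful of constructed sample lines, 08:00-17:59 as business hours, and implements three of the slide's known-bad patterns, flagging on top of them any message type never seen during the baseline period.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample logs (not from the presentation), "YYYY-MM-DD HH:MM:SS host program: message".
BASELINE_LOGS = [
    "2011-05-02 09:15:02 pos1 sshd: session opened for user alice from 10.0.0.5",
    "2011-05-03 10:02:45 pos2 sshd: session opened for user bob from 10.0.0.7",
    "2011-05-04 02:10:33 pos1 sshd: session opened for user carol from 10.0.0.8",  # 02:10 login
]
NEW_LOGS = [
    "2011-05-10 09:30:12 pos1 sshd: session opened for user alice from 10.0.0.5",
    "2011-05-10 03:12:55 pos2 sshd: session opened for user bob from 10.0.0.9",
    "2011-05-10 03:14:02 pos2 auditd: audit log /var/log/audit/audit.log deleted by user bob",
    "2011-05-10 11:00:00 pos1 rsyslogd: configuration changed, forwarding disabled",
]
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")
BUSINESS_HOURS = range(8, 18)  # assumption: logins outside 08:00-17:59 count as "unusual hour"
# Three of the slide's "known bad" patterns as (label, predicate on timestamp and message).
KNOWN_BAD = [
    ("login at unusual hour", lambda ts, m: "session opened" in m and ts.hour not in BUSINESS_HOURS),
    ("log data deletion", lambda ts, m: "/var/log/" in m and "deleted" in m),
    ("change to logging configuration", lambda ts, m: m.startswith("rsyslogd:") and "configuration changed" in m),
]

def parse(line):  # step 2: confirm parsing; an unparsed line must not be silently dropped
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparsed log line: " + line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def message_type(msg):  # collapse variable fields (IPs, user names, numbers) so lines group into types
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)
    msg = re.sub(r"\buser \S+", "user <user>", msg)
    return re.sub(r"\d+", "<n>", msg)

def known_bad(ts, msg):
    return [label for label, pred in KNOWN_BAD if pred(ts, msg)]

def build_baseline(lines):  # steps 4-6: count message types over the period, minus known-bad lines
    return Counter(message_type(msg) for ts, _h, msg in map(parse, lines) if not known_bad(ts, msg))

def review(lines, baseline):  # daily review: known-bad lines plus message types never seen in baseline
    findings = []
    for line in lines:
        ts, _h, msg = parse(line)
        findings += [(label, line) for label in known_bad(ts, msg)]
        if message_type(msg) not in baseline:
            findings.append(("new message type", line))
    return findings
```

Each finding is an exception to hand to the investigation step; the baseline itself is the summary a reviewer "accepts" and then re-uses for every daily review.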
  30. Step 6
  31. Investigations at a Glance
  32. Review Log Entry
  33. But Who Would Do That?
  34. Escalate On Log Entry
  35. Validation of PCI Log Compliance
     Presence and adequacy of logging
     Presence of log review processes and their implementation
     Exception handling process and its implementation
  36. Project Plan
     List of PCI in-scope systems AND applications
        external, payment processing, others
     Find out what logging is done on them
        What events, what details
     Close the gap between current and PCI-required levels
     Plan log collection
        Syslog, Windows, devices, databases, etc.
     Define retention period (1 year)
     Create log review policies and procedures
     Implement log review and other tasks – DO IT!
  37. Conclusions
     PCI and logs: log, collect, protect, review
     A log box is NOT (not…not…not!) PCI compliance
     Log policy is a tool to define what to log and how to look
     Review process is the key part: think PURPOSE, not TOOLS
  38. How To “Profit” From Compliance?
     Everything you do for PCI compliance MUST have a security benefit for your organization!
     Examples: log management, IDS/IPS, IdM, application security, etc.
  39. More Resources
     Log review procedures and tasks:
     Blog:
     Podcast: look for “LogChat” on iTunes
     Slides:
     Papers: and
     Consulting:
  40. Want a PCI DSS Book?
     “PCI Compliance” by Anton Chuvakin and Branden Williams
     Useful reference for merchants, service providers, vendors – and everybody else in PCI DSS land!
  41. Questions?
     Dr. Anton Chuvakin
     Security Warrior Consulting
     Log management, SIEM, PCI DSS
     Site:
     Blog:
     Twitter: @anton_chuvakin
     Consulting:
  42. More on Anton
     Consultant:
     Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
     Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
     Standard developer: CEE, CVSS, OVAL, etc.
     Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
     Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  43. Security Warrior Consulting Services
     Logging and log management strategy, procedures and practices
        Develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect those to solve organizational problems
        Plan and implement a log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration, as well as reporting, review and validation
        Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
        Help integrate logging tools and processes into IT and business operations
     SIEM and log management content development
        Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
        Create and refine policies, procedures and operational practices for logging and log management to satisfy the requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
     More at
  44. Dead But Not Forgotten…
     Every time you think “PCI DSS OR security,”
     god kills a kitten!