Log Management in PCI Compliance

Security professionals have come to realize that ensuring data security and integrity is critical to business continuity and risk mitigation. However, with increasing amounts of data flooding our ever more complex networks, the risk of stolen or lost – with you unable to prove that it was not stolen – information continues to rise. Online merchant networks are particularly at risk from both classic computer attacks and more insidious fraud. At the same time, the more customer data is collected, the more dangerous the situation becomes. In response to this trend and to prodding from major credit card companies, new security measures are being implemented by merchants and other businesses to protect the data their customers trust them with (or don’t even know they have).

Today, all credit card merchants, service providers and retailers who process, store and transmit cardholder data have a responsibility to protect that data and must comply with a diverse range of regulations and industry mandates as well as a growing list of voluntary “best practices” frameworks. These include the venerous Sarbanes-Oxley bill (better known as SOX or SarbOx), the Payment Card Industry (PCI) data security standard, the Gramm-Leach-Bliley Act of 1999 and even HIPAA (healthcare providers take credit cards too!). Not complying with the above might result in fines, legal exposure, or both, although it is widely known that the regulation differ wildly in regards to their “teeth.” For instance, it was reported that nobody was ever fined for being out of compliance with HIPAA.

But this is easier said than done. Immense volumes of log data are being generated on such payment networks, necessitating more efficient ways of managing, storing and searching through log data, both reactively – after a suspected incident – and proactively – in search of potential risks. For example, a typical retailer generates hundreds of thousands of log messages per day amounting to many terabytes per year. An online merchant can generate upwards of 500,000 log messages every day. One of America’s largest retailers has more than 60 terabytes of log data on their systems at any given time. At the same time, unlike other companies, the retailed often have no option of not caring for logging.

The importance of effective and efficient log data management in payment networks cannot be under emphasized. In fact, the result of data mismanagement can be devastating. Retail Ventures Inc., for example, lost personal customer information from 108 stores in its DSW Shoe Warehouse subsidiary, an incident that involved 1.4 million credit cards used to make purchases. The lost data consisted of account numbers, names, and transaction amounts. Similarly, CardSystems was sued in a series of class action cases alleging it failed to adequately protect the personal information of 40 million consumers. At an individual cost of $30 per consumer the costs of repairing the damage could be as high as $1.2 billion. What is interesting is that in a latter case, only a smaller number of cards was “confirmed stolen”, while the rest were not “confirmed safe,” since there were no logs to prove that they were not.

Addressing PCI not only protects businesses and merchants from cardholder fraud, but also satisfies a broader mandate for information protection and security. Several retailed stated that complying with PCI makes them automatically compliance with SOX, due to more stringent and more specific requirements described in the PCI standard. Additional benefits include improved operational efficiencies through broad compliance (even likely with future regulations!), reduced IT administration and maintenance costs, reduced IT labor costs and greater IT productivity. At the same time, some see complying with PCI as another compliance burden for companies, especially if IT resources are limited and focused on a day-to-day grind of “firefighting.” To cost-effectively and efficiently comply with PCI, companies should look at log management and intelligence (LMI) solutions to simplify the process of collecting, storing and managing log data to both satisfy the reporting and monitoring requirements, audit log collection requirements as well as enable better incident response and forensics.

PCI Compliance Combats Fraud and Improves Security
In most cases, when a customer clicks the “buy” button on a web site, a number of things happen on the backend. An application server connects to a database, multiple records are updated and sometimes a connection to a separate payment application is initiated. All those activities generate log files in various places: on the servers, applications, databases as well as on network and security infrastructure components. At the same time, the attackers know that there might be vulnerabilities in these processes and technologies that leave data unprotected. Internal threats such as insider misuse are of even greater concern in this case, since there are no perimeter defenses stopping such attackers.

According to recent FBI survey, financial fraud is the second-largest category of hacking events on the Internet today. Similarly, Gartner estimates that 20-30% of Global 1000 companies suffer losses due to mismanagement of private and confidential information. The costs to recover from these mistakes could reach up to $5-20 million per company, as it happened in a few recent cases affecting both commercial and government entities. Additionally, it is well known. brand damage results from waning consumer trust.

PCI Requirements Center on Security and Authorized Access
Complying with PCI, merchants and service providers not only meet their obligations to the payment system but create a culture of security that benefits everyone, including the top executives. The security requirements of PCI extend to all system components that are connected to the cardholder data environment:

  • Network components: firewalls, switches, routers, intrusion prevention and detection systems, proxies and content filters, wireless access points as well as other network and security appliances.
  • Servers: web, database, authentication, domain name service (DNS), mail, network time protocol (NTP), directory and others.
  • Applications: all purchased and custom apps, internally and externally facing web applications, Intranet applications, etc.

What is even more important is that companies must be able to verify and demonstrate their compliance status and to do so rapidly, whenever an audit takes place. Such proof of compliance is a fundamental and critical function that identifies and corrects potential pitfalls in the network, and ensures that appropriate levels of cardholder information security are maintained.

PCI requirements revolve around the following goals:

  • Build and maintain a secure network
  • Protect cardholder data in transit and at rest
  • Maintain a vulnerability management program
  • Implement strong access control measures and audit them on a regular basis
  • Continuously monitor networks and systems
  • Maintain an information security policy
  • Maintain audit trails of all of the above activities.

Log data plays a central role in meeting several of these goals. Specifically, without log data, companies cannot verify and audit access controls, other security safeguards and policies or even monitor their networks and systems as well as conduct incident response activities.

The PCI specification highlights the necessity of log data collection and management for meeting the key requirements. For example, Requirement 10 specifies that companies should “track and monitor all access to network resources and cardholder data.” The requirement specifies that companies “implement automated audit trails to reconstruct events for all system components.” These events include user access, actions taken, invalid logical access attempts, use of identification and authentication mechanisms, initialization of audit logs and creation or deletion of system-level objects. It also recommends recording audit trail entries for each event, including user ID, type of event, date and time, success or failure, origination of event, and the identity of the affected data or component.

The PCI standard goes on to say that companies should “review logs for all system components at least daily,” and the review should include servers that handle intrusion detection, authentication, authorization and accounting. The interesting thing is that, in the mind of many retailers, “review logs daily” does not mean that a person would be poring through the logs every single day. An automated system can do this just as well, and in fact better. In case of such “automated review,” alerts would be generated in case traces of malicious, suspicious or fraudulent activity are seen in logs. At the same time, a human analyst might review reports and alerts that highlight such activity as needed.

In addition, PCI specifies that “an audit trail should be retained for a period consistent with its effective use, as well as legal regulations,” and that the “audit history usually covers a period of a t least one year, with a minimum of 3 months available online.” Thus there are also log data retention (and the corresponding log data destruction requirements!) requirements.

One should not that log data is implicitly present in many other PCI requirements, not only the directly relevant Requirement 10. For instance, just about every claim that is made to satisfy the requirements, such as data encryption or anti-virus updates, requires log files to actually substantiate it. So, even the requirement to “use and regularly update anti-virus software” will likely generate requires for log data during the audit, since the information is present in anti-virus audit logs. It is also well-known that failed anti-virus updates, also reflected in logs, expose the company the malware risks, since anti-virus without the latest signature updates only creates a false sense of security and undermine the compliance effort.

Similarly, the requirement to “establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations” is unthinkable to satisfy without effective collection and timely review of log data.

Thus, logs value to PCI program goes much beyond Requirement 10. Only through careful log data collection and management can companies meet the broad requirements of PCI. Such detailed log data management requires embedded intelligence in the log management solution to make the data secure, accessible and easy to organize and to automate many of the required tasks, such as monitoring, analysis and retention.

LMI for PCI Compliance
A comprehensive LMI solution that can collect, aggregate and centrally store all data from these network entities is essential to meet the goals of the PCI standard. LMI enables satisfying the audit, monitoring, data protection, log data collection and retention, identity access and change management cited in PCI requirement documents.

Let’s look at some of the above requirements in more detail.

Data Protection
To provide the necessary data protection measures, companies should implement an LMI solution that enables administrators to set alerts on and report on all applications, devices, and systems. This enables them to provide evidence that infrastructure has been configured properly and are misconfigured systems are not providing a backdoor for intruders – or a front door to insiders through which vital information can leak. Alerts can provide administrators with early warning of misuse and attacks, allowing them to isolate and fix the problem before damage occurs or data is lost. And, of various data access policies and processes not being followed.

Crucial to any implementation of LMI is securing the log data itself, both at rest and in transit. This not only serves to reduce the risk of this vital information leaking, but also prevents it from being altered or lost thereby reducing its relevance, immutability and forensic quality.

Identity access and change management
Access and change management are critical to meeting PCI compliance as well as other regulations and IT governance frameworks, such as ITIL, COBIT or ISO. Strong access and change control measures ensure that only authorized users can access or take action on critical data. The PCI standard mandates that companies maintain a complete record of access (both failed and successful), activity, and configuration changes for applications, servers and network devices. Such log data allows IT to set up alerts to unusual or suspicious network behavior and provide information to auditors with complete and accurate validation of security policy enforcement and segregation of duties.

LMI allows administrators to monitor who has permission to access or make changes to devices and applications in the network. It also enables administrators to create a complete audit trail across devices and protect network resources from unauthorized access or modifications. An effective LMI solution will support centralized, automated storage of collected data allows for faster, more reliable data retrieval during an audit or while investigating suspicious behavior.

Network and System Monitoring
PCI compliance necessitates ongoing monitoring of network activity to validate that processes and policies for security, change and access management, and user validation are in place and up to date.

Logging and monitoring allow for fast problem isolation and thorough analysis when something goes or is about to go wrong. With the automated monitoring capabilities delivered by an LMI solution, companies can better mitigate risk and reduce downtime, because they can address data critical for problem resolution and threat mitigation rapidly, before damage spreads. Ongoing and automated monitoring gives administrators greater insight into the payment network at all times so that unusual user activity, unauthorized access or even risky insider behavior can be identified—and stopped—immediately.

Components of an Effective LMI Solution
To use log data to unleash its full value for compliance, operations excellency and security, companies should implement a log management solution that provides the following critical capabilities:

  • Collection and aggregation 100% of all log data from enterprise data sources including firewalls, VPN concentrators, web proxies, IDS systems, email servers and all of the other systems and applications mentioned in the PCI standard.
  • Creation of reports that organize the log data quickly and automatically, so that administrators can deliver detailed network activity information and proof of compliance to auditors.
  • Setting of alerts based on changes to individual devices, groups of devices or the network, to minimize network downtime and loss of data due to malicious attacks, security breeches, insider misuse or performance issues.
  • Fast data retrieval from securely stored, unaltered raw log files. Immutable logs are critical in litigation and attestation.
  • Integration with existing network management and security solutions to reduce maintenance and administration and leverage existing architecture.
  • The ability to contextualize log data (comparing application, network and database logs) when undertaking forensics and other operational tasks.

By now the reader should be convinced that it is impossible to comply with PCI requirements without log data management processes and technologies in place. Complete log data is needed to prove that security, change management, access control and other required processes and policies are in use, up to date and are being adhered to. In addition, when managed well, log data can protect companies when legal issues arise; for example, when processes and procedures are in question or when an ediscovery process is initiated as a part of an ongoing investigation. Not only does log data enable compliance, but it allows companies to prove that they are implementing and continuously monitoring the processes outlined by the requirements. In fact, that is the ONLY way to prove it!