Exceeding PCI Requirements to Detect & Respond to Threats

Meet & Exceed Your PCI Requirements By Detecting & Responding To Threats

Security technologies such as firewalls are meant to prevent data security breaches, or at least detect them before they get out of hand. But in some cases, organizations have been complacent. In the infamous Target data breach of 2013, hackers were roaming their system and stealing data for two weeks before the breach was even detected. In the equally egregious breach of Heartland Payment Systems five years earlier, hackers were stealing data for several weeks before the invasion was discovered. Ironically, both Heartland and Target were PCI-compliant, but the time lag between system compromise and detection was unnecessarily long. Unfortunately, they’re not alone in this regard.

So, is security log monitoring the answer? It can be, provided the logs are monitored regularly and in as close to real time as possible. It does no good to log the suspicious activity if the logs themselves aren’t being monitored and analyzed. Today’s data thieves are becoming more and more sophisticated, and unless the holders of information assets meet the increased challenges the thieves pose, they risk catastrophic erosion of their information security defenses and the resultant consequences.

Log-monitoring is essential for PCI compliance standards

In the time since the two breaches mentioned above, PCI DSS compliance standards have come a long way. With regard to log monitoring, they can be briefly summarized as follows:

1. Proactive monitoring of security logs is essential to the detection of breaches and the protection of information assets.
2. Log reviews of critical systems must be conducted on a daily basis.
3. Non-critical systems can be monitored less frequently based on the judgment of the data custodian.
4. When a security event is detected, it must be investigated further to confirm or refute the occurrence of malicious activity.
5. Formal response procedures must be in place to respond to any such malicious activity.
6. Appropriate personnel must be assigned to monitor alerts and to respond to security events on a 24/7 basis.
7. Incident response procedures should include guidance on handling instances of known malicious behavior.

By requiring organizations to adhere to these requirements, PCI hopes that they will be able to detect and defend against data breaches, and to minimize the harm that these breaches cause. But this brings up another issue: How does an organization plan for effective daily log monitoring?

In its May 2016 Information Supplement on Log Monitoring, The PCI Security Standards Council states the following:

“Effective log-monitoring practices start with effective planning of log-monitoring needs and activities. To be most effective at log-monitoring (and to meet the intent of PCI DSS Requirements for log monitoring), organizations must have a thorough understanding of their legal, regulatory, business, and operational requirements. In addition, they must understand the technical capabilities of the systems that need to be monitored, the technologies available to assist with monitoring processes, and the technical capabilities of other individuals and teams within the organization who can assist in developing effective and efficient log monitoring practices.”  

The Council enumerates what they mean in the following recommendations. Organizations should, they urge:

1. Determine their logging requirements.
2. Define the high-level activities to be monitored.
3. Identify all potential log sources.
4. Document log source characteristics.
5. Identify and map system-level event messages to high-level messages.
6. Prioritize their log sources.
7. Determine who to notify when security events occur.
8. Define procedures to respond to security events.
9. Document logging requirements, including logging policy and use cases.

Detailed log management at an affordable cost 

For most IT teams, log monitoring can be a daunting task, especially when resources are scarce. When it comes to log-management, most tools will drown you out in alerts and false positives that distract you from real threats. And when threats are detected, traditional SIEM + SOC cybersecurity systems require the deployment of extra IT agents to manage and mitigate threats. Overall, the total cost of ownership for this kind of security upkeep can be overwhelming and still leave your data vulnerable.

Luckily, there are other options that provide high-level cybersecurity at an affordable cost, and the best part is, you don’t have to try to resolve the challenges posed by daily log monitoring all by yourself. Blumira is a cyber threat detection and disruption platform that was developed to follow PCI DSS compliance standards well beyond daily log monitoring. Unlike most SIEMs that drown IT teams with false directions, Blumira’s powerful DAG-based modular threat detection framework distills 10 million events to one action item, so your team has clear, actionable guidance for disrupting threats quickly and efficiently.

In addition, Blumira provides ongoing detection and automates your workflow to facilitate fast disruption, which effectively limits damage. Compare this to other systems that merely focus on log management, producing extraneous data that buries threats and leaves you vulnerable to hacks.

The takeaway

Daily log monitoring is a mandatory component of PCI DSS compliance, and that compliance is all-important to your credibility and success. Beyond that,  if you’re looking for a solution to ensure that you are compliant with every facet, level, component, and even philosophy of data security and PCI DSS compliance, look no further than Blumira.