PCI Compliance — SIEM Solutions Protecting Your Data

Requirement 5: Protect Systems Against Malware; Update Anti-virus Software: 5.0

PCI DSS 5.2 – Ensure that all anti-virus mechanisms are kept current, and perform periodic scans as well as generate audit logs (retained per PCI DSS 10.7).

Blumira helps customers by retaining and analyzing audit logs.

Requirement 10: Implement Audit Logs: 10.2.

10.2.1 – Audit logs are enabled and active for all system components and cardholder data.

10.2.1.1 – Audit logs capture all individual user access to cardholder data.

10.2.1.2 – Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.

10.2.1.3 – Audit logs capture all access to audit logs.

10.2.1.4 – Audit logs capture all invalid logical access attempts.

10.2.1.5 – Audit logs capture all changes to identification and authentication credentials including, but not limited to creation of new accounts, elevation of privileges, and all changes, additions, or deletions to accounts with administrative access.

10.2.2 – Audit logs record the details for each auditable event including user identification, type of event, date and time success and failure indication, origination of event, and identity or name of affected data, system component, resource, or service - for example, name and protocol.

10.3.1 – Read access to audit logs files is limited to those with a job-related need.

10.3.2 – Audit log files are protected to prevent modifications by individuals.

Blumira collects your log data from different systems and applications, including all relevant information about users, type of event, data and time, origin of event and more. Then, the Blumira security platform analyzes your data in near real-time to automatically detect threats and alert you to any anomalies, including suspicious activity within your environment.

To reduce the noise of false positives and alert fatigue, the Blumira security team uses the latest intel from different threat feeds for fine-tuned detection rules and alerts. Blumira reviews logs to determine security and operational risk, and makes them available to organizations for periodic review, which can be used for their own policy and procedural purposes.

Blumira users can also generate existing or new reports to meet any compliance needs on a scheduled basis. Blumira reporting also allows organizations to easily search their own logs to view trends related to access attempts, like failed logins. With certain integrations, Blumira can collect and notify you of administrative activity, the elevation of privileges, and all changes to user accounts.

The Blumira log database is only accessible to internal Blumira services and parties that require access. Blumira maintains raw log data while tracking and identifying log messages to ensure data integrity and validation.

Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, while alerting customers if any audit logs are cleared to help protect them from modification by attackers or insiders that may want to hide their activity.

Blumira also provides documentation and Group Policy Object configurations to fully enable and enhance Windows logging, in order to enable as many valuable security logs as possible.

Requirement 10: Review Audit Logs: 10.4 & 10.4.1

10.4 – Audit logs are reviewed to identify anomalies or suspicious activity.

10.4.1 – The following audit logs are reviewed at least once daily: All security events, logs of all system components that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), logs of all critical system components, and logs of all servers and system components that perform security functions - for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), and authentication servers.

Good Practice Guidance From PCI DSS provides good practice guidance that recommends checking logs daily (7 days a week, 365 days a year, including holidays) to minimize the amount of time and exposure of a potential breach. Log harvesting, parsing, and alerting tools, centralized log management systems, event log analyzers, and security information and event management (SIEM) solutions are examples of automated tools that can be used to meet this requirement.

To help reduce the manual effort for customers, the Blumira team of security experts writes and maintains detection rules, and then deploys them into the platform to automate threat analysis, detection and response. We focus on real attacker behavior patterns, testing and tuning our rules to reduce noisy alerts and false positives, which surfaces meaningful findings through  playbooks that guide customers through remediation.

Requirement 10:  Automated Audit Log Review: 10.4.1.1

10.4.1.1 is currently a “best practices” requirement, but will be mandatory in 2025. When it’s mandatory, manual review of logs will no longer be an option, and all organizations that fall under PCI DSS requirements must use a SIEM or other equivalent tool that automatically analyzes logs for signs of attacker behavior.

Once Blumira receives logs from a supported system, our expert-created and maintained detection rules find logs that show evidence of attacker behavior in a system. If a rule is triggered, system administrators are notified, and if needed, Blumira SecOps support is available 24/7 to assist with urgent issues.

Requirement 10:  Retention of Audit Log History: 10.5

10.5.1 – Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.

Blumira retains one year of your organization’s audit log history in hot storage, which means it’s immediately available to help with forensic analysis. Many cyber insurance policies also require at least a year of log data retained, as well as centralized logging, detection, and response. Without meeting this requirement, it can be challenging to get insured or get a claim paid out after a security incident.

Requirement 10: Control System Failure Detection

10.7 – Failures of critical security control systems are detected, reported, and responded to promptly.

Blumira deploys security policies to monitor access to networks and data where relevant and possible, based on incoming data. Once integrated with other security tool feeds, such as firewalls, identity and access management, endpoint protection, servers and cloud infrastructure, Blumira can monitor, detect, and report any operational disruptions. This helps organizations recognize and respond in a timely manner to any critical security control failures.

Appendix A1

A1.1 – Multi-tenant service providers protect and separate all customer environments and data.

A1.2 Multi-tenant service providers facilitate logging and incident response for all customers

Blumira only uses PCI DSS-approved cloud-hosted solutions within Google Cloud Platform. Our on-site sensor limits access, as well as only performs limited actions, and the security of the host is managed by the organization.

All Blumira data is encrypted and accessible only through role-based access controls. Blumira holds and analyzes audit logs for CDEs to ensure consistent authentication. Organizations can use this data to perform daily reviews within our Reporting dashboard, which includes access to all raw data gathered within the environment.

With integrations, Blumira ensures that logs are enabled and active by default for common third-party applications, and available for review only by the owning customer.