On a yearly basis, all organizations that process or handle credit cards are required to validate their security controls based on the Payment Card Industry Data Security Standard (PCI DSS). Requirement 10 of the standard mandates that organizations “track and monitor all access to network resources and cardholder data.” It is one of the most important requirements, and also one of the most difficult to implement effectively.
In developing Requirement 10, the PCI Security Standards Council recognized that any vulnerabilities in wired and wireless networks, and the systems and endpoints that connect to those networks, could give cybercriminals a means of accessing payment card applications and data. It’s impossible to eliminate vulnerabilities, so you have to actively look for unauthorized access attempts and any suspicious changes to user accounts, privileges or authentication mechanisms. Systems are designed to log these activities, but you have to set up audit trails to automatically correlate events across multiple systems and tie them to individual users in order to make sense of the data.
Here’s what the rules say:
Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.
In the past, organizations didn’t really see the value of maintaining activity logs, so they didn’t do enough logging and auditing to meet PCI DSS requirements. Today, the pendulum has swung the other way — organizations tend to log so much data that they have trouble sorting through it all. Drowning in data, they’re unable to spot security breaches quickly.
After interpreting Requirement 10 against the complexity of the IT environment and business processes, many organizations find that compliance seems virtually impossible. Simply getting all the log files centralized and protected is overwhelming. Then you have to add automated tools in order to derive any value from the data.
Security information and event management (SIEM) platforms would seem to be tailor-made for Requirement 10. SIEM systems aggregate and correlate log files and other security-related data from across the organization, bringing it into a centralized management interface for analysis. SIEM can help IT teams identify and remediate security issues more quickly, but the technology is notoriously difficult to implement, configure, manage and monitor.
SageNet and SIEMonster have teamed up to provide a low-cost solution that helps you comply with Requirement 10 with little to no effort from your IT team after the initial setup. This service has been evaluated by our Qualified Security Assessor and incorporated into the SageNet Attestation of Compliance.
The details of this offering are beyond the scope of a blog post. However, we can demo the solution from end to end with live honeypot data to simulate the power of the platform. We can also help you develop a plan for enhancing your coverage of PCI DSS Requirement 10, and get to a price that will fit your budget. If this has piqued your interest, give us a call to schedule a confidential consultation and demo.