PCI Compliant SIEM
The Payment Card Industry Data Security Standard (PCI DSS) is a set of compliance requirements that apply to any organization that processes or stores credit card information. If a company fails to meet PCI DSS compliance, they will face a number of penalties, fines, forensic investigations, liability for fraudulent charges, negative impact to their brand, etc.
Blumira’s cloud-based SIEM and security platform is PCI DSS compliant. Log monitoring is a key part of PCI DSS requirements and helps organizations identify suspicious network activity early in order to equip them to contain threats in near real-time.
71% of hackers attack small businesses and merchants with fewer than 100 employees, according to the PCI Security Standards Council. – Plante Moran
When it comes to security event logging, reporting, audit trails, anomaly and threat detection, as well as tracking critical security control systems, Blumira helps you both meet and exceed PCI DSS compliance. Contact us for more information on our Attestation of Compliance report.
PCI DSS Monitoring and Reporting
Blumira’s security platform performs a wide range of monitoring and reporting capabilities that can help organizations with PCI DSS 4.1, 5.2, 6.3, 10.1-10.8 and 12.10. Get a summary of the requirements below and more specifics about how Blumira can help.
PCI DSS Version 4.0
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
PCI DSS 4.2.1
4.2.1 Strong cryptography and security protocols are implemented as follows to safeguard primary account numbers (PAN) during transmission over open, public networks:
- Only trusted keys and certificates are accepted.
- Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details.
- The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.
- The encryption strength is appropriate for the encryption methodology in use.
How Blumira helps: Blumira alerts organizations to insecure protocols being used like File Transfer Protocol (FTP) and Telnet.
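To show what "alerting on insecure protocols" looks like in practice, here is an added example that is not Blumira's detection logic or code from this page. It walks a few constructed connection-log lines (the `key=value` layout is an assumption) and flags the two cleartext services the page names, FTP and Telnet, by destination port. It goes slightly beyond the page in two ways, both marked in the comments: it also treats port 80 as cleartext, and it checks a `tls=` field against the deprecated SSL/TLS versions that 4.2.1's "no fallback to insecure versions" bullet rules out.

```python
"""Flag cleartext or downgraded transport in connection logs (PCI DSS 4.2.1).

Added illustration, not Blumira's rules. Log lines below are constructed and
the key=value field layout is an assumption made for this example.
"""

# Well-known cleartext service ports. FTP (21) and Telnet (23) are the two the
# page names; HTTP (80) is this example's extension. Port alone is a heuristic:
# a protocol-aware sensor would confirm what actually ran on the connection.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# SSL/TLS versions that count as "insecure versions" under 4.2.1 (extension
# beyond the page's FTP/Telnet example).
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample flows (RFC 5737 documentation addresses as destinations).
SAMPLE_FLOWS = """\
ts=2024-03-01T09:00:01Z src=10.0.5.17 dst=203.0.113.40 dport=21 proto=tcp
ts=2024-03-01T09:00:07Z src=10.0.5.17 dst=203.0.113.40 dport=443 proto=tcp tls=TLSv1.2
ts=2024-03-01T09:01:15Z src=10.0.5.22 dst=198.51.100.9 dport=23 proto=tcp
ts=2024-03-01T09:02:40Z src=10.0.5.22 dst=198.51.100.9 dport=443 proto=tcp tls=TLSv1.0
ts=2024-03-01T09:03:03Z src=10.0.5.30 dst=203.0.113.41 dport=22 proto=tcp
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' get an empty value."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def assess(flow):
    """Return a human-readable reason if the flow violates 4.2.1, else None."""
    try:
        port = int(flow.get("dport", 0))
    except ValueError:
        port = 0  # malformed port field: fall through to the TLS check
    if port in CLEARTEXT_PORTS:
        return f"cleartext protocol {CLEARTEXT_PORTS[port]} on port {port}"
    tls = flow.get("tls")
    if tls in WEAK_TLS:
        return f"deprecated transport version {tls}"
    return None


def find_insecure_transport(log_text):
    """Scan a block of log lines and collect every 4.2.1 finding, in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        reason = assess(flow)
        if reason:
            findings.append({
                "ts": flow.get("ts"),
                "src": flow.get("src"),
                "dst": flow.get("dst"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in find_insecure_transport(SAMPLE_FLOWS):
        print(f"{finding['ts']} {finding['src']} -> {finding['dst']}: {finding['reason']}")
```

Run as-is it reports three of the five constructed flows: the FTP and Telnet connections and the TLS 1.0 session; the SSH and TLS 1.2 flows pass. In a real deployment the same `assess` check would sit behind a firewall or flow-log integration rather than a string constant.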
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
PCI DSS 5.3.4
Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1.
Guidance from PCI DSS
Audit logs allow an entity to determine how malware entered the environment and track its activity when inside the entity’s network.
How Blumira helps: Blumira helps customers by retaining and analyzing audit logs.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
Ensure that all anti-virus mechanisms are kept current, and perform periodic scans as well as generate audit logs (retained per PCI DSS 10.7).
How Blumira helps: Blumira helps customers by retaining and analyzing logs.
Requirement 10: Track and monitor all access to network resources and cardholder data.
PCI 10.0 emphasizes the importance of logging mechanisms to track user activities in order to prevent, detect or minimize the impact of a compromise. It can be very difficult or impossible to determine the root cause of a compromise without system activity logs. Blumira’s security platform can help you meet certain aspects of the PCI DSS requirement 10.
PCI DSS 10.1
Implement audit trails to link all access to system components to each individual user.
How Blumira helps: Blumira collects security event logs and retains them for up to one year, providing an audit trail that helps you to trace suspicious activity back to specific users.
PCI DSS 10.2
Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1 Audit logs are enabled and active for all system components and cardholder data.
10.2.1.1 Audit logs capture all individual user access to cardholder data.
10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
10.2.1.3 Audit logs capture all access to audit logs.
10.2.1.4 Audit logs capture all invalid logical access attempts.
10.2.1.5 Audit logs capture all changes to identification and authentication credentials including, but not limited to:
- Creation of new accounts.
- Elevation of privileges.
- All changes, additions, or deletions to accounts with administrative access.
10.2.2 Audit logs record the following details for each auditable event:
- User identification.
- Type of event.
- Date and time.
- Success and failure indication.
- Origination of event.
- Identity or name of affected data, system component, resource, or service (for example, name and protocol).
10.3.1 Read access to audit logs files is limited to those with a job-related need.
10.3.2 Audit log files are protected to prevent modifications by individuals.
How Blumira helps: Blumira collects your log data from different systems and applications, including all relevant information about users, type of event, date and time, origin of event and more. Then, Blumira’s security platform analyzes your data in near real-time to automatically detect threats and alert you to any anomalies, including suspicious activity within your environment.
To reduce the noise of false positives and alert fatigue, Blumira’s security team uses the latest intel from different threat feeds for fine-tuned detection rules and alerts. Blumira reviews logs to determine security and operational risk, and makes them available to organizations for periodic review, which can be used for their own policy and procedural purposes.
Blumira users can also generate existing or new reports to meet any compliance needs on a scheduled basis. Blumira’s reporting also allows organizations to easily search their own logs to view trends related to access attempts, like failed logins and more. With certain integrations, Blumira can collect and notify you of administrative activity, the elevation of privileges, and all changes to user accounts.
Blumira’s log database is only accessible to internal Blumira services and parties that require access. Blumira maintains raw log data while tracking and identifying log messages to ensure data integrity and validation.
Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, while alerting customers if any audit logs are cleared to help protect them from modification by attackers or insiders that may want to hide their activity.
Blumira also provides documentation and Group Policy Object configurations to fully enable and enhance Windows logging, in order to enable as many valuable security logs as possible.
PCI DSS 10.4
10.4 Audit logs are reviewed to identify anomalies or suspicious activity.
10.4.1 The following audit logs are reviewed at least once daily:
- All security events.
- Logs of all system components that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
- Logs of all critical system components.
- Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).
Good Practice Guidance From PCI DSS
Checking logs daily (7 days a week, 365 days a year, including holidays) minimizes the amount of time and exposure of a potential breach. Log harvesting, parsing, and alerting tools, centralized log management systems, event log analyzers, and security information and event management (SIEM) solutions are examples of automated tools that can be used to meet this requirement.
How Blumira Helps: To help reduce the manual effort for customers, Blumira’s team of security experts writes and maintains detection rules, and then deploys them into the platform to automate threat analysis, detection and response. We focus on real attacker behavior patterns, test and tune our rules to reduce noisy alerts and false positives, surfacing meaningful findings with playbooks to guide customers through remediation.
10.4.1.1 – Automated mechanisms are used to perform audit log reviews.
This is currently a “best practices” requirement, but will be mandatory in 2025. When 10.4.1.1 is mandatory, manual review of logs will no longer be an option, and all organizations that fall under PCI DSS requirements must utilize a SIEM or other equivalent tool that automatically analyzes logs for signs of attacker behavior.
How Blumira Helps: Once Blumira receives logs from a supported system, our expert-created and maintained detection rules find logs that show evidence of attacker behavior in a system. If a rule is triggered, system administrators are notified, and if needed, Blumira SecOps support is available 24/7 to assist with urgent issues.
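The following added example (not Blumira's code, and not taken from this page) ties together two of the requirements above: it checks each audit record for the six details PCI DSS 10.2.2 demands, and it performs the kind of automated review 10.4.1.1 calls for by flagging credential changes (10.2.1.5) and audit-log clearing, the event the 10.2 section says Blumira alerts on. Records are constructed JSON lines loosely modelled on Windows Security events; the field names are assumptions. The event IDs are real, well-known Windows Security IDs, but which of them this example treats as "credential changes" is its own choice.

```python
"""Audit-record completeness (PCI DSS 10.2.2) plus automated review for
credential changes (10.2.1.5) and audit-log clearing (10.3.2 / 10.4.1.1).

Added illustration, not Blumira code. Sample records below are constructed;
the JSON field names are assumptions made for this example.
"""
import json

# The six details 10.2.2 requires for every auditable event, mapped to the
# (assumed) field names used by the sample records.
REQUIRED_FIELDS = {
    "user identification": "user",
    "type of event": "event_id",
    "date and time": "timestamp",
    "success/failure": "outcome",
    "origination of event": "source",
    "affected resource": "target",
}

# Well-known Windows Security event IDs. Treating these three as 10.2.1.5
# "changes to identification and authentication credentials" is this
# example's choice; a production rule set would cover more.
CREDENTIAL_CHANGE_EVENTS = {
    4720: "user account created",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
}
LOG_CLEARED_EVENT = 1102  # "The audit log was cleared"

# Constructed sample log: one normal logon, an account creation, a group
# addition, a log clear, and a malformed failed-logon record.
SAMPLE_LOG = """\
{"timestamp": "2024-03-01T08:02:11Z", "event_id": 4624, "user": "jsmith", "outcome": "success", "source": "10.0.5.17", "target": "POS-APP-01"}
{"timestamp": "2024-03-01T08:05:40Z", "event_id": 4720, "user": "jsmith", "outcome": "success", "source": "10.0.5.17", "target": "svc_backup"}
{"timestamp": "2024-03-01T08:06:02Z", "event_id": 4732, "user": "jsmith", "outcome": "success", "source": "10.0.5.17", "target": "Administrators"}
{"timestamp": "2024-03-01T08:09:55Z", "event_id": 1102, "user": "jsmith", "outcome": "success", "source": "10.0.5.17", "target": "Security"}
{"timestamp": "2024-03-01T08:10:30Z", "event_id": 4625, "user": "", "source": "10.0.5.99", "target": "POS-APP-01"}
"""


def missing_details(record):
    """Return the 10.2.2 detail names that are absent or empty in a record."""
    return [name for name, field in REQUIRED_FIELDS.items() if not record.get(field)]


def review(log_text):
    """Single pass over the log.

    Returns (findings, incomplete): findings are events that warrant a
    reviewer's attention; incomplete lists records that cannot satisfy 10.2.2
    because a required detail is missing (a logging-configuration problem,
    which is itself worth surfacing).
    """
    findings, incomplete = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = missing_details(rec)
        if missing:
            incomplete.append((line_no, missing))
        eid = rec.get("event_id")
        if eid in CREDENTIAL_CHANGE_EVENTS:
            findings.append({
                "line": line_no, "category": "credential change",
                "detail": CREDENTIAL_CHANGE_EVENTS[eid],
                "user": rec.get("user"), "target": rec.get("target"),
            })
        elif eid == LOG_CLEARED_EVENT:
            findings.append({
                "line": line_no, "category": "audit log cleared",
                "detail": f"{rec.get('target')} log cleared",
                "user": rec.get("user"), "target": rec.get("target"),
            })
    return findings, incomplete


if __name__ == "__main__":
    findings, incomplete = review(SAMPLE_LOG)
    for f in findings:
        print(f"line {f['line']}: {f['category']} - {f['detail']} by {f['user']} on {f['target']}")
    for line_no, missing in incomplete:
        print(f"line {line_no}: record lacks {', '.join(missing)}")
```

On the sample it raises three findings (the account creation, the addition to Administrators, and the Security log clear, all by the same user within minutes, which is the sequence a reviewer would want grouped) and reports that the last record is missing its user identification and success/failure indication, so it could not support the 10.2.2 audit trail even though it was collected.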
PCI DSS 10.5
Audit log history is retained and available for analysis
10.5.1 Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.
How Blumira helps: Blumira retains one year of your organization’s audit log history in hot storage, which means it’s immediately available to help with forensic analysis. Many cyber insurance policies also require at least a year of log data retained, as well as centralized logging, detection and response. Without meeting this requirement, it can be challenging to get insured or get a claim paid out after a security incident.
PCI DSS 10.8
10.7 Failures of critical security control systems are detected, reported, and responded to promptly
How Blumira helps: Blumira deploys security policies to monitor access to networks and data where relevant and possible, based on incoming data. Once integrated with other security tool feeds, such as firewalls, identity and access management, endpoint protection, servers and cloud infrastructure, Blumira can monitor, detect and report any operational disruptions. This helps organizations recognize and respond in a timely manner to any critical security control failures.
PCI DSS 12.10
Suspected and confirmed security incidents that could impact the CDE are responded to immediately
How Blumira helps: The incident response cycle starts with reliable identification and validation of qualified security events. Blumira’s rules can help you identify suspicious activity and potential threats to get you started with your incident response plan. Built-in playbooks also accompany every finding, helping you respond quickly.
A1.1 Multi-tenant service providers protect and separate all customer environments and data
A1.2 Multi-tenant service providers facilitate logging and incident response for all customers
How Blumira meets these requirements: Blumira only uses PCI DSS-approved cloud-hosted solutions within Google Cloud Platform. Our on-site sensor limits access and performs only a limited set of actions, and the security of the host is managed by the organization.
All Blumira data is encrypted and accessible only through role-based access controls. Blumira holds and analyzes audit logs for CDEs to ensure consistent authentication. Organizations can use this data to perform daily reviews within our Reporting dashboard, which includes access to all raw data gathered within the environment.
With integrations, Blumira ensures that logs are enabled and active by default for common third-party applications, and available for review only by the owning customer.
Get Started With Blumira’s Free SIEM
Blumira provides a PCI-compliant SIEM platform with threat detection and response that alerts your team about critical cyber threats in real time.
Blumira’s free SIEM gives you your choice of three cloud integrations from among Microsoft 365, Duo, SentinelOne, Umbrella, Webroot, and Mimecast. Setup takes a matter of minutes to start streaming logs and analyzing them for threats.
For more coverage and support, you can easily upgrade to a paid version that fits your needs.