PCI DSS Logging, Threat Detection and Response
The Payment Card Industry Data Security Standard (PCI DSS) is a set of compliance requirements that apply to any organization that processes or stores credit card information. A company that fails to meet PCI DSS compliance can face a range of consequences: penalties and fines, mandatory forensic investigations, liability for fraudulent charges and damage to its brand.
Blumira’s cloud-based SIEM and security platform is PCI DSS compliant. Log monitoring is a key part of PCI DSS requirements and helps organizations identify suspicious network activity early in order to equip them to contain threats in near real-time.
71% of hackers attack small businesses and merchants with fewer than 100 employees, according to the PCI Security Standards Council. – Plante Moran
When it comes to security event logging, reporting, audit trails, anomaly and threat detection, as well as tracking critical security control systems, Blumira helps you both meet and exceed PCI DSS compliance. Contact us for more information on our Attestation of Compliance report.
PCI DSS Monitoring and Reporting
Blumira’s security platform provides a wide range of monitoring and reporting capabilities that can help organizations with PCI DSS 4.1, 5.2, 6.3, 10.1-10.8 and 12.10. Below is a summary of each requirement and specifics on how Blumira can help.
PCI DSS Version 3.2.1
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Use strong cryptography and security protocols (for example SSL/TLS, IPsec or SSH) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
- Only trusted keys and certificates are accepted.
- The protocol in use only supports secure versions or configurations.
- The encryption strength is appropriate for the encryption methodology in use.
Examples of open, public networks include but are not limited to the internet; wireless technologies (802.11 and Bluetooth); cellular technologies like Global System for Mobile communications (GSM), General Packet Radio Service (GPRS) and satellite communications.
How Blumira helps: Blumira alerts organizations to insecure protocols being utilized like FTP and Telnet.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Ensure that all anti-virus mechanisms are kept current, and perform periodic scans as well as generate audit logs (retained per PCI DSS 10.7).
How Blumira helps: Blumira helps customers by retaining and analyzing logs.
Requirement 6: Develop and maintain secure systems and applications
Develop internal and external software applications (including web-based administrative access to applications) securely: in accordance with PCI DSS (for example, secure authentication and logging), based on industry best practices, and by incorporating information security throughout the software development lifecycle. Note: This applies to internally developed software as well as bespoke and custom third-party software.
How Blumira helps: Blumira supports this control by capturing logs and performing analysis on them.
Requirement 10: Track and monitor all access to network resources and cardholder data
In summary, Requirement 10 emphasizes the importance of logging mechanisms that track user activity in order to prevent, detect or minimize the impact of a compromise. Without system activity logs it can be very difficult or impossible to determine the root cause of a compromise. Blumira’s security platform can help you meet certain aspects of PCI DSS Requirement 10.
Implement audit trails to link all access to system components to each individual user.
How Blumira helps: Blumira collects security event logs and retains them for up to one year, providing an audit trail that helps you to trace suspicious activity back to specific users.
Implement automated audit trails for all system components to reconstruct the following events (10.2.1 – 10.2.7 are summarized below):
- All user access to cardholder data
- All actions taken by users with root or admin privileges
- Access to all audit trails
- Invalid logical access attempts
- Use of/changes to identification and authentication mechanisms (such as creating new accounts, elevating privileges, any changes to accounts with root or admin privileges)
- Any starting, stopping or pausing of audit logs
- Creating and deleting system-level objects
How Blumira helps: First, Blumira’s lightweight software sensors collect your log data from different systems and applications. Then Blumira’s security platform and team analyze the activity and alert you to any potentially suspicious behavior.
Record at least the following audit trail entries for all system components for each event (10.3.1 – 10.3.6 are listed below):
- User identification
- Type of event
- Date and time
- Success or failure indication
- Origination of event
- Identity or name of affected data, system component, or resource
How Blumira helps: Blumira’s platform centralizes audit trail entry details and alerts you to any suspicious activity or a potential compromise to help you understand who, what, where, when and how.
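A practical way to exercise 10.3.1 – 10.3.6 is to normalize each incoming record into the six required details and report which ones are absent. The following is an added example written for this page, not Blumira code; the two sample records, the JSON field names and the key=value names in the syslog line are constructed assumptions. It also checks that the timestamp carries a year and a timezone, since a bare syslog timestamp cannot be correlated reliably across systems.

```python
"""Check that audit records carry the six entry details PCI DSS 10.3 requires.

Added example, not Blumira code. The sample records below are constructed and
the field names are assumptions chosen for this illustration.
"""
import json
import re
from datetime import datetime

# PCI DSS 10.3.1 - 10.3.6: the details every audit trail entry must carry.
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "target")

# Constructed sample: a JSON audit record, e.g. emitted by an application.
JSON_RECORD = ('{"user":"jdoe","event_type":"cde_read","timestamp":"2024-03-01T10:15:00Z",'
               '"outcome":"success","origin":"10.1.2.3","target":"db01:cardholder"}')

# Constructed sample: a syslog-style line whose message is assumed to be key=value pairs.
SYSLOG_LINE = 'Mar  1 10:16:02 app01 cde-api: user=svc_batch action=card_export result=FAILURE src=10.1.2.9'

SYSLOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<prog>[^:]+):\s+(?P<kv>.*)$')
# Assumed mapping from the application's key names to the 10.3 details.
KEY_MAP = {"user": "user", "action": "event_type", "result": "outcome", "src": "origin", "obj": "target"}


def parse_json_record(line):
    """Normalize a JSON record into the six 10.3 fields (missing ones become None)."""
    data = json.loads(line)
    return {k: data.get(k) for k in REQUIRED_FIELDS}


def parse_syslog_line(line):
    """Normalize a key=value syslog line into the six 10.3 fields."""
    rec = {k: None for k in REQUIRED_FIELDS}
    m = SYSLOG_RE.match(line)
    if not m:
        return rec
    rec["timestamp"] = m.group("ts")
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            if key in KEY_MAP:
                rec[KEY_MAP[key]] = value
    return rec


def _has_tz_timestamp(ts):
    """True only for an ISO 8601 timestamp that includes a year and a UTC offset."""
    try:
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None


def check_record(rec):
    """Return the 10.3 problems with one normalized record; an empty list means compliant."""
    problems = [f"missing {k}" for k in REQUIRED_FIELDS if not rec.get(k)]
    ts = rec.get("timestamp")
    if ts and not _has_tz_timestamp(ts):
        problems.append("timestamp lacks year or timezone")
    return problems


def audit_lines(lines):
    """Run the check over raw lines, picking the parser by format; returns (line_no, problems)."""
    results = []
    for n, line in enumerate(lines, start=1):
        rec = parse_json_record(line) if line.lstrip().startswith("{") else parse_syslog_line(line)
        results.append((n, check_record(rec)))
    return results


if __name__ == "__main__":
    for n, problems in audit_lines([JSON_RECORD, SYSLOG_LINE]):
        print(n, "OK" if not problems else ", ".join(problems))
```

Records that fail the check point at the log source that needs reconfiguring (for example, enabling the object name in the application's audit output or switching the syslog timestamp to RFC 3339) before the data reaches the SIEM, rather than at the SIEM itself.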
Secure audit trails so they cannot be altered (10.5.1 – 10.5.5 are summarized below):
- Limit access to audit trails
- Protect logs from unauthorized modification
- Back up log files to centralized log server (that is difficult to alter)
- Write logs onto secure, centralized log server
- Use file-integrity monitoring to ensure log data can’t be changed without generating alerts
How Blumira helps: Blumira protects log data both in transit and at rest, so that an attacker who reaches the log archives cannot read them without the appropriate keys. The Blumira log database is accessible only to internal Blumira services and to parties that require access. Blumira retains the raw log data and tracks and identifies individual log messages to validate their integrity.
Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, and alerts customers if any audit logs are cleared. Blumira can also alert on changes detected by file-integrity monitoring (FIM) tools.
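The two controls above, detecting tampering with stored logs and alerting when audit logs are cleared, can be illustrated with a small tamper-evident log chain. This is an added example written for this page, not Blumira's implementation: each record is sealed with an HMAC over the previous seal, and the chain's length and tail seal are stored apart from the log (the "anchor", which in practice would live on the centralized log server) so that deleting the newest entries is caught as well as editing older ones. The HMAC key, the sample records and the sample Windows events are constructed; the Windows event IDs 1102 (Security log cleared) and 104 (System log cleared) are real.

```python
"""Tamper-evident log chain plus 'audit log cleared' detection (PCI DSS 10.5).

Added example, not Blumira code. Records are constructed; the HMAC key would in
practice be held only by the central log server, never beside the log files.
"""
import copy
import hashlib
import hmac
import json

CHAIN_KEY = b"demo-only-key-kept-on-log-server"  # constructed value for the demo
GENESIS = "0" * 64                                 # seal that precedes the first record


def _seal(prev_seal, record):
    """HMAC-SHA256 over the previous seal and the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(CHAIN_KEY, (prev_seal + body).encode(), hashlib.sha256).hexdigest()


def append_record(chain, record):
    """Append a record and link it to the entry before it."""
    prev = chain[-1]["seal"] if chain else GENESIS
    chain.append({"record": record, "seal": _seal(prev, record)})
    return chain


def chain_anchor(chain):
    """(length, tail seal): store this apart from the log, e.g. on the central log server."""
    return (len(chain), chain[-1]["seal"] if chain else GENESIS)


def verify_chain(chain, anchor):
    """Return -1 if intact, the index of the first bad entry, or len(chain) if the tail was cut or extended."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(_seal(prev, entry["record"]), entry["seal"]):
            return i
        prev = entry["seal"]
    if anchor != (len(chain), prev):
        return len(chain)  # every link matches, but records were removed or added at the end
    return -1


# Windows events that record a log being cleared: Security 1102, System 104.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def detect_log_clearing(events):
    """Return the events that show an audit log was cleared (PCI DSS 10.2.6 / 10.5)."""
    return [e for e in events if (e.get("channel"), e.get("event_id")) in CLEAR_EVENTS]


# Constructed sample data.
SAMPLE_RECORDS = [
    {"user": "jdoe", "event_type": "cde_read", "outcome": "success", "ts": "2024-03-01T10:15:00Z"},
    {"user": "svc_batch", "event_type": "card_export", "outcome": "failure", "ts": "2024-03-01T10:16:02Z"},
    {"user": "admin", "event_type": "privilege_change", "outcome": "success", "ts": "2024-03-01T10:17:30Z"},
]
SAMPLE_WINDOWS_EVENTS = [
    {"channel": "Security", "event_id": 4624, "host": "pos01"},
    {"channel": "Security", "event_id": 1102, "host": "pos01", "subject": "pos01\\localadmin"},
]


def demo():
    """Build a chain, then show that both an edit and a truncation are detected."""
    chain = []
    for rec in SAMPLE_RECORDS:
        append_record(chain, rec)
    anchor = chain_anchor(chain)
    tampered = copy.deepcopy(chain)
    tampered[1]["record"]["outcome"] = "success"  # a failed export rewritten as a success
    truncated = chain[:-1]                          # the newest record dropped
    return {
        "intact": verify_chain(chain, anchor),
        "tampered": verify_chain(tampered, anchor),
        "truncated": verify_chain(truncated, anchor),
        "cleared": [e["event_id"] for e in detect_log_clearing(SAMPLE_WINDOWS_EVENTS)],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the chain alone cannot reveal a deleted tail, because a shortened chain is internally consistent; only the separately stored anchor exposes it. That is the same reason 10.5.3 and 10.5.4 ask for a copy of the logs on a centralized server that the monitored system cannot modify.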
Review logs and security events for all system components to identify anomalies or suspicious behavior (10.6.1 – 10.6.3 are summarized below):
Review the following logs daily:
- All security events
- All systems that deal with cardholder data (CHD) or sensitive authentication data (SAD)
- Critical system components
- All servers that perform security (like firewalls, intrusion detection systems, authentication servers, etc.)
- All other systems periodically, per your policies and risk management strategy
Follow up on any anomalies identified during the review.
How Blumira helps: Blumira collects and analyzes all logs in near real-time to automatically detect and raise actionable alerts for any anomalies, including suspicious or threat activity within your environment. Blumira users can also run existing reports or create new ones on a schedule to meet any compliance need.
To reduce the noise of false positives and alert fatigue, Blumira’s security team uses the latest intel from different threat feeds for fine-tuned detection rules and alerts. Blumira reviews logs to determine security and operational risk, and makes them available to organizations for periodic review, which can be used for their own policy and procedural purposes.
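To make the daily review concrete, here is an added example (written for this page, not Blumira's detection rules) that runs two of the checks discussed above over sample log lines: a burst of invalid logical access attempts from one source (10.2.4) and an allowed connection on a cleartext protocol port such as Telnet or FTP (Requirement 4.1, the FTP/Telnet alerting mentioned earlier). The sshd and firewall line formats, host names, addresses and the five-attempts-per-minute threshold are constructed assumptions.

```python
"""Daily review detections over sample log lines (PCI DSS 10.6 / 10.2.4 / 4.1).

Added example, not Blumira code. Log lines, hosts and addresses are constructed;
the line formats are assumed for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed formats: an sshd failure line and a firewall flow line, both with RFC 3339 timestamps.
AUTH_FAIL_RE = re.compile(
    r'^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<src>[\d.]+) port \d+')
FW_RE = re.compile(
    r'^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) '
    r'(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$')

# Destination ports for protocols that send credentials and data in the clear.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}

# Constructed sample: five failures from one source inside a minute, one stray
# failure from another, then three firewall flows (Telnet allowed, FTP denied, HTTPS).
SAMPLE_LINES = [
    "2024-03-01T02:14:05Z bastion sshd[1022]: Failed password for invalid user admin from 203.0.113.7 port 51514 ssh2",
    "2024-03-01T02:14:12Z bastion sshd[1025]: Failed password for root from 203.0.113.7 port 51520 ssh2",
    "2024-03-01T02:14:20Z bastion sshd[1031]: Failed password for invalid user test from 203.0.113.7 port 51531 ssh2",
    "2024-03-01T02:14:31Z bastion sshd[1040]: Failed password for root from 203.0.113.7 port 51544 ssh2",
    "2024-03-01T02:14:44Z bastion sshd[1047]: Failed password for invalid user oracle from 203.0.113.7 port 51560 ssh2",
    "2024-03-01T02:14:50Z bastion sshd[1052]: Failed password for jdoe from 10.1.2.9 port 40012 ssh2",
    "2024-03-01T02:15:03Z fw01 ALLOW TCP 10.1.2.9:50112 -> 10.1.3.4:23",
    "2024-03-01T02:15:09Z fw01 DENY TCP 10.1.2.9:50118 -> 198.51.100.5:21",
    "2024-03-01T02:15:15Z fw01 ALLOW TCP 10.1.2.9:50120 -> 198.51.100.6:443",
]


def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_line(line):
    """Turn a raw line into an event dict, or None if the line is not one we review."""
    m = AUTH_FAIL_RE.match(line)
    if m:
        return {"kind": "auth_fail", "ts": parse_ts(m["ts"]), "user": m["user"], "src": m["src"]}
    m = FW_RE.match(line)
    if m:
        return {"kind": "flow", "ts": parse_ts(m["ts"]), "action": m["action"],
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    return None


def review(lines, threshold=5, window=timedelta(minutes=1)):
    """Return findings: ('invalid_access_burst', src, count) and ('cleartext_protocol', src, dst, name)."""
    findings = []
    recent = defaultdict(deque)   # per-source timestamps of failures inside the window
    alerted = set()               # sources already reported, so one burst yields one finding
    for ev in filter(None, map(parse_line, lines)):
        if ev["kind"] == "auth_fail":
            q = recent[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                findings.append(("invalid_access_burst", ev["src"], len(q)))
        elif ev["kind"] == "flow" and ev["action"] == "ALLOW" and ev["dport"] in CLEARTEXT_PORTS:
            findings.append(("cleartext_protocol", ev["src"], ev["dst"], CLEARTEXT_PORTS[ev["dport"]]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LINES):
        print(finding)
```

Denied flows on cleartext ports are deliberately not reported: the firewall already blocked them, and reporting them would add the kind of noise the paragraph above warns about. Only an allowed Telnet or FTP session represents cardholder data or credentials actually crossing the network unprotected.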
Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
How Blumira helps: Blumira collects security event logs and retains them for up to one year, providing an audit trail for investigation and reporting. After a year, all log data is purged from Blumira’s database so that retention and deletion of data are handled in a secure and appropriate manner.
Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
- Physical access controls
- Logical access controls
- Audit logging mechanisms
- Segmentation controls (if used)
Requirement 10.8.1 calls for responding to the failure of critical security controls in a timely manner. For the response process, PCI DSS requires you to:
- Restore security functions
- Identify and document:
  - The duration of the security failure
  - The root cause of the failure and how to remediate it
  - Any security issues that arose during the failure
Finally, you also need to perform a risk assessment to determine whether further actions are required. PCI DSS also requires you to implement controls to prevent the failure from recurring and to resume monitoring of the security controls.
How Blumira helps: Blumira deploys security policies to monitor access to networks and data where relevant and possible, based on incoming data. Once integrated with other security tool feeds, such as firewalls, identity and access management, endpoint protection, servers and cloud infrastructure, Blumira can monitor, detect and report any operational disruptions. This helps organizations recognize and respond in a timely manner to any failure of critical security controls.
Implement an incident response plan. Be prepared to respond immediately to a system breach.
How Blumira helps: The incident response cycle starts with reliable identification and validation of qualified security events – Blumira’s rules and playbooks can help you identify suspicious activity and potential threats to get you started with your incident response plan.
Shared hosting providers must protect the cardholder data environment. Protect each entity’s hosted environment and data as per A.1.1 – A.1.4 to ensure that:
- Each entity runs only processes that have access to its own cardholder data environment (CDE)
- Each entity’s access and privileges are restricted to its own CDE
- Logging and audit trails are enabled and unique to each entity’s CDE, consistent with PCI DSS Requirement 10
- Processes are in place for timely investigation in the event of a compromise of any hosted service provider
How Blumira meets these requirements: Blumira only uses PCI DSS-approved cloud-hosted solutions within Google Cloud Platform. Our on-site sensor restricts access and performs only a limited set of actions, and the security of the host it runs on is managed by the organization.
All Blumira data is encrypted and accessible only through role-based access controls. Blumira holds and analyzes audit logs for CDEs to ensure consistent authentication, and organizations can use this data to perform daily reviews within our Reporting dashboard (includes access to all raw data gathered within the environment).