PCI DSS version 4.0 was published on March 31, 2022. Version 3.2.1 was retired on March 31, 2024, and the new requirements that v4.0 marks as future-dated become mandatory on March 31, 2025.
For organizations that collect or store payment data, it’s important to start reviewing your current solutions now to identify any gaps you’ll need to fill.
Automated Log Analysis to Minimize Breach Exposure
One of the expected and major changes in version 4 is a new requirement, 10.4.1.1, that audit log reviews be performed using automated mechanisms (the daily review itself is required by 10.4.1). The Council's guidance for this requirement reads:
Checking logs daily (7 days a week, 365 days a year, including holidays) minimizes the amount of time and exposure of a potential breach. Log harvesting, parsing, and alerting tools, centralized log management systems, event log analyzers, and security information and event management (SIEM) solutions are examples of automated tools that can be used to meet this requirement.
Version 3 allowed manual review of logs. In practice, though, no individual can review the volume of logs that even a small in-scope environment generates.
Automated log review is considered a best practice until March 31, 2025; after that date it is required. Implementing a solution now raises your security posture across the company and prepares you for the new requirement before it becomes mandatory.
As one of our customers, Ottawa County’s Technical Infrastructure Manager Mike Morrow put it, “We’re required by CJIS and IRS Pub 1075 compliance to review our logs daily. Blumira has saved us time because we can’t monitor all of our logs — we would need a team of 100 to go through all of these logs manually.”
To help reduce the manual effort for customers, Blumira's platform uses detection rules written and maintained by our team of security experts to automate threat analysis, detection and response. Learn more about our approach to threat detection and how we test and tune rules to reduce noisy alerts and false positives. See an example of an automated finding below:
Best Practices For Log Data Retention
What hasn't changed in this latest version is the requirement to retain audit log history (10.5.1): logs from in-scope systems must be kept for at least 12 months, with at least the most recent three months immediately available for analysis (retained "hot" in a searchable store rather than in a cold archive). In practice, the simplest solution is an easy-to-set-up SIEM that already has 12 months of retention built in.
The guidance for 10.4.1.1 names SIEMs and centralized log management systems as examples of automated review tools, and keeping all logs in one place is also what makes retention, retrieval, and querying convenient. As covered in the previous section, 10.4.1 requires daily review of security events and of the logs from in-scope systems, including the alerts generated by security tools such as a SIEM.
How Blumira Helps: Easily Access and View Retained Logs; Customize Notifications
To help customers meet PCI DSS 10.5.1, Blumira retains one year of data by default in our Cloud and Advanced editions, so there’s no need to export logs every three months and store them in a different location.
Blumira also gives customers a convenient portal to access and review all of their current and past findings. This is included in our flat-fee, subscription-based pricing, unlike SIEM providers that charge customers to access their own logs.
Customers can also set up alert notifications to be sent immediately via email, SMS/text and phone call whenever a detection rule is triggered. These alerts can be customized by finding type (risk, suspect or threat) and by priority; for example, Priority 1 denotes a critical threat that we recommend customers respond to immediately.
Protect the Integrity and Confidentiality of Logs
The requirement to protect audit trails is also unchanged and is relevant to retention. In v3.2.1 it was requirement 10.5; in v4.0 the same controls sit under requirement 10.3: limit read access to audit logs to those with a job-related need (10.3.1), protect log files from modification (10.3.2), promptly back up log files to a secure, central, internal log server or other media that is difficult to modify (10.3.3), and use file integrity monitoring or change-detection on audit logs so that existing log data cannot be changed without generating alerts (10.3.4).
To help customers meet these controls, Blumira encrypts log data both in transit and at rest, so an attacker who reaches a log archive cannot read it without the appropriate keys. The Blumira log database is accessible only to internal Blumira services and to staff who need it to do their jobs, following the principle of least privilege.
Blumira also preserves the raw log data while tracking and identifying individual log messages, so that data integrity can be validated. Through periodic review and internal processes, Blumira verifies that incoming logs have not been tampered with, and alerts customers if an audit log is cleared on a monitored system.
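As an added example (this is not Blumira's code and does not describe its platform), the following Python script shows the two pieces that this section and the earlier section on automated review describe, in working form: a hash chain over stored log records that makes modification or deletion of any record detectable, and a simple automated review rule that raises a Priority 1 finding when a Windows Security log is cleared (Security event ID 1102, "The audit log was cleared"). The JSON record shape, the host names and the sample events are constructed for the example.

```python
"""Tamper-evident log storage plus an automated review rule.

Added example, not vendor code. Record format, hosts and events below are
constructed for illustration.
"""
import hashlib
import json

# Constructed sample records in a simplified JSON shape (an assumption: real
# collectors emit vendor-specific formats that a parser would normalize first).
SAMPLE_LOGS = [
    {"ts": "2024-05-01T08:00:01Z", "host": "pos-01", "source": "Security",
     "event_id": 4624, "user": "cashier1", "msg": "An account was successfully logged on."},
    {"ts": "2024-05-01T08:05:12Z", "host": "pos-01", "source": "Security",
     "event_id": 4672, "user": "svc_backup", "msg": "Special privileges assigned to new logon."},
    {"ts": "2024-05-01T08:06:40Z", "host": "pos-01", "source": "Security",
     "event_id": 1102, "user": "svc_backup", "msg": "The audit log was cleared."},
    {"ts": "2024-05-01T08:07:00Z", "host": "db-02", "source": "Security",
     "event_id": 4624, "user": "dba", "msg": "An account was successfully logged on."},
]

GENESIS = "0" * 64  # fixed starting digest for the chain


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_chain(records):
    """Append records to a hash chain: each digest covers the previous digest
    and the record, so changing, removing or reordering any record breaks
    every digest after it."""
    chain = []
    prev = GENESIS
    for rec in records:
        digest = hashlib.sha256(prev.encode() + canonical(rec)).hexdigest()
        chain.append({"record": dict(rec), "prev": prev, "digest": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Re-walk the chain. Returns (True, None) if intact, otherwise
    (False, index) of the first entry whose link or digest does not check out."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i  # a record before this one was removed or reordered
        expected = hashlib.sha256(prev.encode() + canonical(entry["record"])).hexdigest()
        if entry["digest"] != expected:
            return False, i  # this record's contents were altered
        prev = entry["digest"]
    return True, None


def review(records):
    """Automated daily-review rule: Windows writes Security event 1102 when the
    Security log is cleared. Each hit becomes a Priority 1 finding."""
    findings = []
    for rec in records:
        if rec.get("source") == "Security" and rec.get("event_id") == 1102:
            findings.append({
                "priority": 1,
                "type": "threat",
                "host": rec["host"],
                "user": rec.get("user"),
                "ts": rec["ts"],
                "reason": "Security audit log cleared",
            })
    return findings


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LOGS)
    print("chain intact:", verify_chain(chain))
    for f in review(SAMPLE_LOGS):
        print("P%d %s on %s by %s at %s" % (f["priority"], f["reason"], f["host"], f["user"], f["ts"]))
```

The chain only proves integrity relative to the last digest you trust, so in practice the head digest is written somewhere the log server cannot alter (a separate system or write-once media), which is the same idea as the "difficult to modify" backup target in 10.3.3.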
Learn more about how you can help meet PCI DSS requirements with Blumira, and see which plan is right for your organization. Or, get started logging your Microsoft 365 data in minutes to get deeper visibility, automated detection and response with Blumira’s free edition.
Sign Up For Your Free Account Today
Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.
Chris Furner, Senior Sales Engineer at Blumira, contributed to this article.