Need for effective SOC/Security monitoring from PCI DSS perspective – Part 3
Planning for Effective Log Monitoring
Effective planning of log-monitoring activities starts with a thorough understanding of the organization's legal, regulatory, business, and operational requirements. It also requires knowing which technical capabilities the organization's systems and available technologies offer for monitoring, and it should draw on the skills of the individuals and teams within the organization to develop effective and efficient log-monitoring practices.
Planning log monitoring involves the following steps:
I. Determine Logging Requirements
No log-monitoring strategy can succeed until the supporting processes and infrastructure have been built, which requires deciding the following:
- The areas that need to be addressed for monitoring
- The system components that should be included in the monitoring strategy
- The information that needs to be tracked and captured in the security log
- The steps or process through which the security logs will be captured and analyzed
- The frequency of review and security log data analysis
- The retention duration of the security log data
The organization must first consider the laws and regulations that apply across its entire structure. Existing organizational policies and risk management strategies should be carefully aligned with the PCI DSS standards. Alongside other legal, compliance, and operational obligations, the PCI DSS requirements should serve as the basis for defining logging requirements, so that log-monitoring and management processes meet all of the organization's IT security requirements.
II. Define High-Level Activities to Monitor
Establishing or improving log-monitoring processes begins at a high level, by defining which types of activity and which indicators of malicious or anomalous behavior the organization needs to track. In Security Information and Event Management (SIEM) terminology, such indicators are called events of interest.
PCI DSS specifies the high-level activities that must be logged, including all individual user access to cardholder data. All actions taken by any individual with root or administrative privileges must be tracked, and the access audit trails must cover them. Beyond these, PCI DSS identifies further activities that must be logged: for instance, all anti-virus mechanisms must log their detections and actions, so that “virus and malware activity and anti-malware reactions” are tracked as the standard defines.
The main purpose of defining security events at a high level is to give administrators the flexibility to associate specific system messages or alerts with each high-level event. The same high-level event may appear differently in the security logs of different systems. Discussing the logging requirements with the security personnel during planning therefore helps determine which system-level messages correspond to each high-level event, and an explicit mapping from system-level messages to high-level events needs to be defined.
The organization may be interested in events beyond those specified in the PCI DSS requirements, such as detection of active malware on a web server, the presence of cardholder data (CHD) in an unauthorized location, or multiple attempts from an unauthorized external IP address to connect to a database server containing CHD. Which additional events of interest the organization defines will depend greatly on its environment, the technologies in use, and its risk management strategy.
PCI DSS provides structure and guidance on what must be logged, tracked, and monitored to meet the compliance requirements; the organization then determines which further activities and events to monitor for its own security objectives. While PCI DSS is intended to protect CHD through effective security controls, organizations should consider IT security beyond PCI DSS so that their complete information security objectives, not only those concerning CHD, are met.
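The following is an added example, not code from the article, of the mapping described above: raw system-level messages from different log sources are translated into a small set of high-level event categories (administrative actions, access failures, anti-malware activity, following the activities the article lists), and a simple correlation then flags repeated access failures from an external address, one of the additional events of interest mentioned. The category names, regular expressions, internal address ranges and every sample log line are constructed for the illustration; Windows Event IDs 4672, 4625 and Defender event 1116 are real, but the flattened "EventID=... key: value" text is an assumed collector format, and lines that no rule covers are kept as UNMAPPED so that gaps in the mapping stay visible.

```python
"""Map system-level log messages to high-level PCI DSS events and correlate them.

Added illustration, not code from the article. Regexes, categories, internal
network ranges and sample lines are constructed; the Windows event IDs are real
but their flattened text format is an assumption about the collector.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample records: (ISO timestamp, host, log source, raw line).
SAMPLE_RECORDS = [
    ("2024-03-10T02:14:01", "linux-db01", "auth",
     "Mar 10 02:14:01 db01 sudo:  jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/cat /etc/shadow"),
    ("2024-03-10T02:15:12", "linux-db01", "auth",
     "Mar 10 02:15:12 db01 sshd[2031]: Failed password for root from 203.0.113.45 port 51922 ssh2"),
    ("2024-03-10T02:15:15", "linux-db01", "auth",
     "Mar 10 02:15:15 db01 sshd[2033]: Failed password for root from 203.0.113.45 port 51930 ssh2"),
    ("2024-03-10T02:15:19", "linux-db01", "auth",
     "Mar 10 02:15:19 db01 sshd[2035]: Failed password for root from 203.0.113.45 port 51944 ssh2"),
    ("2024-03-10T02:20:00", "win-web01", "security",
     "EventID=4672 Account Name: Administrator Message: Special privileges assigned to new logon."),
    ("2024-03-10T02:21:30", "win-web01", "security",
     "EventID=4625 Account Name: svc_iis Source Network Address: 198.51.100.7 Message: An account failed to log on."),
    ("2024-03-10T02:22:00", "win-web01", "security",
     "EventID=4624 Account Name: jdoe Message: An account was successfully logged on."),
    ("2024-03-10T02:25:00", "win-web01", "antivirus",
     "EventID=1116 Windows Defender detected malware: Trojan:Win32/Example action=Quarantine"),
]

# Assumed internal address ranges; any other address is treated as external.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Mapping table: (log source, system-level pattern) -> high-level event category.
RULES = [
    ("auth", re.compile(r"sudo:\s+(?P<user>\S+)\s*:.*USER=root"), "ADMIN_ACTION"),
    ("auth", re.compile(r"Failed password for (?P<user>\S+) from (?P<src_ip>[\d.]+)"), "AUTH_FAILURE"),
    ("security", re.compile(r"EventID=4672 .*Account Name:\s*(?P<user>\S+)"), "ADMIN_ACTION"),
    ("security", re.compile(r"EventID=4625 .*Account Name:\s*(?P<user>\S+).*Source Network Address:\s*(?P<src_ip>[\d.]+)"), "AUTH_FAILURE"),
    ("antivirus", re.compile(r"EventID=1116 .*detected malware:\s*(?P<detail>\S+)"), "MALWARE_ACTIVITY"),
]


@dataclass
class Event:
    when: datetime
    host: str
    category: str
    user: Optional[str] = None
    src_ip: Optional[str] = None
    raw: str = ""


def normalize(records):
    """Translate raw lines into high-level events; uncovered lines become UNMAPPED."""
    events = []
    for ts, host, source, line in records:
        when = datetime.fromisoformat(ts)
        for rule_source, pattern, category in RULES:
            if rule_source != source:
                continue
            match = pattern.search(line)
            if match:
                g = match.groupdict()
                events.append(Event(when, host, category, g.get("user"), g.get("src_ip"), line))
                break
        else:  # no rule matched: keep the line so the mapping gap is reviewed
            events.append(Event(when, host, "UNMAPPED", raw=line))
    return events


def count_by_category(events):
    return dict(Counter(e.category for e in events))


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def external_auth_failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """(host, src_ip) pairs with >= threshold AUTH_FAILUREs from an external address within any window."""
    times = defaultdict(list)
    for e in events:
        if e.category == "AUTH_FAILURE" and e.src_ip and is_external(e.src_ip):
            times[(e.host, e.src_ip)].append(e.when)
    alerts = []
    for key, stamps in sorted(times.items()):
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


if __name__ == "__main__":
    evs = normalize(SAMPLE_RECORDS)
    for cat, n in sorted(count_by_category(evs).items()):
        print(f"{cat:18s} {n}")
    for host, ip in external_auth_failure_bursts(evs):
        print(f"ALERT: {host}: repeated failed logons from external address {ip}")
```

On the constructed records the mapping yields two administrative actions, four access failures, one anti-malware event and one unmapped line (the successful Windows logon), and the correlation flags the three SSH failures against linux-db01 from 203.0.113.45 while the single failure against win-web01 stays below the threshold. The mapping table is the artifact the article says must be agreed with security personnel; in a real deployment it grows per log source and is reviewed whenever the UNMAPPED count rises.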
III. Identify Potential Log Sources
The environment to be monitored and the logging capabilities of its systems are the major factors in structuring an effective log-monitoring program. For PCI DSS, the starting point is the scoping exercise: each in-scope system must be identified individually, and logs must be generated on and forwarded from that system.
Most operating systems generate multiple logs. Windows-based systems typically generate three types of logs, namely the Security, System, and Application logs. Linux-based systems generate comparatively more logs, located in the “/var/log” directory. Depending on the function the system serves and the software running on it, further logs may be generated.
For example, a Microsoft Windows web server running Internet Information Services (IIS) will generate IIS logs in addition to the operating system logs, and an Apache web server on a Linux system will write log messages to Apache-specific log files.
The number of log files generated will vary with the configuration of the operating system and the software running on it. The capabilities and locations of potential log sources can be identified with the help of the vendors' documentation. Once identified, the potential log sources are easiest to represent when categorized by operating system, and further broken down by system function, such as web server or database server.
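As an added example (not code from the article), the following script represents the log-source inventory the way this section suggests, categorized by operating system and then by system function, and uses it for the check a PCI DSS assessor would ask for: every in-scope system is compared against the log sources the collector actually receives, and any missing source, or any operating-system/function combination for which no expected sources have been catalogued yet, is reported as a gap. The inventory and the list of forwarded sources are constructed; the expected-source table uses the logs the article names (Windows Security, System and Application logs, Linux logs under /var/log, IIS and Apache logs) with their usual default locations, which are assumptions to be confirmed against the vendor documentation for the versions actually deployed.

```python
"""Log-source inventory and coverage check for in-scope systems.

Added illustration, not code from the article. The inventory, the forwarded
sources and the expected-source table are constructed; the paths are the
usual vendor defaults and must be confirmed against vendor documentation.
"""
from collections import defaultdict

# Expected log sources keyed by (operating system, function). The "base" entry
# holds the operating system's own logs; other entries hold function-specific logs.
EXPECTED_SOURCES = {
    ("windows", "base"): ["Security", "System", "Application"],
    ("windows", "web"): [r"%SystemDrive%\inetpub\logs\LogFiles"],   # IIS default log directory
    ("linux", "base"): ["/var/log/auth.log", "/var/log/syslog"],
    ("linux", "web"): ["/var/log/apache2/access.log", "/var/log/apache2/error.log"],
    ("linux", "database"): ["/var/log/postgresql"],                  # assumed database log directory
}

# Constructed inventory of in-scope systems: host -> (operating system, function).
INVENTORY = {
    "win-web01": ("windows", "web"),
    "win-db01": ("windows", "database"),
    "linux-web01": ("linux", "web"),
    "linux-db01": ("linux", "database"),
}

# Constructed set of (host, log source) pairs the central collector is receiving.
FORWARDED = {
    ("win-web01", "Security"),
    ("win-web01", "System"),
    ("win-web01", "Application"),
    ("linux-web01", "/var/log/auth.log"),
    ("linux-web01", "/var/log/syslog"),
    ("linux-web01", "/var/log/apache2/access.log"),
    ("linux-web01", "/var/log/apache2/error.log"),
    ("linux-db01", "/var/log/auth.log"),
}

UNCATALOGUED = "UNCATALOGUED"


def group_by_os_and_function(inventory):
    """Represent the inventory the way the article suggests: by OS, then by function."""
    grouped = defaultdict(list)
    for host, (os_name, function) in sorted(inventory.items()):
        grouped[(os_name, function)].append(host)
    return dict(grouped)


def expected_sources(os_name, function):
    """OS base logs plus function-specific logs, or None if the pair is not catalogued."""
    base = EXPECTED_SOURCES.get((os_name, "base"))
    specific = EXPECTED_SOURCES.get((os_name, function))
    if base is None or specific is None:
        return None
    return base + specific


def coverage_gaps(inventory, forwarded):
    """Return {host: [missing sources]}; hosts whose (OS, function) is unknown map to [UNCATALOGUED]."""
    gaps = {}
    for host, (os_name, function) in sorted(inventory.items()):
        expected = expected_sources(os_name, function)
        if expected is None:
            gaps[host] = [UNCATALOGUED]   # vendor documentation still needs to be consulted
            continue
        missing = [src for src in expected if (host, src) not in forwarded]
        if missing:
            gaps[host] = missing
    return gaps


if __name__ == "__main__":
    for (os_name, function), hosts in sorted(group_by_os_and_function(INVENTORY).items()):
        print(f"{os_name}/{function}: {', '.join(hosts)}")
    for host, missing in coverage_gaps(INVENTORY, FORWARDED).items():
        print(f"GAP {host}: {', '.join(missing)}")
```

With the constructed data, linux-web01 is fully covered, win-web01 forwards its operating system logs but not the IIS logs, linux-db01 is missing its syslog and database logs, and win-db01 is flagged as uncatalogued because no expected sources have been defined for a Windows database server yet. Re-running the check whenever the scope changes keeps the forwarded sources aligned with the in-scope inventory.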