PCI 2.0 What's Next for PCI DSS and Logging

1. PCI 2.0What's Next for PCI DSS and Logging Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com/ September 2010

2. Outline PCI DSS Refresher PCI DSS 2.0 Review Logging – Key to PCI DSS! PCI DSS: What You MUST Do Now! Conclusions

3. QSA is Coming! Are You Ready? Annual on-site PCI DSS assessment (“QSA visit”) Review PCI DSS policies and procedures Evaluate the scope of PCI applicability Assess compliance with technical controls – including collection and review of logs

4. What is PCI DSS or PCI? Payment Card Industry Data Security Standard Payment Card = Payment Card Industry = Data Security = Data Security Standard =

5. PCI Regime vs DSS Guidance The PCI Council publishes PCI DSS Outlined the minimumdata security protections measures for payment card data. Defined Merchant & Service Provider Levels, and compliance validation requirements. Left the enforcement to card brands (Council doesn’t fine anybody!) Key point: PCI DSS (document) vs PCI (validation regime)

6. The Requirements

8. Breach notification costs

9. Investigation costs

10. New security measures

11. Brand damage

12. Cost of lost IP

14. The Key Piece: Requirement 10 In brief: Must have good logs Must collect logs Must store logs for 1 year Must protect logs Must review logs daily (using an automated system)

15. PCI DSS Requirement 10.1 What it is? “Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.” What it means? This means that every log of user action should have a user name in it What will QSA check for? ”Verify through observation and interviewing the system administrator, that audit trails are enabled and active for system components” What you MUST do? Log all admin access, actions; make sure logs are tied to user names

16. PCI DSS Requirement 10.2 What it is? “Implement automated audit trails for all system components” What it means? Make sure you log all PCI-mandated events on all in-scope systems What will QSA check for? ”Through interviews, examination of audit logs, and examination of audit log settings” verify that this is being done What you MUST do? Enable logging on all PCI systems; for details see PCI DSS

17. PCI DSS Requirement 10.5 What it is? “Secure audit trails so they cannot be altered.” What it means? Collected logs must be protected from changes and unauthorized viewing What will QSA check for? ”Interview system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered” What you MUST do? Store logs on a secure system and log all access to logs

18. PCI DSS Requirement 10.5.3 What it is? “Promptly back up audit trail files to a centralized log server or media that is difficult to alter.” What it means? Logs must be centrally collected What will QSA check for? ” Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter” What you MUST do? Deploy a log server to collect logs from all PCI systems

19. PCI DSS Requirement 10.6 What it is? “Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like IDS and authentication, authorization, and accounting protocol servers.” What it means? Collected logs must be reviewed daily What will QSA check for? ”Obtain and examine security policies … to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required. Through observation and interviews, verify that regular log reviews are performed for all system components.” What you MUST do? Establish a log review process and follow it

20. PCI DSS Requirement 10.7 What it is? “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.” What it means? Collected logs must be stored for ONE YEAR. What will QSA check for? ”Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months’ logs for immediate analysis.” What you MUST do? Make sure that all PCI logs are stored for a year

21. Want a PCI DSS Book? “PCI Compliance” by Anton Chuvakin and Branden Williams Useful reference for merchants, vendors – and everybody else Released December 2009!

22. Questions? Dr. Anton Chuvakin Security Warrior Consulting Email:anton@chuvakin.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consulting:http://www.securitywarriorconsulting.com

23. More on Anton Now: independent consultant Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

24. Security Warrior Consulting Services Logging and log management strategy, procedures and practices Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations Help integrate logging tools and processes into IT and business operations SIEM and log management content development Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations More at www.SecurityWarriorConsulting.com

25. More on Anton Consultant: http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

26. Security Warrior Consulting Services Logging and log management strategy, procedures and practices Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations Help integrate logging tools and processes into IT and business operations SIEM and log management content development Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations More at www.SecurityWarriorConsulting.com

27. Want a PCI DSS Book? “PCI Compliance” by Anton Chuvakin and Branden Williams Useful reference for merchants, vendors – and everybody else Released December 2009! www.pcicompliancebook.info