Wednesday, November 24, 2010

Complete PCI DSS Log Review Procedures, Part 1

Once upon a time, I was retained to create comprehensive PCI DSS-focused log review policies, procedures and practices for a large company. As I am preparing to handle more such engagements (including ones not focused on PCI DSS, but covering other compliance or purely security log reviews), I decided to publish a heavily sanitized version of that log review guidance as a long blog post series, tagged “PCI_Log_Review.” It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis (a key requirement for this project – the guidance was to be useful to such people) in order to enable them to do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation (or without any compliance flavor – of course!)
This is the first post in the long, long series... prepare to see lots of process flow charts.
A few tips on how you can use it in your organization:
  • If you need to establish log review practices to satisfy PCI DSS Requirement 10.6 “Review logs for all system components at least daily”, feel free to steal from this document and adapt it to your environment. I can do that for you too.
  • There is a slight bias towards application and OS logging in this document (as per client request) – and you do need to review network and security device logs as well. The methods and practices apply to them as well.
  • This was created before the PCI DSS 2.0 release, but has been checked to “comply” with the most recent standard (and Requirement 10 has not changed much in 2.0).
  • A QSA looked at it and liked it – but YMMV. Your QSA is always the ultimate authority in regards to what will “make you compliant”.
  • Don’t forget to buy me a beer if you find it useful. Better – contract me to create something similar for your organization. Are you doing a good job with log review today? Owning an expensive SIEM product but not using it well does not magically make you compliant or secure (it can make you poor though) – but then again, you already knew it….
And so we begin our journey.

Project Goals

The goal of this project is to create a comprehensive Log Review Procedures document for PCI DSS applications. Such a document needs to cover log review procedures, tasks and practices, incorporate other systems in the review workflow, and also document all stages of log review. If implemented in operational practice, this Log Review Procedures document should satisfy the PCI DSS requirements in select sections of PCI DSS Requirements 10 and 12 and should be adequate to pass PCI compliance validation[1].

Project Assumptions, Requirements and Precautions

These critical items are essential for the success of a PCI logging, log management and log review project. It is assumed that the following requirements are satisfied before the Log Review Procedures are put into operational practice.

A set of requirements needs to be in place before the operational procedures described in this document can be used effectively:
1. Logging policy is created to codify PCI DSS log-related requirements as well as other regulatory and operational logging requirements
2. Logging is enabled on the in-scope systems
3. Interruption or termination of logging is in itself logged and monitored
4. Events mandated in PCI DSS documentation are logged
5. Generated logs satisfy PCI DSS logging requirements (e.g. Req 10.3)
6. Time is synchronized across the in-scope systems and with the reliable time server (NTP or other as per PCI DSS Req 10.4)
7. Time zones of all logging systems are known and recorded and can be reviewed in conjunction with logs
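Requirements 3, 6 and 7 above are preconditions a reviewer can actually test against the collected logs rather than take on faith. The following script is an added example, not part of the original guidance or of any product it mentions: it assumes a constructed time-zone inventory (HOST_TIMEZONES), constructed collector records in which the central collector stamps each record with its own UTC receipt time (SAMPLE_RECORDS), and hypothetical thresholds (120 seconds of skew, 30 minutes of silence). It flags hosts with no recorded time zone, hosts whose own clock disagrees with the collector's, and hosts that fell silent long enough to suggest a logging interruption.

```python
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed time-zone inventory: an assumption that the organisation keeps a
# record of each in-scope host's zone, as requirement 7 asks for. fw01 is
# deliberately absent so the missing-record case is exercised.
HOST_TIMEZONES = {
    "web01": timezone(timedelta(hours=-5)),  # US Eastern, standard time
    "db01": timezone.utc,
    "app01": timezone(timedelta(hours=1)),   # Central European, standard time
}

# Constructed collector records: (host, timestamp as written by the host in its
# local zone, UTC timestamp stamped by the central collector on receipt, message).
SAMPLE_RECORDS = [
    ("web01", "2010-11-24 08:00:00", "2010-11-24 13:00:02", "sshd: session opened for alice"),
    ("web01", "2010-11-24 08:05:00", "2010-11-24 13:05:01", "sudo: alice : COMMAND=/bin/cat /var/log/secure"),
    ("web01", "2010-11-24 08:45:00", "2010-11-24 13:45:03", "sshd: session closed for alice"),
    ("db01",  "2010-11-24 13:00:10", "2010-11-24 13:00:11", "postgres: connection authorized user=cde_app"),
    ("db01",  "2010-11-24 13:10:10", "2010-11-24 13:10:11", "postgres: connection authorized user=cde_app"),
    ("app01", "2010-11-24 14:00:00", "2010-11-24 13:06:00", "app: payment batch started"),
    ("app01", "2010-11-24 14:01:00", "2010-11-24 13:07:00", "app: payment batch finished"),
    ("fw01",  "2010-11-24 13:02:00", "2010-11-24 13:02:01", "kernel: DROP IN=eth0 SRC=10.0.0.9"),
]


def to_utc(host, local_ts):
    """Convert a host's local timestamp to UTC using its recorded zone."""
    naive = datetime.strptime(local_ts, TS_FORMAT)
    return naive.replace(tzinfo=HOST_TIMEZONES[host]).astimezone(timezone.utc)


def hosts_without_timezone(records):
    """Requirement 7: every logging host must have a recorded time zone."""
    return sorted({host for host, *_ in records if host not in HOST_TIMEZONES})


def find_clock_skew(records, max_skew=timedelta(seconds=120)):
    """Requirement 6: compare each host's own clock with the collector's clock.

    Returns {host: worst skew in seconds} for hosts that exceed max_skew.
    """
    worst = {}
    for host, local_ts, received_ts, _ in records:
        if host not in HOST_TIMEZONES:
            continue  # reported separately; skew cannot be judged without a zone
        received = datetime.strptime(received_ts, TS_FORMAT).replace(tzinfo=timezone.utc)
        skew = abs((received - to_utc(host, local_ts)).total_seconds())
        if skew > max_skew.total_seconds():
            worst[host] = max(worst.get(host, 0.0), skew)
    return worst


def find_logging_gaps(records, max_gap=timedelta(minutes=30)):
    """Requirement 3: a host silent for longer than max_gap is a candidate
    logging interruption. Returns [(host, gap_start_utc, gap_end_utc)]."""
    by_host = {}
    for host, local_ts, _, _ in records:
        if host in HOST_TIMEZONES:
            by_host.setdefault(host, []).append(to_utc(host, local_ts))
    gaps = []
    for host, stamps in sorted(by_host.items()):
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_gap:
                gaps.append((host, earlier, later))
    return gaps


def precondition_findings(records):
    """Bundle the three checks so a reviewer can run them before daily review."""
    return {
        "unrecorded_timezone": hosts_without_timezone(records),
        "clock_skew_seconds": find_clock_skew(records),
        "logging_gaps": find_logging_gaps(records),
    }


if __name__ == "__main__":
    for name, finding in precondition_findings(SAMPLE_RECORDS).items():
        print(f"{name}: {finding}")
```

On the constructed data the script reports fw01 as having no recorded zone, app01 as six minutes off the collector's clock, and a 40-minute silence on web01. The gap check only works for hosts that log continuously; a host that is legitimately quiet needs a heartbeat record, or the explicit "logging stopped" event that requirement 3 calls for, otherwise silence and interruption look the same to the reviewer.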


These additional precautions need to be taken in order to make logs useful for PCI DSS compliance and other regulations, as well as for security, forensics and operational requirements:
  • Key precaution: the person whose actions are logged on a particular system cannot be the sole party responsible for log review on that same system.
  • Key precaution: PCI DSS mandates log security measures (detailed below); all access to logs should be logged and monitored to identify attempts to terminate or otherwise affect the presence and quality of logging.

[1] No assurance or guarantee of PCI compliance or passing PCI validation with one or more PCI DSS requirements can be given in this document. Only each organization’s QSA can be the judge of compliant status, as per PCI Council guidelines.

Out-of-scope Items

The following items are not covered in the document despite the fact that they might be essential for becoming PCI DSS compliant:
| Out-of-scope Item | Why out of scope? |
|---|---|
| What events to log for each application? | Scope of the project is defined to cover log review only. It is assumed that proper logging is already implemented as per corporate logging policy. |
| What details to log for each logged event for each application? | Scope of the project is defined to cover log review only. It is assumed that proper logging is already implemented as per corporate logging policy. |
| High-level logging and monitoring policy | It is known that such a policy is already in place. |
| Log aggregation, rotation and retention policies and procedures | Even though PCI DSS prescribes log retention, such procedures are not covered in this document. |
| Security incident response process | Scope of the project is defined to cover log review only. Log review procedures sometimes call for initiation of a security incident response process and investigation. |
| Applications that are not in scope for PCI DSS | Scope of the project is defined to cover PCI DSS applications only. |
| Network devices that are OR are not in scope for PCI DSS | Scope of the project is defined to cover PCI DSS applications only. |
| Access control to stored logs, protecting the confidentiality and integrity of log data | Even though PCI DSS prescribes access control guidelines for aggregated logs, such procedures are not covered in this document as per project definition. |
| Compensating controls when logging is not possible | Scope of the project is defined to cover log review only. Log review is always possible whenever logging is possible. However, the situation where logging is not possible is not covered in this document. |
| Real-time monitoring of central logging health, performance, etc. | Scope of the project is defined to cover periodic log review only. |
| Any and all logging requirements in PCI DSS outside of Requirements 10 and 12 | Scope of the project is defined to cover log review procedures in PCI Requirements 10 and 12 only. A brief overview of PCI logging requirements in other sections is provided, but no detailed operational guidance is given. |
| Guarantee of passing PCI DSS assessment | Only each organization's QSA can provide such assurance or guarantee after the assessment. |
| Correlation rules for PCI monitoring | While correlation rules can be created to automate some of the items discussed in the document, the project is scoped to cover log review and not correlation. |
| Log record preservation for forensic purposes | Log record preservation should be a part of a security incident response workflow. |

A.C. note when posting: make sure you do include network devices in your PCI logging project!
Note that some or all of the above items may be mandatory for passing PCI compliance validation.
To be continued.

Go to PCI_Log_Review to see all 18 posts.

P.S. This was posted by a scheduler. I am away from computers and response to comments will be slow.

Dr Anton Chuvakin