Here is a hard problem: you MUST log, but there are no logs to enable. Or, what is no less common, logs are so abysmal that they don’t help – and don’t fit the regulatory mold (example: PCI DSS Requirement 10.2 and 10.3). Or, logs are “out there in the cloud” and you cannot get them, but compliance is here and requires them.
What to do?
The answer to this eternal question is in my new whitepaper that I have written for Observe-IT (observeit-sys.com).
This paper covers the critical challenges of implementing PCI DSS controls and suggests creative solutions for related compliance and security issues. Specifically, it discusses in depth the hard problem of security monitoring and log review in cloud, legacy, and custom application environments. Additionally, it clarifies key PCI DSS compensating controls. This paper will help you satisfy the regulatory requirements and improve the security of your sensitive and regulated data.
Short version [PDF] (5 pages)
Extended version [PDF] (13 pages)
As usual, the vendor was paying the bill, but the thinking and research are all mine (SecurityWarrior Consulting).