PCI requirement 10 is all about logging and log monitoring.
How much do you know about logs? Do you have someone track them? Log monitoring is actually crucial to finding potential holes in your security.
System event logs are recorded tidbits of information regarding the actions taken on computer systems like firewalls, office computers, printers, etc.
Log monitoring systems (e.g., Security Information and Event Management [SIEM] tools) oversee network activity, inspect system events, alert on suspicious activity, and store the user actions that occur inside your systems. They are your watchtower lookout and can provide the data that warns you of a data breach. The raw log files are also known as audit records, audit trails, or event logs.
Most systems and software generate logs, including operating systems, Internet browsers, POS systems, workstations, anti-malware, firewalls, and Intrusion Detection System (IDS) devices. Some systems with logging capabilities don’t enable logging automatically, so it’s important to make sure all systems have logging turned on. Some systems generate logs but don’t provide an event log management solution. Make sure you know your systems’ capabilities and consider installing third-party log monitoring and management software.
Businesses should review their logs daily to search for errors, anomalies, or suspicious activity that deviates from the norm.
A log alert acts as a red flag when something potentially bad is happening in your system. Given the large amount of log data that systems generate, it’s impractical (and likely impossible) to manually review all logs each day. Log monitoring software takes care of that task by using rules to automate log review and alert only on events that might reveal problems. This is often done with real-time reporting software that alerts you by email or text when suspicious actions are detected.
Log monitoring software often comes with default alerting templates. However, because not everyone’s network and system designs are the same, it’s critical to take time to correctly configure your alerting rules.
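To make the two points above concrete (rules that automate log review, and default templates that need tuning to your environment), here is an added example that is not from SecurityMetrics or any product described on the page. It is a small rule-based log reviewer written for this post: the log lines, host names, IP addresses, user names, and the rule thresholds are all constructed for illustration. The default configuration deliberately mirrors a generic vendor template (a high failed-login threshold) so you can see how a real event slips past the default and is only caught once the threshold is tuned.

```python
import re
from collections import Counter
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed sample log lines (not real data): one day of syslog-style events from a
# hypothetical firewall "fw01" and a hypothetical POS server "pos01".
SAMPLE_LOGS = [
    "2024-03-01T02:14:07 fw01 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T02:14:09 fw01 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T02:14:11 fw01 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T02:14:13 fw01 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T02:14:15 fw01 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T02:14:20 fw01 sshd: Accepted password for admin from 203.0.113.5",
    "garbage line without structure",
    "2024-03-01T09:00:01 pos01 sshd: Failed password for clerk from 192.0.2.10",
    "2024-03-01T09:00:30 pos01 sshd: Accepted password for clerk from 192.0.2.10",
    "2024-03-01T09:05:44 pos01 audit: user root cleared log /var/log/audit/audit.log",
    "2024-03-01T12:30:00 pos01 av: scan completed, 0 threats",
]

# Assumed line layout: "<ISO timestamp> <host> <source>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+)")
CLEARED_RE = re.compile(r"cleared log (\S+)")


class Event(NamedTuple):
    ts: datetime
    host: str
    source: str
    msg: str


class Alert(NamedTuple):
    rule: str
    host: str
    detail: str


# Hypothetical "default template" settings; the threshold of 10 is the value we
# assume a generic product ships with, and is what tuning will change.
DEFAULT_CONFIG = {
    "failed_login_threshold": 10,     # alert on the Nth failed login per host/user/source
    "business_hours": (8, 18),        # local hours during which admin logins are expected
    "admin_accounts": {"admin", "root"},
}


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return Event(ts, m["host"], m["source"], m["msg"])


def evaluate(lines, config=DEFAULT_CONFIG):
    """Run the three illustrative rules over the lines and return alerts in order."""
    events = [e for e in map(parse_line, lines) if e is not None]
    alerts = []
    failures = Counter()  # (host, user, source_ip) -> failed login count
    for e in events:
        m = FAILED_RE.search(e.msg)
        if m:
            key = (e.host, m.group(1), m.group(2))
            failures[key] += 1
            # Rule 1: repeated failed logins for the same account from the same source.
            if failures[key] == config["failed_login_threshold"]:
                alerts.append(Alert("repeated_failed_logins", e.host,
                                    f"{failures[key]} failures for {key[1]} from {key[2]}"))
            continue
        m = ACCEPTED_RE.search(e.msg)
        if m:
            # Rule 2: a privileged account logging in outside business hours.
            start, end = config["business_hours"]
            if m.group(1) in config["admin_accounts"] and not (start <= e.ts.hour < end):
                alerts.append(Alert("off_hours_admin_login", e.host,
                                    f"{m.group(1)} from {m.group(2)} at {e.ts.time()}"))
            continue
        m = CLEARED_RE.search(e.msg)
        if m:
            # Rule 3: an audit log being cleared is always worth a look (PCI 10 asks that
            # audit trails be protected from alteration).
            alerts.append(Alert("audit_log_cleared", e.host, f"{m.group(1)} cleared"))
    return alerts


if __name__ == "__main__":
    for label, cfg in (("default template", DEFAULT_CONFIG),
                       ("tuned (threshold 5)", {**DEFAULT_CONFIG, "failed_login_threshold": 5})):
        print(f"--- {label} ---")
        for a in evaluate(SAMPLE_LOGS, cfg):
            print(f"{a.rule:25} {a.host:6} {a.detail}")
```

With the default template the five-attempt guessing run against `admin` never trips the failed-login rule (it needs ten), and only the off-hours login and the cleared audit log are reported; lowering the threshold to 5 surfaces the guessing run as well. Which value is right depends on your own systems, which is the point of reviewing the templates rather than accepting them as shipped.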
Regular log monitoring means quicker response times to security events and a more effective security program. Not only will log analysis and daily monitoring demonstrate your commitment to complying with PCI DSS requirements, it will also help you defend against insider and outsider threats.