When it comes to PCI, it provides some very prescriptive things that one must do with their logs in order to maintain compliance. Those things can basically be boiled down into three categories: centralizing your log data into a secure location, regularly investigating your logs for known events, and then creating audit trails to prove that investigations were done. We're going to go through each of these in a little detail.
For centralizing your log data, there are a few things to keep in mind. First, you have to consider all the different places within your IT environment that logs are coming from. In addition to your application, you have servers, you have databases, firewalls, and routers. It's important to think of all these places as locations from which you should be logging and collecting logs. Secondly, PCI requires that logs remain searchable for up to 90 days and are retained for at least a year. Finally, the data must remain unaltered once collected. If an attacker infiltrates your system and tries to cover their tracks by manipulating the logs, you need to be alerted, or the logs must be removed from your environment entirely so they can be protected.
Number two, regular investigation of known events. The idea here is that, rather than just looking at the logs, you're looking for known events that PCI specifies. There are several. A few examples include account log-on successes and failures, object access or the deletion of objects, and policy changes or the manipulation of access controls. Finally, there are specific details that need to be logged in relation to these events so that you can know exactly what's happening. For each of these events, required logging includes the user ID or an identifier for each user who's making these actions, the date and time of the event, the event type, and several others.
Number three, creating audit trails. The idea here is that if an auditor were to come to check whether you are maintaining your compliance, you need to be able to prove that you are in fact doing the investigations that you say you're doing. Different organizations take different approaches to these audit trails. Some provide a manual record of the investigations. Others use a tool to help provide an audit trail for them.
So when considering how to go about managing your logs, many organizations turn to using a tool in order to make this process easier. There are a few questions one should ask when considering different tools to make sure you're choosing the right one for you. When it comes to centralizing log data, it's important to first consider how easy it would be for you to collect the logs from all your different sources. How much configuration is going to be required, and how much time will it take for you to set this up? Finally, for how long will you be able to search the logs, for how long will the logs be retained, and will the logs remain unaltered? If they are not being stored outside of your environment, is there a way to alert you to the fact that they've been altered?
For tools to help you regularly investigate your logs, you should be considering how easily you can run searches for these different known events. Can you correlate this data with other data you have to complete a deeper investigation? How easily can you rerun these queries or these investigations without having to start from scratch each time? Finally, for audit trails, a good question to ask could be, "Does the tool provide me with an audit trail?"
So how can Logentries help? Logentries is a log management, investigation, and analytics tool that can be used to help one maintain PCI compliance through log centralization, easy-to-use investigation tools, and providing an audit trail. Logentries makes this process a lot easier.
I'm Matt Kiernan. Thanks for joining this Whiteboard Wednesday. You can learn more about Logentries as well as start your free 30-day Logentries trial at logentries.com.
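As an added example (not part of this Whiteboard Wednesday transcript and not Logentries' own code), the Python below sketches the checks the talk describes: it parses constructed JSON log lines, flags records that lack the per-event details PCI requires (the field names user_id, timestamp and event_type are assumed), groups the known events the talk lists, and hash-chains the raw lines so that a later edit, insertion or truncation of collected logs is detectable.

```python
import hashlib
import json

# Constructed sample log lines (one JSON event per line); not real data.
SAMPLE_LOGS = [
    '{"timestamp":"2024-05-01T10:00:00Z","user_id":"alice","event_type":"logon_success","src":"10.0.0.5"}',
    '{"timestamp":"2024-05-01T10:00:07Z","user_id":"bob","event_type":"logon_failure","src":"10.0.0.9"}',
    '{"timestamp":"2024-05-01T10:02:00Z","user_id":"bob","event_type":"object_delete","object":"/card/batch1"}',
    '{"timestamp":"2024-05-01T10:03:00Z","event_type":"policy_change","detail":"acl edit"}',
]

# Per-event details the talk says PCI requires (field names are assumed).
REQUIRED_FIELDS = ("user_id", "timestamp", "event_type")
# The "known events" the talk says PCI asks you to look for.
KNOWN_EVENTS = ("logon_success", "logon_failure", "object_access",
                "object_delete", "policy_change")

def missing_fields(rec):
    """Required fields that are absent or empty in one parsed record."""
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]

def investigate(lines):
    """Group complete records by known event; collect records lacking required details."""
    findings = {e: [] for e in KNOWN_EVENTS}
    incomplete = []
    for line in lines:
        rec = json.loads(line)
        gaps = missing_fields(rec)
        if gaps:
            incomplete.append({"record": rec, "missing": gaps})
        elif rec["event_type"] in findings:
            findings[rec["event_type"]].append(rec)
    return findings, incomplete

def hash_chain(lines, seed="genesis"):
    """Link each raw line to the previous digest so any later edit breaks the chain."""
    digests, prev = [], seed
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests

def first_tampered(lines, digests, seed="genesis"):
    """Index of the first altered, appended or removed line, or None if intact."""
    for i, d in enumerate(hash_chain(lines, seed)):
        if i >= len(digests) or d != digests[i]:
            return i
    return None if len(lines) == len(digests) else len(lines)
```

The chain digests must be stored somewhere the log host cannot write to (the "outside your environment" point in the talk), otherwise an attacker who edits the logs can recompute them.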