3 Reasons To Work With a PCI DSS Certified SIEM Managed Security Service Provider To Satisfy Requirement 10
The Payment Card Industry Data Security Standard (PCI DSS) contains 12 requirements. Requirement 10 states that a company must track and monitor all access to network resources and cardholder data. Many organizations find this requirement one of the most difficult to satisfy.
The systems must first be configured correctly to capture all the logs. After setup, people must actively monitor those logs. If the activity within your environment is not monitored, the warning signs of a cyber attack or breach can be missed. Falling victim to a cyber attack can be ruinous for your organization and can harm the people who are trusting you to keep their information safe.
The subcategories for the requirement related to log monitoring are:
10.1 Implement audit trails to link all access to system components to each individual user.
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual user accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
10.2.6 Initialization, stopping, or pausing of the audit logs
10.2.7 Creation and deletion of system-level objects
10.3 Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource.
10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
10.4.1 Critical systems have the correct and consistent time.
10.4.2 Time data is protected.
10.4.3 Time settings are received from industry-accepted time sources.
10.5 Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity. Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.
10.6.1 Review the following at least daily: all security events; logs of all system components that store, process, or transmit CHD and/or SAD; logs of all critical system components; logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
10.6.3 Follow up exceptions and anomalies identified during the review process.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
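Sub-requirement 10.5.5 has a subtlety that trips up naive file-integrity monitoring: a log that grows by appending is normal and must not alert, while any change to bytes that were already written, or any shortening of the file, must. The script below is an added example written for this post; it is not code from the original article or from Cipher. It assumes a plain text log file and keeps a baseline of (size, SHA-256 of the first size bytes) so that appends pass and in-place edits or truncation alert. The audit records it writes are constructed samples that carry the 10.3 fields (user, event type, timestamp, outcome, origin, affected resource); the file names, field layout and hosts are invented for the illustration.

```python
"""Append-only integrity check for an audit log (the 10.5.5 behaviour).

Added example, not code from the original post or from Cipher. The file
layout, the prefix-hash scheme and the sample log lines are assumptions
constructed for this illustration.
"""
import hashlib
import os
import tempfile

CHUNK = 65536


def hash_prefix(path: str, length: int) -> str:
    """SHA-256 over the first `length` bytes of the file only."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:  # file shorter than expected; caller checks size
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def take_baseline(path: str) -> dict:
    """Record the log's current size and digest. In practice the baseline is
    kept out-of-band (e.g. on the central log server of 10.5.3), never next
    to the log it protects."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": hash_prefix(path, size)}


def check_log(path: str, baseline: dict) -> dict:
    """Classify the file relative to the baseline.

    'ok'        unchanged
    'appended'  only new bytes after the old end: no alert (10.5.5 allows it)
    'truncated' file shorter than baseline: alert
    'modified'  bytes inside the baselined prefix changed: alert
    """
    size = os.path.getsize(path)
    if size < baseline["size"]:
        return {"status": "truncated", "alert": True}
    if hash_prefix(path, baseline["size"]) != baseline["sha256"]:
        return {"status": "modified", "alert": True}
    if size == baseline["size"]:
        return {"status": "ok", "alert": False}
    return {"status": "appended", "alert": False,
            "new_bytes": size - baseline["size"]}


# Constructed sample records carrying the 10.3 fields; not real data.
SAMPLE_LOG = (
    b"2024-01-15T10:21:07Z user=alice event=login result=success "
    b"src=10.0.0.5 target=pos-db01\n"
    b"2024-01-15T10:22:13Z user=bob event=priv_elevation result=success "
    b"src=10.0.0.9 target=pos-app02\n"
)
NEW_RECORD = (
    b"2024-01-15T10:25:40Z user=carol event=login result=failure "
    b"src=10.0.0.7 target=pos-db01\n"
)


def run_scenarios() -> list:
    """Exercise unchanged, append, in-place edit and truncation; return verdicts."""
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "audit.log")
        with open(log, "wb") as f:
            f.write(SAMPLE_LOG)
        base = take_baseline(log)
        verdicts.append(check_log(log, base)["status"])  # ok

        with open(log, "ab") as f:  # normal growth: new record appended
            f.write(NEW_RECORD)
        verdicts.append(check_log(log, base)["status"])  # appended, no alert
        base = take_baseline(log)  # roll the baseline forward after a clean append

        # Rewrite an existing outcome; same length, so a size check alone misses it
        with open(log, "rb") as f:
            data = f.read().replace(b"result=failure", b"result=success")
        with open(log, "wb") as f:
            f.write(data)
        verdicts.append(check_log(log, base)["status"])  # modified, alert

        with open(log, "wb") as f:  # last record removed
            f.write(SAMPLE_LOG)
        verdicts.append(check_log(log, base)["status"])  # truncated, alert
    return verdicts


if __name__ == "__main__":
    for verdict in run_scenarios():
        print(verdict)
```

The in-place edit scenario is the one worth noticing: changing a recorded "failure" to "success" leaves the file the same size, so a monitor that only watches size or modification time would stay quiet, while the prefix digest catches it. After every clean append the baseline is rolled forward; a real deployment would also sign or ship the baseline to the centralized log server so that an attacker who can edit the log cannot edit the baseline as well.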
Meeting these requirements takes time and effort. In this post, we will cover several reasons working with a Managed Security Service Provider (MSSP) can be beneficial.
1. Bring Insights from Details
Log details from a Security Information and Event Management (SIEM) platform are a critical part of cybersecurity. The aggregated logs, the rules, and the alerts they trigger tell a story. The details recorded in a log include the time, systems, dates, and other items in 10.2. Understanding this information, and writing rules that make it meaningful, is an arduous job. Relying on a company that focuses on this 24×7 can often be more effective than handling it in-house.
2. Save Your Team Time
Using a service provider that holds a relevant Attestation of Compliance (AOC) saves time. Companies should ensure their vendors are in compliance. Meeting the requirements with an in-house team can be cumbersome: a Qualified Security Assessor (QSA) will go point by point to make sure your internal team is following the rules. Using an external provider to monitor the logs can help immensely, because a trusted solution provider takes on the primary responsibility for that monitoring. That being said, it is vital to ensure the organization you are working with does hold a valid and up-to-date AOC.
Because time and money are directly related, working with a provider saves companies money as well. Rather than paying for employees and their related costs, the cost is simply that of a dedicated provider.
3. Plan Ahead
The partner that you work with to help with PCI DSS requirement 10 can bring other resources and insights to bear. Cyber intelligence can be used to get insights into evolving threats. If an incident has happened, the MSSP can help with incident response and forensics. The organization that you rely on to satisfy requirement 10 can also provide consulting and guidance on which technologies can be used to secure other parts of your organization.
If you would like to discuss how Cipher can help you meet your PCI DSS requirements, including requirement 10, send us a message.