Logging and PCI
maklim
01-15-2008, 11:18 AM
Hi All,
I haven't noticed as much discussion on this forum about PCI logging requirements as I would expect. This requirement was one that I interpreted as being one of the most challenging aspects of PCI (at least for us). And I am hoping to get some thoughts on our PCI logging strategy.
We are a retail company. We have over a dozen store locations and a central server, which is used by everybody in the company for POS, AR, AP, financial reports, hourly employee clockings-in, and just about anything else you can imagine.
Everybody needs access to it because everybody uses it. Oh yes, and it stores CHD. Because of this, we interpret the logging requirements to apply to darn near every piece of networking equipment the CHD traffic flows through and those that support authentication to our network (we're talking routers, switches, authentication servers, IP enabled toasters), which would produce a considerable amount of log data. I have recommended that we invest in a SIEM solution to centralize and correlate the massive amount of log events I believe we are required to collect in order to meet the logging requirements of PCI. Is this valid reasoning? Would anybody recommend a different strategy?
lyalc
01-15-2008, 12:05 PM
Yes, you would need to collect and store the logs in one place for 10.5 and 10.7 of the audit procedures, for all the system components that store, process and transmit CH data.
Reviewing logs on a daily basis (10.6) could be done anywhere the logs are generated or stored, but usually on the central log repository is easiest on a daily operations level (not always cheapest). Hence the rise of the SIEM/SEM market. Open source or commercial packages can permit compliance here.
I'd also suggest that the CHD application and storage be moved off to a separate box, for 2.2.1. Consider if you can VLAN or segregate the network traffic into CHD and everything else, e.g. use VPN tunnels or similar from the remote sites etc. This may allow you to minimise the number of devices in the PCI scope.
This may reduce the PCI logging data volume somewhat also. Whether it's cost effective is up to you to determine.
lyalc
jbhall56
01-15-2008, 04:30 PM
> Reviewing logs on a daily basis (10.6) could be done anywhere the logs are generated or stored, but usually on the central log repository is easiest on a daily operations level (not always cheapest). Hence the rise of the SIEM/SEM market. Open source or commercial packages can permit compliance here.
Another benefit of centralized logging is the ability to recognize more sophisticated attacks that involve more than just one device. Most centralized logging solutions come with filters or canned queries that look for particular types of or specific attacks. Most of the open source solutions provide such capabilities through their User Forums or other sources related to their solutions.
In addition, a number of Intrusion Detection/Prevention Systems also will use log data and will analyze it looking for attacks or threats.
A side benefit of centralized logging is better and more proactive operations because you can set up canned queries looking for operational problems based on your applications' known error messages. This allows you to monitor and report operations problems so that you can focus on correcting the most common issues.
maklim
01-16-2008, 06:59 AM
Absolutely. The SIEM products we've been looking at have some very valuable operations-related capabilities as well, such as alerting when hardware errors start popping up in server or network appliance logs.
Although I am not one to shy away from open source alternatives, we have a very tiny IT staff so we've been leaning toward commercial SIEMs. This is because they have more sophisticated correlation capabilities such as tracking and alerting on the flow of a potential attack across varying types of equipment from multiple vendors. We simply do not have the staffing to effectively do this manually.
IT_Strategy
01-28-2008, 06:29 PM
Can you mention any of the SIEM vendors, either commercial or open source? Is there a defacto market leader or "magic quadrant" type of solution?
While we're on the subject, is anyone aware of a document or other source of guidance that describes exactly what is required to be logged, both by log type and data element? I'm sure this varies by company but there have to be some best practices out there. Thanks!
jbhall56
01-28-2008, 08:00 PM
> Can you mention any of the SIEM vendors, either commercial or open source? Is there a defacto market leader or "magic quadrant" type of solution?
Go to http://www.loganalysis.org for the most current list of commercial and open-source solutions.
> While we're on the subject, is anyone aware of a document or other source of guidance that describes exactly what is required to be logged, both by log type and data element? I'm sure this varies by company but there have to be some best practices out there.
Basically, you need to grab every bit of log-able information that a system can produce. The reason is that in the event of a breach, the forensic analysis that will occur will need as much evidence as possible regarding what happened, when it happened and how it happened. Since you will not be able to predict how the breach occurred, there's no safe way to operate without generating log information for every little bit of activity on the system(s) involved as even the most obscure piece of information might be key to the investigation.
maklim
01-29-2008, 07:54 AM
To answer your question about SIM products:
It seems that ArcSight is the leader and also the highest end solution. It's so far out of our price range that we're not even considering it. They quoted me around 100,000 USD to start. Cisco MARS is another big SIM product but it didn't look as manageable or capable as some of the other ones.
In the mid-range, the products we found to be the most interesting were TriGeo, Hightower SEM, Q1 Radar, and RSA Envision. Currently, we're leaning toward Q1 Radar for its features, usability, and reporting capabilities.
I found Networkworld's "SIM in the City" article was helpful in evaluating some of these products.
http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=187203569
maklim
01-29-2008, 08:02 AM
Oh yeah, and also there is not much in the open source realm for complete SIM products. I looked there first.
Splunk is nice but it only addresses some log management/searchability capability. It's like having Google for your syslog server. The real power of SIM is in the event correlation engine, which I have not seen yet in the open source products. But if anyone knows of a project, I'm all ears.
Many SIM products rely on the open source product, Snare, which is an event log agent for gathering Windows logs. Solutions that use Snare tend to have lower per client costs whereas custom agent-based solutions like TriGeo start to get really expensive as you add more clients to the mix.
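As an added illustration of the cross-device correlation maklim describes above (tracking a potential attack across equipment from different vendors, and the correlation engine that distinguishes a SIM from plain log search), here is a small Python rule that is not code from any product or poster in this thread. It normalizes constructed log lines from three device types onto one schema and alerts once per source IP when repeated failed logins spanning at least two device types are followed by a successful login; the log formats, host names, addresses and thresholds are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real captures) in three device formats: a router
# VPN syslog line, a Windows logon event as a Snare-style agent might forward it,
# and a POS application log. Timestamps are assumed already normalized to ISO 8601.
SAMPLE_LOGS = """\
2008-01-29T07:40:01 vpn-rtr1 VPN: login failed user=jsmith src=203.0.113.7
2008-01-29T07:40:12 vpn-rtr1 VPN: login failed user=jsmith src=203.0.113.7
2008-01-29T07:41:05 dc1 WinSec LogonFailure user=jsmith src=203.0.113.7
2008-01-29T07:41:50 dc1 WinSec LogonSuccess user=jsmith src=203.0.113.7
2008-01-29T07:42:30 pos-srv1 POSAPP auth=ok user=jsmith from=203.0.113.7
2008-01-29T09:10:00 dc1 WinSec LogonFailure user=bob src=192.0.2.9
2008-01-29T09:11:00 sw-core1 LINK: interface Gi0/1 changed state to down
""".splitlines()

# One regex per device type; all map onto the same named groups (ts, host, outcome, user, src).
PARSERS = [
    ("router", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) VPN: login (?P<outcome>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$")),
    ("windows", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) WinSec (?P<outcome>LogonFailure|LogonSuccess) user=(?P<user>\S+) src=(?P<src>\S+)$")),
    ("pos", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) POSAPP auth=(?P<outcome>ok|fail) user=(?P<user>\S+) from=(?P<src>\S+)$")),
]
FAILURE_WORDS = {"failed", "LogonFailure", "fail"}

def normalize(line):
    """Map a vendor-specific line onto the common schema; None for lines no parser knows."""
    for device_type, rx in PARSERS:
        m = rx.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                    "type": device_type, "user": m["user"], "src": m["src"],
                    "failed": m["outcome"] in FAILURE_WORDS}
    return None

def correlate(lines, window=timedelta(minutes=5), min_failures=3):
    """Alert once per source IP when >= min_failures failed logins, spread over at
    least two device types inside the window, are followed by a successful login."""
    events = sorted((e for e in map(normalize, lines) if e), key=lambda e: e["ts"])
    alerts, alerted = [], set()
    for i, ev in enumerate(events):
        if ev["failed"] or ev["src"] in alerted:
            continue
        prior = [e for e in events[:i] if e["failed"] and e["src"] == ev["src"]
                 and ev["ts"] - e["ts"] <= window]
        types = sorted({e["type"] for e in prior})
        if len(prior) >= min_failures and len(types) >= 2:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "user": ev["user"], "success_on": ev["host"],
                           "failures": len(prior), "device_types": types})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print("ALERT", a)
```

Lines that no parser recognizes (the switch link message here) are dropped from correlation but would still be retained in the central store for the 10.7 retention requirement and for forensic review.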
mdahn
01-29-2008, 08:36 AM
I cannot pass up referencing a piece that summarizes the intent of audit logging (Requirement 10):
http://pcianswers.com/2006/07/31/track-and-monitor-all-access-to-network-resources-and-cardholder-data/
> To answer your question about SIM products:
> It seems that ArcSight is the leader and also the highest end solution. It's so far out of our price range that we're not even considering it. They quoted me around 100,000 USD to start. Cisco MARS is another big SIM product but it didn't look as manageable or capable as some of the other ones.
> In the mid-range, the products we found to be the most interesting were TriGeo, Hightower SEM, Q1 Radar, and RSA Envision. Currently, we're leaning toward Q1 Radar for its features, usability, and reporting capabilities.
> I found Networkworld's "SIM in the City" article was helpful in evaluating some of these products.
> http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=187203569
ArcSight was also out of my range. Then they came to me with their "Logger" appliance, which I understand to be newer and scaled down from their full-blown product. Depending on your log volume/nodes, you may be able to cut that price way way down. I was, anyway. Might be worth looking into. They sell a "PCI Compliance Pack" for an extra $10K (list), so you may want to factor that in to any of your guestimates. I haven't bought their product yet, but as they have now become the inexpensive solution, I probably will.
jplee3
01-30-2008, 07:15 AM
> ArcSight was also out of my range. Then they came to me with their "Logger" appliance, which I understand to be newer and scaled down from their full-blown product. Depending on your log volume/nodes, you may be able to cut that price way way down. I was, anyway. Might be worth looking into. They sell a "PCI Compliance Pack" for an extra $10K (list), so you may want to factor that in to any of your guestimates. I haven't bought their product yet, but as they have now become the inexpensive solution, I probably will.
I agree with the consensus on Arcsight. It's expensive for companies who are wary of their budget. What does this "PCI Compliance Pack" entail, btw? I hate it when companies start marketing compliance :mad: Just market your stinking product for how good it is at what it does :rolleyes:
I was in the same boat not long ago, researching all these SIMs. Then I stopped worrying when I found out that upper mgmt doesn't really understand [or wants to understand] the differences between the products and had already made a predetermined decision to go with Cisco MARS. I still get asked what I think about Cisco MARS vs. others, as if my opinion might sway the predetermined decision, but I find giving an answer rhetorical and pointless.
In either case, I guess I better start trying to learn as much as I can about MARS in advance. Cisco MARS, IMHO, doesn't seem to be a very user-friendly product. I'm a technical person, but when it comes down to using a product, that we're paying for, that is supposed to make things a little easier, I expect it to do just that. Unfortunately, not many products deliver in that area.
[okay, off the soapbox I go]
NOTE: I guess I should qualify the decision to go with Cisco MARS with the fact that most of our networking equipment is Cisco. So it would make sense to stick with that vendor to handle our log management! Can you say "conflict of interest?" :)
bhuebner
02-06-2008, 11:59 AM
The Gartner SIEM Report (5/7/07 is the latest report I have) lists the following manufacturers in the upper right Quadrant:
Symantec, RSA enVision, ArcSight ESM, LogLogic, TriGeo and NetIQ
Many have mentioned Cisco MARS as their solution, primarily due to cost. RSA and LogLogic both are very competitive in price with MARS. I think some of you are settling for MARS because you cannot afford ArcSight; there are good alternatives out there. Mars does not support a lot of devices, especially their competitors (when are they going to realize that businesses do not put all their eggs in one basket?).
Have any of you heard of LogRhythm? I was settled on an ArcSight solution, but they look similar and somewhat tempting on the surface. Are these guys legit, or some garage operation?
bhuebner
02-06-2008, 01:13 PM
LogRhythm is in the Gartner lower right quadrant, which means they are a visionary but have not been able to execute. They are a new market entrant so they may have added many features since 5/07. They are legitimate.
I can send you the Gartner report, just send me a private message with your email.
ModCi
03-11-2008, 11:06 PM
It's a month later and I just ran across this forum post and felt it would be potentially helpful to respond. Please allow me to preface my comments by admitting I am an Engineer at LogRhythm, and I spend my days playing in the SIEM and Log Management Sand.
Yes, in 2007 LogRhythm made the Gartner report, as bhuebner pointed out. In addition, IANS (Institute for Applied Network Security) placed LogRhythm as the only solution on the short list for both Log and Event Management. Consider this biased, but at least it's not coming from a marketing department: LogRhythm is the most powerful Log Processing and Analytics solution on the planet :D. I encourage anyone interested in Log and Event Management to compare LogRhythm with any competitive products including the ones mentioned in this Post (Log Logic, Arcsight, Mars, etc.).
Earlier in this post JBHall56 provided valuable insight into the unique challenge in this market: 'Basically, you need to grab every bit of log-able information that a system can produce. The reason is that in the event of a breach, the forensic analysis that will occur will need as much evidence as possible regarding what happened, when it happened and how it happened.' These comments couldn't be more true. As we all know, the best IDS, SIEM and malware defense systems are only as good as their 'signatures' provide. If our systems are compromised by a zero day exploit, what resources do we have to track down root cause, affected systems, source, etc.? The forensics we can extract from historical log data is powerful.
LogRhythm is introducing version 4.0 on March 17th. This is our biggest release in over 2 years and will continue to keep us on the map as visionaries in our space. The world of log data isn't restricted to just routers, switches, firewalls and Operating Systems. When it comes to PCI compliance the majority of protected data is also stored at the application and database layer. We support the next generation of PCI compliance, SIEM, and Log Management.
I'd be happy to answer any inquiries about LogRhythm or the general topic of Log and Event Management.
neilfleming
01-27-2009, 07:34 AM
I just recently found this forum, and thought I'd let y'all know about what my company does. Lumigent has a product (Audit DB) that is designed to track all changes made at the database level. For the most part, it leverages the redo logs already produced by a database (TRN backup for SQL and archive redo logs for Oracle and DB2). We utilize that component (log reading) in concert with a network capture utility for the capture of high-volume SELECTs.
We have some very large in addition to small clients needing to maintain PCI adherence. If interested, Arcsight has developed a Lumigent "connector", allowing for the pulling of the database events individually into their database for participation in their strong "correlation engine" approach.
If you want details, I can send you along to the appropriate person in my company. You can reach me at neil.fleming at lumigent dot com.
...Neil