SIEM/ Log monitoring


rvalipir
04-12-2007, 09:10 AM
PCI 1.1 has a number of requirements (Req #10.1 to Req #10.7) which deal with logs and audit trails. I'm attempting to understand how an SIEM solution can address those requirements, specifically if the scope of SIEM is expanded from corporate to retail store level.

It can centralize the log data.
Correlation features can help log reviews and provide alerting capabilities.
Simplify implementation of retention requirements of log data.
Access restrictions to audit trail and log data can be easily implemented.

1.) My question is what are retailers doing to comply with these requirements at retail store level?
2.) Would it make sense to expand SIEM's scope to retail store level?
3.) Any alternatives to SIEM at retail store level?

jbhall56
07-29-2007, 08:34 AM
1.) My question is what are retailers doing to comply with these requirements at retail store level?

Most retailers are doing all they can to get their retail outlet servers out of scope. The majority of my retail clients are implementing solutions where, if they store the PAN, the PAN is masked, with only the expiration date and cardholder name as added information. With the retail server out of scope, the requirements of collecting log information and file monitoring are removed. Not that this is a best practice in my book, but at least it's now not driven by PCI compliance, giving you more flexibility as to what is monitored.

2.) Would it make sense to expand SIEM's scope to retail store level?

From an operational standpoint, IMHO it's a best practice. As a best practice, you should be monitoring the operations of your servers and changes to critical files through the log information that is generated as well as other monitoring sources. However, without the PCI requirements, you can typically reduce the amount of information fed back to your centralized logging and analysis systems.

3.) Any alternatives to SIEM at retail store level?

Not if you're storing an encrypted PAN at the store level. You then must be conducting some sort of log and file monitoring and analysis process whether automated or manual.
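As an added illustration (my own code, not from either poster), here is a small Python ingest filter for the masking and centralized-logging points above: it scans store log lines for Luhn-valid PAN candidates and masks them before the lines are forwarded to a central SIEM. The first-six/last-four masking policy, the log line format and the sample lines are all constructed assumptions, not anything the thread specifies.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample POS log lines. 4111111111111111 is a widely used test
# number, not a real card; the "order id" on the last line is a deliberate
# look-alike that fails the Luhn check and must be left untouched.
SAMPLE_LOG_LINES = [
    "2007-04-12 09:10:02 pos01 sale approved pan=4111111111111111 exp=0309 name=J SMITH",
    "2007-04-12 09:11:17 pos01 sale declined pan=1234567812345670 exp=1208",
    "2007-04-12 09:12:40 pos02 order id=1234567890123456 amount=12.50",
]

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Assumed policy: keep first six and last four digits, star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scrub_log_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN candidate in one line; return (line, count)."""
    count = 0
    def _repl(m: "re.Match") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # e.g. an order id that merely looks like a PAN
        count += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(_repl, line), count

def scrub_lines(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a batch of lines; the total lets you alert on PANs reaching logs."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub_log_line(line)
        out.append(scrubbed)
        total += n
    return out, total

if __name__ == "__main__":
    scrubbed, n = scrub_lines(SAMPLE_LOG_LINES)
    print(f"masked {n} PAN(s)")   # prints: masked 2 PAN(s)
    for line in scrubbed:
        print(line)
```

A non-zero count from `scrub_lines` is itself worth alerting on centrally, since a store application writing full PANs into its logs is exactly what pulls that server back into scope.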