By reviewing logs daily, organizations can maximize their security efforts and minimize the exposure to potential breaches. PCI Requirement 10.6.1 requires that organizations review the following at least daily:
- All security events
- Logs of all system components that store, process, or transmit cardholder data
- Logs of all critical system components
- Logs of all servers and system components that perform security functions
In many recent breaches we see the effects of “log fatigue”: the information needed to identify the breach was in the logs, but staff didn’t react appropriately. Reviewers whose job is to sit and read logs for hours on end eventually stop noticing what matters. Employees are your first line of defense, so give them the tools they need to identify anomalies rather than expecting them to spot every event by eye.
Other elements of PCI Requirement 10.6.1 to consider:
- The definition of a “security event” will vary from organization to organization based on types of technology, location, scope, etc.
- Organizations should establish a baseline of “normal” traffic to help better identify anomalies or suspicious behavior.
During an assessment, an assessor should examine policies and procedures and observe personnel to ensure that all security events, logs of all system components that store, process, or transmit cardholder data, logs of all critical system components, and logs of all servers and system components that perform security functions are under review at least daily.
To comply with PCI Requirement 10.6.1, we’re going to be reviewing all our logs at least daily, and this would include all the logs from anything that’s in scope for your PCI assessment. We will be looking at any security log or any log from any security-related device. When individuals are looking at these logs, be cognizant of what I call “log fatigue.” These people are going to be sitting there for eight or nine hours a day watching the matrix waterfall, so help them, train them, and give them tools to help identify, out of this haystack, the needle they need to be looking for. In a lot of the breaches that have occurred as of late, the information was there; it was available for them to have identified that they had been breached, but staff, for whatever reason, didn’t react appropriately. This is one of the first lines of defense that you have: monitoring these logs for anomalies and acting and reacting appropriately.
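The baseline idea from the list above (establish what “normal” volume looks like, then flag deviations) and the “find the needle in the haystack” tooling the transcript asks for can be sketched in a few dozen lines. The following is an added example, not code from the original article or from any PCI guidance: the syslog-style line format, host names, IP addresses, dates, the `auth_failure` event name, and the `mean + 3 * stdev` threshold with a floor of 5 are all constructed assumptions. It builds a per-source baseline of daily failed-login counts from a few days of history, then reviews one day of log lines and reports only the sources that exceed their baseline or have never been seen before, so a reviewer reads a short list of findings instead of the whole log.

```python
"""Daily log-review helper: baseline per-source event counts, flag deviations.

Added example; log format, values and thresholds are constructed, not from any
real system or from the PCI DSS text.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed line format: "<ISO timestamp> <host> <event> src=<ip>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Parse lines into dicts; unparseable lines are counted, not silently dropped."""
    records, unparsed = [], 0
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            unparsed += 1  # a reviewer should know how much of the day was unreadable
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, unparsed


def daily_counts(records, event):
    """Count occurrences of `event` per day, broken down by source address."""
    per_day = defaultdict(Counter)
    for r in records:
        if r["event"] == event:
            per_day[r["ts"].date()][r["src"]] += 1
    return per_day


def build_baseline(history_records, event):
    """Return {src: (mean, stdev)} of daily `event` counts over the history period.

    Days where a source is absent count as 0, so a quiet source has a low baseline.
    """
    per_day = daily_counts(history_records, event)
    all_sources = {src for counts in per_day.values() for src in counts}
    per_src = defaultdict(list)
    for day in sorted(per_day):
        for src in all_sources:
            per_src[src].append(per_day[day].get(src, 0))
    baseline = {}
    for src, counts in per_src.items():
        mean = statistics.fmean(counts)
        stdev = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        baseline[src] = (mean, stdev)
    return baseline


def review(today_records, baseline, event, k=3.0, floor=5):
    """Flag sources above mean + k*stdev (never below `floor`) and unseen sources."""
    findings = []
    for counts in daily_counts(today_records, event).values():
        for src, n in counts.items():
            if src not in baseline:
                if n >= floor:
                    findings.append((src, n, "source not seen in baseline period"))
                continue
            mean, stdev = baseline[src]
            threshold = max(floor, mean + k * stdev)
            if n > threshold:
                findings.append((src, n, f"above baseline ({mean:.1f} +/- {stdev:.1f})"))
    return sorted(findings)


def _make_lines(day, src, event, n, host="bastion01"):
    """Generate `n` constructed log lines for one source on one day."""
    return [f"{day}T{i % 24:02d}:{i // 24:02d}:00 {host} {event} src={src}" for i in range(n)]


# Constructed three-day history: two internal sources with small, steady failure counts.
HISTORY_LINES = (
    _make_lines("2024-03-01", "10.0.0.5", "auth_failure", 2)
    + _make_lines("2024-03-02", "10.0.0.5", "auth_failure", 3)
    + _make_lines("2024-03-03", "10.0.0.5", "auth_failure", 2)
    + _make_lines("2024-03-02", "10.0.0.9", "auth_failure", 1)
    + _make_lines("2024-03-01", "10.0.0.5", "auth_success", 20)
)

# Constructed review day: 10.0.0.5 is normal, 10.0.0.9 spikes, a new source appears,
# and one corrupted line shows up in the feed.
TODAY_LINES = (
    _make_lines("2024-03-04", "10.0.0.5", "auth_failure", 3)
    + _make_lines("2024-03-04", "10.0.0.9", "auth_failure", 40)
    + _make_lines("2024-03-04", "203.0.113.7", "auth_failure", 12)
    + _make_lines("2024-03-04", "10.0.0.5", "auth_success", 15)
    + ["<corrupted entry>"]
)


def run_review(event="auth_failure"):
    """Full daily review over the constructed data: returns (findings, unparsed_count)."""
    history, _ = parse(HISTORY_LINES)
    today, unparsed = parse(TODAY_LINES)
    return review(today, build_baseline(history, event), event), unparsed


if __name__ == "__main__":
    findings, unparsed = run_review()
    print(f"{unparsed} unparseable line(s) in today's feed")
    for src, n, why in findings:
        print(f"{src}: {n} auth_failure events, {why}")
```

The point of the floor is to keep a source that normally logs zero or one failure from being flagged on two; the point of the standard-deviation term is that a source with naturally noisy volume gets a wider band. Both numbers are assumptions to tune against your own environment, and the “source not seen” finding is usually the one worth looking at first.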