A Painless Solution to One of PCI’s Most Challenging Controls: Requirement 10

If you’re reading this, you’re probably well aware that becoming compliant with PCI DSS is a difficult and challenging undertaking. Implementing security controls and practices in order to be compliant with PCI DSS (or other regulations) is a daily reality at thousands of organizations of all sizes.

According to an oft-quoted Verizon report about PCI compliance, one of the weakest compliance points at companies which suffered a data breach is Requirement 10: Track and monitor all access to network resources and cardholder data. This requirement is all about using logs for vulnerability management and event forensics. These logs must record every time someone accesses the protected data (including cardholder data and log data) to enable a “who-did-what-and-when” audit trail.

Complying with this requirement means implementing a comprehensive system to log every time any employee or remote vendor accesses a server or application which processes protected data. This is an ongoing requirement that calls for continuous monitoring and review (log review, the key part of Requirement 10.6, is explicitly mandated to occur on a daily basis). Furthermore, according to the Requirement, these records must be immediately available for three months and stored for later retrieval for one year.

This is a particularly difficult requirement to meet for a variety of reasons:

  • Many applications dealing with protected data do not generate logs at all (e.g., legacy applications, custom applications, cloud applications). In most situations, it is simply unfeasible to modify the source code of these applications to incorporate the required logging code.
  • Cloud (SaaS) applications that do generate logs may not make their logs available to corporate customers, or they may not be available in a timely fashion.
  • Even when logs are generated from all relevant applications (a very rare situation), they are often incomplete for the purposes of compliance monitoring (e.g., the logs were implemented for debugging purposes as opposed to compliance purposes).
  • Even if all required logs were available, it is difficult or impossible to combine and cross-reference them sufficiently well to make the data comprehensible to a human (and thus to satisfy auditors).
  • Even if complete log information is available, thorough ongoing review is impossible without an alert mechanism to automatically draw attention to the small percentage of daily events that deserve review.

For these reasons, many companies discover that they are simply unable to comply with PCI DSS Requirement 10, on top of the worrisome fact that their sensitive data is at higher risk of unauthorized exposure.

A Painless and Elegant Solution to PCI-DSS Requirement 10 Compliance

Fortunately, there is a straightforward solution to Requirement 10 compliance that completely circumvents all of the substantial barriers mentioned above. This solution is software known as Screen Session Recording or User Activity Monitoring. The software monitors and records every user action on servers and desktops, inside all applications and system operations, whether at the computer itself or accessing it from a remote location.

By simply installing agent software on every machine with direct or indirect access to protected data, all Requirement 10 compliance needs are instantly met because every user action in every legacy, custom and cloud application is recorded (in video) and logged (in text logs).

It doesn’t matter where the application (or server) is located, or whether or not it already generates its own logs! Logs and screen recordings will be created over every session protocol (SSH, RDP, Citrix, VMware, etc.) and on Windows, Unix and Linux systems, thus covering the entire organization.

Because the activity text logs are keyword-searchable, it is fast and easy to find any recorded event on any server, in any application, accessing any data, by any user. These systems even provide direct links from events recorded in the text log to the corresponding screen recordings so that with one click an auditor (or a forensic investigator) can see with his own eyes exactly what the user did on the screen.

The daily review requirement is neatly met by the User Activity Monitoring system as well: alerts and reports can be created to include any activity involving protected data, making it a simple matter to review a day’s worth of relevant access to the data. Predefined compliance reports supplied with these systems can show all relevant actions, with links to video replay for further clarification, allowing almost out-of-the-box compliance.

An additional Requirement 10 compliance benefit of such a system is identifying exactly which user logged in to an application or server, even when using a shared login account (such as administrator).

Conclusion

The demands of PCI-DSS Requirement 10, which have been intimidating IT teams and management teams alike, are easily met with a suitable User Activity Monitoring system – even for legacy, custom and cloud applications for which no built-in logging exists.

Auditors appreciate the user friendliness of these systems which combine instant keyword search with visual recordings of every user action. There is no more need for complex and incomplete log management systems in order to determine what users have done. Daily log reviews are fast and easy with predefined compliance reports.

If your company deals with credit card data in any way, it behooves you to take a close look at one of these products. Of course, we’d be happy for you to take a close look at our own solution, Proofpoint!