Back on Aug 19, 2015, we announced that Sumo Logic had joined the Payment Card Industry (PCI) Security Standards Council (SSC) as a participating organization and had become an active member of the “Daily Log Monitoring” Special Interest Group (SIG).
The purpose of the SIG, and the primary reason we joined, is to give organizations practical guidance and techniques for improving daily log monitoring and forensic breach investigations so that they can meet PCI Data Security Standard (DSS) Requirement 10.
Organizations face many challenges with PCI DSS Requirement 10, including (but not limited to) large volumes of log data, distinguishing genuine security events from normal activity, correlating log data from disparate systems, and meeting the stated frequency of manual log reviews.
It was a great honor when the chair of this SIG, Jake Marcinko, Standards Manager at the PCI SSC, asked us to co-present with him on stage at the PCI European Community Meeting in Nice, France. Over 500 people came from all over Europe – banks, merchants, card brands, Qualified Security Assessors (QSAs), penetration testers, Certified Information Systems Auditors (CISAs), and vendors – for a packed three days of education, networking, discussions and, of course, good food!
To provide some context and background – and part of the “raison d’être” for this SIG – when looking anecdotally at past data breaches, evidence of the intrusion has often been found in the merchant’s own logs. The details, however, were extremely difficult to find because of the sheer volume of logged events. Although log collection and daily review are required by the PCI DSS, the logs collected by merchants can be huge; at the peak of the day some organizations see over 50,000 events per second. That makes it time consuming and often difficult – if not humanly impossible – to review and monitor those logs accurately enough to meet the intent of PCI DSS. It is the proverbial needle in a haystack, where the needle is the security event and the haystack is the surrounding logs and data packets.
According to Mandiant’s annual M-Trends Report, the median time before a breach is detected is 205 days. Why? Because existing security technologies are struggling to keep up with modern threats. The fixed rule sets we see across SIEM solutions are great if you already know what you are looking for, but what happens when we do not know what to look for, or do not even know the right questions to ask?
So what does this all mean? Is there hope, or are we destined to continue along with the dismal status quo?
Luckily, new cloud-native security solutions are emerging that apply data science to this problem. They look holistically across hybrid infrastructure to give visibility across the entire stack, use machine learning to reduce millions of data streams into human-digestible patterns and security events, and learn what normal looks like by baselining activity so that anomalies and deviations can be identified and alerted on automatically.
It is these continuous insights and visibility across hybrid workloads that become real opportunities to improve one’s security posture and approach compliance with confidence and clarity.
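To make the contrast between a fixed SIEM rule and a learned baseline concrete, here is an added example written for this page (it is not Sumo Logic code and does not describe any product): a fixed “N failed logins in a minute” rule beside a per-host event-rate baseline, both run over a constructed set of syslog-style SSH lines. The line format, host names, thresholds, the 45-minute training window and the z-score method are all assumptions made for the example.

```python
"""Fixed rule vs. learned baseline over constructed log lines (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style layout assumed for this example: ISO-8601 timestamp, host,
# program[pid], message. Real collectors vary; adjust the regex to your source.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} (?P<host>\S+) \S+\[\d+\]: (?P<msg>.*)$"
)


def build_sample_log():
    """Constructed sample data, not captured from any real system.

    Two hosts log a small, slightly varying number of successful SSH logins per
    minute for an hour. Two things are planted: six *failed* logins on pos-02
    at 09:50 (a classic fixed-rule trigger) and forty *successful* logins on
    pos-01 at 10:00 (no rule fires, but it is far outside that host's norm).
    """
    start = datetime(2015, 11, 3, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%S"
    lines = []
    for minute in range(60):
        t = start + timedelta(minutes=minute)
        for host, n in (("pos-01", 2 + minute % 3), ("pos-02", 3 + minute % 2)):
            for i in range(n):
                ts = (t + timedelta(seconds=5 * i)).strftime(fmt)
                lines.append(f"{ts} {host} sshd[1042]: Accepted password for clerk "
                             f"from 10.1.1.{20 + i} port 5{i:04d} ssh2")
    t = start + timedelta(minutes=50)
    for i in range(6):
        ts = (t + timedelta(seconds=30 + i)).strftime(fmt)
        lines.append(f"{ts} pos-02 sshd[1042]: Failed password for root "
                     f"from 203.0.113.7 port 4{i:04d} ssh2")
    t = start + timedelta(minutes=60)
    for i in range(40):
        ts = (t + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{ts} pos-01 sshd[1042]: Accepted password for clerk "
                     f"from 203.0.113.7 port 4{i:04d} ssh2")
    return lines


def parse(lines):
    """Yield (minute, host, msg) for lines that match; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("host"), m.group("msg")


def fixed_rule_alerts(lines, threshold=5):
    """SIEM-style rule: N or more 'Failed password' events from one host in
    one minute. It catches exactly what it was written for and nothing else."""
    failures = defaultdict(int)
    for minute, host, msg in parse(lines):
        if "Failed password" in msg:
            failures[(host, minute)] += 1
    return sorted((h, m, c) for (h, m), c in failures.items() if c >= threshold)


def events_per_minute(lines):
    """host -> {minute: total event count}, regardless of message content."""
    counts = defaultdict(lambda: defaultdict(int))
    for minute, host, _ in parse(lines):
        counts[host][minute] += 1
    return counts


def build_baseline(counts, train_until):
    """Per-host mean and standard deviation of events per minute, learned from
    minutes strictly before train_until (ISO minute strings compare in order).
    The stdev is floored at 1.0 so a host whose rate never varies does not
    turn every small deviation into an alert."""
    baseline = {}
    for host, per_minute in counts.items():
        sample = [c for minute, c in per_minute.items() if minute < train_until]
        if len(sample) < 2:
            continue
        baseline[host] = (statistics.mean(sample), max(statistics.stdev(sample), 1.0))
    return baseline


def baseline_alerts(counts, baseline, train_until, z_threshold=3.0):
    """Flag (host, minute, count, z) where the rate deviates from that host's
    learned normal by more than z_threshold standard deviations."""
    alerts = []
    for host, per_minute in counts.items():
        if host not in baseline:
            continue
        mean, sd = baseline[host]
        for minute, c in per_minute.items():
            if minute < train_until:
                continue
            z = (c - mean) / sd
            if abs(z) > z_threshold:
                alerts.append((host, minute, c, round(z, 1)))
    return sorted(alerts)


if __name__ == "__main__":
    log = build_sample_log()
    cut = "2015-11-03T09:45"  # train on the first 45 minutes, score the rest
    counts = events_per_minute(log)
    print("fixed rule:", fixed_rule_alerts(log))
    print("baseline  :", baseline_alerts(counts, build_baseline(counts, cut), cut))
```

The fixed rule reports only the failed-login burst on pos-02. The baseline reports that too, and also the forty successful logins on pos-01 at 10:00, for which no rule was ever written. In production the baseline would be learned over days rather than minutes, per host or per user, and the training window would need to exclude known incidents so that an attacker's activity does not become the new normal.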
Timelines and Deliverables
Information Supplement – Daily Log Monitoring SIG guidance is expected to be released in Q1, 2016.