Since the inception of PCI DSS, organizations have put a number of protective mechanisms into place. As retailers, card processors and other PCI-DSS covered entities have evolved their security mechanisms – so has the hacking community. Credit card information can sell for a considerable sum in online black markets, and it has become well worth it for data thieves to evolve and fund more sophisticated strategies to breach it. But the question remains – do data security strategies continue to evolve?
The recent Verizon 2014 PCI Compliance Report, which covers the state of compliance of global organizations with the PCI security standards during 2013, discusses key gaps in PCI-DSS compliance – specifically related to attack visibility and recognition.
PCI-DSS Requirement 10: Track & Monitor All Access to Network Resources & Cardholder Data
This requirement covers the creation and protection of information that can be used for tracking and monitoring of access to all systems that store, process, or transmit cardholder data, including databases, network switches, firewalls, and clients. The data from the Verizon report shows that
- Only 9.4% of the organizations investigated by Verizon's RISK team after a reported data breach were compliant with Requirement 10.
- Only 31.7% of the audited organizations were Requirement 10 compliant.
These statistics demonstrate the strong relationship between a lack of security visibility and monitoring and the likelihood of suffering a security breach. According to Verizon’s Data Breach Investigation Report 2013, 66% of the breaches that happened in 2012 took months or years to even discover.
So, Why Aren't More Companies Compliant with Requirement 10?
Early implementations of security information and event management (SIEM) systems – built to enhance information security through effective log management – were sophisticated, difficult-to-manage systems that were pushed into tightly-resourced environments to comply with Requirement 10. Due to the overall complexity of enterprise-focused SIEM solutions, many organizations found they simply didn’t have the money, time or expertise to meaningfully leverage the technology.
Today, enterprise SIEM remains complex, but in the past 10 years, simpler, easier to use, and more affordable products have come to market. With the prevalence of easy-to-use SIEM software solutions in the market which are purpose-built to run on their own and provide security intelligence, organizations can now cost-effectively strengthen their security and compliance strategies.
Log Management Benefits Reach Beyond the Scope of Requirement 10
Enterprises that implement log management to record network and system activity for PCI compliance purposes will find that they are now more aware of suspicious behavior patterns and policy violations across their entire IT infrastructure. This helps them detect breaches and react to them more quickly. Beyond the scope of PCI Requirement 10, log management helps achieve overall data protection and information security.
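As an added illustration (not code from the article or from any vendor it mentions), the script below covers the two halves of Requirement 10 described above: reviewing access logs from cardholder-data systems for suspicious patterns, and protecting those logs so tampering is detectable. It assumes a constructed syslog-like line format, a hypothetical svc_ prefix for service accounts, and office hours of 08:00 to 18:00.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample audit lines (not from the article), one per access event:
# "<ISO timestamp> <host> <event> user=<id> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2014-03-03T02:14:05 chd-db01 db_login user=svc_batch src=10.0.5.20 result=ok
2014-03-03T02:15:11 chd-db01 db_query user=svc_batch src=10.0.5.20 result=ok
2014-03-03T03:02:40 chd-db01 db_login user=jsmith src=203.0.113.9 result=fail
2014-03-03T03:02:44 chd-db01 db_login user=jsmith src=203.0.113.9 result=fail
2014-03-03T03:02:49 chd-db01 db_login user=jsmith src=203.0.113.9 result=fail
2014-03-03T03:02:55 chd-db01 db_login user=jsmith src=203.0.113.9 result=ok
2014-03-03T09:30:00 fw-edge01 fw_admin_login user=netadmin src=10.0.1.5 result=ok
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+) src=(\S+) result=(\S+)$")

def parse_log(text):
    """Parse raw lines into dicts; lines not matching the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, event, user, src, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "event": event, "user": user, "src": src, "result": result})
    return events

def find_suspicious(events, fail_threshold=3, office_hours=(8, 18)):
    """Daily-review checks: (a) fail_threshold+ failed logins then a success from the
    same user/source; (b) interactive logins outside office hours (svc_ accounts exempt)."""
    findings, fails = [], defaultdict(int)
    for e in events:
        if not e["event"].endswith("_login"):
            continue
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            fails[key] += 1
            continue
        if fails[key] >= fail_threshold:
            findings.append(("brute_force_then_success", e["user"], e["src"]))
        fails[key] = 0
        if not office_hours[0] <= e["ts"].hour < office_hours[1] and not e["user"].startswith("svc_"):
            findings.append(("off_hours_login", e["user"], e["src"]))
    return findings

def hash_chain(lines, seed="genesis"):
    """Tamper-evident digest: each step hashes the line with the previous digest."""
    prev = seed
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
    return prev
```

Storing the final chain value separately from the log (for example on a dedicated log server) lets a reviewer recompute it and detect any edited or dropped line.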
The scale of recent breaches such as those at Target, Neiman Marcus, and Michaels, and the slow time taken to identify and resolve them, not only demonstrate the importance of improving visibility, but also the constant arms race security teams and hackers are fighting. A strategic security monitoring program, coupled with proper compliance reporting and backed by a SIEM that is suited to the size and capabilities of your security team, will enhance your overall IT security strategy and satisfy cardholder data protection norms.
- PCI-DSS 3.0 Requirements: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
- Verizon PCI Compliance Report 2014: http://www.verizonenterprise.com/pcireport/2014/
- Verizon DBIR 2013: http://www.verizonenterprise.com/DBIR/2013/