Wednesday, November 24, 2010

PCI and Logging

In my experience, one of the most challenging areas of PCI DSS compliance is logging. Anyone who is familiar with PCI or with Verizon's 2010 Data Breach Investigations Report knows that daily inspection of your logs is not only required, it is good security.

The problem, of course, is that logging is complicated (see Barbie's "Math class is tough!"...if you dare). Therefore, I suggest that anyone involved in, responsible for, or just interested in logging and PCI, head over to good friend and logging guru Anton Chuvakin's blog (click here) for his analysis of PCI DSS log review procedures.

Many of you will remember Anton from his memorable presentation at last year's PCI Workshop. This time he is in the process of putting together a string of blog posts, which he describes as:

It was written to be a complete and self-contained guidance document that can be provided to people NOT yet skilled in the sublime art of logging and log analysis (a key requirement for this project – guidance was to be useful to such people) in order to enable them to do the job and then grow their skills. It is focused on PCI DSS, but based on generally useful log review practices that can be utilized by everybody and with any regulation (or without any compliance flavor – of course!)

If you are involved in PCI compliance or just the logging part, I suggest you bookmark Anton's blog (if you haven't already!) and follow along. It promises to be valuable, interesting, and if I know Anton, occasionally hilarious.
