I was on a call the other day and we were walking through requirement 10 of the PCI DSS v3 to ensure we had everything covered regarding changes. One of the other people on the call gasped and told all of us to look at requirement 10.6.
“Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.”
The person who gasped said, “You don’t think they mean ALL other systems as in everything do you?”
We all looked at the Guidance column for advice and saw that it said:
“Logs for all other system components should also be periodically reviewed to identify indications of potential issues or attempts to gain access to sensitive systems via less-sensitive systems. The frequency of the reviews should be determined by an entity’s annual risk-assessment.”
The tests 10.6.1 and 10.6.2 also refer to “all other systems” as well. In the end, we came to agreement that the new version of the PCI DSS does call out that all systems, even those out of scope, need to have their log data reviewed based on their risk to the organization.
Talk about a “How in the Hell did we miss that?” kind of moment.
Worse is that we know a lot of organizations are going to push back very, very hard on this requirement. They sized their security information and event monitoring (SIEM) solution based on their cardholder data environment (CDE) and Category 2 systems, not their entire networks. But it gets even worse because this is not a requirement that you can put off until 2015, this requirement needs to be complied with immediately when going to the new version of the PCI DSS. Oops!
But if this is not enough, the Council used that word “periodically” in the requirement. In the guidance they state, “The frequency of the reviews should be determined by an entity’s annual risk-assessment.” So there is another requirement for the risk assessment. Your risk assessment must define why log data of all systems is only reviewed once a month/quarter/year/etc. However, if you are routing all log data from all systems/devices into a SIEM, it should be reviewed in almost real-time.
Congratulations to all those SIEM vendor sales people out there as it will likely be a very good year for all of you.
Just wanted to provide you all with the heads up.