Analysts estimate that a large percentage of security information and event management (SIEM) and log management solutions are deployed for regulatory compliance. However, the language regarding log management prescriptions is vague, which can lead to confusion. Let's add some clarity to the regulations that affect login, log management and SIEM.
Logs, while often underappreciated by both IT managers and their bosses, can provide useful information for security management. But getting that data takes time and energy -- both of which are often in short supply inside IT organizations. It can seem daunting at first, given the sheer volume and subjective nature of the data. Despite such challenges, logging is a primary means of IT accountability since most user and system actions can be recorded in logs. That's exactly why logging is a perfect compliance technology, mandated by many regulations and laws.
Let's cover a few regulations that affect how a large percentage of organizations view information security.
The Payment Card Industry Data Security Standard (PCI DSS) applies to all organizations that handle credit card transactions. PCI mandates logging specific details and log review procedures to prevent credit card fraud, hacking and related problems in companies that store, process or transmit credit card data.
Although logging is present in all PCI requirements, PCI DSS also contains Requirement 10, which is dedicated to logging and log management. Under this requirement, logs for all system components must be reviewed at least daily, and must include servers that perform security functions.
PCI DSS also requires organizations to implement file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts.
ISO 27001, formally known as "Information technology -- Security techniques -- Information security management systems -- Requirements," is a direct descendant of ISO 17799 and the British Standard 7799. ISO specifies requirements for managing the security of information systems.
For example, ISO 27001 mentions that "audit logs should be turned on for security events, user activities and exceptions. They should be kept for a predetermined period of time."
The North American Electric Reliability Council (NERC) publishes a Critical Infrastructure Protection (CIP) standard that affects utility companies in the U.S. and Canada. It includes requirements regarding logging and alerting, as well as broader security monitoring.
According to the standard, "These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the responsible entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every 90 calendar days."
U.S. state breach laws and emerging data protection laws
California's SB 1386 started the trend of data breach disclosure laws in 2002. Since then, similar laws have spread to 44 states and a few countries. While not prescribed directly, the provisions requiring notification of those whose records have been stolen lead to requirements regarding auditing and granular data logging. The only alternative to record-level logging will be to not fight every customer in case of a breach, which can be extremely costly.
A trend has recently emerged across the U.S., in which states draft data protection laws in addition to breach disclosure laws. For example, Massachusetts Data Protection Law CMS 201 CMR 17.00 took effect in March. The law establishes a "duty to protect and standards for protecting personal information," and sets forward specific security control requirements, including logging and monitoring.
HIPAA and the HITECH Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security standards for health information. The following HIPAA requirements are broadly applicable to logging, log review and security monitoring:
Section 164.308(a)(5)(ii)(C), Log-in Monitoring, calls for monitoring the systems relating to patient information for login and access. The requirement applies to "login attempts," which implies both failed and successful logins.
Section 164.312(b), Audit Controls, broadly covers audit logging and other audit trails on systems that deal with sensitive health information. The review of such audit logs seem to be implied by this requirement.
A recent enhancement to HIPAA is the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. The act seeks to further "address the privacy and security concerns associated with the electronic transmission of health information."
Typical logging, log management and security monitoring requirements in the above regulations include:
- Have adequate logging. Regulations vary significantly regarding the meaning of adequate. Some mandates stop after stipulating that an organization have audit logging.
- Collect logs centrally. Some regulations prescribe collection of logs and centralized storage and analysis.
- Review log data. The most onerous part of many regulations is a mandate for log review. PCI DSS, for example, calls for daily review of logs from in-scope systems. Clearly, this does not mean that every single log entry needs to be read by a person.
- Retain logs for a period of time. Regulations prescribe various retention periods for logs, from months to years. Some stop at saying that an organization must have a log retention policy without specifying the exact number.
- Monitor security. Some regulations prescribe reviews of network and Web alerts, and that an incident response process be deployed when required. Additional tasks may include protection of log data, time synchronization, etc.
It's a common misconception that such regulations mandate only that you possess the log data.
I hope I have successfully pointed out that many mandates are similar in the way they address log management and security information and event management. One benefit is that if you comply with one regulation, you're a long way toward complying with both existing and future regulations. And with trends indicating that there will be more diverse regulatory activity in the future, organizations should start dealing with the logging now so future challenges can be addressed on a more solid foundation.
Logging and log review have always been a good idea -- now it's also the law.
Anton Chuvakin is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books Security Warrior and PCI Compliance, and a contributor to Know Your Enemy, Information Security Management Handbook and other works.