Last week, I wrote about the tendency of some companies that are willing to "accept the risk" of a breach and, effectively, turn off security controls at times.
This week, I want to cover an even more significant issue, which is probably the most important finding in the PCI Knowledge Base to date. Many retailers, scrambling to achieve PCI compliance, do not have the time, money or inclination to implement security management tools not specifically required by PCI DSS. As a result, many security managers are simply overwhelmed by the volume of log files, alerts, configuration changes, password changes, access control reviews, change control reviews and the like, which require manual review by a member of the security team.
As one security manager put it: "We are so far behind in tracking down the alerts, we could have been breached a month ago and still not know it." The heavy reliance on manual review of large volumes of security data is one of the major reasons why more security breaches of compliant companies are likely.
PCI DSS is famous for its level of detail, in laying out for merchants procedures for implementing and testing many different security controls. But PCI DSS does not tell merchants how they should actually manage all these alerts, or which of these controls need to be integrated and which of the procedures need to be automated.
That's perfectly reasonable. Most merchants would "have a cow" if a security standard tried to dictate such things. However, while a merchant can pass a PCI audit by saying, "We have a process where the security team will review these logs on a weekly basis," the assessor is thinking (or saying), "Fine, but when I come back next year, you'd better be able to show me 12 months of approved and signed reviews."
Having a manual procedure is not unreasonable. It allows the merchant to pass. Unfortunately, for most companies, manual procedures quickly become unmanageable without some type of automated tool to, for example, filter and prioritize alerts.
A little automation goes a long way. Some of the best practices identified in the PCI Knowledge Base are related to the automation of alert monitoring, configuration management, log review and doing "real-time" review of both internal and external threats.
Based on the interviews we've conducted to date, there are many examples of companies that have saved time, reduced staffing costs and generally stopped security management from becoming a largely clerical job. The point is that if merchants don't automate a large percentage of their security data management, they stand a good chance of losing their most talented security professionals. Merchants simply cannot afford to "degrade" their security management team by forcing them to manually review the tons of data being generated by all the new controls they implemented to achieve PCI compliance.
I'm sure that after reading a few paragraphs, you've now got religion and are ready to run out and buy a bunch of SIM/SEM, or configuration management, or log management tools. I'm happy to make recommendations based on what the members of the PCI Knowledge Base have told me. But I'm not going to start naming a bunch of vendors and products, because different readers may want different things.
You're welcome to visit the PCI Knowledge Base or send me E-mail if you want, and we can discuss what your needs are and whether or not you need to prove ROI for these tools.
We have some good examples of what leaders have done to justify their purchases, and we're happy to share that information with you. The bottom line is that just because a particular security technology or tool isn't named specifically in PCI DSS doesn't mean that it isn't necessary if you are going to manage PCI compliance on an ongoing or operational basis, which is how we recommend that merchants approach the problem.
If you want to discuss this column or any other security or compliance issues, please send me an E-mail at [email protected] or visit www.KnowPCI.com to join the PCI Knowledge Base.