Guest View: The Ultimate Security Conundrum

Written by Evan Schuman
January 31st, 2008

Most merchants are so focused on protecting credit card and social security numbers that they forget the very process of securing their environment creates a risk. All of the alerts and log data from all of the various network, application and database monitoring tools must be promptly reviewed and acted upon.

When these alerts and log files are allowed to "sit around" without being processed, the data and the lack of action become "evidence" that could be used to show negligence, in the event of a breach.

Over the past few weeks, I’ve been interviewing merchants and a Panel of Experts for the PCI Knowledge Base, which the PCI Alliance is building. Both the merchants and PCI Experts agree that security managers are often overwhelmed by the volume of data coming in from access control logs, network and application monitoring tools and intrusion detection systems.
For example, we interviewed a forensic technologist who stated that in more than 90 percent of the cases when he’s brought in after a breach, there are several unprocessed "threat alerts" that could have been used to prevent the breach, but they were ignored, usually because the security manager was overwhelmed by the volume of security logs and alert data that had to be reviewed on a daily or weekly basis, often manually.

The threat data is not centralized. The PCI security standards require the implementation of many different tools that generate alerts about both external and internal threats to confidential data. However, the question of how, and how often, to monitor this data is left to the merchant. Many of the merchants we’ve interviewed report that they are using a number of manual procedures to review this data, and that alerts are "coming in from all over the place" and are only centralized in that it falls upon the security manager or CISO to review all this log data, across dozens of different tools, across multiple systems, each with its own user interface, of course.

Threat criteria are not consistent. One of the hardest tasks that security managers face is properly configuring and "tuning" the various logging, monitoring and alerting functions, so that the proper files and activities are being monitored, the volume of alerts is manageable, and there is enough intelligence in the system to sort out "false positives" so that they don’t waste the security manager’s time.

One problem is that PCI doesn’t require what is called "event correlation" or the automation of threat management across systems. It requires "regular" monitoring, leaving it up to the merchant to decide what that means. Such flexibility is appropriate and makes achieving compliance easier, but we’ve interviewed a number of merchants who have achieved compliance, but are having difficulty with identifying and managing threats across their various systems, and the manual review process is quite burdensome.

Evidence of potential breaches exists on many systems. One of the major security and financial risks to merchants, apart from security breaches themselves, is the fact that large volumes of these monitoring and access control logs exist on many different systems, and this data is "discoverable" by a plaintiff or forensic technologist, should a security breach occur.

PCI compliance has brought about an increase in the volume of this data by causing merchants to add new types of monitoring and alerting functionality, while not requiring that the management of this data be centralized or automated.

Don’t blame PCI or the card brands. A couple of managers I’ve interviewed suggested they were better off before PCI, because they weren’t so overwhelmed by this audit log data. But I’m pretty sure they were joking. The real problem is that upper management still needs to be "sold" on the need for Security Event Management (SEM) and "event correlation" solutions.

They aren’t on the PCI "checklist," so many merchants still haven’t implemented them. But the implementation of the monitoring and alerting tools does cause a major increase in the "level of pain" felt by the security manager or team, as they attempt to analyze the alert data across the many different security tools.

Centralize and Automate Log Review – PCI DSS 10.7 requires merchants to retain audit logs for at least a year. Your policies should require the same thing. But since this data could potentially be used as evidence against you in the event of a breach, it’s very important that you put into place the systems and procedures to centralize and automate (to the extent possible) the review of the various types of logs. No one knows this better than security managers who are faced with the burdensome task of manual log review and analysis.
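As an added illustration of the centralization and event correlation the article calls for in the paragraphs above (example code written for this page, not anything from the PCI Alliance, a merchant, or any vendor), the script below normalizes constructed log lines from three different tools into one record format and flags a source whose activity spans several tools shortly before a successful database login. The tool names, log formats, field names and the five-minute window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines from three hypothetical tools (firewall, IDS, DB audit).
RAW_LOGS = [
    "2008-01-30T02:11:05 fw  DENY src=203.0.113.9 dst=10.0.0.5 dport=1433",
    "2008-01-30T02:11:07 fw  DENY src=203.0.113.9 dst=10.0.0.5 dport=3306",
    '2008-01-30T02:11:40 ids ALERT sid=2001 src=203.0.113.9 msg="SQL probe"',
    "2008-01-30T02:12:10 db  LOGIN FAILED user=sa host=203.0.113.9",
    "2008-01-30T02:12:15 db  LOGIN OK user=sa host=203.0.113.9",
    "2008-01-30T09:00:01 fw  DENY src=198.51.100.4 dst=10.0.0.5 dport=22",
]

# One regex per tool: each tool has its own format, so each needs its own parser.
PATTERNS = {
    "fw": re.compile(r"^(?P<ts>\S+) fw\s+DENY src=(?P<src>\S+)"),
    "ids": re.compile(r"^(?P<ts>\S+) ids ALERT .*src=(?P<src>\S+)"),
    "db": re.compile(r"^(?P<ts>\S+) db\s+LOGIN (?P<result>FAILED|OK) user=\S+ host=(?P<src>\S+)"),
}

def normalize(line):
    """Map one raw line from any tool to a common event record, or None if unknown."""
    for tool, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            d = m.groupdict()
            kind = tool if tool != "db" else "db_" + d["result"].lower()
            return {"ts": datetime.fromisoformat(d["ts"]), "tool": tool,
                    "src": d["src"], "kind": kind}
    return None

def correlate(lines, window=timedelta(minutes=5)):
    """Group normalized events by source address; report a source whose events
    come from at least two tools inside `window` and end in a successful DB login."""
    by_src = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev:
            by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["kind"] != "db_ok": continue
            recent = [e for e in evs[:i] if ev["ts"] - e["ts"] <= window]
            tools = {e["tool"] for e in recent}
            if len(tools) >= 2:
                findings.append({"src": src, "tools": sorted(tools | {"db"}),
                                 "at": ev["ts"].isoformat()})
    return findings
```

Run on the sample, the lone denied connection from 198.51.100.4 produces no finding, while the firewall denials, IDS alert and failed login from 203.0.113.9 are rolled into a single correlated event instead of five separate items in five consoles.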

Find out log review best practices and tools from your peers. One of the purposes of the interviews the PCI Alliance is conducting is to create a "PCI Knowledge Base," which is a website where merchants can go to find out what their peers are doing, and get advice from a Panel of Experts. To find out more, and participate in the creation of this PCI Knowledge Base, click here.


One Comment

  1. Jestep Says:

    This is sort of like the Three Mile Island nuclear incident. You can get to a point where there are so many alarms that you don’t know what’s going on when they all go off. The problem with PCI in general is that it does not mean that a system is secure, only that the system passed some general idiot checks. Take a small business owner who can just barely operate their cash register and ask them to identify when their system is compromised; good luck getting an accurate result from that.
