• No results found

PCI DSS compliance and log management

N/A
N/A
Protected

Academic year: 2021

Share "PCI DSS compliance and log management"

Copied!
19
0
0

Loading.... (view fulltext now)

Full text

(1)

PCI DSS compliance and log management

March 11, 2014

Abstract

How to control and audit remote access to your servers to comply with PCI DSS using the

syslog-ng Store Box

(2)

Table of Contents

1. Preface ... 3

1.1. Log Management’s Role ... 3

1.2. Using syslog-ng PE and SSB for compliance ... 4

1.3. Public references ... 4

2. Using the syslog-ng Store Box and syslog-ng Premium Edition for policy compliance ... 6

3. Summary ... 19

(3)

1. Preface

Organizations involved in payment card processing — including those that store, process, or transmit credit card-holder data — are required by credit card companies to implement The Payment Card Industry (PCI) Data Security Standard (DSS). PCI DSS provides a baseline of technical and operational requirements designed to protect card-holder data. PCI-DSS 3.0 was published in 2013. This latest version consists of six control objectives and twelve requirements, which are summarized in the following table.

PCI DSS Requirements Control Objectives

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Build and Maintain a Secure Network and Systems

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks Protect Cardholder Data

5. Protect all systems and malware and regularly update anti-virus soft-ware or programs

6. Develop and maintain secure systems and applications Maintain a Vulnerability Management

Program

7. Restrict access to cardholder data by business need-to-know 8. Identify and authenticate access to system components Implement Strong Access Control

Meas-ures

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes Regularly Monitor and Test Networks

12. Maintain a policy that addresses information security for all personnel Maintain an Information Security Policy

1.1. Log Management’s Role

Log messages provide important information about the events of the network, the devices, and the applications running on these devices. Log messages document user and system activity and can be used to detect security incid-ents, operational problems, and other issues like policy violations, and are useful in auditing and forensics situations. Collecting, storing and reviewing logs is explicitly required in requirement ten of PCI DSS but log messages are a very useful tool to prove compliance with the standard’s other requirements. The following table will give examples of how log management can help comply either directly or indirectly with PCI DSS.

This paper discusses the advantages of using the syslog-ng Store Box appliance and the syslog-ng Premium Edition application to collect, store, and manage system log (syslog) and eventlog messages in compliance with the Payment Card Industry Data Security Standard (PCI-DSS). The document is recommended for technical experts and decision

(4)

fully understand its content. The procedures and concepts described here are applicable to SSB version 3 F2 and syslog-ng Premium Edition version 5 LTS.

1.2. Using syslog-ng PE and SSB for compliance

Compliance is becoming more and more important in several fields — laws, regulations and industrial standards mandate increasing security awareness and the protection of sensitive data. As a result, companies have to increase the control over and the auditability of their business processes, and this makes thorough log management necessary — especially since several regulations require the centralized collection of logs (including retaining logs for an ex-tended amount of time often spanning several years).

Log messages provide important information about the events of the network, the devices, and the applications running on these devices. Log messages document user and system activity and can be used to detect security incid-ents, operational problems, and other issues like policy violations, and are useful in auditing and forensics situations. Collecting, storing and reviewing logs is explicitly required in requirement ten of PCI DSS but log messages are a very useful tool to prove compliance with the standard's other requirements.

The syslog-ng Premium Edition enables enterprises to collect, filter, normalize, forward, and store log messages from across their IT environment. Using syslog-ng Premium Edition, organizations can centralize and simplify their log management infrastructure to improve operations, gain visibility of security threats, and meet compliance requirements. The syslog-ng Store Box (SSB) is a high-reliability log management appliance that builds on the strengths of syslog-ng Premium Edition, and extends its functionality to provide a Graphical User Interface, flexible, fast search capabilities, custom reporting, and other useful features.

The syslog-ng Store Box logserver appliance and the syslog-ng Premium Edition log collector application give you the tools you need to create a complete, reliable, and trusted log infrastructure to collect the log messages from the clients to a central log server, ensuring the secure transmission and storage of the log messages from a wide variety of operating systems.

1.3. Public references

Among others, the following companies of the financial sector decided to use SSB in their production environment:

1.3.1. Public references of syslog-ng Store Box

Among others, the following companies decided to use SSB in their production environment:

DATA BASE FACTORY (Read Case Study)

Fiducia IT AG

LinkedIn Corporation

Societe Generale

University of Exeter (Read Case Study)

1.3.2. Public references of syslog-ng Premium Edition

Among others, the following companies decided to use syslog-ng PE in their production environment:

(5)

Air France

Coop Denmark

DataPath, Inc. (Read Case Study)

Facebook

Hush Communications Canada Inc.

Tecnocom Espana Solutions, S.L. (Read Case Study)

Telenor Norge AS (Read Case Study)

(6)

2. Using the syslog-ng Store Box and syslog-ng Premium Edition for policy

compli-ance

The following table provides a detailed description of the requirements of the Payment Card Industry Data Security Standard version 3 (PCI-DSS, available here) relevant to log management and auditing.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Log management role: Configuration changes can be documented in firewall messages to demonstrate compliance.

Requirement 1.1.1: A formal process for approving and testing all network connections and changes to the firewall and router configur-ations.

How syslog-ng PE helps you: Create a trusted path of logs from the firewalls to the logserver that provides tamper proof, digitally signed, timestamped log storage to have an audit trail of every configuration change.

How syslog-ng Store Box helps you: The syslog-ng Store Box helps you manage the life cycle of the audit logs, including: collection, transfer, safe and secure storage, backup, archiving, cleanup. You can quickly find relevant firewall logs using the search interface or the API.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security

parameters

Log management role: A report showing server logs can be used to demonstrate that servers are solely performing a primary function.

Requirement 2.2.1: Implement only one primary function per server to prevent func-tions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

How syslog-ng PE helps you: With syslog-ng PE you can flag logs from unknown programs on the host, right at the source of the message, and route them dif-ferently (for example, to a list of suspicious log mes-sages), or create alerts based on them.

How syslog-ng Store Box helps you: SSB can generate customized reports detailing server functions.

(7)

Log management role: Logs are a valuable source to determine if previously disable services are running as they might indicate an attack.

Requirement 2.2.2: Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

How syslog-ng PE helps you: Using syslog-ng Premium Edition, logs from disabled services can be filtered from normal log traffic to alert security analysts.

How syslog-ng Store Box helps you: Using syslog-ng Store Box, logs from disabled services can be filtered from normal log traffic to alert security analysts.

Requirement 3: Protect stored cardholder data

Log management role: In the event that PAN data needs to be included in logs, PCI DSS requires that the logs be unreadable. Logs may contain sensitive informa-tion such as personal identificainforma-tion numbers (PIN) and card validation codes.

Requirement 3.4: Render PAN unreadable anywhere it is stored (including on portable di-gital media, backup media, and in logs) by using any of the following approaches:

■ One-way hashes based on strong

cryptography, (hash must be of the

entire PAN) How syslog-ng PE helps you:Premium Edition application can rewrite any logs con-The syslog-ng taining cardholder data to mask any numbers, optionally using strong, cryptographically secure hashing. This re-writing can be done right at the message source to make sure that the cardholder data never leaves the system. Logs can also be stored in binary, time-stamped files using strong encryption to ensure that any sensitive data is secure. Only authorized users can access the decryp-tion key.

■ Truncation (hashing cannot be used

to replace the truncated segment of PAN)

■ Index tokens and pads (pads must

be securely stored)

■ Strong cryptography with associated

key-management processes and procedures.

How syslog-ng Store Box helps you: The syslog-ng Store Box can store log messages in binary, time-stamped files using strong encryption to ensure that any sensitive data is secure. Only authorized users can access the decryption key. In addition, syslog-ng Store Box provides fine-grained access control and encryption functionality to its search interface, helping you allow access to logs that have to include PAN data on a need-to-know basis.

(8)

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Log management role: Logs may contain sensitive information such as personal identification numbers (PIN) and card validation codes. Such data must be safeguarded when it is transmitted or received over open, public networks.

Requirement 4.1: Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive card-holder data during transmission over open, public networks, including the following:

Only trusted keys and certificates are accepted.

How syslog-ng PE helps you: The syslog-ng

Premium Edition application supports Transport layer security (TLS) to encrypt the communication between the clients and the log server, and to protect the integrity of the messages. Using TLS-encryption also prevents third-parties from accessing or modifying the commu-nication. The communication between the syslog-ng PE client and the SSB logserver can be mutually authentic-ated using X.509 certificates to verify the identity of the communicating parties, and prevent attackers from in-jecting fake messages into the log files. The syslog-ng PE application can also validate certificate chains, and use only selected, strong ciphers.

■ The protocol in use only supports

secure versions or configurations.

■ The encryption strength is appropri-ate for the encryption methodology in use.

How syslog-ng Store Box helps you: SSB supports Transport layer security (TLS) to encrypt the communic-ation between the clients and the log server, and to protect the integrity of the messages. Using TLS-encryp-tion also prevents third-parties from accessing or modi-fying the communication. The communication between the syslog-ng PE client and the SSB logserver can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent attackers from injecting fake messages into the log files. The web interface and the search API of SSB is only accessible via the encrypted HTTPS protocol.

(9)

Requirement 5: Protect all systems against malware and regularly update anti-virus software or

programs

Log management role: Logs from anti-virus tools not only demonstrate that logging has been activated but also can show when anti-virus updates fail.

Requirement 5.2: Ensure that all anti-virus mechanisms are maintained as follows:

■ Are kept current,

How syslog-ng PE helps you: The syslog-ng Premium Edition application can collect and centralize logs from a wide variety of log sources including anti-virus tools from leading vendors.

■ Perform periodic scans

■ Generate audit logs which are

re-tained per PCI DSS Requirement 10.7.

How syslog-ng Store Box helps you: SSB can col-lect and centralize logs from a wide variety of log sources including anti-virus tools from leading vendors. Using the PatternDB functionality, you can parse the logs of anti-virus tools and create reports and alerts based on the information they contain (for example, last database update time, software version, and so on).

Requirement 6: Develop and maintain secure systems and applications

Log management role: Log management is part and parcel of application security today. Custom applications should include a log generating feature to track applica-tion activity.

Requirement 6.3: Develop internal and ex-ternal software applications (including web-based administrative access to applications) se-curely, as follows:

In accordance with PCI DSS (for example, secure authentication and logging)

How syslog-ng PE helps you: The syslog-ng

Premium Edition application runs on a wide variety of platforms, making it easy to set up log management for custom applications. The syslog-ng PE application can collect logs directly from applications using various formats (for example, plain text, JSON, RFC3164, RFC5424) and various methods (for example, read from file, UNIX domain sockets, TCP, fetch directly from SQL, and the built-in logging facilities of the operating systems). Using the PatternDB functionality it is straightforward to write patterns for custom applications that identify security events.

■ Based on industry standards and/or

best practices.

■ Incorporating information security

throughout the software-develop-ment life cycle

How syslog-ng Store Box helps you: SSB can col-lect and centralize logs from a wide variety of log sources. In addition to the features of syslog-ng PE, SSB helps developers and operators (DevOps) monitor their custom applications for proper operation (including se-curity aspects) through its powerful search interface and API.

(10)

Log management role: Logs provide a rich source of data about traffic to web-applications. Collecting and centralizing logs from network and application layers can provide context from which attacks can be identified.

Requirement 6.6: For public-facing web applications, address new threats and vulnerab-ilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

How syslog-ng PE helps you: The syslog-ng Premium Edition application can collect and process logs from a variety of security devices including firewalls, and IDSs. Using the PatternDB or the regex-matching capabilities of syslog-ng PE you can create alerts for known attack patterns.

■ Reviewing public-facing web

applic-ations via manual or automated ap-plication vulnerability security assess-ment tools or methods, at least an-nually and after any changes

■ Installing an automated technical

solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.

How syslog-ng Store Box helps you: SSB can col-lect and process logs from a variety of security devices including firewalls, and IDSs. The search capabilities can be used to look for known attack patterns in the logs of these systems automatically or manually.

Requirement 7: Restrict access to cardholder data by business need to know

Log management role: Logs can be used to demonstrate access to system components and cardhold-er data.

Requirement 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.

How syslog-ng PE helps you: All log messages can be encrypted using public-key encryption on the central log server in a so-called logstore™ file. The syslog-ng PE application can also digitally sign the files, and re-quest timestamps for the stored data from an external Timestamping Authority (TSA) provide reliable date for the signature.

How syslog-ng Store Box helps you: SSB can re-strict access to logs using strong authentication and granular access policies. All log messages can be encryp-ted using public-key encryption on the central log server in a so-called logstore™ file. The SSB can also digitally sign the files, and request timestamps for the stored data from an external Timestamping Authority (TSA) provide reliable date for the signature.

(11)

Requirement 8: Identify and authenticate access to system components

Log management role: Not only are logs essential to detecting suspicious behavior such as excessive failed login attempts but they are an excellent means by which to demonstrate compliance with user access require-ments.

Requirement 8.1: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system compon-ents as follows:

Requirement 8.1.1: Assign all users a unique ID before allowing them to access system components or cardholder data.

How syslog-ng PE helps you: Using the syslog-ng

PE's PatternDB feature, logs for successful logins and logouts can be paired to create session events which fa-cilitate tracking user access.

How syslog-ng Store Box helps you: SSB can generate custom reports to show access to system com-ponents. SSB can connect usernames to an Active Dir-ectory or LDAP database. Strong RADIUS-based au-thentication (for example, using auau-thentication key fobs) is also available to ensure accountability for those access-ing logs potentially containaccess-ing cardholder data.

Requirement 10: Track and monitor all access to network resources and cardholder data

Log management role: Log management is an es-sential tool in linking user access to system components enabling security teams to trace suspicious activity back to a specific user.

Requirement 10.1: Implement audit trails to link all access to system components to each individual user.

How syslog-ng PE helps you: The syslog-ng Premium Edition application provides a reliable log management infrastructure that can collect and store logs for such audit trails. Without all of the necessary log data, security teams may fail to identify attacks or their sources.

How syslog-ng Store Box helps you: SSB provides a reliable log management infrastructure that can collect and store logs for such audit trails. Without all of the necessary log data, security teams may fail to identify attacks or their sources.

(12)

Log management role: Generating logs of these actions provides a context for identifying and tracing malicious activity. These events represent high risk activity which merit close scrutiny.

Requirement 10.2: Implement automated audit trails for all system components to recon-struct the following events:

Requirement 10.2.1: All

individu-al user accesses to cardholder data How syslog-ng PE helps you: The syslog-ng

Premium Edition application provides a reliable logging infrastructure that can collect and store logs for such audit trails. Using syslog-ng PE's PatternDB feature, logs can be filtered based on content including special events such as logins by privileged users and access to log data.

Requirement 10.2.2: All actions taken by any individual with root or administrative privileges

Requirement 10.2.3: Access to all audit trails

Requirement 10.2.4: Invalid

lo-gical access attempts How syslog-ng Store Box helps you:a reliable system logging infrastructure that can collectSSB provides and store logs for such audit trails. Events can be invest-igated in their context using the intuitive search interface. Using syslog-ng PE's PatternDB feature, logs can be filtered based on content including special events such as logins by privileged users and access to log data.

Log management role: Collecting these details in logs can reduce the time needed to identify potential incidents and allows security experts to analyze user be-havior.

Requirement 10.3: Record at least the fol-lowing audit trail entries for all system compon-ents for each event:

Requirement 10.3.1: User

iden-tification How syslog-ng PE helps you: The syslog-ng

Premium Edition application provides macros and powerful message-rewriting capabilities to reformat and normalize the messages in order to convert them to a common format to ensure that the order of the data fields in the message is consistent with other messages.

Requirement 10.3.2: Type of event

Requirement 10.3.3: Date and time

Requirement 10.3.4: Success or

failure indication How syslog-ng Store Box helps you: SSB provides

macros and powerful message-rewriting capabilities to reformat and normalize the messages in order to convert them to a common format to ensure that the order of the data fields in the message is consistent with other messages. Events can be investigated in their context using the intuitive search interface.

Requirement 10.3.5: Origination of event

Requirement 10.3.6: Identity or name of affected data, system com-ponent, or resource

(13)

Log management role: Different log messages often use different timestamp formats to date the messages (for example, some timestamp formats do not contain year or timezone information), making it difficult to locate the messages later, and to properly see their place in the flow of events.

Requirement 10.4: Using time-synchroniz-ation technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

How syslog-ng PE helps you: The syslog-ng Premium Edition application converts the timestamps to a single format (for example as specified in the ISO 8601 standard). The syslog-ng PE server can automatic-ally add the date and time when it received the message, so the log messages contain accurate time information — even if the clock of the client host or the application is mistimed. This is possible while still retaining the ori-ginal receive time. Digital timestamping using a third-party Timestamping Authority (TSA) is available for the logstore™ storage format.

How syslog-ng Store Box helps you: SSB can convert the timestamps to a single format (for example as specified in the ISO 8601 standard). SSB can automat-ically add the date and time when it received the message, so the log messages contain accurate time information — even if the clock of the client host or the application is mistimed. Naturally, SSB itself can synchronize its system clock to NTP servers.

(14)

Log management role: In the event of a data breach, attackers often try cover their tracks by deleting logs. Collecting and transferring logs to a secure central server reduces the risk an attacker can access logs. According PCI DSS, adequate protection of logs includes strong access control (limit access to logs based on "need to know" only), and use of physical or network segregation to make the logs harder to find and modify.

Requirement 10.5: Secure audit trails so they cannot be altered.

How syslog-ng PE helps you: All log messages can be encrypted using public-key encryption on the central log server in logstore™ file. The syslog-ng Premium Edition application can also digitally sign the files, and request timestamps for the stored data from an external Timestamping Authority (TSA) provide reliable date for the signature.

How syslog-ng Store Box helps you: All log mes-sages can be encrypted using public-key encryption on the central log server in a so-called logstore™ file. SSB can also digitally sign the files, and request timestamps for the stored data from an external Timestamping Au-thority (TSA) provide reliable date for the signature. The syslog-ng Store Box appliance is based on a hardened, secured Linux operating system. It is configured to pre-vent unauthorized external access and make sure it acts as a secure log storage. BalaBit issues regular security-update releases to make sure that all components are up-to-date.

How syslog-ng PE helps you: Encrypted log mes-sages can be viewed only if the user has the required encryption key.

Requirement 10.5.1: Limit viewing of audit trails to those with a job-related need.

How syslog-ng Store Box helps you: SSB can re-strict access to logs using strong authentication and granular access policies. Encrypted log messages can be viewed only if the user has the required encryption key. Access to the logs can be also tied to group member-ships, for example, based on information from an Active Directory or other LDAP server.

(15)

How syslog-ng PE helps you: When stored in the encrypted logstore™ of the central syslog-ng Premium Edition server, log messages are also timestamped and digitally signed to prevent modifications. The integrity of the messages is also checked when they are transmit-ted from the client to the log server. The communication between the clients and the log server can be mutually authenticated using X.509 certificates to prevent log-in-jection attacks.

Requirement 10.5.2: Protect audit trail files from unauthorized modifications.

How syslog-ng Store Box helps you: When stored in the encrypted logstore™ of the central syslog-ng Store Box server, log messages are also timestamped and digit-ally signed to prevent modifications. The integrity of the messages is also checked when they are transmitted from the client to the log server. The communication between the clients and the log server can be mutually authentic-ated using X.509 certificates to prevent log-injection at-tacks.

How syslog-ng PE helps you: The syslog-ng Premium Edition application was created exactly for this purpose: to transfer the log messages generated on the host to a central log server, where they can be stored in encrypted and digitally signed log files to prevent modi-fications. To ensure that no log messages are lost, syslog-ng PE supports TCP networkisyslog-ng protocol, application-level-acknowledgement via the Reliable Log Transfer Protocol (RLTP) and can also send log messages to a backup log server in case the primary server becomes unavailable. To avoid losing messages during network outages, syslog-ng PE buffers the messages to the hard disk, and sends the messages when the server becomes available.

Requirement 10.5.3: Promptly back-up audit trail files to a centralized log server or media that is difficult to alter.

How syslog-ng Store Box helps you: The syslog-ng Store Box appliance was created exactly for this pur-pose: to act as a centralized log server that securely stores the log messages in encrypted and digitally signed log files to prevent modifications, and handle the entire log life cycle, including archiving and backup. SSB works seamlessly with syslog-ng Premium Edition clients and relays, and can communicate with third-party solutions to ensure that logs are received with minimal delay.

(16)

Log management role: External-facing technologies include devices such as wireless, firewalls, DNS, and mail servers. Transferring logs from these sources to a central log server reduces the risk of those logs being lost.

Requirement 10.5.4: Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.

How syslog-ng PE helps you: The syslog-ng Premium Edition application pushes log messages from log sources to a central server in near real-time rather than pulling data in batches at periodic intervals. This not only ensures that logs are not saved locally for exten-ded periods of time but also reduces traffic bursts.

How syslog-ng Store Box helps you: The syslog-ng Store Box appliance was developed to be a secure, centralized log server.

(17)

Log management role: Data breaches usually take place over days and months so daily review of logs can reduce the risk and magnitude of incidents. PCI DSS does not mandate that logs be reviewed manually; auto-mated log collection and analysis tools can facilitate re-view. Logs from other system components should be reviewed on a periodic basis.

Requirement 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity.

Requirement 10.6.1: Review the following at least daily:

■ All security events

Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD

How syslog-ng PE helps you: Logs detailing activity

of critical system components are essential to identifying and preventing data breaches; missing logins, firewalls and IDS logs can compromise security. The syslog-ng Premium Edition application can ensure no messages are lost in collection and transfer of logs to the central log server with application-level acknowledgment using the Reliable Log Transfer Protocol (RLTP). With syslog-ng PE, you can also parse the content (that is, the mes-sage body) of the log mesmes-sages, extract information from them, and filter and alert based on the extracted data, create reports and statistics, to help you focus on the important logs during a review. The syslog-ng Premium Edition application supports a wide variety of output formats, making it straightforward to integrate syslog-ng PE with third-party solutions.

■ Logs of all critical system

compon-ents

■ Logs of all servers and system

components that perform security functions.

How syslog-ng Store Box helps you: The search interface of SSB helps you perform regular manual re-views, supplemented by a fast indexing engine, and giv-ing the possibility to create ad-hoc charts and timelines to quickly find problematic points. Using the search API, you can create scripted queries and integrate with analysis tools.

(18)

Log management role: Data breaches often occur over weeks and months. Retaining logs for at least a year provides investigators the data necessary to determine the length and magnitude of the breach. With three months of data readily accessible, investigators can quickly identify and mitigate breaches.

Requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

How syslog-ng PE helps you: When stored in the logstore™ of the central syslog-ng Premium Edition server, log messages can be compressed to save disk space. Logs can be filtered into different containers in an extremely flexible manner based on their parameters, for example, receive date and time, sending host or program (or any combination thereof) to simplify the management and handling of huge amount of log data.

How syslog-ng Store Box helps you: When stored in the logstore™ of SSB, log messages can be com-pressed to save disk space. SSB provides storage capacity for between 1 and 10TB of log data making log data immediately available to security experts. Messages can be automatically archived to an external storage. Archived messages are still encrypted, but remain avail-able in the SSB web interface as long as the storage server is online, making it easy to review logs and find older messages in forensic situations. Also, SSB can provide access to the log messages over NFS or SMB protocols for those requiring more space or wanting to utilize their own existing storage solutions. The search functionality of SSB was designed to handle terabytes of data, and allows auditors to find the needle in the haystack quickly — even if it means searching in years of stored log data.

(19)

3. Summary

This paper has shown how to use the syslog-ng Store Box (SSB) appliance and the syslog-ng Premium Edition (syslog-ng PE) application to collect and manage log messages in a PCI DSS compliant environment. SSB is an ideal choice to enhance your IT infrastructure if your organization must comply to external regulations like PCI DSS.

3.1. About BalaBit

BalaBit IT Security Ltd. is an innovative information security company, a global leader in the development of privileged activity monitoring, trusted logging and proxy-based gateway technologies to help protect customers against internal and external threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions to a uniquely wide range of both open source and proprietary plat-forms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments. BalaBit is also known for its flagship product, the open source log server application syslog-ng.

BalaBit, the fastest-growing IT Security company in the Central European region according to Deloitte Technology Fast 50 (2012) list, has local offices in France, Germany, Russia, and in the USA, and cooperates with partners worldwide. Our R&D and global support centers are located in Hungary, Europe.

To learn more about commercial and open source SSB products, request an evaluation version, or find a reseller, visit the following links:

syslog-ng Store Box (SSB) homepage

Product manuals, guides, and other documentation

Contact us and request an evaluation version

Find a reseller

All questions, comments or inquiries should be directed to<[email protected]>or by post to the following address: BalaBit IT Security 1117 Budapest, Alíz Str. 2 Phone: +36 1 398 6700 Fax: +36 1 208 0875 Web: http://www.balabit.com/

Copyright © 2014 BalaBit IT Security Ltd. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaBit.

The latest version is always available at the BalaBit Documentation Page.

References

Related documents

Performance of SSB versions 17 Summary 19 About us 20 Contacting us 20 Technical support resources 20 SSB 6.6.0 Performance Whitepaper 3... 1

syslog-ng PE 7.0.25 Windows Event Collector Administration Guide Configure event source

Figure 2: NNT Log Tracker technology will take you through a 3 phase process for gathering events, profiling events through analysis of thresholds of common events, before

The syslog-ng Premium Edition application is licensed on a per-host basis: the syslog-ng server accepts connections only from the number of individual hosts (also called log

Stored log messages and the configuration of SSB can be periodically transferred to a remote server using the following protocols:. ■ Network File System protocol (NFS); ■ Rsync

For example, if messages from a source are sent to a remote server and also stored locally in a file, and the network connection to the server becomes unavailable, neither the

A lightweight client alternative to syslog-ng Premium Edition for Windows, the syslog-ng Agent for Windows application can collect and forward log messages to a remote server.. It

In conclusion, the present study identified a compound heterozygous mutations including two deletions in VSX2 , a single nucleotide and a whole exon that have never