Troy Leach of the PCI Security Standards Council says log monitoring is an effective data breach detection tool that, unfortunately, not enough merchants put to use.
That's why the PCI Council next year will issue guidance on best practices for daily log monitoring, he explains in an interview with Information Security Media Group.
"Log monitoring is one of the most underused business tools available today," he says. "This is an opportunity for us to give practical advice about what you should be looking for and how you can adequately monitor all of these logs."
But the challenge for most businesses, Leach says, is that they are overwhelmed with the number of logs they have to manage. "It's hard to know what to even look for in these logs," he says. "Some businesses are receiving 50,000 log entries per second."
Finding anomalies in that many entries can be daunting, even for organizations that have automated their log monitoring.
"In some of the recent breaches we've seen, daily log monitoring was happening," he says. But employees, nevertheless, failed to pick up on breach indicators.
In the Target Corp. breach, for instance, a forensics analysis conducted as part of the post-breach investigation showed that anomalous activity was evident in Target's log entries, according to news reports. But those entries were apparently either overlooked or ignored, security experts have surmised.
In early 2015, the Payment Card Industry Security Standards Council expects two of its special interest groups to issue new guidelines. In addition to outlining best practices for daily log monitoring, the guidance will provide insights on shared security responsibilities for third-party service providers.
So why revisit third-party security? Post-breach analysis of recent card data breaches shows third party compromises are to blame for the vast majority of POS breaches, Leach explains. In fact, Home Depot revealed last week that its breach stemmed from hackers using a third-party vendor's username and password to enter the perimeter of its network.
By issuing additional guidance, Leach says the PCI Council hopes to expand upon what is already outlined in version 3.0 of the PCI Data Security Standard - an update to the PCI-DSS that took effect in January.
During this interview, Leach also discusses:
- How the council is working through its global round of community meetings, including the one this month in Asia-Pacific, to get the word out about anticipated 2015 best practices and guidance;
- How the retail point-of-sale breaches of 2014 have spurred the PCI Council to take action; and
- Why emerging payments technologies are opening new doors for risk as well as new opportunities for security.
In his role as CTO and lead security standards architect for the PCI Council, Leach has developed and implemented a comprehensive quality assurance program. Before joining the council, he led the incident response program at American Express, where he reviewed more than 300 cases of account data compromises. Over the past 18 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics.