SIEM Use Cases for PCI DSS 3.0 – Part 4
So we have finally reached the final part of this series of articles. First of all I would like to thank you readers for such an outstanding response to Part 1, Part 2, and Part 3 of this series, which cover the use cases for the PCI DSS 3.0 to an extent, and this article will focus on the remaining requirements and possible use cases around them.
Use Case 16
PCI DSS Requirement 10.2.1: "All individual user accesses to cardholder data."
Learn Network Security Fundamentals
PCI DSS Guidance: "Malicious individuals could obtain knowledge of a user account with access to systems in the CDE, or they could create a new, unauthorized account in order to access cardholder data. A record of all individual accesses to cardholder data can identify which accounts may have been compromised or misused."
Possible SIEM Threat: "Disclosure of information."
Log Sources: Server storing confidential data.
SIEM Use Case: Access to sensitive data should be recorded.
SIEM Rule: Enable auditing on the sensitive file and look for access related events.
Use Case 17
PCI DSS Requirement 10.2.2: "All actions taken by any individual with root or administrative privileges."
PCI DSS Guidance: "Accounts with increased privileges, such as the "administrator" or "root" account, have the potential to greatly impact the security or operational functionality of a system. Without a log of the activities performed, an organization is unable to trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and individual."
Possible SIEM Threat: "Misuse of privileges."
Log Sources: Active Directory, Applications, Databases.
SIEM Use Case: Detect all the actions taken by any individual with root or administrative privileges.
SIEM Rule: Define the privileged users in the privileged users building block and look for the actions taken by those users.
Use Case 18
PCI DSS Requirement 10.2.7: "Creation and deletion of system level objects."
PCI DSS Guidance: "Malicious software, such as malware, often creates or replaces system level objects on the target system in order to control a particular function or operation on that system. By logging when system-level objects, such as database tables or stored procedures, are created or deleted, it will be easier to determine whether such modifications were authorized."
Possible SIEM Threat: "Unauthorized modifications."
Log Sources: Databases
SIEM Use Case: Alert when system-level objects, such as database, tables or stored procedures, are created or deleted.
SIEM Rule: Enable auditing and search for the events related to creation and deletion of system-level objects and then include those events in the rule.
Use Case 19
PCI DSS Requirement 10.2.6: "Initialization, stopping, or pausing of the audit logs."
PCI DSS Guidance: "Turning the audit logs off (or pausing them) prior to performing illicit activities is a common practice for malicious users wishing to avoid detection. Initialization of audit logs could indicate that the log function was disabled by a user to hide their actions."
Possible SIEM Threat: "Unable to track."
Log Sources: Systems, Databases, Applications
SIEM Use Case: Alert when audit services are stopped on a compliance host.
SIEM Rule: Define the hosts in the compliance definition BBs and verify that the events for the audit service stopped for your host are in the Auditing Stopped building block.
Use Case 20
PCI DSS Requirement 10.2.3: "Access to all audit trails."
PCI DSS Guidance: "Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel."
Possible SIEM Threat: "Modification"
Log Sources: Application Servers
SIEM Use Case: Alert when someone is trying to access the audit/log file of any application/system.
SIEM Rule: Enable auditing on the audit file and check for the access related events.
Use Case 21
PCI DSS Requirement 8.5: "Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
- Generic user IDs are disabled or removed.
- Shared user IDs do not exist for system administration and other critical functions.
- Shared and generic user IDs are not used to administer any system components."
PCI DSS Guidance: "If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual's actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials."
Possible SIEM Threat: "Unaccountability"
Log Sources: Active Directory
SIEM Use Case: Alert when a privileged account is shared between two or more employees.
SIEM Rule: Look for authentication events made for the same username by different IP addresses.
Learn Network Security Fundamentals
References
Network Security Fundamentals
Learn the fundamentals of networking and how to secure your networks with seven hands-on courses. What you'll learn:- Models and protocols
- Networking best practices
- Wireless and mobile security
- Network security tools
- And more
In this Series
- SIEM Use Cases for PCI DSS 3.0 – Part 4
- What is zero trust architecture (ZTA)? Pillars of zero trust and trends for 2024
- A deep dive into network security protocols: Safeguarding digital infrastructure 2024
- Asset mapping and detection: How to implement the nuts and bolts
- The Pentagon goes all-in on Zero Trust
- How to configure a network firewall: Walkthrough
- 4 network utilities every security pro should know: Video walkthrough
- How to use Nmap and other network scanners
- Security engineers: The top 13 cybersecurity tools you should know
- Converting a PCAP into Zeek logs and investigating the data
- Using Zeek for network analysis and detections
- Suricata: What is it and how can we use it
- Intrusion detection software best practices
- What is intrusion detection?
- How to use Wireshark for protocol analysis: Video walkthrough
- 9 best practices for network security
- Securing voice communications
- Introduction to SIEM (security information and event management)
- VPNs and remote access technologies
- Cellular Networks and Mobile Security
- Secure network protocols
- Network security (101)
- IDS/IPS overview
- Exploiting built-in network protocols for DDoS attacks
- Firewall types and architecture
- Wireless attacks and mitigation
- Wireless network overview
- Open source IDS: Snort or Suricata? [updated 2021]
- PCAP analysis basics with Wireshark [updated 2021]
- What is a firewall: An overview
- NSA report: Indicators of compromise on personal networks
- Securing the home office: Printer security risks (and mitigations)
- Email security
- Data integrity and backups
- Cost of non-compliance: 8 largest data breach fines and penalties
- How to find weak passwords in your organization’s Active Directory
- Monitoring business communication tools like Slack for data infiltration risks
- Firewalls and IDS/IPS
- IPv4 and IPv6 overview
- The OSI model and TCP/IP model
- Endpoint hardening (best practices)
- Wireless Networks and Security
- Networking fundamentals (for network security professionals)
- How your home network can be hacked and how to prevent it
- Network design: Firewall, IDS/IPS
- Work-from-home network traffic spikes: Are your employees vulnerable?
- RTS threshold configuration for improved wireless network performance [updated 2020]
- Web server protection: Web server security monitoring
- Web server security: Active defense
- Web server security: Infrastructure components
- Web server protection: Web application firewalls for web server protection
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
