Splunk is fast becoming one of the most highly regarded solutions for log management.
Splunk is a versatile and comprehensive data analysis toolkit. By creating PCI-specific searches, filters and reports, we have built a cost-effective log collection and analysis tool that helps you meet the relevant PCI logging requirements (Requirement 10), including file integrity monitoring.
Splunk allows organisations to centralise disparate and diverse logs for compliance, regulatory and best-practice review. Here are some of its key features:
Collection
Rapid and simple collection of logs from just about any application, server, router, firewall and system
Analysis
Assesses log events for importance and correlates them against best-practice security templates, including rapid association of common or linked events from separate systems
Alerting
Automate the escalation and distribution of important events
Reporting
Various reports, ranging from summary-style compliance ratings to drill-down detail, all customisable and easy to produce
Archiving
Logs are separately time/date stamped and hashed to retain integrity, and are made available when required for post-event analysis and forensic-style examination
Key benefit: Unlike other log management solutions, Splunk is priced on the volume of log data indexed rather than the number of systems. Because Splunk can be configured to collect only the events you require, you can drastically reduce your log collection volume and reduce costs. That filtering should be driven by the PCI requirements listed below: events that Requirements 10.2 and 10.3 call for must still be collected.
Systems where we have helped with Splunk PCI integration (this is not meant to be an exhaustive list):
Microsoft Windows 2000 and 2003 servers
Till Controllers
Sureswitch (IBM AIX)
RSA strong authentication server
Cisco routers
Firewalls
Citrix Client Access Gateway
Cisco IOS
TACACS
Opinion
Splunk was born of our founders' frustration running some of the world's largest IT infrastructures. Armed with state-of-the-art IT management tools, they found it nearly impossible to locate the root cause of problems, investigate security attacks and assemble all the data required for compliance audits.
Their conclusion was that the silo approach to managing IT, with separate tools for every technology and IT function, was cumbersome, costly and didn't scale.
Key Features & Benefits
Key features of how Splunk can assist with PCI adherence:
Requirement 10.2: Implement automated audit trails for all system components
Requirement 10.3: Record at least the following audit trail entries…
Requirement 10.5: Secure audit trails so that they cannot be altered
Requirement 10.6: Review logs for all system components at least daily
Requirement 10.7: Retain audit trail history for at least one year…
Requirement 7.1: Limit access to computing resources and cardholder data…
This is not an exhaustive list, but it is typical of what Splunk and our integration services offer. Another example is PCI control reporting (see PCI DSS 1.2.1 and 1.2.3): where cardholder data must be segregated and only passed from point A to point B, the firewall, router, switches and the like each keep separate logs that provide evidence of this. Splunk collects and collates all of these disparate logs and analyses them against the same exception criteria, for instance reporting on any traffic from A with a destination other than B.
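As an added illustration of that exception report (example code written for this page, not Splunk's own code or part of our integration content), the following Python parses constructed firewall log lines in Cisco ASA syslog format and flags every flow from the cardholder data environment (point A) that is not to the approved payment gateway (point B) on TCP/443. The subnet, addresses, ports and log lines are all hypothetical; a denied attempt from A to anywhere else is reported as well, since it is still evidence that a system in the CDE tried to reach an unapproved destination.

```python
"""Exception report for PCI DSS 1.2.1-style segregation: flag any connection
from the cardholder data environment (point A) to anywhere other than the
approved destination (point B). Added example, not the page's own code."""
import ipaddress
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample lines approximating Cisco ASA message formats 302013
# (connection built) and 106023 (denied by ACL). Hosts/ports are hypothetical.
SAMPLE_LOGS = """\
Mar 10 10:01:02 fw1 %ASA-6-302013: Built outbound TCP connection 1001 for inside:10.10.1.5/49152 (10.10.1.5/49152) to outside:203.0.113.10/443 (203.0.113.10/443)
Mar 10 10:01:05 fw1 %ASA-6-302013: Built outbound TCP connection 1002 for inside:10.10.1.6/49153 (10.10.1.6/49153) to outside:203.0.113.10/443 (203.0.113.10/443)
Mar 10 10:02:11 fw1 %ASA-6-302013: Built outbound TCP connection 1003 for inside:10.10.1.5/49154 (10.10.1.5/49154) to outside:198.51.100.7/22 (198.51.100.7/22)
Mar 10 10:02:30 fw1 %ASA-6-302013: Built outbound TCP connection 1004 for inside:10.20.0.9/40000 (10.20.0.9/40000) to outside:198.51.100.7/80 (198.51.100.7/80)
Mar 10 10:03:00 fw1 %ASA-4-106023: Deny tcp src inside:10.10.1.7/49155 dst outside:192.0.2.9/3389 by access-group "inside_in"
Mar 10 10:03:15 fw1 %ASA-6-302013: Built outbound UDP connection 1005 for inside:10.10.1.5/53001 (10.10.1.5/53001) to outside:203.0.113.10/53 (203.0.113.10/53)
"""

# Assumed segregation policy: the CDE (point A) may only reach the payment
# gateway (point B) on TCP/443. Everything else from the CDE is an exception.
CDE_NET = ipaddress.ip_network("10.10.1.0/24")
ALLOWED = {("203.0.113.10", "TCP", 443)}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    action: str  # "built" (permitted by the firewall) or "deny"


BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for \w+:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_flow(line):
    """Extract a Flow from a built/deny line; return None for anything else."""
    m = BUILT_RE.search(line)
    action = "built"
    if not m:
        m = DENY_RE.search(line)
        action = "deny"
    if not m:
        return None
    return Flow(m["src"], m["dst"], m["proto"].upper(), int(m["dport"]), action)


def find_exceptions(lines):
    """Return every flow from the CDE that is not a permitted A-to-B flow.

    A permitted destination that the firewall nevertheless denied is also
    reported, because that indicates an ACL/policy mismatch worth reviewing.
    """
    exceptions = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if ipaddress.ip_address(flow.src) not in CDE_NET:
            continue  # not cardholder traffic; outside the scope of this report
        if (flow.dst, flow.proto, flow.dport) in ALLOWED and flow.action == "built":
            continue
        exceptions.append(flow)
    return exceptions


def summarise(exceptions):
    """Count exceptions by destination/proto/port/action for the report."""
    return Counter((f.dst, f.proto, f.dport, f.action) for f in exceptions)


if __name__ == "__main__":
    found = find_exceptions(SAMPLE_LOGS.splitlines())
    for key, n in summarise(found).items():
        print(f"{n:3d}  {key[0]}:{key[2]} {key[1]} ({key[3]})")
```

On the constructed sample this reports three exceptions: an SSH connection from the CDE that the firewall permitted (the most serious finding, since the ACL let it through), a denied RDP attempt, and DNS to the gateway on a port the policy does not allow. In Splunk the same logic is a search over the firewall index that excludes the permitted source subnet, destination and port combination and counts what remains by destination, scheduled to run daily to satisfy the Requirement 10.6 review.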