SIEM solution and PCI scope: why scoping the environment is important

SIEM stands for Security Information and Event Management. Log management and notifications are part of the PCI DSS requirements and are not optional under SAQ D. A SIEM gathers user (staff) activity from computers, servers and the network. In the event of a breach, the logs can be used to rebuild a picture of what was happening on the network.

An example: someone could deliberately install malware on your network to steal data. With a SIEM it is possible to narrow down who did it, or more precisely, whose credentials were used to do it.
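To show what that "narrowing down" looks like in practice, here is an added example (not part of the original post) that correlates a software-install event with the accounts logged on to the same host at that moment, which is the kind of query a SIEM runs over collected logon and process events. The log lines, host names, account names and field layout are all constructed for this illustration and are not any vendor's schema.

```python
"""Correlate unexpected software installs with the accounts logged on to the
host at the time, using constructed sample events (assumption: the five
whitespace-separated fields below; real SIEM schemas differ)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp, host, event type, account, detail.
SAMPLE_LOGS = [
    "2016-05-23T09:58:10Z ws-07 LOGON alice interactive",
    "2016-05-23T10:02:41Z ws-07 LOGON bob remote",
    "2016-05-23T10:05:03Z ws-07 INSTALL bob updater.exe",
    "2016-05-23T10:06:00Z ws-07 LOGOFF bob -",
    "2016-05-23T10:30:00Z ws-12 INSTALL SYSTEM patch.msi",
    "2016-05-23T11:00:00Z ws-07 LOGOFF alice -",
]

# Accounts that are expected to install software (assumed for the example).
ALLOWED_INSTALLERS = {"SYSTEM"}


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, host, kind, account, detail = line.split(maxsplit=4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, account, detail


def suspicious_installs(lines):
    """Replay events in time order, tracking who is logged on to each host,
    and report every install by a non-approved account together with the
    accounts that had an open session on that host at that moment."""
    sessions = defaultdict(set)   # host -> accounts currently logged on
    findings = []
    for ts, host, kind, account, detail in sorted(parse(l) for l in lines):
        if kind == "LOGON":
            sessions[host].add(account)
        elif kind == "LOGOFF":
            sessions[host].discard(account)
        elif kind == "INSTALL" and account not in ALLOWED_INSTALLERS:
            findings.append({
                "time": ts.isoformat(),
                "host": host,
                "installer_account": account,   # whose credentials were used
                "package": detail,
                "logged_on_accounts": sorted(sessions[host]),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_installs(SAMPLE_LOGS):
        print(f)
```

The report names the account that performed the install and every other account with a session on the host, which is exactly the list of people (or stolen credentials) an investigation would start from; the install by SYSTEM on ws-12 is skipped because it is an approved installer in this example.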

SIEM integration is quite involved and requires a lot of time at the beginning. It is not a "set up and forget" product: continuous maintenance and daily monitoring and review are needed.

Vendors have various licensing models: either per number of computers or by the amount of activity (log volume) on the network. There are also subscription and perpetual licence options.

The more computers you have on your network, the more activity will be logged. However, it is possible to minimise this: computers that need access to your cardholder data environment (CDE) can be moved into a separate network, called the "PCI environment" (or CDE). Computers (or staff) that do not need access to the system holding card data can be considered out of scope. This process is called segmentation.

Reducing the scope, or put differently, having fewer computers with access to your business system, would mean:

  • Lower SIEM solution cost
  • Less activity logged, which means less to review daily, fewer alerts and easier management
  • Lower risk of breach
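Segmentation only reduces scope if the network policy actually stops out-of-scope machines from reaching the CDE, so a practitioner normally checks the inventory against the firewall rules before deciding which hosts' logs must feed the SIEM. The following is an added example, not from the original post: it takes a constructed host inventory, a constructed CDE subnet and a constructed allow-list of source-to-destination rules (default deny assumed), and reports which hosts are in scope because they sit inside the CDE or have a permitted path to it.

```python
"""Decide which hosts are in PCI scope from a constructed inventory and a
constructed allow-list firewall policy (assumptions for this example; the
subnets, host names and rules are not from any real environment)."""
import ipaddress

# Network(s) where card data lives (constructed).
CDE_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Host inventory: name -> IP address (constructed).
HOSTS = {
    "pos-01":   "10.10.0.5",      # inside the CDE itself
    "fin-ws":   "10.20.0.7",      # finance workstation with a permitted path
    "hr-ws":    "10.30.0.9",      # HR workstation, should be out of scope
    "guest-lt": "192.168.50.4",   # guest laptop, no rule at all
}

# Allow rules as (source network, destination network); anything not
# listed is denied (default-deny assumed).
ALLOW_RULES = [
    ("10.20.0.0/24", "10.10.0.0/24"),   # finance -> CDE
    ("10.30.0.0/24", "10.30.0.0/24"),   # HR talks only to itself
]


def can_reach_cde(ip):
    """True if the address is inside the CDE or some allow rule lets it in."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CDE_NETS):
        return True
    for src, dst in ALLOW_RULES:
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if addr in src_net and any(dst_net.overlaps(net) for net in CDE_NETS):
            return True
    return False


def scope_report(hosts=HOSTS):
    """Split the inventory into in-scope and out-of-scope host names."""
    in_scope = sorted(name for name, ip in hosts.items() if can_reach_cde(ip))
    out_of_scope = sorted(name for name in hosts if name not in in_scope)
    return in_scope, out_of_scope


if __name__ == "__main__":
    inside, outside = scope_report()
    print("in scope (must log to SIEM):", inside)
    print("out of scope:", outside)
```

The in-scope list is the set of machines whose logs the SIEM must collect and whose licence count matters; if a host you expected to be out of scope appears in it, the allow rules, not the inventory, are what need fixing.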

Proper scoping of the environment would not only cost less, but would also involve less maintenance and reduce the risk to your business.

Roman, Date: 2016-05-23 14:00:00 UTC