Any company that handles credit card transactions is obliged by the Payment Card Initiative Data Security Standard (PCI DSS) to “track and monitor all access to network resources and cardholder data”.
This means that if card details are stolen, the company should be able to see how it happened, allowing it to plug security vulnerabilities and providing vital evidence in the event of a forensic investigation.
In practice, this means pouring through system log files, text-based records of the activity and access history of a given system. In a modern IT infrastructure, log files can be huge – hundreds of gigabytes for some large organisations.
Retail stock brokerage Share Centre, which allows customers to buy and sell shares using their credit cards, used to monitor its logs ‘manually’, aggregating them all into a single document by hand before analysis. But as business took off and the volume of log data exploded, this became untenable.
"As markets got busier and our customer base grew, it became more difficult to monitor our logs manually,” recalls IT infrastructure manager Giles Roberts.
Driven in part by the obligations of PCI DSS, Roberts sought a system to take the legwork out of log management. That lead him to LogRhythm, a US-based vendor whose technology automatically collects and aggregates log files.
The single greatest benefit, Roberts says, has been to reduce the time required to monitor log files. “It saves the time of somewhere between half and one person a week,” he explains. “That’s freeing up resources to do other thing.”
By providing detailed data about the performance of its security systems, the deployment has also improved Share Centre’s ability to hold its suppliers to account.
"We’ve had some issues with one particular firewall which we wouldn’t have seen otherwise,” explains Roberts. “The firewall itself was doing its job, but the software was giving out errors. [With LogRhythm] we can go back to the manufacturer and ask some questions."
By supporting more detailed analysis of log data, he adds, the system means Share Centre would be better able to respond in the event of a breach.
"Should anything happen, we’ve got all the evidence we might need to look, that means we can go back and look at anything,” Roberts explains. “If you want to do a forensic investigation, then you need all that source data.”
All of this comes at a time when the awareness of information security is at an all time high, thanks in part to media coverage of high profile security incidents.
These incidents are good news for the security profession, Roberts remarks. "All those things in the press are good for us, as they bring security to the attention of people and give me a little more leverage," he says. "It gives us reason to be paranoid, and it’s my job to be paranoid.
