{"id":80,"date":"2022-11-13T21:56:00","date_gmt":"2022-11-14T02:56:00","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=80"},"modified":"2022-11-13T20:00:54","modified_gmt":"2022-11-14T01:00:54","slug":"intro-to-pci-version-4-requirement-10","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/","title":{"rendered":"Intro to PCI version 4: Requirement 10"},"content":{"rendered":"\n<p>PCI requirement 10 is about actively watching the activity within your environment and keeping records of what\u2019s happening, so you can investigate when something does go wrong.\u00a0 That isn\u2019t always due to someone compromising your systems, but it is one of the possible uses of event logs.\u00a0 \u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overall Thoughts<\/h2>\n\n\n\n<p>This is the most reactive element of IT security.\u00a0 Keeping records of what is happening by its very nature can only present you with needed data AFTER the event has taken place.\u00a0 To be fair, the very nature of IT security frameworks is all reactive, as they adjust to changes in the landscape.\u00a0 At least that is the only noticeable way to view it.\u00a0 If changes are made ahead of a new threat, no one notices that threat \u2013 since it has already been made a non-threat.\u00a0 (If a tree gets hacked in the woods and no one hears it, do we even wonder how it got internet or what it was doing with it? Probably not).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s New for Req 10 in v4<\/h2>\n\n\n\n<p>There isn\u2019t too much new in requirement 10, from the net-new perspective. The new controls in requirement 10 of v4 are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>10.1.2 &#8211; Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood. (surprised?) 
&lt;- literally cut and paste this line from the post on requirement 9 (which was cut from 8, etc.)<\/li>\n\n\n\n<li>10.4.1.1 \u2013 Audit log reviews are automated.&nbsp; A clear attempt at minimizing risk associated with human error (or bad-faith internal actors).<\/li>\n\n\n\n<li>10.4.1.2 \u2013 A targeted risk analysis is performed to determine frequency of log reviews for all other system components.&nbsp; Do the due diligence to check the risk of other possible entry points into your sensitive system areas from other internal points.<\/li>\n\n\n\n<li>10.7.2 &#8211; Failures of critical security control systems are detected, alerted, and addressed promptly.&nbsp; Combined with the new 10.4.1.1, this one is all about reduction of time to respond.<\/li>\n\n\n\n<li>10.7.3 &#8211; Failures of critical security control systems are responded to promptly.&nbsp; It feels redundant, since 10.7.2 clearly states \u201caddressed promptly\u201d, but this control is the SSC being very specific that a response of some fashion is the only acceptable way to \u201caddress it\u201d.&nbsp; What is the difference between a \u201cresponse\u201d and something being \u201caddressed\u201d?&nbsp; To be short with the answer \u2013 action taken.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Changes to v4.10 (Looks like a kid&#8217;s shotgun written this way &#8211; BAM!)<\/h2>\n\n\n\n<p>Requirement 10 is mostly shifting the focus to the use of automated solutions when reviewing log files.&nbsp; They are even changing the language to refer to \u201caudit logs\u201d instead of \u201caudit trails\u201d, to further reinforce the idea that event monitoring is key, along with technical solutions to provide alerts to the correct people and start the investigation process (ideally via ticket creation).<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>10 \u2013 Clarification\/guidance \u2013 Updated principal requirement title to reflect focus on audit logs, system components, and cardholder 
data. Clarified that these requirements do not apply to user activity of consumers (cardholders). Replaced \u201cAudit trails\u201d with \u201cAudit logs\u201d throughout.<\/li>\n\n\n\n<li>10.2 \u2013 Removed \u2013 Structure\/format &#8211; Removed \u201cnull\u201d requirement (all content pointed to other requirements).<\/li>\n\n\n\n<li>10.5 \u2013 Removed \u2013 Structure\/format &#8211; Removed \u201cnull\u201d requirement (all content pointed to other requirements).<\/li>\n\n\n\n<li>10.5.1 \u2013 10.5.5 \u2013 Now 10.3.1 \u2013 10.3.4 &#8211; Moved audit log protection requirements under Requirement 10.3.<\/li>\n\n\n\n<li>10.5.3 \/ 10.5.4 \u2013 Now 10.3.3 &#8211; Structure\/format &#8211; Combined requirements to align similar topics.<\/li>\n\n\n\n<li>10.6 \u2013 Removed \u2013 Structure\/format &#8211; Removed \u201cnull\u201d requirement (all content pointed to other requirements).<\/li>\n\n\n\n<li>10.6.1 \u2013 10.6.3 \u2013 Now 10.4.1 \u2013 10.4.3 \u2013 Structure\/format \u2013 Moved requirements for audit log reviews to 10.4.<\/li>\n\n\n\n<li>10.7 \u2013 Now 10.5.1 \u2013 Structure\/format \u2013 Moved requirements for audit log history to 10.5.1.<\/li>\n\n\n\n<li>10.4\/10.4.1 \u2013 10.4.3 \u2013 Now 10.6.1 \u2013 10.6.3 \u2013 Structure\/format \u2013 Moved time synchronization under 10.6 and reorganized.<\/li>\n\n\n\n<li>10.8 \u2013 Now 10.7.1 \u2013 Structure\/format &#8211; Moved service-provider-only requirement to detect, alert, and promptly address failures of critical control systems to Requirement 10.7.1.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>As you can see by looking over the exciting, bulleted list (?) 
of changes to requirement 10, almost all of them are only structural changes.&nbsp; The one that isn\u2019t is focused on the semantics of \u201ctrails\u201d versus \u201clogs\u201d.&nbsp; Even with those minor changes and the short list of new controls, don\u2019t let your guard down on this one.&nbsp; Most of you are probably already running some form of automated log review and alerting system.&nbsp; Take the time to go through it and confirm it is configured to remove the manual processes as much as the technology will support.&nbsp; It would be a good idea to also go through your firewall access lists and do the targeted risk analysis (TRA) on all potential entry points into your environment.&nbsp; My advice would be to look over each VLAN managed by the firewalls that control access to sensitive networks and do a separate TRA on each of them.&nbsp; For some this will likely take only a few minutes.&nbsp; Others will require a deeper dive, but in either case it is worth the effort \u2013 even if you think it is only a tool towards compliance.<\/p>\n\n\n\n<p>As always, I hope this tidbit of information gives you a base to have discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge.\u00a0 Feel free to reach out to me directly with questions or to have a conversation via my email and\/or social media information on the TBF website.\u00a0 Thanks for taking the time to read my thoughts on PCI v4 Requirement 10.\u00a0 We will continue to work through each of the PCI requirements each week.<\/p>\n\n\n\n<p>~ Shawn<\/p>\n","protected":false},"excerpt":{"rendered":"<p>PCI requirement 10 is about actively watching the activity within your environment and keeping records of what\u2019s happening, so you can investigate when something does go wrong.\u00a0 That isn\u2019t always due to someone compromising your systems, but it is one of the possible uses of event logs.\u00a0 \u00a0 Overall Thoughts This is the most &hellip; <\/p>\n<p 
class=\"link-more\"><a href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Intro to PCI version 4: Requirement 10&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8,5,7,6],"tags":[],"class_list":["post-80","post","type-post","status-publish","format-standard","hentry","category-assurance","category-pci","category-shawn","category-version-4"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Intro to PCI version 4: Requirement 10 - Shawn&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Intro to PCI version 4: Requirement 10 - Shawn&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"In PCI requirement 10 is about actively watching the activity within your environment and keeping records of what\u2019s happening, so you can investigate when something does go wrong.\u00a0 That isn\u2019t always due to someone compromising your systems, but it is one of the possible use of event logs.\u00a0 \u00a0 Overall Thoughts This is the most &hellip; Continue reading &quot;Intro to PCI version 4: Requirement 10&quot;\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/\" \/>\n<meta property=\"og:site_name\" content=\"Shawn&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-14T02:56:00+00:00\" \/>\n<meta name=\"author\" content=\"TBF_Shawn\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TBF_Shawn\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/13\\\/intro-to-pci-version-4-requirement-10\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/13\\\/intro-to-pci-version-4-requirement-10\\\/\"},\"author\":{\"name\":\"TBF_Shawn\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"headline\":\"Intro to PCI version 4: Requirement 10\",\"datePublished\":\"2022-11-14T02:56:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/13\\\/intro-to-pci-version-4-requirement-10\\\/\"},\"wordCount\":895,\"articleSection\":[\"Assurance\",\"PCI\",\"Shawn\",\"version 4\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/13\\\/intro-to-pci-version-4-requirement-10\\\/\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/13\\\/intro-to-pci-version-4-requirement-10\\\/\",\"name\":\"Intro to PCI version 4: Requirement 10 - Shawn&#039;s 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\"},\"datePublished\":\"2022-11-14T02:56:00+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/13\\\/intro-to-pci-version-4-requirement-10\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/13\\\/intro-to-pci-version-4-requirement-10\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/11\\\/13\\\/intro-to-pci-version-4-requirement-10\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Intro to PCI version 4: Requirement 10\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\",\"name\":\"Shawn&#039;s Blog\",\"description\":\"Shawn&#039;s Thoughts and 
Ramblings\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\",\"name\":\"TBF_Shawn\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"caption\":\"TBF_Shawn\"},\"sameAs\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\"],\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/author\\\/tbf_shawn\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Intro to PCI version 4: Requirement 10 - Shawn&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/","og_locale":"en_US","og_type":"article","og_title":"Intro to PCI version 4: Requirement 10 - Shawn&#039;s Blog","og_description":"In PCI requirement 10 is about actively watching the activity within your environment and keeping records of what\u2019s happening, so you can investigate when something does go wrong.\u00a0 That isn\u2019t always due to someone compromising your systems, but it is one of the possible use of event logs.\u00a0 \u00a0 Overall Thoughts This is the most &hellip; Continue reading \"Intro to PCI version 4: Requirement 10\"","og_url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/","og_site_name":"Shawn&#039;s Blog","article_published_time":"2022-11-14T02:56:00+00:00","author":"TBF_Shawn","twitter_card":"summary_large_image","twitter_misc":{"Written by":"TBF_Shawn","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/#article","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/"},"author":{"name":"TBF_Shawn","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"headline":"Intro to PCI version 4: Requirement 10","datePublished":"2022-11-14T02:56:00+00:00","mainEntityOfPage":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/"},"wordCount":895,"articleSection":["Assurance","PCI","Shawn","version 4"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/","url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/","name":"Intro to PCI version 4: Requirement 10 - Shawn&#039;s Blog","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website"},"datePublished":"2022-11-14T02:56:00+00:00","author":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"breadcrumb":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/11\/13\/intro-to-pci-version-4-requirement-10\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/terrabytefoundry.com\/blog_s\/"},{"@type":"ListItem","position":2,"name":"Intro to PCI version 4: Requirement 
10"}]},{"@type":"WebSite","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website","url":"https:\/\/terrabytefoundry.com\/blog_s\/","name":"Shawn&#039;s Blog","description":"Shawn&#039;s Thoughts and Ramblings","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/terrabytefoundry.com\/blog_s\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4","name":"TBF_Shawn","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","caption":"TBF_Shawn"},"sameAs":["https:\/\/terrabytefoundry.com\/blog_s"],"url":"https:\/\/terrabytefoundry.com\/blog_s\/author\/tbf_shawn\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/80","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/comments?post=80"}],"version-history":[{"count":1,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/80\/revisions"}],"predecessor-version":[{"id":81,"href":"https:\/\/terrabytefoundry.com\
/blog_s\/wp-json\/wp\/v2\/posts\/80\/revisions\/81"}],"wp:attachment":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/media?parent=80"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/categories?post=80"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/tags?post=80"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}