WithPCI.com

A3.5.1 A methodology is implemented for the prompt identification of attack patterns and undesirable behavior across systems

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A3.5.1 A methodology is implemented for the prompt identification of attack patterns and undesirable behavior across systems that includes:

  • Identification of anomalies or suspicious activity as it occurs.
  • Issuance of prompt alerts upon detection of suspicious activity or anomaly to responsible personnel.
  • Response to alerts in accordance with documented response procedures.

PCI DSS Reference: Requirements 10, 12

Customized Approach Objective

This requirement is not eligible for the customized approach.

Defined Approach Testing Procedures

A3.5.1.a Examine documentation and interview personnel to verify a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a prompt manner, and includes all elements specified in this requirement.

A3.5.1.b Examine incident response procedures and interview responsible personnel to verify that:

  • On-call personnel receive prompt alerts.
  • Alerts are responded to per documented response procedures.

Purpose

The ability to identify attack patterns and undesirable behavior across systems—for example, using centrally managed or automated log-correlation tools—is critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something goes wrong. Determining the cause of a compromise is very difficult, if not impossible, without a process to corroborate information from critical system components and systems that perform security functions, such as network security controls, IDS/IPS, and file integrity monitoring (FIM) systems. Thus, logs for all critical system components and systems that perform security functions need to be collected, correlated, and maintained. This could include using software products and service methodologies to provide real-time analysis, alerting, and reporting, such as security information and event management (SIEM), FIM, or change detection.
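The correlation-and-alerting flow described above, as an added example that is not from PCI DSS or WithPCI: a small Python correlator that ingests constructed sample log lines from three sources (a network security control, an IDS, and a FIM system), groups them per host, raises an alert when at least two distinct security sources report suspicious activity on the same host within a five-minute window, routes the alert to a hypothetical on-call address, and attaches a hypothetical response-procedure identifier so the responder knows which documented procedure applies. The log format, hostnames, IP addresses, on-call addresses and the procedure ID are all assumptions made for the example.

```python
"""Cross-source log correlation with on-call routing (added example, not PCI DSS text)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Format assumed: "<ts> <source> k=v k=v ...".
# db01 is hit by firewall denies, an IDS signature and a FIM change within ~90 seconds;
# web02 only shows an allowed connection and, an hour later, one FIM change.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fw host=db01 action=DENY src=203.0.113.7 dst=10.0.5.20 dport=3306
2024-05-01T10:00:04Z fw host=db01 action=DENY src=203.0.113.7 dst=10.0.5.20 dport=3306
2024-05-01T10:00:09Z ids host=db01 sig="SQL injection attempt" src=203.0.113.7
2024-05-01T10:01:30Z fim host=db01 path=/etc/passwd change=MODIFIED
2024-05-01T10:05:00Z fw host=web02 action=ALLOW src=198.51.100.9 dst=10.0.5.30 dport=443
2024-05-01T11:00:00Z fim host=web02 path=/var/www/index.html change=MODIFIED
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical routing table and documented-procedure reference.
ON_CALL = {"db": "dba-oncall@example.test", "default": "soc-oncall@example.test"}
RESPONSE_PROCEDURE = "IR-PROC-07"  # hypothetical ID of the documented response procedure


@dataclass
class Event:
    ts: datetime
    source: str          # fw, ids or fim
    fields: dict


@dataclass
class Alert:
    host: str
    sources: list        # distinct security sources that corroborate the activity
    first_seen: datetime
    last_seen: datetime
    on_call: str         # responsible personnel to page
    procedure: str       # documented response procedure to follow


def parse_line(line: str) -> Event | None:
    """Parse one "<ts> <source> k=v ..." line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    return Event(ts, m.group(2), fields)


def parse_logs(text: str) -> list[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_suspicious(e: Event) -> bool:
    """Per-source rule deciding whether an event counts toward an attack pattern."""
    if e.source == "fw":
        return e.fields.get("action") == "DENY"
    if e.source == "ids":
        return True                      # any IDS signature is suspicious on its own
    if e.source == "fim":
        return e.fields.get("change") in {"MODIFIED", "DELETED", "CREATED"}
    return False


def route(host: str) -> str:
    """Pick the on-call contact from the (hypothetical) routing table."""
    return ON_CALL["db"] if host.startswith("db") else ON_CALL["default"]


def correlate(events: list[Event], window: timedelta = timedelta(minutes=5),
              min_sources: int = 2) -> list[Alert]:
    """Alert when >= min_sources distinct sources see suspicious activity on one host within window."""
    by_host: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if is_suspicious(e):
            by_host[e.fields.get("host", "unknown")].append(e)

    alerts: list[Alert] = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e.ts - start.ts <= window]
            sources = sorted({e.source for e in win})
            if len(sources) >= min_sources:
                alerts.append(Alert(host, sources, win[0].ts, win[-1].ts,
                                    route(host), RESPONSE_PROCEDURE))
                break   # one alert per host per run so on-call is not paged repeatedly
    return alerts


def format_alert(a: Alert) -> str:
    """Message body that would be sent to the on-call contact."""
    return (f"[ALERT] host={a.host} sources={','.join(a.sources)} "
            f"first={a.first_seen.isoformat()} last={a.last_seen.isoformat()} "
            f"to={a.on_call} follow={a.procedure}")


if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(format_alert(alert))
```

Only db01 produces an alert: the firewall denies, the IDS signature and the FIM change corroborate each other inside the window, which is the "corroborate information from critical system components and systems that perform security functions" the guidance calls for. web02 does not alert because an allowed connection is not suspicious and a single FIM change an hour later has no second source within the window; in practice that FIM event would still be retained and reviewed under its own rule rather than discarded.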

purpose

Designated Entities must implement a methodology that promptly identifies attack patterns and undesirable behavior across systems, alerts responsible personnel as soon as suspicious activity or an anomaly is detected, and drives response according to documented response procedures.

compliance strategies

  • Centrally collect and correlate logs from all critical system components and from systems that perform security functions (network security controls, IDS/IPS, FIM)
  • Use SIEM, FIM, or change-detection tooling to provide real-time analysis, alerting, and reporting
  • Route alerts to on-call personnel and map each alert type to a documented response procedure

typical policies

  • Security Monitoring and Alerting Policy
  • Incident Response Procedures

common pitfalls

  • Logs collected but never correlated across sources, so attack patterns spanning systems are missed
  • Alerts generated but not delivered promptly to the personnel responsible for acting on them
  • Alerts handled ad hoc rather than per the documented response procedures

type

Detection/Process Control

difficulty

Low

key risks

  • A compromise goes undetected, or is detected late, because suspicious activity is not identified or alerts are not acted on
  • The cause of a compromise cannot be determined because logs from critical and security systems were not collected, correlated, and retained

recommendations

  • Define which anomalies and suspicious activities trigger alerts, and periodically verify that alerts actually reach on-call personnel
  • Document the response procedures, exercise them, and record the handling of each alert as evidence for assessment
