Bit9 Security Solution Technology Whitepaper Date: September 17, 2015

Transcription

1 P a g e 1 Bit9 Security Slutin Technlgy Whitepaper Date: September 17, 2015 Atlanta Bstn Dallas Denver Ls Angeles Manchester (U.K.) New Yrk San Francisc Seattle Washingtn, D.C inf@calfire.cm

2 P a g e 2 O v e r v i e w Bit9 + Carbn Black cntracted with Calfire Systems, Inc. (Calfire), t cnduct an independent assessment f their Bit9 architecture as it pertains t security and Payment Card Industry Data Security Standard (PCI DSS) scpe. Calfire is certified by the Payment Card Industry Security Standards Cuncil (PCI SSC) as a Qualified Security Assessr Cmpany and is a leading industry prvider f IT security, gvernance and regulatry cmpliance services. The purpse f this white paper is t prvide an verview f Calfire s assessment f the Bit9 architecture and t cnfirm t what extent Bit9 helps satisfy PCI DSS requirements. The scpe f the PCI DSS cntrls selected fr validatin was derived thrugh cllabratin with Bit9 cmpliance individuals and Calfire assessrs. The review and testing was perfrmed based n the use cases generated fr validatin f PCI DSS requirements that are addressed when Bit9 is utilized. The assessment perfrmed included the fllwing cmpnents: Review verall design and architecture f Bit9 Sftware. Technical Testing and related evidence cllectin fr the use cases prvided: Re-perfrmance testing f the slutin Observatin f the slutin including installatin, cnfiguratin and functinal capabilities Frensics analysis t cnfirm n cardhlder data is ever captured by Bit9. Interviews with Subject Matter Experts (SMEs). Review and feedback f supprting dcumentatin. There are n knwn inhibitrs identified with the Bit9 slutin which wuld prevent an rganizatin frm implementing the slutin in a PCI envirnment. Additinally, there are features within the slutin which facilitate meeting certain PCI DSS requirements. Every rganizatin has unique business, technical and security gvernance requirements, as a result this paper des nt prvide detailed recmmendatins fr hw t cnfigure Bit9 t meet the applicable prtins f the PCI DSS and merchants shuld cnsult with their QSA t ensure prper implementatin. Bit9 prvides the flexibility t enable, manage, and meet PCI DSS requirements in many areas. Bit9 helps rganizatins with varius PCI requirements such as file-integrity mnitring /cntrl, change mnitring and alerting, and audit trail retentin. The slutin can als supprt the develpment f cmpensating cntrls fr requirements such as anti-virus and patching (prtectin f unpatched systems). Carbn Black is a cmplementary security slutin that can als help satisfy PCI DSS requirements in areas such as establishing a prcess t identify security vulnerabilities, file-integrity mnitring and alerting. The fcus f this particular paper hwever is nly n the Bit9 prduct. The Carbn Black prduct was nt tested fr this whitepaper.

3 P a g e 3 Audience This white paper has varius target audiences: QSA and Internal Audit Cmmunity: This audience may be evaluating Bit9 t assess merchant r service prvider envirnment fr PCI DSS. Administratrs and Other Cmpliance Prfessinals: This audience may be evaluating Bit9 fr use within their rganizatin fr cmpliance requirements ther than PCI DSS. Merchant and Service Prvider Organizatins: This audience is evaluating Bit9 fr deplyment in their cardhlder data envirnment and what benefits culd be achieved frm using this slutin. PCI DSS Cmpliance O verview PCI DSS applies t all rganizatins that stre, prcess r transmit cardhlder data. This includes entities such as merchants, service prviders, payment gateways, data centers and utsurced service prviders. PCI Standard is mandated by the card brands and administered by the PCI SSC Cuncil. The PCI DSS standard specifies 12 requirements fr cmpliance rganized int six majr cntrl bjectives. Cntrl Objectives Build and Maintain a Secure Netwrk Prtect Cardhlder Data Maintain a Vulnerability Management Prgram Implement Strng Access Cntrl Measures Regularly Mnitr and Test Netwrks Maintain an Infrmatin Security Plicy PCI DSS Requirements 1. Install and maintain a firewall cnfiguratin t prtect cardhlder data 2. D nt use vendr-supplied defaults fr system passwrds and ther security parameters 3. Prtect stred cardhlder data 4. Encrypt transmissin f cardhlder data acrss pen, public netwrks 5. Use and regularly update anti-virus sftware n all systems cmmnly affected by malware 6. Develp and maintain secure systems and applicatins 7. Restrict access t cardhlder data by business need-t-knw 8. Assign a unique ID t each persn with cmputer access 9. Restrict physical access t cardhlder data 10. Track and mnitr all access t netwrk resurces and cardhlder data 11. Regularly test security systems and prcesses 12. Maintain a plicy that addresses infrmatin security

4 P a g e 4 C mp e nsating Cntr ls Cmpensating cntrls can be utilized by merchant r service prvider rganizatins t achieve cmpliance fr PCI DSS requirements when an entity cannt currently meet a requirement explicitly as stated, due t legitimate technical r dcumented business cnstraints, but has sufficiently mitigated the risk assciated with the requirement thrugh implementatin f ther, r cmpensating, cntrls. 1 Cmpensating cntrls are hwever required t satisfy the fllwing listed criteria: 1. The intent and rigr f the riginal PCI DSS requirement has t be met. 2. A similar level f defense as the riginal PCI DSS requirement has t be prvided, such that the cmpensating cntrl sufficiently ffsets the risk that the riginal PCI DSS requirement was designed t defend against. 3. Be abve and beynd ther PCI DSS requirements. (Simply being in cmpliance with ther PCI DSS requirements is nt a cmpensating cntrl.) This whitepaper assumes that the reader is familiar with PCI DSS and relevant guidance publicatins, card brand requirements and any ther supplemental dcuments frm PCI SSC cuncil. Methdlgy Calfire cnducted this validatin thrugh rigrus technical testing in ur cmpliance validatin labs using cmmn PCI envirnmental scenaris. The utcme f this testing prvides verificatin that custmers implementing Bit9 will be able t meet specific PCI DSS cntrl requirements in their real wrld cardhlder data envirnments. Each PCI requirement was assessed by validating the utput r state f the Bit9 prduct as deplyed in ur lab scenari. A brad spectrum f netwrk, system and applicatin scenaris was used in ur validatin testing. Test results and lab cnfiguratins are summarized in the technical sectin f the white paper. Summary Findings Bit9 architecture and implementatin requirements can be deplyed in a PCI envirnment allwing a custmer t meet PCI requirements. When implemented prperly, Bit9 can prvide prtectin against current malware that target Pint f Sale Systems, fixed functin devices. When prperly deplyed and cnfigured, Bit9 can satisfy specific PCI DSS requirements r supprt the develpment f cmpensating cntrls t meet PCI DSS requirements: 1

5 P a g e 5 PCI Requirement Directly Meets Requirements Supprts the Develpment f Cmpensating Cntrls a A p p l i c a t i n A r c h i t e c t u r e a n d S e c u r i t y Bit9 is a cmprehensive and widely deplyed endpint threat prtectin and cmpliance slutin. Cmbining a trust-based and plicy-driven apprach t applicatin cntrl with real-time threat intelligence, Bit9 cntinuusly mnitrs and recrds all endpint and server activity t prevent, detect and respnd t cyber threats that evade traditinal security defenses. 2 With pen APIs and a brad partner ecsystem, Bit9 prvides exceptinal flexibility t seamlessly integrate with bth in-huse and third-party tls. Carbn Black is anther security slutin that prvides endpint threat detectin and rapid respnse slutins fr Security Operatins Center (SOC) and Incident Respnse (IR) teams. 3 When Bit9 and Carbn Black are used in cmbinatin they prvide functinality fr cntinuus mnitring and recrding f all activities n endpint servers fr varius rganizatins. Instant Visibility: Bit9 agent prvides administratrs with real-time visibility int all executable type files running acrss the envirnment. Trust ratings can be used t identify and autmatically take actin against the files that culd be malicius. Carbn Black can als prvide visibility int files, executins, netwrk cnnectins, critical system resurces n each system and the relatinships between them. Preventin with Flexibility: Using Bit9 s practive preventin capabilities, Bit9 security platfrm can reduce an rganizatin s attack surface prviding administratrs with flexibility t ensure right balance between prtectin and access. Advanced Detectin: It includes autmated and clud delivered advanced threat detectin technlgies t quickly identify and stp attacks. Using Bit9 + Carbn Black threat intelligence clud, Bit9 can cntinuusly mnitr and detect malicius activity acrss all endpints in the rganizatin envirnment

6 P a g e 6 Rapid Respnse: Bit9 prvides tls t help rganizatin rapidly respnd, lg and investigate security incidents nce an attack is detected. Open API architecture: Bit9 can be integrated with third party security prducts like Security Infrmatin and Event Management (SIEM), Netwrk, Endpint, peratins fr imprved autmatin, reprting and faster security respnse times. Please nte that Carbn Black slutin was nt evaluated and tested fr this whitepaper wrk. B it9 Architec tur e Di a g r a m Bit9 Architecture cnsists f the fllwing cmpnents: Bit9 Server Sftware prvides central file security management, event mnitring and a live inventry f files f interest n all agent systems Bit9 Agent Sftware runs n desktps, laptps, virtual machines and fixed functin devices. The agent sftware mnitrs files and either blcks r permits executin based n security plicy settings. Bit9 Sftware Reputatin Service: cmpares new files intrduced n cmputers running Bit9 agent t a database f knwn files, prviding infrmatin n threat level, trust factr and sftware categrizatin. Bit9 can be integrated with third party prducts like Splunk and ther netwrk security prducts.

7 P a g e 7 T e c h n i c a l A s s e s s m e n t Calfire assessr cnfigured Windws 2008 R2 Server as Bit9 Server with necessary sftware like Internet Infrmatin Services (IIS), SQL Server,.NET Framewrk as per instructins in the server set up guide. The Bit9 agent was then installed n the Bit9 Windws 2008 server as well as a separate database server with Windws 2008 R2. The scpe f the assessment was defined with the fllwing tasks: Understand prduct functinality, architecture, implementatin and peratin Review installatin guidance and supprting dcumentatin Test Bit9 prduct fr required cntrls in the lab envirnment Review and verify Bit9 sftware hardening best practices Review Bit9 server cnfiguratins and capabilities Verificatin f slutin fr security and cmpliance Review and testing t cnfirm n cardhlder data is ever captured r managed by the slutins Review and validate hw Bit9 prvides cmpliance supprt fr rganizatins. Review and testing f cnfiguratins fr File-integrity mnitring cntrl Review and testing fr use f prduct as cmpensating cntrl t replace antivirus Review and testing fr use f prduct as cmpensating cntrl fr nt having current patches n End f Life (EOL) perating systems fr e.g. Windws XP, Windws 2003 Review and testing f cntrls that require mnitring and alerting fr lg and critical files. The assessment was fcused n the prduct s ability t satisfy certain PCI DSS requirements and was nt a cmplete review f the Bit9 prduct. The fllwing use cases were tested during the assessment. Please nte that Bit9 agent was nt installed n all perating systems as nted in use cases belw, but the requirements testing that were t be validated was accmplished using the prduct specified, and specific rules and settings nted. U s e Case 1: Operating Systems: Windws 7, Windws XP standard and Embedded Requirement t Accmplish: Needed t meet PCI standard 11.5 fr File Integrity Mnitring. Needed t utilize Bit9 as a cmpensating cntrl fr Requirement 6.2 and ensure that unsupprted systems are lcked dwn and prtected in the absence f patches and supprt. Prduct emplyed: Bit9 Plicy specific Settings and Rules: File Integrity Rules created t blck unauthrized access t cre critical system files (i.e. *. Sys, *.cmd, *.cfg)

8 P a g e 8 U s e Case 2: Operating Systems: Windws XP standard and Embedded, Windws 2003 Server Requirement t Accmplish: PCI DSS Requirement 5.x, 6.2, 11.5 Replace burdensme AV with Bit9. Needed t satisfy requirement 5.x using Bit9 as a cmpensating cntrl t AV. Needed t ensure that unsupprted systems are lcked dwn and prtected in the absence f patches and supprt. Prduct Emplyed: Bit9 Plicy specific Settings and Rules: Systems were set t a High enfrcement plicy and cmbined with bth custm memry and registry rules t prtect the unsupprted fixed functin endpints. File Integrity Rules created t blck unauthrized access t cre critical system files (i.e *. Sys, *.cmd, *.cfg) U s e Case 3: Operating Systems: Windws XP, Windws 7 and Windws 8 Requirement t Accmplish: PCI Requirement 5.x, 6.2, 11.5 Needed t meet PCI standard 6.2 in rder t ensure the prtectin f their XP systems first. File risk ranking was dne thrugh Bit9 which prvided reprting n the threat and trust f the entire file infrastructure. They needed t prtect their ATM machines, many f which were running windws XP withut any frm f advanced prtectin ther than AV. Prduct emplyed: Bit9 Plicy specific Settings and Rules: File integrity rules fr memry and registry as well as unauthrized change. Endpint systems were put int a high enfrcement Plicy.

9 P a g e 9 Validatin Findings f r Bit9 PCI Requirement Hw Bit9 Supprts PCI Cmpliance Test Prcedure PCI DSS Requirement 5: Prtect all systems against malware and regularly update anti-virus sftware r prgrams Ensure that anti-virus prgrams are capable f detecting, remving, and prtecting against all knwn types f malicius sftware. Bit9 can be used in develping a cmpensating cntrl t replace the anti-virus sftware OR Bit9 can be used alngside anti-virus sftware slutins. Bit9 can stp cyber threats that evade antivirus and ther traditinal defenses using zer-day and targeted attacks. Bit9 prvides preventin by giving rganizatins visibility int everything running n their endpints and servers. Bit9 prvides signature-less detectin and preventin f advanced threats Bit9 prvides recrded histry f all endpint and server activity t rapidly respnd t alerts and incidents Deplyed Bit9 and set up plicies using High, Medium and Lw enfrcement cmbined with bth custm memry and registry rules. Attempted t install varius sftware including malicius sftware n the system with Bit9 installed and cnfigured (with High enfrcement). Bit9 was able t blck the attempt and prvided alert ntificatin in the Bit9 dashbard Fr systems cnsidered t be nt cmmnly affected by malicius sftware, perfrm peridic evaluatins t identify and evaluate evlving malware threats in rder t cnfirm whether such systems cntinue t nt require anti-virus sftware. Bit9 can be used n servers nt affected cmmnly by malicius sftware t evaluate threats n such systems Bit9 prvides preventin by giving rganizatins visibility int everything running n their endpints and servers. Bit9 prvides signature-less detectin and preventin f advanced threats Deplyed Bit9 and set up plicies using High, Medium and Lw enfrcement cmbined with bth custm memry and registry rules. 5.3 Ensure that anti-virus mechanisms are actively running and cannt be disabled r altered by users, unless specifically authrized by management n a case-by-case basis fr a limited time perid. Bit9 can be used in develping a cmpensating cntrl t replace the anti-virus sftware OR Bit9 can be used alngside antivirus sftware. Bit9 can cntinuusly mnitr and recrd all activity n endpint and servers. Bit9 can be cnfigured as such that end users cannt disable the sftware- unless authrized administratr grants that access. Deplyed Bit9 agents n servers and attempted t stp Bit9 Service and uninstall Bit9 sftware, assessr was unable t d s. Bit9 tamper prtectin is enabled by default, Only Bit9 administratrs can enable/disable the tamper prtectin feature frm within the Bit9 sftware. 5.4 Ensure that security plicies and peratinal prcedures fr prtecting systems against malware are dcumented, in use, and knwn t all affected parties. Bit9 can be used in develping a cmpensating cntrl t assist rganizatins with ensuring the plicies and prcedures are peratinal Advanced threat detectin can help distribute and enfrce cmpliance plicies and put mechanisms in place t infrm and educate end users n established plicies Observed and tested varius cnfiguratins within Bit9 sftware like belw Tamper prtectin feature, High, medium and lw enfrcement plicies cmbined with custm memry and registry rules PCI DSS Requirement 6: Develp and maintain secure systems and applicatins

10 P a g e 10 PCI Requirement Hw Bit9 Supprts PCI Cmpliance Test Prcedure 6.2 Ensure that all system cmpnents and sftware are prtected frm knwn vulnerabilities by installing applicable vendr-supplied security patches. Install critical security patches within ne mnth f release. Bit9 can be used in develping a cmpensating cntrl fr nt having current patches n the systems r fr systems that d nt have patches available (e.g. Windws XP, Windws 2003 servers) Only allwed executables can be allwed t run n devices/ systems by blcking executin f sftware Untrusted sftware can be cntinuusly blcked Custmers can then use risk-based apprach t priritize installatins. Advanced Threat indicatrs can prvide additinal intelligence n cntrlled endpints and alert persnnel in event f critical system change that can impact security and cmpliance. PCI DSS Requirement 10: Track and mnitr all access t netwrk resurces and cardhlder data Systems were set t a High r Medium enfrcement plicy and cmbined with bth custm memry and registry rules t prtect the unsupprted fixed functin endpints. File-Integrity Rules created t blck unauthrized access t cre critical system files (i.e. *. Sys, *.cmd, *.cfg). Assessr attempted t install unknwn/malicius executable files n the system, Bit9 sftware was able t blck the executin f the sftware. Assessr als tried t make mdificatins in the cre critical system files n the Windws Operating System and was unable t make any changes Use file-integrity mnitring r change-detectin sftware n lgs t ensure that existing lg data cannt be changed withut generating alerts (althugh new data being added shuld nt cause an alert) Retain audit trail histry fr at least ne year, with a minimum f three mnths immediately available fr analysis (fr example, nline, archived, r restrable frm backup). Bit9 prvides file-integrity cntrl t Blck unauthrized writes t lg files and any critical files n the systems Ensures that nly authrized prcesses can write r update the lg files and critical files Alerts can be sent ut in case unauthrized prcesses changes data lg files and critical files Using Bit9, all audit trail histry can be retained within the server fr 3 mnths. The data can be immediately available fr analysis. After 3 mnths the data can be frwarded t Security Infrmatin and Event Management (SIEM) frm within Bit9. Cnfigured file-integrity mnitring t reprt actins when lg data and critical files are changed. Ntificatins were available thrugh the Bit9 cnsle dashbard. ntificatins were als cnfigured thrugh the Bit9 cnsle. Assessr tried t make mdificatins in the cre critical system files n the Windws Operating System that were registered thrugh Bit9 and was unable t make any changes. Perfrmed frensics using AccessFTK fr the perating system with Bit9 prduct and a sample payment applicatin n the system. Bit9 des nt capture, stre r transmit any cardhlder data, nly hash f the files are calculated and stred in the Bit9 database. Bit9 settings were bserved t cnfirm that the event lg can be cnfigured fr retentin f 3 mnths. After 3 mnths, custmers have t cnfigure Bit9 t have the lgs frwarded t SIEM. Bit9 can hld event lg files and data can be backed-up by custmer t centralized server. Retentin can be nline fr 90 days and after 3 mnths it can be backed up. PCI DSS Requirement 11: Regularly test security systems and prcesses

11 P a g e 11 PCI Requirement Hw Bit9 Supprts PCI Cmpliance Test Prcedure 11.5 Deply a change-detectin mechanism (fr example, file-integrity mnitring tls) t alert persnnel t unauthrized mdificatin (including changes, additins and deletins) f critical system files, cnfiguratin files, r cntent files; and cnfigure the sftware t perfrm critical file cmparisns at least weekly a Verify the use f a changedetectin mechanism within the cardhlder data envirnment by bserving system settings and mnitred files, as well as reviewing results frm mnitring activities Implement a prcess t respnd t any alerts generated by the changedetectin slutin. Bit9 file-integrity cntrl prevents unauthrized mdificatin f critical system files and cntent files while ensuring nly authrized prcesses can write t these files. Bit9 file-integrity cntrl prevents unauthrized mdificatin f critical system files and cntent files while ensuring nly authrized prcesses can write t these files. Files can be mnitred by selecting the specific flders and reprting the changes. Advanced Threat Indicatrs functinality can be used t identify file changes. Bit9 prvides practive apprach t rganizatins t analyze data in real-time s that critical system files, cnfiguratin files r cntent files can be prtected. Prcess fr respnding t alerts received remains the respnsibility f the merchant/ service prvider rganizatin. File Integrity Rules were created t blck unauthrized access t cre critical system files (i.e. *. Sys, *.cmd, *.cfg). Reprts were generated fr the events ccurred and prvided details n the changes that ccurred n specific files. Results were reviewed thrugh the weekly reprt generated. Assessr tried t make mdificatins in the cre critical system files n the Windws Operating System that were registered thrugh Bit9 and was unable t make any changes. Perfrmed frensics using AccessFTK fr the perating system with Bit9 prduct and a sample payment applicatin n the system. Bit9 des nt capture, stre r transmit any cardhlder data, nly hash f the files are calculated and stred in the Bit9 database. Cnfigured file-integrity cntrl t reprt actins when critical system files and cntent files are changed. Reprts were generated fr the events ccurred and prvided details n the changes that ccurred n specific files. Results were reviewed thrugh the weekly reprt generated. Assessr tried t make mdificatins in the cre critical system files n the Windws Operating System that were registered thrugh Bit9 and was unable t make any changes. Perfrmed frensics using AccessFTK fr the perating system with Bit9 prduct and a sample payment applicatin n the system. Bit9 des nt capture, stre r transmit any cardhlder data, nly hash f the files are calculated and stred in the Bit9 database. Cnfigured file-integrity cntrl t reprt actins when critical system files and cntent files are changed. Reprts were generated fr the events ccurred and prvided details n the changes that ccurred n specific files. Ntificatins thrugh Bit9 were available thrugh the Bit9 cnsle dashbard. ntificatins were als cnfigured thrugh the Bit9 cnsle.

12 P a g e 12 C n c l u s i n : After reviewing the requirements f PCI DSS, Calfire has determined thrugh review f business impact and technical assessment that Bit9 as utlined in this dcument meets several PCI DSS requirements. The ability t achieve verall cmpliance with any regulatin r standard will be dependent upn the specific design and implementatin f the Bit9 prduct in the cntext in which it is implemented. Bit9 demnstrated high level f flexibility fr custmizatin f plicies, sftware rules, events and indicatrs. The flexibility makes Bit9 adaptable t different envirnments and capable f addressing cmpliance requirements. Bit9 is a direct r cmpensating cntrl fr several PCI DSS requirements (as detailed n page 5), helping rganizatins meet the evlving cmpliance and security needs f their envirnments. Bit9 aligns with cmpliance requirements related t: File-integrity mnitring and alerting Audit trail retentin fr 3 mnths Antivirus requirements Patch requirements (prtectin f unpatched/end-f-life systems) L e g a l D i s c l a i m e r : Calfire is slely respnsible fr the cntents f this dcument as f the date f publicatin. The cntents f this dcument are subject t change at any time based n revisins t the applicable regulatins and standards (HIPAA, PCI-DSS et.al). Cnsequently, any frward-lking statements are nt predictins and are subject t change withut ntice. While Calfire has endeavred t ensure that the infrmatin cntained in this dcument has been btained frm reliable surces, there may be regulatry, cmpliance, r ther reasns that prevent us frm ding s. Cnsequently, Calfire is nt respnsible fr any errrs r missins, r fr the results btained frm the use f this infrmatin. Calfire reserves the right t revise any r all f this dcument t reflect an accurate representatin f the cntent relative t the current technlgy landscape. In rder t maintain cntextual accuracy f this dcument, all references t this dcument must explicitly reference the entirety f the dcument inclusive f the title and publicatin date; Neither party will publish a press release referring t the ther party r excerpting highlights frm the dcument withut prir written apprval f the ther party. If yu have questins with regard t any legal r cmpliance matters referenced herein yu shuld cnsult legal cunsel, yur security advisr and/r yur relevant standard authrity.