LogRhythm and PCI Compliance

Transcription

1 LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS standards apply to all organizations that store, process or transmit cardholder data and all affected organizations must be PCI compliant. The PCI DSS standards are enforced by the founding members of the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The first PCI DSS standard is a combined effort from the results of several independent company data protection standards. The Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The first PCI DSS standard was released on December 15, 2004 and its latest revision was released on October 1, LogRhythm is a participating organization in the PCI Security Standards Council and as such, will work with the Council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards. The collection, management, and analysis of log data are integral to meeting PCI audit requirements. IT environments include many heterogeneous devices, systems, and applications that all report log data. Millions of individual log entries can be generated daily, if not hourly. The task of simply assembling this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly. LogRhythm has extensive experience in helping organizations improve their overall security and compliance posture while reducing costs. Log collection, archive, and recovery are fully-automated across the entire IT infrastructure. LogRhythm automatically performs log data categorization, identification, and normalization to facilitate easy analysis and reporting. LogRhythm s best-of-breed log management capabilities enable automatic identification of the most critical events and notification of relevant personnel through its powerful Alarming capabilities. LogRhythm provides out-of-the-box PCI compliance. As part of the PCI Compliance Package, enterprise assets are categorized according to Network Security, Cardholder Data, Vulnerability Management, Access Control, Network Monitoring and Testing, and Information Security Policy. To ensure compliance with PCI requirements, information systems are monitored in real-time. Investigations, Reports and Alarm Rules are provided, allowing for immediate notification and analysis of conditions that impact the integrity of the organization s cardholder data. Areas of non-compliance can be identified in real time. Additional Investigations, Reports and Alarm Rules are provided as part of LogRhythm s standard Knowledge Base to further augment the usefulness of the log data. Reports can be generated as needed by the PCI Security Assessor and scheduled to run at pre-determined intervals. PCIwp LogRhythm, Inc. All Rights Reserved page 1 of 10

2 The table below explains how LogRhythm and the PCI Compliance Package address the six sections of the standard: PCI Section and Purpose LogRhythm Compliance Support Build and Maintain a Secure Network Protect Cardholder Data LogRhythm supports most popular firewall products and associated network protection systems such as intrusion protection systems, unified threat managers, and content inspection systems. Also specified is the removal of default passwords and to enforce the secure deployment of equipment in the organization. LogRhythm provides monitoring for insecurity such as use of default passwords. Alarming is provided when they are detected. LogRhythm monitors for proper operations and configuration changes that may jeopardize the security of cardholder data. Alarms are provided to identify suspicious network activity in real time. Maintain a Vulnerability Management Program Anti-virus software can be monitored for proper signature updates. Malicious software is centrally reported. Investigations can be launched to identify activities related to malware infections to assess exposure, incident handling and response. Vulnerabilities may be detected by systems and collected in real-time, allowing for faster awareness than spotcheck vulnerability assessments. Implement Strong Access Control Measures Access to card holder systems and data, changes in permissions and access rights, and suspicious behavior are all collected in real-time by LogRhythm. Investigations can be rapidly performed for any suspected abuses or compromises to PCI DSS protected data. Shared account usage can be easily spotted, as well as after-hours access or unusual account access frequency. Access successes and failures to systems, applications, and objects are collected and processed by LogRhythm. Regularly Monitor and Test Networks LogRhythm establishes the automated audit trail for all system components as mandated by PCI DDS Requirements , covering one of the most difficult-to-attain requirements. By converting this information to useful data, LogRhythm meets both the conditions and the spirit of these requirements. Maintain an Information Security Policy Most organizations need a security policy that extends into all areas of the business, and these environments may mirror the PCI standards or use more robust policies such as CobiT or ISO 27001/ LogRhythm supports enterprise-class systems that can be far more diverse than just the organization s PCI environment and ensure compliance with other security frameworks and regulations. The tables on the subsequent pages outline how LogRhythm directly meets requirements of the PCI sections. The requirements listed come directly from the PCI compliance documents located at the PCI Security Standards Council web site ( The column describes the capabilities LogRhythm provides that will meet, support or augment PCI compliance. PCIwp LogRhythm, Inc. All Rights Reserved page 2 of 9

3 Install and maintain a firewall configuration to protect data 1 LogRhythm collects logs from firewall devices to ensure and validate compliance Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure Periodic review of firewall/router rule sets Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. Verify that router configuration files are secure and synchronized Limit inbound Internet traffic to IP addresses within the DMZ Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment. Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ. LogRhythm provides monitoring and investigations to perform testing procedures 1.1.5a and 1.1.5b by showing the use of protocols in the network environment. Testing requires verification that all used services, protocols and ports have a business need. Reporting facilitates easy and independent review of firewall and router operation. Reports can be generated that shows actual traffic allowed and denied by firewall and router rule sets. PCI requires verification at least every six months. Verification that inbound and outbound traffic is properly controlled (limited and/or denied) for the cardholder data environment. LogRhythm detects and alerts on inbound internet activity within the cardholder data environment, providing verification of proper and the presence of improper network activities. LogRhythm identifies synchronization events and can be used to verify the proper functioning of routers, firewalls, or other collaborative network devices. Reports provide a consolidated review of internal/external activity and threats. Firewall And Router Policy Synchronization LogRhythm detects and alerts on inbound and outbound internet activity not restricted to the DMZ, identifying non-compliant network traffic or attempts to access services inside the DMZ that are not approved for Internet accessibility. LogRhythm can detect and alert on activity where internal addresses are not passed from the Internet into the DMZ. LogRhythm detects and alerts on any outbound activity not necessary for the payment card environment. Any accesses to IP addresses to unauthorized networks can be quickly identified. PCIwp LogRhythm, Inc. All Rights Reserved page 3 of 9

4 Do not use vendor-supplied defaults for system passwords and other security parameters 2 LogRhythm monitors the network for indications of improper behavior and signs of weak security configuration Always change vendor-supplied defaults before installing a system on the network for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts. Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web based management and other non-console administrative access. LogRhythm can alarm on detected use of default passwords or known default accounts that should not be used in a secure deployment. Example Alarms: Alarm On Default Account Usage Alarm On Anonymous Or Guest Account Usage LogRhythm provides a record of all services used and can alarm on the use of nonencrypted protocols. Use Of Non-Encrypted Protocols 3 Protect stored cardholder data LogRhythm provides monitoring of changes in the cardholder environment and can alarm on changes to security critical resources Prevention of unauthorized substitution of cryptographic keys LogRhythm may alarm on actions that affect specific files or objects, including cryptographic keys. The details of who, when and where a key was altered will be available in real-time to the custodian(s). File Integrity Monitoring Activity 4 Encrypt transmission of cardholder data across open, public networks LogRhythm monitors network use to ensure that only the proper protocols are being used in the cardholder data environment. LogRhythm records which protocols are being used in the cardholder data environment, showing when any unauthorized protocols or unencrypted services are used. In 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open public networks. addition, LogRhythm is capable of alarming on conditions where a system observes unencrypted information passed when expecting only encrypted traffic Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE i) to implement strong encryption for authentication and transmission. (Wireless is being prohibited by PCI after June 30, 2010.) LogRhythm can observe and report on detected wireless networks, identifying wireless access points that communicate with the cardholder data environment. Wireless Access Points PCIwp LogRhythm, Inc. All Rights Reserved page 4 of 9

5 Use and regularly update anti-virus software or programs 5 LogRhythm collects and can alarm on detected malware and compromises in the cardholder data environment Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs Develop and maintain secure systems and applications Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release. Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle. LogRhythm detects and alerts on any error conditions originating from anti-virus applications, when the services are started and stopped, as well as identifies when new signatures are installed. Alarming can be configured to inform the custodian(s) of when any malware is detected inside the cardholder data environment. Malware Detected Anti-Virus Signature Update Report Example Alarms: Alarm On Malware LogRhythm can track and report on when patches are installed on devices, showing which systems have had matching within the past month, or any other time frame as dictated by organizational policy. Patches Applied LogRhythm provides intelligence for the logging that custom written software needs to be effective. By providing an intelligence system for logs to be sent to, rules can be created to provide proper alarming, reporting, and enhancement to the abilities of any custom application to be used in the cardholder data environment Separation of duties between development/test and production environments Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes. LogRhythm can report on communications between production and development environments to ensure separation. Vulnerabilities outlined in section 6.5 can be detected by real-time examination tools or by using compatible vulnerability scanning systems. Attempts to attack the web applications, such as by a cross-site scripting vulnerability (XSS), can be alarmed on in real-time by LogRhythm. Vulnerabilities Detected PCIwp LogRhythm, Inc. All Rights Reserved page 5 of 9

6 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications LogRhythm can address either solution by working in conjunction with web exploit sensitive systems, such as Intrusion Detection Systems, Web-Application Firewalls, Stateful Inspection Firewalls, Web Servers, and other log sources to analyze detected potential abuses as well as provide a way to investigate suspected breaches. Suspicious Activity by User Top Targeted Hosts Suspicious Activity by Host Top Targeted Applications Top Suspicious Users Vulnerabilities Detected Restrict access to cardholder data by business need to know 7 LogRhythm monitors access privilege assignments and suspicious data accesses. 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access to cardholder data can be monitored by the custodian(s) of the data in real-time by collecting access control system data. Account creation, privilege assignment and revocation, and object access can be validated using LogRhythm. Host Authentication Summary Disabled Accounts Summary Applications Accessed by user Removed Account Summary Assign a unique ID to each person with computer access 8 LogRhythm helps identify shared account usage in the network, including unobvious accounts with more than one user. 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data. Account creation can be monitored through reporting and investigations of logs pertaining to the creation and modification of accounts. Accounts that have more than one user may be identified through investigations of frequent and/or suspicious login activities. Account Creation Activity Account Modification Activity Track and monitor all access to network resources and cardholder data 10 LogRhythm automates collection, centralization and monitoring of logs from servers, applications, security and other devices, significantly reducing the cost of compliance Implement automated audit trails for all system components to reconstruct PCI Standard specified events. LogRhythm s core capabilities are centralization and proper management of log data that comprises the majority of the audit trail. Reports can be produced to show all audit activity from account creation, through account activity, to account removal. Support for reporting on log data from custom applications containing portions of the audit trail is easily achieved using LogRhythm s built in rule building tools. Account Creation Activity User Authentication Summary User Access Summary Account Modification PCIwp LogRhythm, Inc. All Rights Reserved page 6 of 9

7 Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges. Implement automated audit trails for all system components to reconstruct all invalid logical access attempts. Record user identification, type of event, date and time for each audit trail entry. LogRhythm collects all account management activities. LogRhythm reports ensures policy adherence by providing easy and standard review of all account management activity. Account Creation Activity Account Modification Activity User Access Summary Host Access Granted & Revoked LogRhythm identifies failed access and authentication attempts for enterprise networked devices. LogRhythm automates the process of identifying high-risk activity and prioritizes based on asset risk. High-risk activity can be monitored in real-time or alerted on. LogRhythm reports provide easy and standard review of inappropriate, unusual, and suspicious activity. Disabled Accounts Summary Removed Account Summary Audit Exceptions Event Summary User Object Access Summary Failed Host Access By User Failed Application Access By User LogRhythm timestamps and classifies each event received to match this requirement, as well as extract useful information such as user identification, IP addresses and host names, objects accessed, vendor message ids, amounts affected (bytes, monetary values, quantities, durations), affected applications and other details useful for forensic investigation of the audit logs Synchronize all critical system clocks and times Many environments cannot synchronize system clocks to a single time standard, so LogRhythm independently synchronizes the timestamps of all collected log entries, ensuring that all log data is time-stamped to a standard time regardless of the time zone and clock settings of the logging hosts Limit viewing of audit trails to those with a job-related need Protect audit trail files from unauthorized modifications LogRhythm includes discretionary access controls allowing you to restrict the viewing of audit logs to individuals based on their role and Need-To-Know. Using LogRhythm helps ensure audit trail are protected from unauthorized modification. LogRhythm collects logs immediately after they are generated and stores them in a secure repository. LogRhythm servers utilize access controls at the operating system and application level to ensure that log data cannot be modified or deleted. PCIwp LogRhythm, Inc. All Rights Reserved page 7 of 9

8 Promptly back-up audit trail files to a centralized log server or media that is difficult to alter Write logs for external-facing technologies onto a log server on the internal LAN. LogRhythm automatically collects audit trails and stores them in a central and secure repository. When a log is collected, it is stored in a database for analysis and reporting and a copy is written to an archive file. The archive copy of the log also serves as a backup. Archive files can be written to SAN, NAS, or other central location providing for additional redundancy. Segregation can be performed by allowing only log traffic to pass through LogRhythm via firewall, filter control on a router, or configuring the LogRhythm appliance s firewall to reject unanticipated connections. LogRhythm can securely collect logs from the entire IT infrastructure including externalfacing technologies for storage on an internal LAN Network where a LogRhythm appliance resides Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). LogRhythm includes an integrated file integrity monitoring capability that ensures our collection infrastructure is not tampered with. Additionally, LogRhythm servers utilize access controls at the operating system and application level to ensure log data cannot be modified or deleted. Alerts are customizable to prevent or allow alarms on a caseby-case basis, including not causing an alert with new data being added Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up). An audit history usually covers a period of at least one year, with a minimum of 3 months available online LogRhythm supplies a one stop repository from which to review log data from across the entire IT infrastructure. Reports can be generated and distributed on automatically on a daily basis. LogRhythm provides an audit trail of who did what within LogRhythm and a report which can be provided to show proof of log data review. LogRhythm Usage Auditing LogRhythm completely automates the process of retaining your audit trail. LogRhythm creates archive files of all collected log entries. These files are organized in a directory structure by day making it easy to store, backup, and destroy log archives based on your policy. Regularly test security systems and processes LogRhythm can collect logs from intrusion detection/prevention systems and has integrated file integrity monitoring capabilities. The collection of IDS/IPS logs helps to ensure and validate compliance. LogRhythm s file integrity monitoring capabilities can be used to directly meet requirement Use network intrusion detection systems, host-based intrusion LogRhythm collects logs from network and host based IDS/IPS systems. Its risk-based detection systems, and/or intrusion prevention systems to prioritization and alerting reduce the time and cost associated with monitoring and monitor all network traffic and alert personnel to suspected responding to IDS/IPS alerts. The Personal Dashboard feature can be used to monitor compromises. Keep all intrusion detection and prevention intrusion related activity in real-time. A powerful Investigator tool makes forensic PCIwp LogRhythm, Inc. All Rights Reserved page 8 of 9 engines up to date search easy and efficient. LogRhythm combined with IDS/IPS is an extremely powerful tool in identifying and responding to intrusion related activity efficiently and accurately.

9 Successful/Failed Host Access by User Successful/Failed Application Access by User Successful/Failed File Access by User Top Attackers Multiple Authentication Failures Suspicious Activity By User and Host Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files, and perform critical file comparisons at least daily (or more frequently if the process can be automated) LogRhythm agents include an integrated file integrity monitoring capability which can be used to detect and alert on the following for any file or directory: Reads; Modifications; Deletions; Permission Changes. This capability is completely automated. How often files are scanned is configurable. Files can be scanned at user defined frequencies such as every 5 minutes or once a night. File Integrity Monitoring Activity Maintain a policy that addresses information security for employees and contractors LogRhythm provides centralized intelligence that can support the organizational security policy, including incident handling and response. Because policies are flexible, LogRhythm is ready to expand beyond the cardholder data environment to provide support to other areas of the organization that need its critical services Implement an incident response plan. Be prepared to respond immediately to a system breach. LogRhythm provides a centralized management system capable of alarming, reporting and investigating security breaches to the network. LogRhythm supports an incident response plan by providing the real-time enterprise detection intelligence to address issues quickly to prevent damage and exposure. Example Alarms: Alarm On Attack Alarm On Compromise Alarm On Malware LogRhythm Corporate Headquarters EMEA Headquarters LogRhythm Inc. LogRhythm Inc Sterling Circle, Suite 100 Siena Court, The Broadway Boulder CO, Maidenhead, Berkshire SL6 1NJ United Kingdom Phone (303) Phone +44 (0) Fax (303) Fax +44 (0) PCIwp LogRhythm, Inc. All Rights Reserved page 9 of 9