How an Endace Monitoring and Recording Fabric aids corporate compliance

Transcription

1 How an Endace Monitoring and Recording Fabric aids corporate Regulation is everywhere. It s impossible to escape and it s not going away. For some, is a burden, but for others it s a breeze. If you need to comply with PCI-DSS, SOX, ISO, HIPAA, or FISMA, you need to read this article before investing another dollar in technology. COMPLIANCE COMPLIANCE EVERYWHERE In a nutshell, is simply acting in accordance with certain accepted standards. In the case of security, there are a number of wellpublished standards for achieving and maintaining security across an organisation. Most are focused on information security and privacy which relate directly to securing the network. There s growing pressure from governments, health providers, peers and credit card companies for you to become compliant with their security standards. If you hold customer data on your premises in almost any form, then you can t really escape it. Regardless of the specific standard that you re looking at, the objective (and in fact many of the basic requirements) is the same; namely to make your business and the systems and processes that underpin it more secure. How an Endace Monitoring and Recording Fabric aids corporate Page 1 of 6 Endace

2 STANDARD Payment Card Industry Data Security Standard (PCI-DSS) ISO series Health Insurance Portability and Protection Act (HIPAA) Sarbanes Oxley Act (SOX) Federal Information Security Management Act (FISMA) FOCUS The PCI-DSS is a widely accepted set of policies and procedures intended to optimise the security of credit, debit, and cash card transactions and protect card holders against misuse of their personal information. The series are Information Security standards and guidelines for improving information security, where: ISO formally defines the mandatory requirements for an Information Security Management System. ISO is the code of practice for information security management. HIPAA (relating to IT) seeks to establish standardised mechanisms for electronic data interchange, security, and confidentiality of all healthcare-related data. SOX is legislation to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. FISMA is US legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. In this article we will focus predominantly on the PCI-DSS, but the general principles outlined are transferrable across all the various pieces of legislation and their standards. SO, WHAT IS COMPLIANCE REALLY? It s worth taking a step back and looking at what really is, in order to better understand the implications of it. For all intents and purposes is a statement that an organisation meets certain standards of behaviour and technological protections at a specific point in time. To get a certificate you simply have to prove to an auditor that you have certain things in place and you re off to the races. The costs of non- can be huge (as much as $500K for failure to comply with Payment Card Industry - Data Security Standards (PCI-DSS), which has prompted many companies to sit up and pay attention. Individuals responsible for creating legislation have to tread a fine line. The objective is to get organisations to be more secure, not simply to comply with the standard. Organisations need to implement the security controls with the intent to secure themselves, not to just meet the lowest requirement that will get signed off. However, we all know that legislation is rarely perfect and with a specific standard does not mean that an organisation is magically secure; it does make the organisation more aware of security and should in turn make them a harder target. IT S A MATTER OF PERSPECTIVE In our experience, organisations look at through one of two lenses: The tactical quick-fix smoke and mirrors lense, where is perceived internally as a cost overhead The strategic big picture lense, where is treated as an opportunity to excel. Organisations that take a more strategic view and take security seriously tend to find that comes easy and many have turned into a competitive advantage. The difference is one of mindset. They set out with the end in mind and build a security and monitoring infrastructure that is capable of complying with legislation that hasn t yet been invented. So, in reality this isn t a discussion about at all. It s a discussion about taking security seriously and building a technology and process architecture that is capable of properly protecting your data, your assets, and your customers. TICKING THE BOX The market is awash with point solutions that will provide a tick in the box for a section or subsection of your requirements. These solutions are rapidly becoming commodity elements and are starting to weaken the intent of the security requirement. They create the illusion of security; often organisations will believe they are now secure after a successful report when in fact that is far from the truth. The focus for every organisation should be getting secure through good network security practice, processes, and the correct use of technology to assist with maintaining security over time. Do this right, and will follow, no matter what your requirement. The only way to approach network security is to start with a complete picture of the network and what it is being used for. A guaranteed 100% accurate packet capture and analysis solution is the only way to provide this visibility. THE CORNERSTONES OF GOOD NETWORK SECURITY In their Six defensive walls work, SANS provides a very useful breakdown of core network security activities and how they map to specific sections of the standards we are interested in. For example, implementing an Intrusion Detection System (IDS) will allow you to comply with the following standards: ISO 27001/ , , , , PCI-DSS 10.6, 11.4, SOX HIPAA FISMA A13.2, DS5.10, (a)(2), (a)(1) (a)(6)42, SI-4, AC-2, IDS is, once again, a good example of a requirement that is often implemented poorly, just for the sake of. IDS (and IPS) technology is quickly (and cheaply) added to a network, shown to the auditor, and then essentially ignored because the organisation does not have the resources or skills to manage the technology effectively. Organisations that look at the world more strategically recognise that IDS is a fundamental element in any network security architecture and they hunt out strategic solutions that not only allow them to comply with the specific subsections of whatever act they are seeking to comply with, but build a highperformance monitoring architecture that gives them a real advantage. How an Endace Monitoring and Recording Fabric aids corporate Page 2 of 6 Endace How an Endace Monitoring and Recording Fabric aids corporate Page 3 of 6 Endace

3 CYBER SECURITY MONITORING DE-MYSTIFYING PCI-DSS HOW DOES 100% PACKET CAPTURE MAKE COMPLIANCE EASIER? Endace is a world leader in high-speed network PCI-DSS is a multifaceted security standard that Much of the PCI-DSS standard is focused on the policies and procedures used to protect card holder data. As the monitoring and recording systems. Our cyber security includes requirements for security management, network is the most pervasive element of any organisation s infrastructure, it becomes a focal point to be able to monitoring solution is based on our multi-application policies, procedures, network architecture, software verify, detect, monitor, block, protect and alert when card holder information is in transit. One hundred percent platform, which enables organisations to captures design, and other critical protective measures. It packet capture provides the foundation with which to build both security solutions and technology, packets reliably and consistently across their entire governs the secure handling of credit card data in and to simply work out what the network is doing and how we can make it run better. network (at speeds up to 100Gb/s) and use a range the aspects of storage, processing and transmission. of different applications to analyse the traffic for intrusions, anomalies, specific events, vulnerabilities and more. Arguably, PCI-DSS has done more for security awareness than any other initiative over the past few decades; even so, we still have a long way to At the core of our cyber security monitoring solution go. Credit card companies waving a very large stick is a high-performance IDS that is based on open- (USD$500K fine) for non- is what it source SNORT with integrated network analytics actually took for many companies to sit up and pay and forensic capabilities. attention. Endace Systems support a range of native applications ENDACE APPLICATION DOCK In addition to the wide range of cyber security tools we have available, including our powerful IDS functionality, you may consider deploying a range of other third-party, custom or open-source applications on your Endace Systems via the Endace Application Dock. The Application Dock is a unique and highly optimised virtual application hosting environment. as well as a unique multi-application open-hosting environment Endace Application Dock which allows multiple network monitoring, security and tools, running simultaneously to access a single, authoritative and 100% accurate source of captured network traffic. WHAT DOES PCI-DSS COVER? CONTROL OBJECTIVES PCI-DSS REQUIREMENTS Build and maintain a secure network 1. Install and maintain a firewall configuration to protect card holder data Protect card holder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters CONCLUSION Achieving, regardless of the standard, is ultimately about ensuring security. As such, is a product of your strategic security goals, not a tactical move to 3. Protect stored card holder data satisfy a regulatory body. That means that if 4. Encrypt transmission of card holder data across open, public networks is an issue for you then there s a good chance that you are missing some vital Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications 7. Restrict access to card holder data by business need-to-know Implement strong access control measures 8. Assign a unique ID to each person with computer access 9. Restrict physical access to card holder data Regularly monitor and test networks Maintain an information security policy 10. Track and monitor all access to network resources and card holder data parts of your overall security strategy. By building your security solution on a foundation of 100% packet capture, becomes a much easier objective to attain, and one that stems naturally from your network infrastructure rather than being a tick-box element added as an afterthought. 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security For more information on Endace products visit or us at info@endace.com How an Endace Monitoring and Recording Fabric aids corporate Page 4 of 6 Endace How an Endace Monitoring and Recording Fabric aids corporate Page 5 of 6 Endace

4 APPENDIX A. MAPPING PCI-DSS TO ENDACE S AND REDEYE S CYBER SECURITY MONITORING SOLUTION Not only can we provide joint solutions that will assist your with particular sections of the standard as detailed below, but with the 100% packet capture and storage, we can deliver visibility throughout the network, expanding the scope of the solution to increase it beyond basic. Endace RedEye ASSIST ACHIEVE ASSIST ACHIEVE PCI-DSS REQUIREMENT ENDACE CAPABILITY TO ASSIST / DELIVER COMPLIANCE REDEYE CAPABILITY TO ASSIST / DELIVER COMPLIANCE SECTION 1: BUILD AND MAINTAIN A SECURE NETWORK 1.1 Documented list of ports, services, and protocols needed for business - Standard router configuration Endace Analytics can identify and report on the ports, services, and protocols used in the network at the point of interception. RedEye proactively builds a list of all active IP addresses, open ports and services running A formal process for approving and testing all network connections and changes to the firewall and router configurations EndaceProbes using Capture/Replay capability can be used to perform network testing on the organization s own captured traffic and PCAPs. It can then be accurately replayed to test and validate rule changes. EndaceProbes running Endace Analytics can view both sides of a network device and provide repeatable traffic comparisons. RedEye can scan each network for connectivity following every firewall and router config change Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment RedEye scans daily and alerts on any disallowed network connectivity. 2.2B Verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.2 RedEye reports on new vulnerabilities published in its vulnerability database that are relevant to the systems being used in the cardholder data environment. 2.2C Verify that system configuration standards are applied when new systems are configured RedEye can be configured with baseline profiles for all configuration standards. New machines are scanned against baseline before deployment. SECTION 4: ENCRYPT TRANSMISSION OF CARD HOLDER DATA ACROSS OPEN, PUBLIC NETWORKS 4.1 Use strong cryptography and security protocols such as SSL / TLS or IPSEC to safeguard sensitive card holder data during transmission over open, public networks Via capture, trace files can be audited and encrypted transmission can be verified. In the event of non-encrypted transmission, an alert can be raised and the event recorded. RedEye can scan key servers and a custom alert configured to be triggered on the presence of NON SSL / TLS / VPN connections. 4.2 Never send unencrypted PANs by end-user messaging technologies (e.g., , instant messaging or chat) Via SNORT rules an alert can be raised if a PAN is unencrypted during transmission in those technologies and the session can be recorded / terminated. SECTION 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS 6.2 Establish a process to identify newly discovered security vulnerabilities. Update configuration standards as required by PCI-DSS Requirement 2.2 to address new vulnerability issues. EndaceProbes support third-party applications to be deployed within the network to address specific requirements. Solutions to meet this requirement may include PVS from Tenable. RedEye receives updates of new vulnerabilities and rescans the network on a DAILY basis Testing of all security patches and system and software configuration changes before deploying EndaceProbes with Capture/Replay capability can use actual network traffic in order to test and validate changes. RedEye tests that all security patches have been applied prior to deployment Validation of secure communications EndaceProbes with Capture/Replay capability can use actual network traffic in order to test and validate secure communications. RedEye scans key servers and alerts on nonsecure communications. SECTION 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARD HOLDER DATA Automated audit trails all individual accesses to cardholder data Endace supports this requirement by monitoring and triggering events of all non-authorised network access to database servers; in addition, full packet capture is available to investigate any unauthorized access Review logs of all systems components at least daily. Log reviews must include those servers that perform security functions like intrusion detection systems and authentication, authorization and accounting protocol. EndaceProbes support external log aggregation. SECTION 11: REGULARLY TEST SECURITY SYSTEMS AND PROCESSES 11.2 Quarterly vulnerability scans EndaceProbes support third-party applications to be deployed within the network to address specific requirements. Solutions to meet this requirement may include PVS from Tenable. To be used in conjunction with an approved scanning vendor. RedEye is very thorough - we support MONTHLY or WEEKLY website scanning and DAILY IP vulnerability scanning Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification Penetration testing can be performed by the RedEye security consultants Use intrusion detections systems, and/or intrusion prevention systems to monitor all traffic in the card holder data environment and alert personnel to suspected compromises. Keep all intrusion and prevention engines up-to-date. EndaceProbes with Cyber Security Monitoring comply with the IDS requirement. When configured with RedEye, the Endace IDS is even more powerful, with integrated auto-rules creation and vulnerability scanning on demand. Endace Security Manager provides easy access to the configuration of the sensors and alerting process. Endace Security Manager provides easy access to the configuration of the sensors and rule update and synchronization process. SECTION 12: MAINTAIN AN INFORMATION SECURITY POLICY Monitor and analyse events Priority (high, medium and low) assigned to the event makes it possible to analyse events based on the relative risk Incident response and reporting Endace Cyber Security supports alerting and response on security incidents. Full packet capture allows investigators post-event access to every packet involved in the incident, where the incident has occurred on a monitored network and the capture file is accessed in a timely fashion. When configured alongside Endace IDS, RedEye initiates data capture as soon as a vulnerability is found, enabling targeted data capture.

5