PCI and PA DSS Compliance Assurance with LogRhythm

Transcription

1 WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014

2 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS standards apply to all organizations that store, process or transmit cardholder data. All affected organizations must be PCI compliant. The Payment Application Data Security Standard (PA DSS) is derived from PCI DSS, and its individual requirements align with PCI DSS requirements. The PCI DSS standards are enforced by the founding members of the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The first PCI DSS standard is a combined effort from the results of several independent company data protection standards. The Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The first PCI DSS standard was released in December 15, 2004 and its latest revision, version 3.0, was released in November LogRhythm s PCI DSS Compliance Automation Suite is designed to optimize the Security Intelligence Platform in support of requirements set forth by the PCI Security Standards Council. The collection, management, and analysis of log data are integral to meeting PCI audit requirements. IT environments include many heterogeneous devices, systems, and applications that all report log data. Millions of individual log entries can be generated daily, if not hourly. The task of simply assembling this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly. LogRhythm has extensive experience in helping organizations improve their overall security and compliance posture while reducing costs. Log and machine data collection, archive, and recovery are fully-automated across the entire IT infrastructure. LogRhythm automatically performs log data categorization, identification, and normalization to facilitate easy analysis and reporting. LogRhythm s best-of-breed log management capabilities enable automatic identification of the most critical events and notification of relevant personnel through its powerful Alarming capabilities. LogRhythm provides out-of-the-box PCI compliance support. As part of the PCI Compliance Automation Suite, enterprise assets are categorized according to Network Security, Cardholder Data, Vulnerability Management, Access Control, Network Monitoring and Testing, and Information Security Policy. LogRhythm s PCI-DSS Compliance Automation Suite can be used to help meet PA DSS standards as well. LogRhythm s extensive support for both commercial and custom payment applications enables comprehensive and efficient collection, processing, review and reporting of all log sources specified in both the PCI and PA data security standards. To ensure compliance with PCI requirements, information systems and payment applications are monitored in real-time. AI Engine Rules, Alarms, Investigations, Reports, reporting packages, and tails are provided, allowing for immediate notification and analysis of conditions that impact the integrity of the organization s cardholder data. Areas of non-compliance can be identified in real time. Reports can be generated as needed by or scheduled to run at pre-determined intervals via reporting packages. Additionally, the elements in the PCI-DSS suite are provided as part of LogRhythm s standard Knowledge Base to further augment the usefulness of the log data. Monitor And Test Networks Protecting Cardholder Data The Six Domains of PCI DSS Requirement Information Security Policy Network Security Devices Cardholder Data Systems Vulnerability Management Access Control Systems PAGE 3

3 The table below explains how LogRhythm and the PCI Compliance Package address the six sections of the standard: PCI Section and Purpose LogRhythm Compliance Support Build and Maintain a Secure Network Protect Cardholder Data LogRhythm supports most popular firewall products and associated network protection systems such as intrusion protection systems, unified threat managers, and content inspection systems. Also specified is the removal of default passwords and to enforce the secure deployment of equipment in theorganization. LogRhythm provides monitoring for insecurity such as use of default passwords. Alarming is provided when they are detected. LogRhythm monitors for proper operations and configuration changes that may jeopardize the security of cardholder data. Alarms are provided to identify suspicious network activity in real-time. Maintain a Vulnerability Management Program Anti-virus software can be monitored for proper signature updates. Malicious software is centrally reported. Investigations can be launched to identify activities related to malware infections to assess exposure, incident handling and response. Vulnerabilities may be detected by systems and collected inreal-time, allowing for faster awareness than spotcheck vulnerability assessments. Implement Strong Access Control Measures Regularly Monitor and Test Networks Access to cardholder systems and data, changes in permissions and access rights, and suspicious behavior are all collected in real-time by LogRhythm. Investigations can be rapidly performed for any suspected abuses or compromises to PCI DSS protected data. Shared account usage can be easilyspotted, as well as after-hours access or unusual account access frequency. Access successes and failures to systems, applications, and objects are collected and processed by LogRhythm. LogRhythm establishes the automated audit trail for all system components as mandated by PCI DDS Requirements , covering one of the most difficultto-attain requirements. By converting this information to useful data, LogRhythm meets both the conditions and the spirit of these requirements. Maintain an Information Security Policy Most organizations need a security policy that extends into all areas of the business, and these environments may mirror the PCI standards or use more robust policies such as CobiT or ISO 27001/ LogRhythm supports enterprise-class systems that can be far more diverse than just the organization s PCI environment and ensure compliance with other security frameworks and regulations. PAGE 4

4 The following table outlines the PCI control requirements LogRhythm either directly meets or provides support for the testing process. The requirements listed come directly from the PCI compliance documents located at the PCI Security Standards Council web site ( PCI-DSS v3.0 Control Requirement Directly Meets Requirements Augments Control Process 1. Install and Maintain a firewall configuration to protect data 1.1.1, 1.1.6a b, 1.1.7, a, b, 1.2.2, 1.3.1, 1.3.2, 1.3.3, 1.3.5, 1.4.a 2. Do not use vendor-supplied defaults for system passwords and other security parameters a, b, 2.3.b 3. Protect stored cardholder data N/A Encrypt transmission of cardholder data across open, public networks N/A Protect All Systems Against Malware and Regularly Update Anti-virus Software or Programs 5.2.d 5.1, 5.2.b, 5.2.c 6. Develop and maintain secure systems and applications 6.2.a 6.2.b, 6.3.a, 6.4.1, 6.4.2, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.7, 6.5.8, 6.5.9, Restrict access to cardholder data by business need to know N/A 7.1.2, Identify and Authenticate Access to System Components N/A 8.1.1, 8.1.2, 8.1.3, 8.1.4, a, b, a, a, a, 8.5.a, 8.7.a 9. Restrict physical access to cardholder data N/A 9.1, c 10. Track and monitor all access to network resources and cardholder data 10.2, , , , , , , , , , , , , , 10.4.a, , , , , , 10.6.a, 10.7.a N/A 11. Regularly test security systems and processes 11.5.a, 11.5.b 11.1.d, 11.4.b 12. Maintain a policy that addresses information security for employees and contractors N/A , , The tables on the subsequent pages outline how specifically LogRhythm supports requirements of the PCI sections. The How LogRhythm Supports Compliance column describes the capabilities LogRhythm provides that will meet, support or augment PCI compliance. PAGE 5

5 1. Install and maintain a firewall configuration to protect data LogRhythm collects logs from firewall devices to ensure and validate compliance. 1.1 Establish firewall and router configuration standards. LogRhythm provides investigations, reports, and tails to support PCI-DSS control requirement 1.1. LogRhythm directly supports the testing process for procedure by providing details of firewall/router configuration/policy changes via investigations, reports, and tails. LogRhythm directly supports testing procedure by providing details of allowed/denied secure/insecure network protocols/ports within the organizational network infrastructure via investigations, reports, and tails. LogRhythm augments the testing procedure by providing details of allowed/ denied secure/insecure network protocols/ports within the organizational network infrastructure via investigations, reports, and tails. Testing procedure 1.1 requires the establishment of firewall and router configuration standards that include a formal verification process for testing/approval of all network connections and changes to firewall and router configurations (1.1.1), documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure (1.1.6), and review firewall and router rule sets (1.1.7). 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. LogRhythm provides AIE rules, alarms, investigations, reports, and tails to support PCI-DSS control requirement 1.2. LogRhythm augments the testing process for procedure by providing details of allowed/denied inbound/outbound network traffic to the cardholder data environment via investigations, reports, and tails. LogRhythm augments the testing process for procedure by providing alarms on firewall synchronization critical/error conditions and also by providing details of firewall synchronization critical/error/informational conditions via investigations and reports. Testing procedure 1.2 requires the building of firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment by restricting inbound and outbound traffic to that which is necessary for the cardholder data environment (1.2.1) and securing and synchronizing router configuration files (1.2.2). 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. LogRhythm provides AIE rules, investigations, reports, and tails to support PCI-DSS control requirement 1.3. LogRhythm augments the testing process for procedure by providing details of allowed/denied network traffic between the DMZ environment and the organizations internal network environment via investigations, reports, and tails. LogRhythm augments the testing process for procedure by providing details of allowed/denied network traffic between the external Internet and the organizations internal network environment via investigations, reports, and tails. LogRhythm augments the testing process for procedure by providing details of allowed/denied network traffic inbound/outbound between the external Internet and cardholder data environment via investigations, reports, and tails. LogRhythm augments the testing process for procedure by providing details of allowed/ denied network traffic outbound from the cardholder data environment to the external Internet via investigations, reports, and tails. Testing procedure 1.3 requires the prohibiting of direct public access between the Internet and any system component in the cardholder data environment by implementing a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports (1.3.1); limiting inbound Internet traffic to IP addresses within the DMZ (1.3.2); not allowing any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment (1.3.3); and not allowing unauthorized outbound traffic from the cardholder data environment to the Internet (1.3.5). PAGE 6

6 1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization s network. LogRhythm provides AIE rules, alarms, investigations, and reports to support PCI-DSS control requirement 1.4. LogRhythm augments the testing process for procedure 1.4.a by providing alarms on host firewall critical/error conditions and also by providing details of host firewall critical/error/information conditions via investigations, and reports. Testing procedure 1.4.a requires verification that mobile and/or employee-owned computers with direct connectivity to the Internet, and which are used to access the organization s network, have personal firewall software installed and active. 2. Do not use vendor-supplied defaults for system passwords and other security parameters LogRhythm monitors the network for indications of improper behavior and signs of insufficient security configuration. 2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts. LogRhythm provides AIE rules, investigations, and reports to support PCI- DSS control requirement 2.1. LogRhythm directly supports testing procedure 2.1 by providing AIE rule alarms and details of known vendor default account authentication failures/successes via investigations, and reports. Testing procedure 2.1 requires the verification that vendor supplied default accounts and passwords have been changed. 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. LogRhythm provides AIE rules, investigations, reports, and tails to support PCI-DSS control requirement 2.2. LogRhythm augments the testing process for procedures by providing details of network protocols/services allowed/denied within the organizational network infrastructure via investigations, reports, and tails. Testing procedure 2.2 requires the development of configuration standards for all system components by requiring that only one primary function is implemented per virtual system component/device (2.2.1.b); only necessary services or protocols are enabled (2.2.2.a); and enabled insecure services are justified and that security features are documented and implemented (2.2.2.b). 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web- based management and other non- console administrative access. LogRhythm provides AIE rules, investigations, reports, and tails to support PCI-DSS control requirement 2.3. LogRhythm augments the testing process for procedure 2.3.b by providing details of insecure network protocols/ports allowed/denied within the organizational network infrastructure and insecure processes starting/stopping via investigations, reports, and tails. Testing procedure 2.3 requires encryption of all non-console administrative access using strong cryptography by requiring the review of services and parameter files on systems to determine that Telnet and other remote login commands are not available for use internally (2.3.b). PAGE 7

7 3. Protect stored cardholder data LogRhythm provides monitoring of changes in the cardholder environment and can alarm on changes to security critical resources Prevention of unauthorized substitution of cryptographic keys. LogRhythm provides AIE rules, investigations, reports, and tails to support PCI-DSS control requirement LogRhythm augments the testing process for procedure by providing details of key integrity activity via investigations, reports, and tails on LogRhythm s File Integrity Monitor Agent. LogRhythm s File Integrity Monitor can be configured to monitor key file or directory activity, deletions, modification, and permission changes. The file integrity capability is completely automated, the agent can be configured to either scan for files/directory changes on a schedule or the kernel level driver can automatically detect file integrity activity in real-time. Testing procedure requires the verification that key-management procedures are implemented to require the prevention of unauthorized substitution of keys. 4. Encrypt transmission of cardholder data across open, public networks LogRhythm monitors network use to ensure that only the proper protocols are being used in the cardholder data environment. 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. LogRhythm provides AIE rules, alarms, investigations, and reports to support PCI- DSS control requirement 4.1. LogRhythm monitors network use to ensure that only the proper protocols are being used in the cardholder data environment. Testing procedure 4.1 requires real-time monitoring and alerts on unauthorized or unencrypted services being used, and can report on detected wireless networks to help control access points. 5. Protect All Systems Against Malware and Regularly Update Anti-virus Software or Programs LogRhythm collects and alarms on detected malware and compromises in the cardholder data environment. 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). 5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs. LogRhythm provides AIE rules, alarms, investigations, and reports to support PCI-DSS control requirement 5.1/5.2. LogRhythm augments the testing process for procedure 5.1 and directly supports testing procedure 5.2 by providing alarms on antivirus critical/error conditions and also provides detailed information on malware detection and antivirus critical/error/information via investigations and reports. Testing procedure 5.1 requires the verification that anti-virus software is deployed if applicable anti-virus technology exists. Testing procedure 5.2.b requires the verification that the master installation of the antivirus software is enabled for automatic updates and periodic scans. Testing procedure 5.2.c requires the verification that all antivirus software is enabled for automatic updates and periodic scans. Testing procedure 5.2.d requires the verification that that anti-virus software log generation is enabled and that such logs are retained. PAGE 8

8 6. Develop and maintain secure systems and applications LogRhythm collects and alarms on detected vulnerabilities and software update activity. 62 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release. LogRhythm provides alarms, investigations, and reports to support PCI-DSS control requirement 6.2. LogRhythm directly supports testing procedure 6.2 by providing alarms on software update critical/error conditions and also by providing details on software update critical/error/information conditions via investigations and reports. Testing procedure 6.2.a requires the verification that current vendor patches are installed. Testing procedure 6.2.b requires the verification that all critical new security patches are installed within one month. 6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle. LogRhythm provides intelligence for logs written by custom software to support PCI-DSS control requirement 6.3. LogRhythm augments the testing process for procedure 6.3 by providing an intelligence system for logs to be sent to, rules can be created to provide proper alarming, reporting, and enhancement to the abilities of any custom application to be used in the cardholder data environment. Testing procedure 6.3 requires the development of software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle. 6.4 Following change control processes and procedures for all changes to system components. LogRhythm provides AIE rules, alarms, investigations, reports, and tails to support PCI-DSS control requirement 6.4. LogRhythm augments the testing process for procedure 6.4.1/6.4.2 by providing details on allowed/denied network traffic between the test network environment and all other internal network environments via investigations, reports, and tails. Testing procedure 6.4 requires following of change control processes and procedures for all changes to system components including the requirement for development/test environments to be separate from the production environment, with access control in place to enforce the separation (6.4.1) and the requirement to separate duties between development/test and production environments (6.4.2). 6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes. LogRhythm provides alarms and investigations to support PCI-DSS control requirement 6.5. LogRhythm augments the testing process for procedure 6.5 by providing alarms and investigation details on detected vulnerabilities. Testing procedure 6.5 requires the prevention of common coding vulnerabilities in software development processes, including: injection flaws (6.5.1); buffer overflows (6.5.2); insecure cryptographic storage (6.5.3); insecure communications (6.5.4); improper error handling (6.5.5); all High vulnerabilities (6.5.6); Cross-site scripting (6.5.7); improper Access Control(6.5.8); cross-site request forgery (6.5.9). 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of publicfacing web applications. LogRhythm provides alarms and investigations to support PCI-DSS control requirement 6.6. LogRhythm augments the testing process for procedure 6.6 by providing alarms and investigation details on detected vulnerabilities. Testing procedure 6.6 requires the addressing of new threats and vulnerabilities on an ongoing basis for public-facing web applications and to ensure these applications are protected against known attacks. PAGE 9

9 7. Restrict access to cardholder data by business need to know LogRhythm monitors access privilege assignments and suspicious data accesses. 7.1 Limit access to system components and cardholder data to only those individuals whosejob requires such access. LogRhythm provides investigations and reports to support PCI-DSS control requirement 7.1. LogRhythm augments the testing process for procedure 7.1 by providing details on privileged access, host authentication, application access via investigations and reports. Testing procedure 7.1 requires access limitations to system components and cardholder data to only those individuals whose job requires such access, limitations include: restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities (7.1.2) and assignment of privileges based on individual personnel s job classification and function (7.1.3). 8. Identify and authenticate access to system components LogRhythm helps identify shared account usage in the network, including unobvious accounts with more than one user. 8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components. LogRhythm provides reports to support PCI-DSS control requirement 8.1. LogRhythm augments the testing process for procedure 8.1 by providing details on account management activity such as account creation, account deletion, and account modification via reports.logrhythm directly supports testing procedure by providing alarms on vendor account authentication failures and the granting of access to vendor accounts; LogRhythm also provides details on vendor account management and authentication activity via investigations and reports. Testing procedure 8.1 requires user identification and authentication management for non- consumer users and administrators on all system components as follows: control addition, deletion, and modification of user IDs, credentials, and other identifier objects (8.1.2); immediately revoke access for any terminated users (8.1.3); remove/disable inactive user accounts at least every 90 days (8.1.4); enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use (8.1.5); limit repeated access attempts by locking out the user ID after not more than six attempts (8.1.6); set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID (8.1.7). 8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components. LogRhythm provides reports to support PCI-DSS control requirement 8.2. LogRhythm directly supports testing procedure by providing alarms on user accounts that have not had a password change within 90 days. Testing procedure 8.2 requires user identification and authorization for nonconsumer users and administrators on all systems by requiring users to change their password at least every 90 days (8.2.4). 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods. LogRhythm provides AIE rules, alarms, investigations, and reports to support PCI-DSS control requirement 8.5. LogRhythm augments the testing process for procedure 8.5 by providing alarms when the use of group, shared, or generic accounts and passwords are detected. Testing procedure 8.5 requires monitoring authentication methods such as the use of group, shared, or generic accounts and password. PAGE 10

10 8.7 Restrict access to any database containing cardholder data (including access by applications, administrators, and all other users). LogRhythm provides AIE rules, alarms, investigations, and reports to support PCI-DSS control requirement 8.7. LogRhythm augments the testing process for procedure 8.7 by restricting user direct access or databases queries to database administrators and authenticating all access to any database containing cardholder data. Testing for procedure 8.7 requires monitoring authentications to to databases containing cardholder data to restrict user access to database administrators. 9. Restrict physical access to cardholder data LogRhythm can monitor physical access control devices for access attempts to card holder data areas. 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. LogRhythm provides AIE rules, alarms, investigations, and reports to support PCI-DSS control requirement 9.1. LogRhythm augments the testing process for procedures 9.1/9.1.1 by providing alarms for physical access failures and details on other physical access activity via investigations and reports. Testing procedure 9.1 requires the use of facility entry controls to limit and monitor physical access to systems in the cardholder data environment. Testing procedure requires the use of video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. 10. Track and monitor all access to network resources and cardholder data LogRhythm automates collection, centralization and monitoring of logs from servers, applications, security and other devices, significantly reducing compliance costs Implement automated audit trails for all system components to reconstruct the following events: LogRhythm provides AIE rules, alarms, investigations, and reports to support PCI- DSS control requirement 10.2.LogRhythm directly supports testing procedure10.2 by providing the core function of centralized log collection, management, and archival. LogRhythm provides alarms on authentication failures from default\disabled\ terminated\privileged accounts, object disposal failures, and audit log initializations. LogRhythm provides details of user access failures/successes to audit log files, cardholder data files, system-level objects, and applications via investigations and reports. LogRhythm provides details of privileged account management such as creation/deletion/modification, authentication failures/successes, granting/revoking of access, privilege escalation, and failures/successes to access files, objects, and applications via investigations and reports. LogRhythm also provides details on the creation/deletion of system level objects and audit log initializations via investigations and reports. Testing procedure 10.2 requires the implementation of automated audit trails for all system components to reconstruct the following events: all individual accesses to cardholder data (10.2.1); all actions taken by any individual with root or administrative privileges (10.2.2); access to all audit trails (10.2.3); invalid logical access attempts (10.2.4); use of identification and authentication mechanisms (10.2.5); initialization of the audit logs (10.2.6); creation and deletion of system-level objects (10.2.7). PAGE 11

11 Record at least the following audit trail entries for all system components for each event: LogRhythm s centralized log collection, management, and archival functionality supports PCI-DSS control requirement LogRhythm directly supports testing procedure10.3 by parsing account/login information, assigning each log event a specific classification type, specifying a centralized time stamp, extracting success/ failure information, identifying the host/ip/application/login originating each event, identifying affected data/components/resources, and other details useful for forensic investigation of the audit logs. Testing procedure 10.3 requires the recording of at least the following audit trail entries for all system components for each event: user identification (10.3.1); type of event (10.3.2); date and time (10.3.3); success or failure indication (10.3.4); origination of event (10.3.5); identity or name of affected data, system component, or resource (10.3.6) Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. LogRhythm s centralized log collection, management, and archival functionality supports PCI-DSS control requirement 10.4 LogRhythm directly supports testing procedure 10.4 by independently synchronizes the timestamps of all collected log entries, ensuring that all log data is time-stamped to a standard time regardless of the time zone and clock settings of the logging hosts. Testing procedure 10.4 requires the use of time-synchronization technology, synchronize all critical system clocks and times and ensure that acquiring, distributing, and storing time is implemented Secure audit trails so they cannot be altered. LogRhythm s centralized log collection, management, and archival functionality supports PCI-DSS control requirement LogRhythm directly supports testing procedure 10.5 by using discretionary access controls which allow restriction of the viewing of audit logs to individuals based on their role and Need-To-Know. LogRhythm protects audit trails from unauthorized modification by immediately archiving/hashing/storing collected logs in a secure central repository. LogRhythm includes an integrated file integrity monitoring which can ensure that the collection infrastructure is not tampered with. Additionally, LogRhythm servers utilize access controls at the operating system and application level to ensure log data cannot be modified or deleted. Alerts are customizable to prevent or allow alarms on a case-by-case basis, including not causing an alert with new data being added. Log Rhythm securely collect logs from the entire IT infrastructure including externalfacing technologies for storage on an internal LAN Network where a LogRhythm appliance resides. Segregation can be accomplished by allowing only log traffic to pass through LogRhythm via firewall, filter control on a router, or configuring the LogRhythm appliance s firewall to reject unanticipated connections. Testing procedure 10.5 requires the securing of audit trails so they cannot be altered by limiting the viewing of audit trails to those with a job-related need (10.5.1); protecting audit trail files from unauthorized modifications (10.5.2); promptly backing up audit trail files to a centralized log server or media that is difficult to alter (10.5.3); writing logs for external-facing technologies onto a log server on the internal LAN (10.5.4); and using file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (10.5.5) Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). LogRhythm s auditing functionality provides support for PCI-DSS control requirement LogRhythm directly supports testing procedure10.6 by supplying a one stop repository from which to review log data from across the entire IT infrastructure. Reports can be generated and distributed automatically on a daily basis which provides an audit trail of who did what within LogRhythm and proof of log data review. Testing procedure 10.6 requires the review of logs for all system components at least daily. PAGE 12

12 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis. LogRhythm s centralized log collection, management, and archival functionality supports PCI-DSS control requirement LogRhythm directly supports testing procedure 10.7 by automating the process of retaining audit trails. LogRhythm creates archive files of all collected log entries which are organized in a directory structure by day making it easy to store, backup, and destroy log archives based on retention policy. Testing procedure 10.7 requires the retention of audit trail history for at least one year, with a minimum of three months immediately available for analysis. 11. Regularly test security systems and processes LogRhythm can collect logs from intrusion detection/prevention systems and has integrated file integrity monitoring capabilities. The collection of IDS/IPS logs helps to ensure and validate compliance. LogRhythm s file integrity monitoring capabilities can be used to directly meet requirement Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis. LogRhythm provides alarms, investigations, and reports to support PCI-DSS control requirement LogRhythm augments the testing process for procedure 11.1 by providing alarms on the detection of rouge access points and by providing details on detected rouge access points via investigations and reports. Testing procedure 11.1 requires testing for the presence of wireless access points and detection of unauthorized wireless access points on a quarterly basis Use intrusion-detection systems, and/or intrusionprevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up-todate. LogRhythm provides alarms, investigations, reports, and tails to support PCI-DSS control requirement LogRhythm augments the testing process for procedure 11.4 by collecting logs from network and host based IDS/IPS systems. Its risk-based prioritization and alerting reduce the time and cost associated with monitoring and responding to IDS/IPS alerts. LogRhythm provides built-in alarms which can alert on IDS/IPS detected events such as attacks, compromises, denial of services, malware, reconnaissance activity, suspicious activity, and IDS/IPS signature update failures. LogRhythm provide details around these critical IDS/IPS events via investigations, reports, and tails. Testing procedure 11.4 requires the use of intrusion-detection systems, and/ or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises and keeping all intrusion-detection and prevention engines, baselines, and signatures up-to-date Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. LogRhythm provides AIE rules, investigations, reports, and tails to support PCI-DSS control requirement LogRhythm directly supports testing procedure 11.5 by providing details of key integrity activity via investigations, reports, and tails on LogRhythm s File Integrity Monitor Agent. LogRhythm s File Integrity Monitor can be configured to monitor key file or directory activity, deletions, modification, and permission changes. The file integrity capability is completely automated, the agent can be configured to either scan for files/directory changes on a schedule or the kernel level driver can automatically detect file integrity activity in real-time. Testing procedure 11.5 requires the deployment of file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. PAGE 13

13 12. Maintain a policy that addresses information security for employees and contractors LogRhythm provides centralized intelligence that can support the organizational security policy, including incident handling and response. Because policies are flexible, LogRhythm is ready to expand beyond the cardholder data environment to provide support to additional areas of the organization that need its critical services Develop usage policies for critical technologies (for example, remote- access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), usage and Internet usage) and define proper use of these technologies. LogRhythm provides AIE rules, investigations, reports, and tails to support PCI- DSS control requirement 12.3 LogRhythm augments the testing process for procedure 12.3 by providing alarms on vendor authentication failures and on vendor account accounts access granting. LogRhythm provides details on vendor account management activity, vendor authentication successes/failures, and remote session time outs via investigations and reports. Testing procedure 12.3 requires the development of usage policies for critical technologies and defining proper use of these technologies. Ensuring the usage policies require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity (12.3.8) and activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use (12.3.9) Implement an incident response plan. Be preparedto respond immediately to a system breach. LogRhythm provides AIE rules, alarms, investigations, reports, and tails to support PCI-DSS control requirement LogRhythm augments the testing process for procedure by providing real-time enterprise detection intelligence to address issues quickly to prevent damage and exposure. LogRhythm provides alarms and detail on security events such as attacks, compromises, denial of services, malware, reconnaissance activity, suspicious activity, and IDS/IPS signature update failures via investigations, reports, and tails. Testing procedure requires the implementation of an incident response plan. Include alerts from intrusion- detection, intrusion-prevention, and firewalls, and fileintegrity monitoring systems ( ) INFO@LOGRHYTHM.COM PAGE LogRhythm Inc. Whitepaper - PCI and PA DSS Compliance Assurance