AlienVault for Regulatory Compliance

Overview of Regulatory Compliance in Information Security

As computers and networks have become more important in society, they and the information they contain have come under increasing legal and industry regulation. However these regulations evolve, they will always imply the need for diligence on the part of network owners and operators. Diligence is most easily demonstrated by proving that you have exercised all reasonable efforts at monitoring your information system and ensuring that it has the requisite technologies deployed and policies enforced on it.

Monitoring your network is what Security Information and Event Management (SIEM) solutions like the AlienVault Professional SIEM are all about. The AlienVault Professional SIEM includes hundreds of automated compliance reports and a Report Wizard that allows for unlimited customization to fit your unique needs. Raw logs and other data are stored forensically in the AlienVault Logger with full chain-of-custody and digital signatures to ensure validity.

As we will discuss below, AlienVault provides built-in functionality for many controls under PCI and other regulatory regimes. But first let us take a look at how we got here. It is the best way to determine where you are and to see the road ahead.

History of Regulatory Compliance in Information Security

Gramm-Leach-Bliley Act of 1999 - While not chronologically the first piece of regulation to in some way address the policies and practices of information security, the evolution of regulatory regimes impacting information security in the United States can nonetheless be effectively seen as beginning with the Gramm-Leach-Bliley Act of 1999, commonly referred to as GLBA or "Glibba". While designed to establish processes and address information stored on paper more so than electronically networked information, GLBA established a precedent for how we think about responsibility and liability regarding information security.
GLBA was most notable for replacing portions of the 1933 Glass-Steagall Act, allowing financial institutions to combine functions previously reserved for separate institutions. Because of this sharing of functions within the financial community, GLBA also included enforceable legal mandates impacting the management and security of customer information. These were broken down into three major areas:

1. The Financial Privacy Rule

This rule required financial organizations to tell customers what data they collected, who it was shared with, what is done with the information and how it is being protected.

2. The Safeguards Rule

The Safeguards Rule required organizations to create a written security policy describing how customer data will be protected. Most notably for our purposes here, and for understanding the on-going thrust of information security regulations, the Safeguards Rule of GLBA also required the regulated organizations to develop, monitor and test a program to secure the pertinent information. This intent of monitoring and testing your organization's information security solution is found throughout all regulations that follow GLBA, as should not be surprising. The act of simply implementing an information security solution is in the end pointless if this solution is not subject to constant monitoring and testing to ensure that it is achieving the goal of protecting the subject information.

3. Pretexting Protection

Pretexting is another word for social engineering, or any of the more traditional words for bluffing or impersonating to gain unauthorized access to personal information. This requirement in GLBA and other regulatory structures has helped promote authentication systems in IT and led to significant testing and auditing of processes.

The intent noted under GLBA's Safeguards Rule - that any acceptable solution deployed by an organization subject to the law must include aspects of monitoring and testing - is the first clear indication that SIEM would become central to any regulatory compliance effort. Without the ability to know what you have and to see what it is doing, for the present and for the past, there is no real reason to believe that your information system has been secure or that you could consistently demonstrate its security to others.

The Sarbanes-Oxley Act of 2002, commonly referred to as SOX, is a United States federal law regarding accounting practices which was in part brought about by the notorious events at Enron, WorldCom and other companies of the preceding period. SOX created requirements for publicly traded accounting firms to increase transparency into their operations, and the controls they have built into them, through a regime of reporting. The sections of SOX which most directly or implicitly impact Information Technology are 302, 404 and 409.

SOX Section 302, Corporate Responsibility for Financial Reports, places responsibility on the company's officers to verify the accuracy of quarterly and annual financial statements.

SOX Section 404, Management Assessment of Internal Controls, requires submission of an annual report to the Securities and Exchange Commission detailing the effectiveness of internal controls over accounting practices. Control over the IT systems that these accounting practices are performed on and in is implicit in SOX 404 compliance.

Copyright AlienVault, LLC, 2010 info@alienvault.com USA, Spain, Germany, Mexico +1 408 465-9989
SOX Section 409, Real-Time Issuer Disclosures, requires regulated organizations to be diligent about maintaining awareness of the controls on their operations and on the financial condition of their organization, and to report within 48 hours any material changes to them. Security breaches of the information systems that the financial information is contained within are well within the definition of material changes to these controls and can dramatically impact an accounting firm's financial condition. SOX was one of the first regulatory regimes to drive a significant adoption of SIEM technologies as companies sought to secure their ability to demonstrate adequate controls over their accounting data. AlienVault Professional SIEM contains built-in SOX reporting capabilities.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was intended to protect the health insurance coverage of workers when they changed employers (HIPAA Title I) and additionally created the requirement to provide a structure for managing the security of patient records and other medical data (HIPAA Title II). The Privacy Rule provision of HIPAA Title II came into effect in the spring of 2003, regulating and requiring disclosure of how organizations handle patient records, including medical records themselves as well as patient financial records. Protected Health Information (PHI) must be secured, and organizations must be able to demonstrate to auditors that they are capable of managing the security of their systems.

As Health Information Technology (HIT) efforts increase and automation at last spreads throughout healthcare providers in the United States, HIPAA compliance will become a much more common concern. Healthcare providers are today digitizing patient medical records at a historic and increasing pace, and industry-wide communications are emerging.
The need for management and monitoring of the transmission and handling of data as sensitive as individual medical and genetic information will without doubt drive increased demand for robust and sophisticated SIEM deployments throughout the medical community. AlienVault Professional SIEM contains built-in HIPAA/HIT reporting capabilities.
The Cybersecurity Act of 2009 (S.773) has, as of this writing, not yet passed into law. Whether or not it ultimately does become law, it does provide strong indications of future directions for the evolution of regulatory compliance in the information security world:

"Purpose: To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes."

Section 6 of S.773 specifically dwells on information security regulation, stating that the National Institute of Standards and Technology "shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks".

Of significant note as well in the Cybersecurity Act is subsection 6(d)(2), which "shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section."

In other words: "critical infrastructure" comes to mean what the President says it means, and there are strong indications throughout the Act that this will include networks critical to the functioning of the United States other than the traditional power and water control system networks. We leave it as an exercise for the reader to interpret that statement, but it is certainly an implication that economic, educational, health and many other systems may well fall under this or other future regulatory regimes.
Regulatory Compliance Detailed Example: AlienVault and PCI

The Payment Card Industry Data Security Standard (PCI DSS)

PCI emerged from VISA's earlier standards and is now maintained by the PCI Security Standards Council, an organization created by the major credit card brands in reaction to various highly publicized breaches of credit card information. The PCI DSS has prompted significant adoption of SIEM and other information security technologies and best practices for the simple reason that it has the type of teeth that strongly motivates business executives: financial. Failure to maintain PCI compliance can cost an organization on-going fines until compliance is reached and could result in an organization losing the ability to accept credit cards (which for most merchants is tantamount to a death sentence). If credit card holders' information is compromised, then the merchant organization could be held financially liable for the total losses and replacement costs for all parties involved, adding up potentially to many millions of dollars. PCI audits require the signature of a C-level executive, who bears personal responsibility for the accuracy of the compliance reports.

The DSS imposes a variety of requirements on Merchant organizations (organizations which handle credit card transactions) based on the number of transactions they handle each year:

Level 1 PCI Merchants are companies handling greater than six million credit card transactions per year.
Level 2 PCI Merchants are companies handling between one and six million transactions per year.
Level 3 PCI Merchants handle between twenty thousand and one million transactions per year.
Level 4 PCI Merchants handle less than twenty thousand transactions per year.

Level 4 merchants quite often outsource all of their credit card handling needs and can avoid incurring significant overhead due to PCI compliance. Level 1 Merchants will almost always need to perform significant diligence to comply with the PCI DSS.
The PCI DSS - While SIEM is not specifically mentioned in the PCI standard documentation, all of the twelve sections implicitly require the functionality provided by AlienVault Professional SIEM.

Section 1: Install and maintain a firewall configuration to protect cardholder data.
AlienVault Professional SIEM allows you to determine what traffic is using your network at layers 1-7 to assist with the creation and enforcement of firewall configurations.

Section 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
AlienVault Professional SIEM provides visibility into user login activity and detects the use of weak (unencrypted) logins.

Section 3: Protect cardholder data.
AlienVault Professional SIEM detects out-of-policy access to cardholder data and provides the reporting and response platform for such incidents.

Section 4: Encrypt transmission of cardholder data across open, public networks.
AlienVault Professional SIEM is able to detect unencrypted traffic leaving areas of the network containing cardholder data.

Section 5: Use and regularly update anti-virus software or programs.
AlienVault Professional SIEM deployed on PCI networks can enable prioritization of antivirus, can confirm that updates are propagating regularly and can integrate antivirus alerts into network monitoring and correlation. AlienVault's NAC capability can integrate with network infrastructure to enforce antivirus update levels on laptops, hosts and workstations.

Section 6: Develop and maintain secure systems and applications.
SIEM is a virtual requirement for maintaining secure systems, providing the monitoring and reporting platforms to verify consistently applied security. Every aspect of the AlienVault Professional SIEM is specifically designed to ensure the maintenance of secure systems and applications.

Section 7: Restrict access to cardholder data by business need to know.
Confirmation that access policy is applied is provided by the AlienVault Professional SIEM, which detects and records configuration changes to systems holding cardholder data and detects and records suspicious login attempts to these systems.

Section 8: Assign a unique ID to each person with computer access.
AlienVault Professional SIEM monitors user logins to all systems in the PCI domain, detecting non-standard login attempts and relating user IDs to originating IP and, in some cases, MAC addresses.

Section 9: Restrict physical access to cardholder data.
Areas that are controlled by card or biometric access can have these systems integrate with AlienVault Professional SIEM, providing confirmation of access by physical identification and correlation with events which occur on the information system before and after an individual physically accesses a controlled area.

Section 10: Track and monitor all access to network resources and cardholder data.
AlienVault Professional SIEM is designed specifically to track and monitor activities such as access to network resources and data stores. AlienVault Professional SIEM will by nature retain a complete audit trail of all access to all components in the PCI domain and provide the capability to alert on all out-of-policy access violations.

Section 11: Regularly test security systems and processes.
AlienVault Professional SIEM deployed in a PCI environment is an active and on-going test of the security of that information system. Constantly monitoring all aspects of the PCI domain and providing a central console to oversee and investigate the results of testing exercises, AlienVault Professional SIEM is the active testing center for PCI compliance.

Section 12: Maintain a policy that addresses information security for employees and contractors.
AlienVault Professional SIEM in a PCI environment provides an active representation of existing policies, a platform for detecting policy violations, and a platform for determining necessary policy changes.
For all aspects of PCI compliance, AlienVault Professional SIEM provides the reporting and forensics platform necessary both to demonstrate a given aspect of compliance and to investigate any incident that occurs on the network.

Conclusions

Regulatory compliance is only going to increase in coming years. The criticality of information systems to the safety of the individual, the organization and the state will drive a continuous raising of the bar in terms of the diligence that those managing information systems will be mandated to demonstrate. Performing and demonstrating the diligence required by regulatory regimes calls for the visibility embodied in SIEM technologies. The AlienVault Professional SIEM is specifically well suited to the task of regulatory compliance for organizations of all sizes.