Article published by: Drew Brunson, Senior Information Security Consultant, Quadrant Information Security
For anyone tasked with ensuring compliance with the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS), one requirement often causes unexpected difficulty, if only because of the variety of systems involved.
Requirement 10 of the PCI DSS requires companies to track and monitor all access to network resources and to cardholder data. On the surface that seems pretty easy. Implement audit trails, record information about specific events, use time synchronization, write audit logs to a central log management system, monitor file integrity of audit logs, review audit logs daily and retain the log information for at least a year.
But how can your company make it all work? It is fairly easy to get any individual system – Windows, Linux, AIX, Cisco IOS – to record the required audit trail information, and most modern systems are easy to configure for time synchronization. That is the easy part; everything after it is where the difficulty begins.
The challenges to meeting PCI compliance requirements are significant and can have both technical and financial impact.
- Systems record log data in different formats – syslog, event log, SNMP trap, Cisco Netflow. Does existing in-house expertise cover configuring each of them to forward its data to a central log server?
- What about collecting relevant application data and moving it from public servers such as Web Servers, DNS Servers, and Mail Servers promptly and securely into an internal environment?
- In a retail environment, are you prepared to collect and protect the log data from your Point of Sale systems?
- If you store cardholder data, do your Database Administrators and system administrators have time to add the necessary responsibilities to their workloads?
- Where will you place and configure file integrity monitoring?
- Do you have the resources to monitor the logs daily, recognize threats, and respond?
- How much data will have to be stored to meet the retention requirements?
The real question for any company dealing with compliance requirements is “how can we minimize the impact of compliance on our core business processes and budget and still maximize the results?”
Quadrant Information Security and its Sagan Technology Security Information and Event Management (SIEM) system provide the answer to that question and make compliance with Requirement 10 of the PCI DSS easy to achieve.
Quadrant has the expertise to analyze your environment and implement our Sagan solution directly into it, configured to meet your exact needs. By placing our Sagan appliance, or multiple appliances, in your environment, we remove the need for sensitive information to ever leave your control, and we have the expertise to bring audit information directly from your core systems and integrate it into the Sagan engine, where it is dynamically evaluated. Our Security Operations Center (SOC) monitors this process 24/7/365, and alerts for anomalies and threats are generated both automatically and manually. Alerts can be tailored according to pre-defined levels: some may only be listed in a daily report, others sent by email to on-call personnel, and others may generate a phone call from our SOC to on-call staff and/or management to ensure immediate notification and response.
From a PCI requirement perspective, Quadrant helps your company address each of the sub-requirements of Requirement 10.
10.1 Inventory – We help you inventory your systems and ensure that all systems are generating the appropriate logs.
10.2 Event Reconstruction – We can help you “tune” the audit trails from each system to ensure that the information captured will allow the reconstruction of required security events.
10.3 Auditable Events – It’s easy to miss recording certain events and Quadrant can help you ensure and validate that each system is recording each of the events required by the PCI DSS.
10.4 Time Sync – Time synchronization is critical to Quadrant and we help ensure that time synchronization is active and accurate.
10.5 Secure Log Environment – Our Quadrant appliance provides a secure environment for all systems capable of writing syslog, event log, SNMP trap, or Cisco Netflow events.
10.6 Review and Monitoring – Our Security Operations Center provides around-the-clock, real-time monitoring of the auditable events, configurable according to your priorities.
10.7 Audit Retention – Our systems are configured to retain your log data for a minimum of 53 weeks, well within the PCI DSS requirement.
10.8 Policy & Process – While your company retains responsibility for the policy component of this sub-requirement, our processes for monitoring your network resources and cardholder data are documented and available in compliance with this area.
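Two of the controls above, file-integrity monitoring of the audit logs (10.5) and retention of at least a year (10.7, 53 weeks in the text), can be checked with a few lines of code. The example below is added here for illustration and is not Quadrant or Sagan code; it assumes a flat archive of daily syslog files named `syslog-YYYY-MM-DD.log`, builds a SHA-256 manifest as the integrity baseline, and reports any file that changed since the baseline was taken.

```python
import hashlib
import os
import tempfile
from datetime import date, timedelta

RETENTION_WEEKS = 53  # minimum retention the article states for 10.7


def hash_manifest(log_dir):
    """Return {relative_path: sha256} for every file under log_dir (the FIM baseline for 10.5)."""
    manifest = {}
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, log_dir)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def integrity_changes(baseline, current):
    """Files modified, deleted or added since the baseline manifest was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def retention_ok(manifest, today, weeks=RETENTION_WEEKS):
    """True if the archive (assumed file names syslog-YYYY-MM-DD.log) reaches back at least `weeks`."""
    dates = []
    for path in manifest:
        stem = os.path.basename(path).removeprefix("syslog-").removesuffix(".log")
        try:
            dates.append(date.fromisoformat(stem))
        except ValueError:  # not an archive file; ignore it
            continue
    return bool(dates) and (today - min(dates)) >= timedelta(weeks=weeks)


def demo():
    """Constructed archive: one file per week for 60 weeks, then today's file is altered."""
    today = date(2024, 1, 1)
    with tempfile.TemporaryDirectory() as d:
        for i in range(60):
            day = today - timedelta(weeks=i)
            with open(os.path.join(d, f"syslog-{day.isoformat()}.log"), "w") as fh:
                fh.write(f"{day} sshd: accepted publickey for admin\n")  # constructed log line
        baseline = hash_manifest(d)
        ok_before = retention_ok(baseline, today)
        with open(os.path.join(d, f"syslog-{today.isoformat()}.log"), "a") as fh:
            fh.write("tampered\n")
        changes = integrity_changes(baseline, hash_manifest(d))
    return ok_before, changes
```

In practice the baseline manifest must itself be stored somewhere the log-writing hosts cannot modify (the central log server or the appliance), otherwise an intruder who can alter the logs can also alter the baseline.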
We are flexible in our ability to manage events from a diverse population of assets. Some of the systems we can manage include:
- Routers (Cisco, etc.)
- Managed network switches
- Firewalls (Sonicwall, Fortigate, etc.)
- IDS/IPS systems (Cisco, Fortigate, etc.)
- Linux and Unix systems (services, kernel messages, etc.)
- Windows-based networks (Event logs, etc.)
- Specified Application events (Webservers, Point of Sale)
- Wireless access points (Cisco, D-Link, etc.)
- Host-based IDS systems (HIDS) (AIDE, OSSEC, etc.)
- Detection of rogue devices on networks (via Arpalert, etc.)
Our Sagan Technology SIEM, combined with our Managed Security Services solution, provides real-time monitoring of your most valuable assets. Each event from an asset is written in real time to the Sagan appliance, and these entries are evaluated as they come in on the wire. Combined with its clean and easy-to-use security console, available to authorized users in your company, it is a proven solution. We use the solution in-house to manage our 24/7 Managed IDS / IPS services for customers.
Sagan Technology lets us monitor a broad range of devices, services and applications. For example, if your organization is a “Cisco shop” and you don’t want to deploy Snort-based IDS/IPS sensors, it really doesn’t matter to our staff: we can monitor the Cisco devices just as we would a Snort-based IDS/IPS solution.
With our security console, users can take advantage of a number of unique features to strengthen their company’s security posture and remain within PCI DSS compliance. More specifically, we provide robust reporting tools that report on PCI specifically as well as on overall network activity. The Sagan console also provides log search functionality, our reputation database and threat intelligence.
Learn more about our Sagan Technology and our people + product approach to managed SIEM.
We offer a FREE 21 day POC, so contact us to schedule a Sagan demo!