Article published/updated by: Drew Brunson, Senior Information Security Consultant, Quadrant Information Security
Difficulty achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) often springs from parts of the standard that look fairly simple on first reading.
The requirement to track and monitor all access to network resources and to cardholder data does not, at first, seem complicated. Most companies already keep audit logs of some kind and give their employees user IDs and passwords. Often, however, actually meeting the specific requirements of the PCI DSS stretches budgets, staffing, and capabilities beyond what the company can handle.
Under Requirement 10, the company must implement audit trails, record information about specific events, use time synchronization, write audit logs to a central log management system, monitor file integrity of audit logs, review audit logs daily and retain the log information for at least a year.
Requirement 11 calls for monitoring of an Intrusion Prevention and/or Intrusion Detection System (IPS/IDS) and for making sure alerts reach the right people when needed.
Under Requirement 12, the company must ensure that information security event alerts are integrated into its incident response procedures.
How can your company make it all work? It is fairly easy to get any individual system – Windows, Linux, AIX, Cisco IOS – to record the required audit trail information, and most modern systems are easy to configure for time synchronization. Beyond that point, it begins to get difficult.
- Systems record log data in different formats – syslog, event log, SNMP trap, Cisco Netflow. Is there in-house expertise to configure each of them to forward data to a central log server?
- What about collecting relevant application data from public-facing servers such as web servers, DNS servers, and mail servers and moving it promptly and securely into an internal environment?
- In a retail environment, are you prepared to collect and protect the log data from your Point of Sale systems?
- If you store cardholder data, do your database administrators and system administrators have time to add the necessary responsibilities to their workloads?
- Where will you place and configure file integrity monitoring?
- Do you have the resources to monitor the logs daily, recognize threats, and respond?
- How much data will have to be stored to meet the retention requirements?
- Can you capture IPS/IDS alerts, evaluate them quickly, integrate them into your log workflow, and make sure critical staff is notified in a timely manner?
The real question for any company dealing with compliance requirements is “how can we minimize the impact of compliance on our core business processes and budget and still maximize the results?”
Quadrant Information Security and its Sagan Technology Security Information and Event Management (SIEM) system provide the answer to that question and make compliance with Requirements 10, 11, and 12 of the PCI Standard much easier to achieve.
Quadrant has the expertise to analyze your environment and implement our Sagan solution directly in it, configured to meet your exact needs. By placing one or more Sagan appliances in your environment, we remove the need for sensitive information to ever leave your control, and we have the expertise to bring audit information directly from your core systems into the Sagan engine, where it is dynamically evaluated. Our Security Operations Center (SOC) monitors this process 24/7/365, and alerts for anomalies and threats are generated both automatically and manually. Alerts can be tailored according to pre-defined levels: some may only be listed in a daily report, others sent by email to on-call personnel, and others may generate a phone call from our SOC to on-call staff and/or management to ensure immediate notification and response.
From a PCI requirement perspective, Quadrant helps your company address each of the sub-requirements of Requirement 10.
- 10.1 Inventory – We help you inventory your systems and ensure that all systems are generating the appropriate logs.
- 10.2 Event Reconstruction – We can help you “tune” the audit trails from each system to ensure that the information captured will allow the reconstruction of required security events.
- 10.3 Auditable Events – It's easy to miss recording certain events, and Quadrant can help you ensure and validate that each system is recording each of the events required by the PCI DSS.
- 10.4 Time Sync – Time synchronization is critical, and we help ensure that it is active and accurate.
- 10.5 Secure Log Environment – Our Quadrant appliance provides a secure environment for all systems capable of writing syslog, event log, SNMP trap, or Cisco Netflow events.
- 10.6 Review and Monitoring – Our Security Operations Center provides around-the-clock, real-time monitoring of auditable events, configurable according to your priorities.
- 10.7 Audit Retention – Our systems are configured to retain your log data for a minimum of 53 weeks, well within what the PCI DSS requires.
- 10.8 Policy & Process – While your company retains responsibility for the policy component of this sub-requirement, our processes for monitoring your network resources and cardholder data are documented and available to support compliance in this area.
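As an added illustration of two of the sub-requirements above (this is example code, not Quadrant's or Sagan's, and not part of the original article), the Python below checks a constructed archive of rotated daily audit logs in two ways: current file hashes against a manifest recorded at write time, which is the comparison that file integrity monitoring of audit logs (10.5) performs, and day-by-day coverage of the 53-week retention window (10.7). The file-name convention, the sample log lines and the manifest are assumptions constructed for the example.

```python
import hashlib
from datetime import date, timedelta

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: two rotated daily audit-log files (content is made up)
# plus the manifest of hashes recorded when each file was written; file
# integrity monitoring of audit logs (10.5) compares against this manifest.
SAMPLE_LOGS = {
    "auth-2023-12-30.log": b"Dec 30 03:14:07 pos01 sshd[412]: Accepted publickey for ops\n",
    "auth-2023-12-31.log": b"Dec 31 09:41:22 pos01 sudo: ops : COMMAND=/bin/ls\n",
}
MANIFEST = {name: sha256_hex(data) for name, data in SAMPLE_LOGS.items()}

def verify_integrity(logs: dict, manifest: dict) -> list:
    """Manifest entries whose file is missing or whose current hash differs
    from the recorded one. Any entry here means the audit trail was altered."""
    return sorted(name for name, expected in manifest.items()
                  if name not in logs or sha256_hex(logs[name]) != expected)

def log_date(name: str) -> date:
    """Date encoded in a rotated file name such as auth-2023-12-31.log."""
    return date.fromisoformat(name.split("-", 1)[1][:10])

def daily_names(today: date, days: int) -> list:
    """File names for the `days` days before `today` (today excluded)."""
    return ["auth-%s.log" % (today - timedelta(days=i)).isoformat()
            for i in range(1, days + 1)]

def retention_report(log_names, today: date, weeks: int = 53):
    """Check that a daily log exists for every day in the `weeks` weeks before
    `today` (10.7 retention). Today's file is still being written, so it is
    not required. Returns (complete, missing_days)."""
    have = {log_date(n) for n in log_names}
    start = today - timedelta(weeks=weeks)
    missing = [start + timedelta(days=i) for i in range((today - start).days)
               if start + timedelta(days=i) not in have]
    return (not missing, missing)

def demo():
    today = date(2024, 1, 1)
    names = daily_names(today, 53 * 7)       # constructed archive ...
    names.remove("auth-2023-06-15.log")      # ... with one day's log lost
    complete, missing = retention_report(names, today)
    tampered = dict(SAMPLE_LOGS)             # an appended line breaks 10.5
    tampered["auth-2023-12-31.log"] += b"Dec 31 09:41:23 pos01 sudo: ops : COMMAND=/bin/rm\n"
    return complete, missing, verify_integrity(tampered, MANIFEST)
```

Running `demo()` reports the archive as incomplete, names the one missing day, and flags the altered file; a real deployment would compute the manifest on the central log server, not on the host that produced the log.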
It also helps address parts of Requirements 11 and 12.
- 11.4 IDS/IPS – We can capture and evaluate the reports from your IDS/IPS system(s) and make sure alerts get sent when and where you need them.
- 11.5 Change Detection – Information from your change detection systems can also be captured and alerts generated for action.
- 12.10 Incident Response – All of the information, reports, and alerts that are collected and analyzed can easily be integrated into your incident response plan.
We are flexible in our ability to manage events from a diverse population of assets. Some of the systems we can manage include:
- Routers (Cisco, etc.)
- Managed network switches
- Firewalls (Sonicwall, Fortigate, etc.)
- IDS/IPS systems (Cisco, Fortigate, etc.)
- Linux and Unix systems (services, kernel messages, etc.)
- Windows-based networks (Event logs, etc.)
- Specific application events (web servers, Point of Sale)
- Wireless access points (Cisco, D-Link, etc.)
- Host-based IDS systems (HIDS) (AIDE, OSSEC, etc.)
- Detection of rogue devices on networks (via Arpalert, etc.)
Our Sagan Technology SIEM, combined with our Managed Security Services solution, provides real-time monitoring of your most valuable assets. Each event from an asset is written in real time to the Sagan appliance, and these entries are evaluated as they come in on the wire. Combined with its clean, easy-to-use security console, available to authorized users in your company, it is a proven solution. We use it in house to manage our 24/7 Managed IDS/IPS services for customers.
Sagan Technology lets us monitor a broad range of devices, services, and applications. For example, if your organization is a "Cisco shop" and you don't want to deploy Snort-based IDS/IPS sensors, it really doesn't matter to our staff: we can monitor the Cisco devices just as we would a Snort-based IDS/IPS solution.
With our security console, users can take advantage of a number of unique features to strengthen their company's security posture and remain within PCI DSS compliance. More specifically, we provide robust reporting tools that report specifically on PCI as well as on overall network activity. The Sagan console also provides log search, our reputation database, and threat intelligence.
We offer a FREE 21-day POC, so contact us to schedule a Sagan demo!