PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting

@AlienVault
PCI DSS Reporting Requirements for
People Who Hate PCI Reporting

@AlienVault@AlienVault2
Meet today’s presenters
Introductions
Patrick Bedwell
VP, Product Marketing
AlienVault
Brian Saenz
SOC Supervisor
Terra Verde
Hoyt Kesterson
Senior Security Architect & QSA
Terra Verde

@AlienVault@AlienVault
Key reporting requirements of the PCI DSS standard
Security technologies needed to collect the required
data
How AlienVault USM generates these reports in
minutes, not days
How to use your audit reports to improve security on
an on-going basis
Agenda

Key reporting requirements of
the PCI DSS standard

@AlienVault
Make an audit trail—follow the user
10.1 Establish a process for linking all access to system components
(especially access done with administrative privileges such as root)
to each individual user.
10.2 Implement automated audit trails for all system components to
reconstruct the following events:
• 10.2.2 All actions taken by any individual with root or administrative
privileges
• 10.2.4 Invalid logical access attempts
• 10.2.5 Use of identification and authentication mechanisms
• 10.2.7 Creation and deletion of system level objects

@AlienVault
Make an audit trail—and protect it
10.2.3 Verify that access to all audit trails is logged.
10.2.6 Verify that initialization of audit logs is logged.
10.5.1 Verify that only individuals who have a job-related
need can view audit trail files.
10.5.2 Verify that current audit trail files are protected
from unauthorized modifications
10.5.5 Verify the use of file-integrity monitoring or
change-detection software for logs

@AlienVault
Stuff to record
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
• Time must be synchronized across all systems—10.4
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system
component, or resource.

@AlienVault
Gather ye log records while ye may
10.5.3 Promptly back up audit trail files to a centralized
log server or media that is difficult to alter.
10.5.4 Write logs for external-facing technologies onto a
log server on the internal LAN.
10.7 Retain audit trail history for at least one year, with a
minimum of three months immediately available for
analysis.

@AlienVault
Gaze upon your log records
10.6 Review logs for all system components at least daily. Log reviews
must include those servers that perform security functions like
intrusion-detection system (IDS) and authentication, authorization, and
accounting protocol (AAA) servers (for example, RADIUS).
This is tough for a human to do. It’s been compared to drinking from
a fire hose.
Acquire a Security Information and Event Management tool and/or
service.
Its purpose is to continually analyze log records across all the systems.
If it detects anomalous behavior, it will send a signal to someone.

@AlienVault
Pay attention to the bat signal
12.5.2 Monitor and analyze security alerts and information, and
distribute to appropriate personnel.
That’s it—there’s no requirement to have a documented process to
handle the alert.
12.5.3 Establish, document, and distribute security incident
response and escalation procedures to ensure timely and effective
handling of all situations.
How does an alert become an incident?

@AlienVault
Oh No!
Not Another
Version!

@AlienVault
Version 3.0
Three year development cycle
Available for compliance in 2014
Mandatory for compliance beginning 2015

@AlienVault
Pay better attention to the bat signal
The PCI Security Standards Council is concerned that logs are used more for
forensics after an attack instead of detecting and blocking the attack.
They wanted to improve the “slow detection of compromise”.
Version 3 of the PCI Data Security Standard provides more guidance on log reviews.
New sub-requirement 10.6.3.a requires that procedures are defined for following up
on exceptions and anomalies identified during the review process.
New sub-requirement 11.5.1 requires the implementation of a process to respond to
any alerts generated by the change-detection mechanism
Revised sub-requirements 12.5.2–3 requires that
• responsibilities are assigned for monitoring and analyzing security alerts and for
informing the people responding to those alerts; and that the,
• responsibility for establishing, documenting, and distributing the procedures to
handle those alerts are also assigned.

@AlienVault
One more thing about logging
AlienVault USM can only operate on the log records provided.
10.2.1 [Implement automated audit trails for all system components to
reconstruct] All individual accesses to cardholder data
User access to cardholder data (CHD) is typically implemented as follows:
• User is authenticated
• User’s request is processed by one or more intermediate applications.
• These applications are well known, e.g. WebLogic, bespoke, or legacy.
• Those applications send commands, typically SQL, to access the
database and potentially CHD.
Each of these components must generate log records that link the identity of
the user to the specific CHD accessed.

@AlienVault
Looking for bad stuff
Look for unauthorized wireless access points
• 11.1.d If automated monitoring is utilized (for example, wireless IDS/IPS,
NAC, etc.), verify the configuration will generate alerts to personnel.
11.2 Run internal and external network vulnerability scans at least quarterly
and after any significant change in the network …
• 11.2.1 Perform quarterly internal vulnerability scans.
• 11.2.1.c [The scan must be] performed by a qualified internal resource(s)
or qualified external third party, and if applicable, organizational
independence of the tester exists (not required to be a QSA or ASV).

@AlienVault
What you need from a SIEM
You need to be told if a critical event has been detected.
You need reports to help manage the environment.
You need reports to be provided as evidence to an auditor.

Security technologies needed
to collect the required data

What
functionality
do I need for
PCI DSS?

Identify
systems &
applications
What
functionality
do I need for
PCI DSS?

Identify
systems &
applications
Document
vulnerable
assets
What
functionality
do I need for
PCI DSS?

Identify
systems &
applications
Document
vulnerable
assets
Find threats on
your network
What
functionality
do I need for
PCI DSS?

Identify
systems &
applications
Document
vulnerable
assets
Find threats on
your network
Look for
unusual
behavior
What
functionality
do I need for
PCI DSS?

Correlate
the data &
respond
Identify
systems &
applications
Document
vulnerable
assets
Find threats on
your network
Look for
unusual
behavior
What
functionality
do I need for
PCI DSS?

The AlienVault approach

Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Host-based Software
Inventory

Asset Discovery
Inventory
Vulnerability
Assessment
• Network Vulnerability Testing
• Remediation Verification

Asset Discovery
Inventory
Vulnerability
Assessment
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

Asset Discovery
Inventory
Vulnerability
Assessment
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

Asset Discovery
Inventory
Vulnerability
Assessment
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Event Correlation
• Incident Response

AlienVault Server to
aggregate data and
manage the
deployment
AlienVault Sensor to
collect data from the
infrastructure
AlienVault
Logger for long
term storage and
reporting
AlienVault All-in-One
to collect, aggregate,
and store data as well
as manage
Three components

Three components, three form factors
AlienVault Server to
aggregate data and
manage the
deployment
AlienVault Sensor to
collect data from the
infrastructure
AMIVirtual AppliancePhysical Appliance
AlienVault
Logger for long
term storage and
reporting
AlienVault All-in-One
to collect, aggregate,
and store data as well
as manage

Integrated threat intelligence
36
• Free Tools
• OSSIM
• USM

AlienVault Labs threat intelligence
Coordinated analysis, actionable guidance
 Weekly updates to coordinated rule sets:
 Network IDS
 Host IDS
 Asset discovery / inventory database
 Vulnerability database
 Event correlation
 Report modules and templates
 Incident response templates / “how to” guidance for each alarm
 Plug-ins to accommodate new data sources

Unified Security Management in action

How AlienVault USM generates
these reports in minutes, not days

@AlienVault
Log correlation is critical
Log correlation is about constructing rules that look for sequences and
patterns in log events that are not visible in the individual log sources.
System logs don’t say “Help! I’m being broken into with a compromised
account!”
• They say “Successful Login from Authenticated User”
They describe analysis patterns that would require human interpretation
otherwise, tied together by Logical Operators.
• “IF a new user IS created on the domain AND a new change control ticket IS
NOT created in the change control database”

@AlienVault
Why You Need Log Correlation
It monitors incoming logs for logical sequences, patterns and values to identify
events that are invisible to individual systems.
Log correlation:
• Performs analysis that would otherwise be done by repetitive human analysis.
• Identify things happening that are unusual for your business processes.
• Provide more context and certainty as to what is happening on your infrastructure by
comparing events from multiple sources
• Prioritize investigation and analysis work by filtering log events into meaningful alerts
and reports

@AlienVault
Different, Everybody is the Same
Log correlation allows for the creation of alerts that represent what is
important to your business processes and security risks.
Done correctly, Log Correlation is the difference between reacting to:
 “POSSIBLE-EXPLOIT: mssql improperly formed packet headers”
Or
 “User In Accounting Department seen logging into Financial Database from a
workstation in Customer Support Department”

Quickly create groups of assets
• E.g., in-scope devices
Enables, fast, easy analysis
• Run vulnerability scans
against this host group
• Create reports only for hosts
belonging to the host group.
• Review all alarms, events,
other data just for that group
Power of groups

How to use your reporting to
demonstrate PCI DSS compliance

Reports are easily configured and customized.
Key is mapping signatures to requirements.
Using views to limit what you want to see then create
reporting modules.
Insert and group reporting modules together to build a
report with the information you require.
Easily automate and schedule reports.
Reports

AlienVault allows you to quickly generate a report to
track actions taken by AlienVault Web interface users.
Provides accountability.
Value extends out of PCI such as when investigating
sources of activity.
AlienVault User Activity Report – PCI 10.2.3

AlienVault User Activity Report – PCI 10.2.3

PCI requirement of 1 year of log retention.
Report will show aggregate count of total logs per
month for 365 days as bar graph.
Allows for quick review of compliance.
New configuration allows for log expiration.
AlienVault Log Retention - PCI 10.7.b

AlienVault Log Retention - PCI 10.7.b

Mapping requirements to modules is key.
One module per requirement to demonstrate compliance.
Can combine modules together to create one report with
pertinent information.
Access Control Report - PCI 10.2.X

Access Control Report - PCI 10.2.X

Easy to follow, available in different formats.
Preference of PDF versus Excel.
Must have run at least one scan or imported a
previous scan.
Vulnerability Scanning Report 11.X

Vulnerability Scanning Report 11.X

View date and time, host, what was changed, and
statistics such as size and hash values.
Easy to set up with OSSEC.
OSSEC FIM - PCI 10.5.5

OSSEC FIM - PCI 10.5.5

Schedule reports and send to email.
Full report will be attached.
Scheduling Reports

Scheduling Reports

In summary
The evidence the QSA wants What to give the QSA
Logs are held for one year Report showing 12 months of log counts
Modifications of, access to, and actions
on, logs are restricted and reported
AlienVault User Activity report of recent
authentications and actions is example
Recorded events—who had access to
CHD, login success or failure, privileged
access, creation or deletion of system
objects,
User account enabled or created,
Windows Logon Failure and Success,
Log file size reduced, User account
enabled or created, FIM as examples
Each record shows who did what to what,
when, was successful or not
Show any log record like Access Control
Report to demonstrate compliance
Logs reviewed daily with events reported Show example of automated alert that
triggers investigation

Now for some Q&A…
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site

PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting

More Related Content

What's hot (20)

Viewers also liked (18)

Similar to PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting (20)

More from AlienVault (20)

Recently uploaded (20)

PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting

Editor's Notes