PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
Upcoming SlideShare
Loading in...5
×
 

PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting

on

  • 575 views

If you're like most IT practitioners, you are busy. You have a million things to do and preparing the reports needed to prove PCI DSS compliance requires time you just don't have. It doesn't have to ...

If you're like most IT practitioners, you are busy. You have a million things to do and preparing the reports needed to prove PCI DSS compliance requires time you just don't have. It doesn't have to be so hard. Join compliance experts from Terra Verde Services and AlienVault for this practical session on how to take the pain out of PCI DSS reporting.
You'll learn:
The key reporting requirements of the PCI DSS standard
The security technologies you need to collect the required data
How AlienVault USM can generate these reports in minutes, not days
How to use your audit reports to improve security on an on-going basis

Statistics

Views

Total Views
575
Views on SlideShare
553
Embed Views
22

Actions

Likes
2
Downloads
35
Comments
0

4 Embeds 22

http://mangastorytelling.tistory.com 12
https://twitter.com 8
http://www.hanrss.com 1
https://www.linkedin.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Need to add their photos

PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting Presentation Transcript

  • @AlienVault PCI DSS Reporting Requirements for People Who Hate PCI Reporting
  • @AlienVault@AlienVault2 Meet today’s presenters Introductions Patrick Bedwell VP, Product Marketing AlienVault Brian Saenz SOC Supervisor Terra Verde Hoyt Kesterson Senior Security Architect & QSA Terra Verde
  • @AlienVault@AlienVault Key reporting requirements of the PCI DSS standard Security technologies needed to collect the required data How AlienVault USM generates these reports in minutes, not days How to use your audit reports to improve security on an on-going basis Agenda
  • @AlienVault@AlienVault Key reporting requirements of the PCI DSS standard
  • @AlienVault
  • @AlienVault Make an audit trail—follow the user 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. 10.2 Implement automated audit trails for all system components to reconstruct the following events: • 10.2.2 All actions taken by any individual with root or administrative privileges • 10.2.4 Invalid logical access attempts • 10.2.5 Use of identification and authentication mechanisms • 10.2.7 Creation and deletion of system level objects
  • @AlienVault Make an audit trail—and protect it 10.2.3 Verify that access to all audit trails is logged. 10.2.6 Verify that initialization of audit logs is logged. 10.5.1 Verify that only individuals who have a job-related need can view audit trail files. 10.5.2 Verify that current audit trail files are protected from unauthorized modifications 10.5.5 Verify the use of file-integrity monitoring or change-detection software for logs
  • @AlienVault Stuff to record 10.3.1 User identification 10.3.2 Type of event 10.3.3 Date and time • Time must be synchronized across all systems—10.4 10.3.4 Success or failure indication 10.3.5 Origination of event 10.3.6 Identity or name of affected data, system component, or resource.
  • @AlienVault Log Records
  • @AlienVault Gather ye log records while ye may 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter. 10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN. 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
  • @AlienVault
  • @AlienVault Gaze upon your log records 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). This is tough for a human to do. It’s been compared to drinking from a fire hose. Acquire a Security Information and Event Management tool and/or service. Its purpose is to continually analyze log records across all the systems. If it detects anomalous behavior, it will send a signal to someone.
  • @AlienVault@AlienVault
  • @AlienVault Pay attention to the bat signal 12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel. That’s it—there’s no requirement to have a documented process to handle the alert. 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. How does an alert become an incident?
  • @AlienVault Oh No! Not Another Version!
  • @AlienVault Version 3.0 Three year development cycle Available for compliance in 2014 Mandatory for compliance beginning 2015
  • @AlienVault Pay better attention to the bat signal The PCI Security Standards Council is concerned that logs are used more for forensics after an attack instead of detecting and blocking the attack. They wanted to improve the “slow detection of compromise”. Version 3 of the PCI Data Security Standard provides more guidance on log reviews. New sub-requirement 10.6.3.a requires that procedures are defined for following up on exceptions and anomalies identified during the review process. New sub-requirement 11.5.1 requires the implementation of a process to respond to any alerts generated by the change-detection mechanism Revised sub-requirements 12.5.2–3 requires that • responsibilities are assigned for monitoring and analyzing security alerts and for informing the people responding to those alerts; and that the, • responsibility for establishing, documenting, and distributing the procedures to handle those alerts are also assigned.
  • @AlienVault One more thing about logging AlienVault USM can only operate on the log records provided. 10.2.1 [Implement automated audit trails for all system components to reconstruct] All individual accesses to cardholder data User access to cardholder data (CHD) is typically implemented as follows: • User is authenticated • User’s request is processed by one or more intermediate applications. • These applications are well known, e.g. WebLogic, bespoke, or legacy. • Those applications send commands, typically SQL, to access the database and potentially CHD. Each of these components must generate log records that link the identity of the user to the specific CHD accessed.
  • @AlienVault Looking for bad stuff Look for unauthorized wireless access points • 11.1.d If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to personnel. 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network … • 11.2.1 Perform quarterly internal vulnerability scans. • 11.2.1.c [The scan must be] performed by a qualified internal resource(s) or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
  • @AlienVault What you need from a SIEM You need to be told if a critical event has been detected. You need reports to help manage the environment. You need reports to be provided as evidence to an auditor.
  • @AlienVault@AlienVault Security technologies needed to collect the required data
  • @AlienVault@AlienVault What functionality do I need for PCI DSS?
  • @AlienVault@AlienVault Identify systems & applications What functionality do I need for PCI DSS?
  • @AlienVault@AlienVault Identify systems & applications Document vulnerable assets What functionality do I need for PCI DSS?
  • @AlienVault@AlienVault Identify systems & applications Document vulnerable assets Find threats on your network What functionality do I need for PCI DSS?
  • @AlienVault@AlienVault Identify systems & applications Document vulnerable assets Find threats on your network Look for unusual behavior What functionality do I need for PCI DSS?
  • @AlienVault@AlienVault Correlate the data & respond Identify systems & applications Document vulnerable assets Find threats on your network Look for unusual behavior What functionality do I need for PCI DSS?
  • @AlienVault@AlienVault The AlienVault approach
  • @AlienVault@AlienVault Asset Discovery • Active Network Scanning • Passive Network Scanning • Host-based Software Inventory The AlienVault approach
  • @AlienVault@AlienVault Asset Discovery • Active Network Scanning • Passive Network Scanning • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing • Remediation Verification The AlienVault approach
  • @AlienVault@AlienVault Asset Discovery • Active Network Scanning • Passive Network Scanning • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing • Remediation Verification Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring The AlienVault approach
  • @AlienVault@AlienVault Asset Discovery • Active Network Scanning • Passive Network Scanning • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing • Remediation Verification Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring The AlienVault approach
  • @AlienVault@AlienVault Asset Discovery • Active Network Scanning • Passive Network Scanning • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing • Remediation Verification Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Security Intelligence • SIEM Event Correlation • Incident Response The AlienVault approach
  • @AlienVault@AlienVault AlienVault Server to aggregate data and manage the deployment AlienVault Sensor to collect data from the infrastructure AlienVault Logger for long term storage and reporting AlienVault All-in-One to collect, aggregate, and store data as well as manage Three components
  • @AlienVault@AlienVault Three components, three form factors AlienVault Server to aggregate data and manage the deployment AlienVault Sensor to collect data from the infrastructure AMIVirtual AppliancePhysical Appliance AlienVault Logger for long term storage and reporting AlienVault All-in-One to collect, aggregate, and store data as well as manage
  • @AlienVault@AlienVault Integrated threat intelligence 36 • Free Tools • OSSIM • USM
  • @AlienVault@AlienVault AlienVault Labs threat intelligence Coordinated analysis, actionable guidance  Weekly updates to coordinated rule sets:  Network IDS  Host IDS  Asset discovery / inventory database  Vulnerability database  Event correlation  Report modules and templates  Incident response templates / “how to” guidance for each alarm  Plug-ins to accommodate new data sources
  • @AlienVault@AlienVault Unified Security Management in action
  • @AlienVault@AlienVault How AlienVault USM generates these reports in minutes, not days
  • @AlienVault Log correlation is critical Log correlation is about constructing rules that look for sequences and patterns in log events that are not visible in the individual log sources. System logs don’t say “Help! I’m being broken into with a compromised account!” • They say “Successful Login from Authenticated User” They describe analysis patterns that would require human interpretation otherwise, tied together by Logical Operators. • “IF a new user IS created on the domain AND a new change control ticket IS NOT created in the change control database”
  • @AlienVault Why You Need Log Correlation It monitors incoming logs for logical sequences, patterns and values to identify events that are invisible to individual systems. Log correlation: • Performs analysis that would otherwise be done by repetitive human analysis. • Identify things happening that are unusual for your business processes. • Provide more context and certainty as to what is happening on your infrastructure by comparing events from multiple sources • Prioritize investigation and analysis work by filtering log events into meaningful alerts and reports
  • @AlienVault Different, Everybody is the Same Log correlation allows for the creation of alerts that represent what is important to your business processes and security risks. Done correctly, Log Correlation is the difference between reacting to:  “POSSIBLE-EXPLOIT: mssql improperly formed packet headers” Or  “User In Accounting Department seen logging into Financial Database from a workstation in Customer Support Department”
  • @AlienVault@AlienVault Quickly create groups of assets • E.g., in-scope devices Enables, fast, easy analysis • Run vulnerability scans against this host group • Create reports only for hosts belonging to the host group. • Review all alarms, events, other data just for that group Power of groups
  • @AlienVault@AlienVault How to use your reporting to demonstrate PCI DSS compliance
  • @AlienVault@AlienVault Reports are easily configured and customized. Key is mapping signatures to requirements. Using views to limit what you want to see then create reporting modules. Insert and group reporting modules together to build a report with the information you require. Easily automate and schedule reports. Reports
  • @AlienVault@AlienVault AlienVault allows you to quickly generate a report to track actions taken by AlienVault Web interface users. Provides accountability. Value extends out of PCI such as when investigating sources of activity. AlienVault User Activity Report – PCI 10.2.3
  • @AlienVault@AlienVault AlienVault User Activity Report – PCI 10.2.3
  • @AlienVault@AlienVault AlienVault User Activity Report – PCI 10.2.3
  • @AlienVault@AlienVault PCI requirement of 1 year of log retention. Report will show aggregate count of total logs per month for 365 days as bar graph. Allows for quick review of compliance. New configuration allows for log expiration. AlienVault Log Retention - PCI 10.7.b
  • @AlienVault@AlienVault AlienVault Log Retention - PCI 10.7.b
  • @AlienVault@AlienVault AlienVault Log Retention - PCI 10.7.b
  • @AlienVault@AlienVault Mapping requirements to modules is key. One module per requirement to demonstrate compliance. Can combine modules together to create one report with pertinent information. Access Control Report - PCI 10.2.X
  • @AlienVault@AlienVault Access Control Report - PCI 10.2.X
  • @AlienVault@AlienVault Access Control Report - PCI 10.2.X
  • @AlienVault@AlienVault Easy to follow, available in different formats. Preference of PDF versus Excel. Must have run at least one scan or imported a previous scan. Vulnerability Scanning Report 11.X
  • @AlienVault@AlienVault Vulnerability Scanning Report 11.X
  • @AlienVault@AlienVault Vulnerability Scanning Report 11.X
  • @AlienVault@AlienVault Vulnerability Scanning Report 11.X
  • @AlienVault@AlienVault View date and time, host, what was changed, and statistics such as size and hash values. Easy to set up with OSSEC. OSSEC FIM - PCI 10.5.5
  • @AlienVault@AlienVault OSSEC FIM - PCI 10.5.5
  • @AlienVault@AlienVault OSSEC FIM - PCI 10.5.5
  • @AlienVault@AlienVault Schedule reports and send to email. Full report will be attached. Scheduling Reports
  • @AlienVault@AlienVault Scheduling Reports
  • @AlienVault@AlienVault In summary The evidence the QSA wants What to give the QSA Logs are held for one year Report showing 12 months of log counts Modifications of, access to, and actions on, logs are restricted and reported AlienVault User Activity report of recent authentications and actions is example Recorded events—who had access to CHD, login success or failure, privileged access, creation or deletion of system objects, User account enabled or created, Windows Logon Failure and Success, Log file size reduced, User account enabled or created, FIM as examples Each record shows who did what to what, when, was successful or not Show any log record like Access Control Report to demonstrate compliance Logs reviewed daily with events reported Show example of automated alert that triggers investigation
  • @AlienVault@AlienVault
  • @AlienVault@AlienVault Now for some Q&A… Test Drive AlienVault USM Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo Site http://www.alienvault.com/live-demo-site