PCI DSS v3.2 AND BALABIT


Organizations involved in payment card processing, including those that store, process, or transmit credit cardholder data, are required by the credit card companies to implement the Payment Card Industry (PCI) Data Security Standard (DSS). PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. The content of this paper is based on PCI DSS 3.2, published in May. The purpose of this document is to give an overview of the Balabit solutions and of how they help you comply with PCI DSS. The document is recommended for security professionals responsible for compliance, such as risk and compliance managers, auditors, CISOs and other security managers.

Supporting PCI DSS compliance on two major fronts

- Secure log data with reliable collection, storage and centralized management.
- Authenticate, monitor and supervise high-profile users with access clearance to cardholder data.

Why is log management an essential investment?

Log messages provide important information about the events of the network, the devices, and the applications running on these devices. They document user and system activity and can be used to detect security incidents, operational problems and other issues such as policy violations, and they are useful in auditing and forensic situations. Collecting, storing and reviewing logs is explicitly required in Requirement 10 of PCI DSS, and log messages are also excellent tools for proving compliance with the standard's other requirements.

The syslog-ng product family

The syslog-ng product line consists of two variants: the software version (syslog-ng Premium Edition) and the appliance version (syslog-ng Store Box). They share a common set of features, and each has the distinctive features described below.

The syslog-ng Premium Edition (syslog-ng PE) application enables enterprises to collect, filter, normalize, forward, and store log messages from across their IT environment. Using syslog-ng PE, organizations can centralize and simplify their log management infrastructure to improve operations, gain visibility of security threats, and meet compliance requirements.

The syslog-ng Store Box (SSB) is a high-performance, high-reliability log management appliance that builds on the strengths of syslog-ng PE. With SSB, on top of the syslog-ng PE features, you are able to index log data, perform complex searches in its built-in GUI, secure sensitive information with granular access policies, generate reports to demonstrate compliance, and forward log data to third-party analysis tools.

The benefits of using syslog-ng to meet PCI DSS

Logs function as the primary source of information during a network or security event. Securing logs against alteration or loss is vital for guaranteeing their integrity and reliability. With the zero-message-loss features (disk-based buffering, client-side failover and application-level acknowledgment), logs are guaranteed to reach their destination without disruption or loss.

The integrity of logs is most vulnerable during storage and transfer. During transfer, encrypted channels are used; during storage, logs are compressed, indexed, encrypted, digitally signed, timestamped and converted into a binary format, making them accessible only to authorized personnel.

Real-time search and reporting is necessary for demonstrating compliance and providing evidence. It also gives better visibility of the managed log files, which appear in an arranged order within the SSB GUI, making audits and forensics much more efficient.

Why is privileged access management vital to address?

As privileged users are able to manage and operate on cardholder data, supervision is necessary to guarantee data integrity and to prevent malicious actions. Privileged access management allows you to oversee access to critical systems, monitor privileged user activities in real time, and generate reliable evidence of the actions performed in the form of session records.

Who are privileged users?

Privileged users are not limited to IT administrators. Privileged users have more authority and access to an information system than general users. They range from superusers who have all or almost all privileges on a system, to third-party providers with elevated privileges and senior employees who have accumulated privileges over time.

Shell Control Box

Shell Control Box (SCB) is a device that controls, monitors, and audits remote administrative access to servers. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from clients and servers. SCB records all administrative traffic into audit trails. The recorded audit trails can be replayed like a movie, recreating all actions of the privileged user. All audit trails can be indexed, enabling fast-forwarding during replay and searching for events and texts seen by the administrator. SCB has full control over SSH, RDP, Telnet, TN3270, Citrix ICA, and VNC connections, giving a framework for the work of the administrators.

The benefits of using Shell Control Box to meet PCI DSS

Compliance-wise, SCB functions as a safeguard and as a demonstrative tool, guaranteeing that no privileged user activity is performed unnoticed or unsupervised. SCB is a proxy-based, agentless, man-in-the-middle solution that sits between the client and the designated server. All connections to a critical server go through SCB for authentication. The 4-eyes authorization allows security specialists to monitor privileged users in real time during the entirety of the remote session, with the ability to terminate the connection in case of any policy violation. The recorded audit trails store the metadata of the sessions, including all executed commands. On playback, the records highlight crucial events, so less time is spent on reviewing. Session records act as a demonstration tool for compliance, policy enforcement and forensics.

PCI DSS structure

The policies and procedures described in PCI DSS v3.2 consist of six control objectives. Each objective comprises two to three major requirement groups, which are further divided into a number of security requirements.

I. Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
II. Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
III. Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
IV. Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
V. Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
VI. Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

How to achieve compliance with Balabit solutions?

The following sections describe the requirements of the Payment Card Industry Data Security Standard (based on PCI DSS version 3.2) and how Balabit can aid organizations in meeting their obligations. Each requirement is followed by the way syslog-ng (PE and SSB) and Shell Control Box support it.

Requirement 1.1.1: A formal process for approving and testing all network connections and changes to the firewall and router configurations.
syslog-ng: Creates a trusted path for logs from the firewalls to the log server, which provides tamper-proof, digitally signed, timestamped log storage, so there is an audit trail of every configuration change. Manages the life cycle of the audit logs, including collection, transfer, safe and secure storage, backup, archiving and cleanup. Searches the collected logs quickly using the web interface or the API.

Requirement: Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server.
syslog-ng: Flags logs from unknown programs on the host, right at the source of the message, and routes them differently or creates alerts based on them. Generates customized reports detailing server functions with SSB.
Shell Control Box: Allows you to oversee remote-access connections. Other applications cannot be installed on SCB.

Requirement: Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
syslog-ng: Logs from disabled services are filtered out of the normal log traffic to alert security analysts.

Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
Shell Control Box: Enforces encryption on remote access to servers, allowing remote connections to be fully auditable and reviewable. Supports a wide list of protocols: SSH, RDP, Citrix ICA, Telnet, VMware View, and VNC.

Requirement 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
Shell Control Box: Raises an alert about such events, or automatically terminates the connection of the user, before such information is displayed.

Requirement 3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures
syslog-ng: Rewrites any logs containing cardholder data to mask the numbers, optionally using strong, cryptographically secure hashing. Rewriting can be done right at the message source to make sure that the cardholder data never leaves the system. Logs are stored in an encrypted, time-stamped binary format to ensure data security. Only authorized users can access the decryption key.
Shell Control Box: The audit trails of SCB are encrypted using strong public-key cryptography, making any PAN displayed in the recorded audit trails accessible only to authorized personnel.

Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
- Only trusted keys and certificates are accepted.
- The protocol in use only supports secure versions or configurations.
- The encryption strength is appropriate for the encryption methodology in use.
syslog-ng: Applies TLS encryption between the clients and the log server to protect the integrity of the messages and to prevent third parties from accessing or modifying the communication. The communication between the client and the log server can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and to prevent attackers from injecting fake messages into the log files.

Requirement 5.2: Ensure that all anti-virus mechanisms are maintained as follows:
- Are kept current
- Perform periodic scans
- Generate audit logs which are retained per PCI DSS Requirement
syslog-ng: Collects logs from a wide variety of log sources, including anti-virus tools. Filters and parses log messages to generate custom reports based on relevant data.

Requirement 6.3: Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
- In accordance with PCI DSS (for example, secure authentication and logging)
- Based on industry standards and/or best practices
- Incorporating information security throughout the software development life cycle
syslog-ng: Collects logs directly from applications using various formats (plain text, JSON, RFC 3164, RFC 5424) and various methods (reading from file, UNIX domain sockets, TCP, fetching directly from SQL, and the built-in logging facilities of the operating systems). Allows developers and operators to monitor their custom applications for proper operation through its search interface and API. The PatternDB functionality allows you to write patterns for custom applications that identify security events.
Shell Control Box: Secures and controls access to remote applications. Real-time monitoring allows you to supervise all remote sessions performed on either internal or external applications.
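The source-side rewriting described under Requirements 3.3 and 3.4 above (truncation to the first six and last four digits, or a one-way hash of the entire PAN), as an added Python example that is not syslog-ng or Balabit code: it scans constructed log lines for Luhn-valid card numbers and replaces them before the line leaves the host, which is what a rewrite rule at the log source is for. The regular expression, the HMAC key and the sample lines are assumptions of this example; the card numbers are the publicly documented Visa and Mastercard test numbers.

```python
"""Redact primary account numbers (PANs) in log lines before they leave the host.

Added example, not Balabit/syslog-ng code: implements the two PCI DSS 3.4 options the
whitepaper names for logs, truncation (PCI DSS 3.3: first six / last four digits at most)
and a one-way keyed hash of the entire PAN, applied at the log source so cardholder data
never reaches the central log server. Regex, key and sample lines are assumptions.
"""
import hashlib
import hmac
import re
from typing import List, Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (avoids matching part of a longer number).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry;
    used to avoid redacting order ids or counters that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation per the 3.3 display rule: keep at most the first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way hash of the entire PAN (3.4) as HMAC-SHA-256 under a secret key.
    The key must live apart from the logs: an unkeyed hash of a 16-digit PAN can be
    inverted by enumerating the small PAN space."""
    return "PANHASH:" + hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def redact_line(line: str, mode: str = "truncate", key: Optional[bytes] = None) -> str:
    """Replace every Luhn-valid PAN candidate in one log line.

    mode="truncate" keeps first six / last four digits; mode="hash" replaces the PAN
    with a keyed hash (needs key). Candidates that fail Luhn are left untouched.
    """
    if mode == "hash" and key is None:
        raise ValueError("hash mode requires a key")

    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            return m.group(0)
        return hash_pan(digits, key) if mode == "hash" else truncate_pan(digits)

    return PAN_CANDIDATE.sub(repl, line)


def redact_all(lines: List[str], mode: str = "truncate", key: Optional[bytes] = None) -> List[str]:
    """Redact a batch of lines (what a source-side rewrite rule does per message)."""
    return [redact_line(line, mode, key) for line in lines]


# Constructed sample lines. The card numbers are the publicly documented Visa and
# Mastercard test numbers, not real cardholder data; the third line holds an order id
# that is 16 digits long but fails Luhn and must survive untouched.
SAMPLE_LINES = [
    "Mar 12 10:01:02 pos01 payment[4421]: auth ok card=4111111111111111 amount=19.99",
    "Mar 12 10:01:03 pos01 payment[4421]: retry card=5555 5555 5555 4444 amount=42.00",
    "Mar 12 10:01:04 pos01 orders[4410]: created order=1234567890123456 status=new",
]

if __name__ == "__main__":
    for out in redact_all(SAMPLE_LINES):
        print(out)
    for out in redact_all(SAMPLE_LINES, "hash", b"example-key-kept-off-the-log-server"):
        print(out)
```

The Luhn filter is what keeps the rewrite from mangling timestamps and order numbers; the keyed hash rather than a bare SHA-256 is what makes the 3.4 "one-way hash" option hold up against someone who can enumerate all 16-digit numbers with a valid checksum.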

Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic
syslog-ng: Collects and processes logs from a variety of security devices, including firewalls and IDSs. PatternDB allows you to create alerts for known attack patterns. The search capabilities are used to look for known attack patterns in the logs of these systems, automatically or manually.

Requirement 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.
- Restrict access to privileged user IDs to the least privileges necessary to perform job responsibilities.
- Assignment of privileges is based on individual personnel's job classification and function.
syslog-ng: Restricts access to logs using strong authentication and granular access policies. All log messages are encrypted using public-key encryption on the central log server in a so-called logstore file. A digital signature and a timestamp are also added to the log files.
Shell Control Box: Controls remote-access connections using a role-based access control model. Retrieves the group memberships of the users from LDAP databases and grants access to a connection or to a specific feature of a protocol based on these roles. The access rights of SCB are entirely based on ACLs and group memberships. It is highly customizable and compatible with an LDAP database.

Requirement 7.2: Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
Shell Control Box: Restricts access to the remote servers and applications to users who are members of selected LDAP or Active Directory user groups, or who are specifically listed in a user list. It is also possible to restrict access based on the IP address of the client. Controls access to the channels of the administrative protocol: for example, it can disable access to the shared drives when accessing Windows Terminal Servers, or enable port-forwarding in SSH connections only for selected users.

Requirement 8.1: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
Requirement 8.1.1: Assign all users a unique ID before allowing them to access system components or cardholder data.
syslog-ng: Pairs successful login and logout logs to create session events, which facilitates tracking user access, using the PatternDB feature. Generates custom reports showing access to system components. Connects usernames to an AD or LDAP database. Applies strong authentication to ensure accountability for those accessing logs potentially containing cardholder data.
Shell Control Box: Authenticates your users using their own, unique user ID even when they are accessing shared accounts, such as administrator or root. Stores login credentials locally in SCB to simplify the use of shared accounts and the management of account changes. SCB allows authentication via a password management system.

Requirement 8.1.3: Immediately revoke access for any terminated users.
Shell Control Box: When authenticating users against your central LDAP database, SCB denies the access of the user as soon as their privileges or relevant group memberships are revoked. Access to shared accounts or devices that cannot authenticate the user to LDAP is also denied immediately.

Requirement: Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
- Enabled only during the time period needed and disabled when not in use.
- Monitored when in use.
Shell Control Box: Creates Time Policies that enable a client to access the protected servers only during the specified time frame, for example the scheduled maintenance hours. Connections coming from clients outside maintenance hours are automatically disabled. Oversees and controls what an individual does on the system with the 4-eyes authorization, where the user can access the system only if authorized by someone operating SCB. The feature allows the session to be observed in real time, or later in the Audit Player application. In the event of any misuse or harmful activity, the session can be terminated on the fly.

Requirement: Limit repeated access attempts by locking out the user ID after not more than six attempts.
Shell Control Box: Generates an alert based on failed login attempts. Prolongs the login period after each failed attempt.

Requirement: If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
Shell Control Box: Automatically terminates sessions that do not generate network traffic for a specified period.

Requirement 8.2: In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric
Shell Control Box: Centrally authenticates the audited connections to a central LDAP or RADIUS server. Enforces the use of strong authentication methods, including passwords, public keys or certificates, and smart cards. SCB can be integrated with third-party password vaults and credential stores.
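The login/logout pairing mentioned under Requirement 8.1.1 and the failed-attempt alerting mentioned under the lockout sub-requirement above, as an added Python example that is not Balabit or PatternDB code: it applies PatternDB-style message patterns to constructed OpenSSH log lines, pairs each accepted login with the next session close for that user into a session record, and raises an alert when a user ID reaches six failures within a time window. The patterns, host, user names, addresses and the year supplied for the year-less BSD-syslog timestamps are assumptions of this example.

```python
"""Correlate authentication log lines into session events and failed-login alerts.

Added example, not Balabit/syslog-ng PatternDB code: a stand-in for the PatternDB
correlation the whitepaper describes. It pairs login and logout messages into session
records (accountability for 10.1/10.2) and alerts when a user ID reaches six failed
attempts within a window (the lockout threshold). Patterns, hosts, users, addresses
and the year supplied for year-less BSD timestamps are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH server lines in BSD-syslog (RFC 3164) format; nothing here is real.
SAMPLE_LOG = """\
Mar 12 09:58:10 db01 sshd[2201]: Accepted publickey for alice from 10.0.1.20 port 50122 ssh2
Mar 12 09:58:10 db01 sshd[2201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 12 10:02:41 db01 sshd[2315]: Failed password for bob from 10.0.9.7 port 40011 ssh2
Mar 12 10:02:44 db01 sshd[2315]: Failed password for bob from 10.0.9.7 port 40011 ssh2
Mar 12 10:02:47 db01 sshd[2316]: Failed password for bob from 10.0.9.7 port 40012 ssh2
Mar 12 10:02:50 db01 sshd[2316]: Failed password for bob from 10.0.9.7 port 40012 ssh2
Mar 12 10:02:53 db01 sshd[2317]: Failed password for bob from 10.0.9.7 port 40013 ssh2
Mar 12 10:02:56 db01 sshd[2317]: Failed password for bob from 10.0.9.7 port 40013 ssh2
Mar 12 10:15:03 db01 sshd[2201]: pam_unix(sshd:session): session closed for user alice
"""

SYSLOG_HEAD = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ")
# PatternDB-style message patterns; the named groups become the event's fields.
PATTERNS = {
    "login": re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"),
    "failed": re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"),
    "logout": re.compile(r"session closed for user (?P<user>\S+)"),
}


def parse_event(line, year=2017):
    """Return (timestamp, host, kind, user, src) or None for lines no pattern classifies."""
    head = SYSLOG_HEAD.match(line)
    if not head:
        return None
    ts = datetime.strptime(f"{year} {head['ts']}", "%Y %b %d %H:%M:%S")
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return ts, head["host"], kind, m["user"], m.groupdict().get("src")
    return None


def correlate(log_text, year=2017, max_failures=6, window=timedelta(minutes=30)):
    """Build session records from login/logout pairs and alerts from repeated failures.

    Logins are queued per user and matched first-in, first-out with the next logout for
    that user; the failure queue per user only keeps attempts inside `window`.
    Returns (sessions, alerts) as lists of dicts.
    """
    open_logins = defaultdict(deque)      # user -> queue of (login_ts, host, src)
    recent_failures = defaultdict(deque)  # user -> timestamps of failures in window
    sessions, alerts = [], []
    for line in log_text.splitlines():
        ev = parse_event(line, year)
        if ev is None:
            continue
        ts, host, kind, user, src = ev
        if kind == "login":
            open_logins[user].append((ts, host, src))
        elif kind == "logout" and open_logins[user]:
            start, host, src = open_logins[user].popleft()
            sessions.append({"user": user, "host": host, "src": src,
                             "start": start.isoformat(), "end": ts.isoformat(),
                             "duration_s": int((ts - start).total_seconds())})
        elif kind == "failed":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) == max_failures:   # fire once, when the threshold is reached
                alerts.append({"user": user, "host": host, "src": src,
                               "failures": len(q), "at": ts.isoformat()})
    return sessions, alerts


if __name__ == "__main__":
    found_sessions, found_alerts = correlate(SAMPLE_LOG)
    for s in found_sessions:
        print("session", s)
    for a in found_alerts:
        print("ALERT", a)
```

The session record carries the source address and the duration, which is what a reviewer needs to tie a shared account back to a person and a workstation; the sliding window on failures is what distinguishes a lockout condition from six mistyped passwords spread over a month.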

Requirement 8.2.1: Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
Shell Control Box: Supports LDAPS encryption, as well as strong authentication methods in the audited connections.

Requirement: Passwords/phrases must meet the following:
- Require a minimum length of at least seven characters
- Contain both numeric and alphabetic characters
Requirement: Change user passwords/passphrases at least every 90 days.
Shell Control Box: Uses password policies to enforce minimal password strength and expiry.

Requirement 8.3: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
Shell Control Box: Controls and audits remote access connections. Authenticates the users independently of the accessed server, and supports strong authentication methods such as public-key authentication, X.509 certificates, and authentication against RADIUS and LDAP databases. Users can be required to authenticate on the SCB web interface to access a connection, providing a protocol-independent, out-of-band authentication method. Integrates with third-party multi-factor authentication tools via an open API.

Requirement 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
- Generic user IDs are disabled or removed.
- Shared user IDs do not exist for system administration and other critical functions.
- Shared and generic user IDs are not used to administer any system components.
Shell Control Box: Prohibits the use of generic user IDs, but can also link generic and shared user IDs to the actual, unique user ID of the user accessing the shared account. SCB can also be configured to authenticate on the audited device or server without the user actually knowing the required credentials.

Requirement 8.7: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
- All user access to, user queries of, and user actions on databases are through programmatic methods.
- Only database administrators have the ability to directly access or query databases.
- Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
Shell Control Box: Controls and audits the remote access of administrators to the protected servers. Provides control over the most common applications and protocols used in remote server administration, including SSH, RDP, VNC, VMware View, WTS, HTTP, and Citrix. Acts as a central authentication gateway between client and host. All remote administrative connections to applications are recorded in the form of audit trails.

Requirement 10.1: Implement audit trails to link all access to system components to each individual user.
syslog-ng: Collects and stores logs for such audit trails. Using the PatternDB feature, logs can be filtered based on content, including special events such as logins by privileged users and access to log data.
Shell Control Box: Records sessions as an audit trail and indexes the contents of the audit trails. The contents of the audit trails can be searched from the web interface.

Requirement 10.2: Implement automated audit trails for all system components to reconstruct the following events:
- All individual user accesses to cardholder data
- All actions taken by any individual with root or administrative privileges
syslog-ng: Collects and stores logs for such audit trails. Using the PatternDB feature, logs can be filtered based on content, including special events such as logins by privileged users and access to log data.
Shell Control Box: Controls and audits the remote access of administrators to the protected servers. The recorded audit trails can be replayed in a movie-like fashion to review the events exactly as they occurred. Every action of the administrators is visible in the audit trail. SCB automatically processes and indexes the contents of the audit trails, allowing you to search for specific commands used or texts displayed in the connections. SCB can create custom reports based on the recorded sessions.

Requirement 10.2 (continued): Access to all audit trails
syslog-ng: Collects and stores logs for such audit trails. Using the PatternDB feature, logs can be filtered based on content, including special events such as logins by privileged users and access to log data.
Shell Control Box: Stored audit trails are accessible only by authorized personnel. Downloading audit trails is logged. The audit trails are encrypted with a single key or with multiple encryption keys. When encrypted with multiple keys, the audit trail can be viewed only if every required decryption key is available.

Requirement 10.2 (continued): Invalid logical access attempts
syslog-ng: Collects and stores logs for such audit trails. Using the PatternDB feature, logs can be filtered based on content, including special events such as logins by privileged users and access to log data.
Shell Control Box: Automatically logs all access attempts to remote servers or to specific protocol channels that were denied.

Requirement 10.2 (continued): Initialization, stopping, or pausing of the audit logs
Shell Control Box: It is a transparent device, independent from the clients and the audited servers. The users of the remote servers do not need to have accounts on SCB; only users with explicit access to SCB can control the auditing.

Requirement 10.2 (continued): Creation and deletion of system-level objects
Shell Control Box: For its own configuration changes, SCB maintains a detailed changelog, and can require the administrators to describe the reasons for the modification.

Requirement 10.3: Record at least the following audit trail entries for all system components for each event:
- User identification
- Type of event
- Date and time
- Success or failure indication
- Origination of event
- Identity or name of affected data, system component, or resource
syslog-ng: Provides macros and message-rewriting capabilities to reformat and normalize the messages in order to convert them to a common format. With SSB, events can be investigated in their context using the intuitive search interface.
Shell Control Box: Records all the listed data, as well as other metadata, about users accessing the protected servers using the supported protocols. Requires the users to authenticate on SCB using their normal usernames, making it possible to tie the connections that use generic usernames to real accounts.

Requirement 10.4: Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time:
- Critical systems have the correct and consistent time
- Time data is protected
- Time settings are received from industry-accepted time sources
syslog-ng: Converts the timestamps to a single format specified in the ISO 8601 standard. Automatically labels received log messages with the date and time. Timestamps log messages using a third-party TSA. Synchronizes its system clock to NTP servers.
Shell Control Box: Automatically synchronizes its system clock to a remote time server, so the audit trails contain accurate time information.

Requirement 10.5: Secure audit trails so they cannot be altered.
syslog-ng: Encrypts all log messages using public-key encryption on the central log server in a logstore file. Digitally signs the files, and requests timestamps for the stored data from an external TSA.
Shell Control Box: All audit trails are digitally signed and encrypted using public-key encryption. The encryption can use multiple encryption keys as well. The audit trails can be timestamped using a local or an external TSA.

Requirement: Limit viewing of audit trails to those with a job-related need.
syslog-ng: SSB is configured to prevent unauthorized external access and to make sure it acts as a secure log storage. Encrypted log messages are visible only if the user has the required encryption key. Restricts access to logs using strong authentication and granular access policies. Access to the logs can also be tied to group memberships, based on information from an AD or other LDAP server.
Shell Control Box: Audit trails can only be downloaded by users who have the required clearance. Applies multiple encryption keys for audit trails. The upstream traffic of the communication can be encrypted separately, and is displayed only if the additional encryption key is available.

Requirement: Protect audit trail files from unauthorized modifications.
syslog-ng: Stores logs in an encrypted, timestamped, digitally signed, binary format to prevent modifications. The integrity of the messages is checked when they are transmitted from the client to the log server. The communication between the clients and the log server can be mutually authenticated using X.509 certificates.
Shell Control Box: The audit trails are stored on the SCB appliance, which is physically independent from the audited servers. The audit trails are encrypted, timestamped, and signed to prevent any modification. They can be accessed directly only by authorized personnel.
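The timestamp normalization under Requirement 10.4 and the signed, timestamped, modification-proof storage under Requirement 10.5 above, as an added Python example that is not syslog-ng, SSB or Balabit code: it rewrites BSD-syslog timestamps to ISO 8601, links each stored record to the previous one by hash, seals the chain head with a key held by the log server, and shows verification failing after one field is altered or a record is dropped. The product uses public-key signatures and an external time-stamping authority; this example substitutes an HMAC key and a caller-supplied receive time so it runs offline, and the sample lines, key and timestamps are constructed.

```python
"""Tamper-evident log storage: ISO 8601 timestamp normalization plus a sealed hash chain.

Added example, not syslog-ng/SSB or Balabit code: a stand-in for the signed, timestamped
logstore the whitepaper describes for 10.4/10.5. The product uses public-key signatures
and an external time-stamping authority (TSA); this example seals the chain with an HMAC
key held by the log server and uses the receive time it is given, so it runs offline.
Sample lines, key and timestamps are constructed.
"""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

BSD_TS = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<rest>.*)$")
GENESIS = "0" * 64   # 'previous digest' of the first record


def to_iso8601(line, year=2017, tz=timezone.utc):
    """Rewrite a BSD-syslog header time ('Mar 12 10:01:02 host ...') into ISO 8601 with an
    explicit offset, the single format the store keeps (10.4: consistent time)."""
    m = BSD_TS.match(line)
    if not m:
        return line
    dt = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=tz).isoformat() + " " + m["rest"]


def _digest(body):
    """Canonical JSON of the record body, hashed with SHA-256."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_record(chain, message, received):
    """Append one message. Each record carries the digest of the previous record, so a
    modified, inserted or deleted record breaks every link after it."""
    body = {"seq": len(chain), "received": received, "msg": message,
            "prev": chain[-1]["digest"] if chain else GENESIS}
    chain.append({**body, "digest": _digest(body)})
    return chain


def seal(chain, key):
    """Sign the chain head (stand-in for the public-key signature plus TSA token)."""
    head = chain[-1]["digest"] if chain else GENESIS
    return {"head": head, "count": len(chain),
            "sig": hmac.new(key, head.encode(), hashlib.sha256).hexdigest()}


def verify(chain, token, key):
    """Recompute every digest and check the sealed head; returns (ok, reason)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, f"chain broken at record {i}"
        body = {k: rec[k] for k in ("seq", "received", "msg", "prev")}
        if rec["digest"] != _digest(body):
            return False, f"record {i} modified"
        prev = rec["digest"]
    if len(chain) != token["count"] or prev != token["head"]:
        return False, "records added or removed after sealing"
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "seal signature invalid"
    return True, "ok"


def demo():
    """Seal two normalized records, then alter one field and show verification fail."""
    key = b"example-log-server-hmac-key"   # constructed; keep real keys in a keystore
    raw = ["Mar 12 10:01:02 pos01 payment[4421]: auth ok amount=19.99",
           "Mar 12 10:01:05 db01 sshd[2201]: Accepted publickey for alice from 10.0.1.20 port 50122 ssh2"]
    chain = []
    for i, line in enumerate(raw):
        append_record(chain, to_iso8601(line), f"2017-03-12T10:01:{10 + i:02d}+00:00")
    token = seal(chain, key)
    tampered = [dict(r) for r in chain]
    tampered[0]["msg"] = tampered[0]["msg"].replace("19.99", "1.99")
    return verify(chain, token, key), verify(tampered, token, key)


if __name__ == "__main__":
    print(demo())
```

The point of sealing only the head is that one signature (or one TSA token) covers the whole file: an auditor verifies the chain back to the genesis value and needs neither a signature per line nor trust in the server that now holds the file.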

Requirement: Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
syslog-ng: Functions as a centralized log collector and server that securely stores the log messages in encrypted and digitally signed log files to prevent modifications, and handles the entire log life cycle, including archiving and backup. Supports TCP encryption, application-level acknowledgement via the Reliable Log Transfer Protocol (RLTP) and disk-based buffering.
Shell Control Box: Extracts information from the network connection between the client and the user. Allows you to generate a backup of each recorded session that can be stored either locally or on a remote hard drive. Allows prompt archiving of the recorded audit trails.

Requirement: Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
syslog-ng: Pushes log messages from external-facing technologies such as wireless, firewalls, DNS, and mail servers to a centralized log server in real time.
Shell Control Box: Supports both the legacy BSD-syslog and the latest IETF-syslog protocols, and can send the log messages to the log server via mutually authenticated and TLS-encrypted connections.

Requirement 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity.
- Review the following at least daily: all security events; logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD; logs of all critical system components; logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
- Review logs of all other system components periodically, based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment
- Follow up exceptions and anomalies identified during the review process
syslog-ng: Ensures that no messages are lost in the collection and transfer of logs to the central log server, using application-level acknowledgment with the Reliable Log Transfer Protocol (RLTP). Parses and filters the content of the log messages. Generates alerts based on the extracted data. Creates reports and statistics to help you focus on the important logs during a review. Supports a wide variety of output formats, making it straightforward to integrate with third-party solutions. The search interface allows you to perform regular manual reviews, supported by a fast indexing engine, with the possibility to create ad-hoc charts and timelines. The search API allows you to create scripted queries and to integrate with analysis tools.
Shell Control Box: Automatically generates daily reports about the audited connections. Automatically indexes the contents of the recorded audit trails, making it possible to search for specific commands used or texts displayed in both terminal-based and graphical connections. Automated searches can be defined for specific keywords and search queries, and their results included in custom reports. The content of the audited traffic can be forwarded to an external IDS/DLP. As for its own logs, SCB can send them to a remote log server or SIEM using encrypted connections. This greatly increases the effectiveness of regular reviews, as well as of forensic investigations. Reviewing the sessions of privileged users in a movie-like fashion can also significantly decrease the time needed to determine exactly what happened on the server.

13 Stored log messages can be compressed and filtered into different containers to save disk space. The logstore keeps log data immediately available for review. Messages can be automatically archived to external storage. Archived messages are still encrypted, but remain available in the web interface. NFS and SMB protocols are supported for more storage space or to utilize existing 3rd party storage solutions. The search functionality was designed to handle terabytes of data.

10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

Extracts information from the network connection between the client and the user. Allows generating a back-up of each recorded session that can be stored either locally or on a remote hard drive. Allows prompt archiving of the recorded audit trails.

Activation of remote access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.

The connection policies of SCB can be easily enabled and disabled as needed. When using the 4-eyes authorization principle, every session of a connection policy must be authorized individually, with the possibility of monitoring the work of the user in real time. It is also possible to limit access to a connection to specific times of the day or week.

For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.

Controls remote access connections on the channel level. SCB can fully audit SCP and SFTP file transfers, records every file operation, and can store a copy of the transferred files in the audit trail.

Monitor and control all access to data.

Controls and audits access to remote servers independently from the users and the server administrators, allowing the creation of a separate auditor layer above system administrators.
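The 10.7 retention tiers described above (at least one year retained, at least three months immediately available), as an added Python check that is not Balabit code: given an inventory of audit-trail dates and the storage tier each one lives in, it flags recent trails that exist only in the archive, days inside the retention window with no trail at all, and trails old enough to be considered for disposal under local policy. The inventory, the tier names, the reference date and the two deliberate defects in the sample are constructed.

```python
"""Audit-trail retention check in the spirit of PCI DSS 10.7 (added example, not
Balabit code). Thresholds, tier names, reference date and inventory are hypothetical."""
from datetime import date, timedelta

ONLINE_DAYS = 90        # "minimum of three months immediately available"
RETENTION_DAYS = 365    # "at least one year"
REFERENCE_DAY = date(2023, 5, 10)  # constructed "today" for the sample run


def check_retention(inventory, today):
    """inventory: iterable of (date, tier) pairs, tier being 'online' or 'archive'."""
    tiers_by_day = {}
    for day, tier in inventory:
        tiers_by_day.setdefault(day, set()).add(tier)

    online_cutoff = today - timedelta(days=ONLINE_DAYS)
    retention_cutoff = today - timedelta(days=RETENTION_DAYS)

    # (1) A trail from the last ONLINE_DAYS that exists only in the archive tier
    #     violates the "immediately available" minimum.
    not_online = sorted(day for day, tiers in tiers_by_day.items()
                        if day > online_cutoff and "online" not in tiers)
    # (2) A day inside the retention window with no trail at all is a gap: that
    #     day's history could not be reconstructed during an investigation.
    gaps = [retention_cutoff + timedelta(days=n)
            for n in range(RETENTION_DAYS + 1)
            if retention_cutoff + timedelta(days=n) not in tiers_by_day]
    # (3) Older than the window: disposal candidates, subject to any legal hold.
    disposal = sorted(day for day in tiers_by_day if day < retention_cutoff)

    return {
        "not_online": [d.isoformat() for d in not_online],
        "gaps": [d.isoformat() for d in gaps],
        "disposal_candidates": [d.isoformat() for d in disposal],
        "compliant": not not_online and not gaps,
    }


def constructed_inventory(today, defects=True):
    """Hypothetical inventory: one trail per day for ~400 days. With defects=True
    two problems are planted: day 45 exists only in the archive, day 200 is missing."""
    inv = []
    for n in range(401):
        if defects and n == 200:
            continue
        day = today - timedelta(days=n)
        archived_only = defects and n == 45
        tier = "archive" if (archived_only or n >= ONLINE_DAYS) else "online"
        inv.append((day, tier))
    return inv


def run_check(today=REFERENCE_DAY, defects=True):
    return check_retention(constructed_inventory(today, defects), today)


if __name__ == "__main__":
    result = run_check()
    print("compliant:", result["compliant"])
    print("recent trails not online:", result["not_online"])
    print("days without any trail:", result["gaps"])
    print("trails past retention window:", len(result["disposal_candidates"]))
```

Run against a real inventory, the date of each trail would come from the trail's own metadata and the tier from where it is actually stored; the check then gives an auditor three concrete lists instead of a verbal assurance that "logs are kept for a year".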

14 A.1.1: Restrict each entity's access and privileges to its own cardholder data environment only.

Ensures that remote users can access only the servers that they are allowed to, and can also audit the remote access for several protocols. Providers can also use SCB to grant every entity access to its own audit trails. Collects and stores different log variants in separate log spaces. With the use of filtered log spaces, only relevant data will be visible upon processing.

A.1.3: Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10.

Placed centrally into the provider's infrastructure, and can be configured to automatically collect audit trails for every remote access. SCB collects the audit trail of every session into separate files, and can organize them based on the parameters of the connection, thus ensuring that only the related entity has access to the audit trails. Encryption of the audit trails increases the security even more: only personnel with the required decryption keys can open and replay the audit trails.

A.1.4: Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.

Instant access to the recorded audit trails. Indexing the audit trails makes it possible to perform free-form searches on the contents of every audit trail, including the commands used in terminal connections, or any text displayed by the server in terminal or graphical connections. Movie-like audit trails also allow more efficient review and forensics.

15 Conclusion

Organizations tasked with managing and handling credit card information must undertake the PCI DSS requirements in order to establish a high level of security and, at the same time, possess a demonstration capability for audit purposes. Balabit aims to aid organizations on two major fronts when it comes to cardholder data: reliably managing logs, and supervising privileged users with clearance to cardholder data. Securing these fronts allows organizations to have oversight of all actions performed on cardholder data in real time. Balabit also focuses strongly on real-time prevention and capture of APT attacks. This is achieved by combining our existing portfolio with the latest addition to the Balabit product family, Blindspotter, a privileged user behavior analytics solution that compares the current behavior of an individual with the behavior learned so far. This method allows pinpointing and terminating sessions executed with hijacked accounts or by malicious insiders.

About Balabit

Balabit is a leading provider of contextual security technologies with the mission of preventing data breaches without constraining business. Balabit's Contextual Security Intelligence platform protects organizations in real time from threats posed by the misuse of high-risk and privileged accounts. Solutions include reliable system and application Log Management with context-enriched data ingestion, Privileged User Monitoring and User Behavior Analytics. Founded in 2000, Balabit has a proven track record, with 23 Fortune 100 customers and more than 1,000,000 corporate users worldwide. To learn more about commercial and open source Balabit products, request an evaluation version or find a reseller, visit the following links:

The syslog-ng homepage:
The Shell Control Box homepage:
The Blindspotter homepage:
Product manuals, guides, and other documentation:
Find a reseller:


More information

PCI DSS 3.2 Responsibility Summary

PCI DSS 3.2 Responsibility Summary PCI DSS 3.2 Responsibility Summary July 2018 BACKGROUND & PURPOSE The security of cardholder data and how it is displayed, transmitted, stored or otherwise used by Neto and Merchants is of utmost importance.

More information

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control

More information

Juniper Vendor Security Requirements

Juniper Vendor Security Requirements Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks

More information

Forwarding log messages to Splunk from syslog-ng

Forwarding log messages to Splunk from syslog-ng Forwarding log messages to from How to configure PE to cooperate with March 08, 2017 Table of Contents 1. Preface... 03 2. Use Case One Collecting Logs from Network Devices... 04 3. Use Case Two Feeding

More information

Dynamic Datacenter Security Solidex, November 2009

Dynamic Datacenter Security Solidex, November 2009 Dynamic Datacenter Security Solidex, November 2009 Deep Security: Securing the New Server Cloud Virtualized Physical Servers in the open Servers virtual and in motion Servers under attack 2 11/9/09 2 Dynamic

More information

Security in the Privileged Remote Access Appliance

Security in the Privileged Remote Access Appliance Security in the Privileged Remote Access Appliance 2003-2018 BeyondTrust, Inc. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust, Inc. Other trademarks are the property

More information

File Transfer and the GDPR

File Transfer and the GDPR General Data Protection Regulation Article 32 (2): In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from

More information

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere. HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD Automated PCI compliance anytime, anywhere. THE PROBLEM Online commercial transactions will hit an estimated

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity Kaspersky Enterprise Cybersecurity Kaspersky Endpoint Security v3.2 Mapping 3.2 regulates many technical security requirements and settings for systems operating with credit card data. Sub-points 1.4,

More information

PCI Compliance Assessment Module with Inspector

PCI Compliance Assessment Module with Inspector Quick Start Guide PCI Compliance Assessment Module with Inspector Instructions to Perform a PCI Compliance Assessment Performing a PCI Compliance Assessment (with Inspector) 2 PCI Compliance Assessment

More information

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90 PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90 Revision history Revision Date Author Comments 0.1 2013-10-04 Robert Hansson Created 1.0 2014-01-14 Robert Hansson Review

More information

Point PA-DSS. Implementation Guide. Banksys Yomani VeriFone & PAX VPFIPA0201

Point PA-DSS. Implementation Guide. Banksys Yomani VeriFone & PAX VPFIPA0201 Point PA-DSS Implementation Guide Banksys Yomani 1.04 VeriFone & PAX VPFIPA0201 Implementation Guide Contents 1 Revision history 1 2 Introduction 2 3 Document use 2 3.1 Important notes 2 4 Summary of requirements

More information

PCI Compliance Whitepaper

PCI Compliance Whitepaper PCI Compliance Whitepaper Publication date: February 25 th, 2008 Copyright 2006-2008, LINOMA SOFTWARE LINOMA SOFTWARE is a division of LINOMA GROUP, Inc. Table of Contents Introduction...3 Crypto Complete

More information

AuricVault R Service PCI DSS 3.2 Responsibility Matrix

AuricVault R Service PCI DSS 3.2 Responsibility Matrix AuricVault R Service PCI DSS 3.2 Responsibility Matrix 15 September 2017 Compliance confirmed and details available in the Attestation of Compliance (AoC). A copy of the AoC is available upon request.

More information

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Privileged Account Security: A Balanced Approach to Securing Unix Environments Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged

More information

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 DFARS 252.204-7012 Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 As with most government documents, one often leads to another. And that s the case with DFARS 252.204-7012.

More information