WHITE PAPER. Achieve PCI Compliance and Protect Against Data Breaches with LightCyber

Transcription

1 WHITE PAPER Achieve PCI Compliance and Protect

2 LightCyber Magna Validated for PCI DSS Requirement #11.4 Executive Summary LightCyber engaged HALOCK Security Labs, a PCI Qualified Security Assessor (QSA), to evaluate whether the LightCyber Magna Behavioral Attack Detection platform met the intrusion detection requirements in the Payment Card Industry Data Security Standard (PCI DSS). This paper describes the PCI requirements for intrusion detection and compares signature and behavior-based intrusion detection solutions. It describes HALOCK s PCI testing methodology and reveals the results of HALOCK s assessment of LightCyber Magna for intrusion detection. It also explains how LightCyber Magna pinpoints network intrusions with a high level of accuracy and a low number of security alerts. Read this paper to learn how to satisfy PCI requirement 11.4 and stop active attackers using LightCyber Magna. PCI DSS Compliance Requirements The five leading payment brands Visa, MasterCard, American Express, Discover, and JCB developed the PCI standard to bolster the security of cardholder data. The PCI standard consists of twelve high-level requirements and hundreds of subrequirements that organizations must address to lower the risk of credit card fraud and data loss. To document compliance, organizations must engage a PCI-certified QSA or complete a self-assessment questionnaire, depending on how many credit card transactions they process. While PCI compliance can seem daunting at first, organizations that focus on developing a robust security strategy that includes a combination of proactive defenses and continuous monitoring, will achieve PCI compliance and be able to demonstrate to partners, customers, and their board of directors that they are secure. PCI DSS Compliance Requirements PCI requirement 11 governs how organizations test their security systems and processes. It consists of over a dozen sub-requirements, including requirement 11.4, which requires organizations to Use intrusion-detection and/or intrusionprevention techniques to detect and/or prevent intrusions into the network. According to the testing procedures and guidance of the PCI standard, the intrusion detection or prevention system must: Be deployed at the perimeter and at all critical points in the cardholder data environment Compare traffic with known signatures or behaviors of thousands of compromise types such as hacker tools, Trojans, and other malware Send alerts or stop an attempted attack as it happens The PCI standard also states that security defenses, including engines, signatures, and baselines, should be up-to-date. To be PCI compliant, organizations must deploy an intrusion detection or prevention system. These systems can be signaturebased or behavioral-based. Achieve PCI Compliance and Protect 2

3 Signature vs. Behavioral-based Intrusion Detection There are two main types of intrusion detection: signature-based and behavioral-based. While these two types of intrusion detection can incorporate elements of one another, they differ in some important ways. By understanding the features and the advantages of both approaches to intrusion detection, organizations can decide which type of solution to deploy at different points in their network. Signature-based intrusion detection inspects network traffic for known attack patterns, such as operating system exploits and known actions performed by malware. Most intrusion detection signatures require inspecting packet contents for specific attack strings or patterns. Signature-based solutions are ideally suited for identifying known threats or virtually patching vulnerable systems. For example, a signature-based intrusion prevention system (IPS) can block attempts to exploit a known WordPress vulnerability, virtually patching the WordPress application until a patch can be installed. In addition, signature-based solutions can detect endpoint exploits, such as a malicious iframe in a web page. Signature-based solutions often focus on stopping initial intrusions, not on detecting the later stages of an attack such as lateral movement or data exfiltration. Behavior-based intrusion detection uses machine learning techniques to profile user and device activity and learn expected behavior. It augments network monitoring with agentless endpoint interrogation to determine which executables and system files are commonly installed and which are rare and potentially suspicious in a particular network. By monitoring both network traffic and endpoints, it discovers behavioral anomalies generated by attackers and malware that have circumvented signature-based solutions. Behavior-based intrusion detection can spot all stages of an attack, but it is best suited for finding post-intrusion activity, such as reconnaissance and lateral movement. In addition, behavior-based systems can detect zero-day attacks for which no signature exists and are impervious to simple, signature evasion techniques. Behavioral-based detection also uncovers malicious or unintentional insider activity that can put credit card data and personally identifying information at risk. Achieve PCI Compliance and Protect 3

4 Comparison of Signature and Behavior-based Intrusion Detection Yes Partial No Capability Behavior-based Intrusion Detection Signature-based Intrusion Detection Attack Detections Application or System Exploit Command & Control No behavior-based checks Reconnaissance Basic static thresholds Lateral Movement Malware-only Data Exfiltration Endpoint Interrogation Reliability and Accuracy Can detect zero-day attacks Can detect attacks without decrypting traffic Resilient to signature evasion Accuracy based on percentage of alerts reviewed or resolved 43% of all alerts 99% of confirmed alerts 4%* of security alerts, including alerts from IDS, IPS, firewall, and advanced threat protection Deployment Operation Non-inline IDS: non-inline IPS: inline Placement Internal, between users and servers IDS: Internal, between users & servers IPS: Perimeter, between local users and the Internet or between external users and Internet-facing servers ** Incident Response Log, , and syslog alerts Remediation Third-party integration with NAC, firewall and orchestration systems; malicious file termination IPS: Block attacks IDS: Optional third-party integration; TCP resets * The Cost of Malware Containment, Ponemon Institute, 2015 ** Placement of intrusion detection and prevention may vary. Achieve PCI Compliance and Protect 4

5 LightCyber Magna Behavioral Attack Detection The LightCyber Magna platform empowers organizations to stop targeted attacks, insider abuse, and malware. Using patentpending Behavioral Attack Detection technology, Magna learns the expected network behaviors of users and devices, and detects the anomalous attack behaviors that are exceptions from that learned behavioral baseline. When Magna detects an attack, it also interrogates the endpoint, identifies the source process that generated the suspicious activity, and determines whether the process is malware or riskware. Full Coverage of the Cyber Kill Chain The LightCyber Magna platform empowers organizations to stop targeted attacks, insider abuse, and malware. Using patentpending Behavioral Attack Detection technology, Magna learns the expected network behaviors of users and devices, and detects the anomalous attack behaviors that are exceptions from that learned behavioral baseline. When Magna detects an attack, it also interrogates the endpoint, identifies the source process that generated the suspicious activity, and determines whether the process is malware or riskware. Command and Control: Spot repeated access to rarely accessed sites, tunneled connections, domain generation algorithms, and access to known and unknown C&C servers Reconnaissance: Look for network scans, connection failures, and darknet scans Lateral Movement: Uncover new admin behavior, credential misuse, and credential scraping Data Exfiltration: Detect irregular, large, and suspicious data transfers Malware: Interrogate endpoints to find malware, riskware, and suspicious artifacts Advanced Machine Learning Machine learning empowers organizations to detect attacks that are not known vulnerability exploits or malware but are none-the-less extremely dangerous to organizations. Perhaps even more importantly, by performing unsupervised machine learning with the right inputs, behavior dimensions, and detection algorithms, LightCyber Magna can detect the anomalies and behavioral changes indicative of an attack. Achieve PCI Compliance and Protect 5

6 Detailed Security Alerts and Reports LightCyber Magna cuts through the noise of security alerts to finds the threats that matter. LightCyber builds a comprehensive model of user and device behavior with over 1,000 learned behavior dimensions to find anomalous activity, eliminating the need to pour over endless logs or define crude correlation rules. Magna s detailed alerts, which identify the endpoint source processes that generated attack behaviors using LightCyber s unique Network to Process Association (N2PA) technology, help security teams respond swiftly to threats. PCI Testing Methodology LightCyber engaged HALOCK to examine the configurations, functionality, security controls, processes, and procedures of the LightCyber Magna Behavioral Attack Detection platform and verify that the LightCyber Magna platform addressed requirement 11.4 and its sub-sections in the PCI DSS v3.2. HALOCK is a PCI-certified QSA headquartered in Schaumburg, IL. HALOCK has provided security consulting and PCI auditing services for a wide range of clients including mid-size to Fortune 100 companies and financial services, healthcare, legal, education, energy, and retail companies. HALOCK recognized that the opinion of a certified QSA is a prerequisite for many organizations looking to satisfy requirement 11.4 of the PCI DSS v3.2. As such, HALOCK evaluated the LightCyber Magna platform to confirm that it provided essential intrusion detection features, such as behavioral-based detection of attacks, malware and hacking tools, and that it generated security alerts to notify administrators of malicious activity. In rendering their opinion, HALOCK conducted interviews with engineers and technical staff and examined the following: LightCyber Magna system configuration and functionality LightCyber Magna technical documentation, including user guides, administration guides, and quick start guides SANS Product Review of the LightCyber Magna platform Achieve PCI Compliance and Protect 6

7 To assess the efficacy of the Magna platform, HALOCK observed the ability of the LightCyber Magna appliance to detect the following attacks: Command and control: Domain generation algorithm (DGA) Reconnaissance: network scanning, operating system identification, file share scanning Lateral movement: remote command execution, brute force attack on a database The following attack tools and applications were used to conduct the security efficacy tests: PowerShell Nmap Ncrack Window batch commands Data exfiltration: Large volume of data uploaded to a suspicious site HALOCK examined requirement 11.4 and its sub-section in the PCI DSS v3.2. Based upon HALOCK s review, it is their opinion that: The LightCyber Magna appliance meets the requirements of section 11.4 and its sub-sections within the PCI DSS v3.2. The LightCyber Magna appliance meets this requirement by providing behavioral-based detection and prevention of malicious behavior within the protected network and the protected systems. The opinion rendered by HALOCK has been offered in compliance with requirements of the Payment Card Industry ( PCI) Data Security Standard, ( DSS ) version 3.2. All items contained herein shall have the same meaning as ascribed to them in the PCI DSS. Achieve PCI Compliance and Protect 7

8 PCI DSS Requirement 11.4 Testing Results PCI DSS Requirements 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. Testing Procedures Guidance LightCyber Magna Appliance 11.4.a Examine system configurations and network diagrams to verify that techniques (such as intrusiondetection systems and/or intrusion-prevention systems) are in place to monitor all traffic: At the perimeter of the cardholder data environment. At critical points in the cardholder data environment b Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection. Intrusion detection and/ or intrusion prevention techniques (such as IDS/ IPS) compare the traffic coming into the network with known signatures and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped. The requirement is met by implementing the LightCyber Magna Appliance as follows: a) Spanning or tap ports at the perimeter of the cardholder data environment and all other critical points in the cardholder data environment. b) Configured alerts to notify personnel of suspected intrusion through anomalous behavior. c) Follow the LightCyber PCI Implementation Guide when configuring, maintaining and updating the appliance. The LightCyber Magna appliance monitors all traffic and compares the traffic to profiled user and device behavior to detect compromises such as hacker tools, Trojans, and malware. LightCyber Magna identifies: Command and control Reconnaissance Lateral Movement Data Exfiltration Malware LightCyber Magna s user and network profiles continually adapt to changes in the customer environment. LightCyber regularly updates attack detection algorithms to identify new types of attacks and malicious behaviors. When an attack is detected, LightCyber Magna will create a security alert detailing the anomalous behavior in the LightCyber Magna console. Optionally, Magna can send an notification or generate three types of syslog messages. Magna can also integrate with Microsoft Active Directory, network access control (NAC), firewall, or IT Process Automation platform to disable a user account or quarantine a compromised device. Using Malicious File Termination, Magna can also stop malicious processes running on endpoints. Achieve PCI Compliance and Protect 8

9 Besides evaluating the intrusion detection capabilities of the LightCyber Magna platform, HALOCK also reviewed Magna s management, deployment, and user administration features to verify that LightCyber Magna complied with all requirements set forth in the PCI DSS. To that end, HALOCK produced a LightCyber Magna PCI DSS Compliance Installation Guide. This guide provides instructions on how to configure and manage LightCyber Magna according to PCI DSS policies. Contact partners@lightcyber.com to obtain the LightCyber Magna PCI DSS Compliance Installation Guide. Conclusion The PCI DSS offers prescriptive and measurable guidelines to help organizations protect cardholder data. Achieving PCI compliance not only demonstrates security and dependability to customers, it also results in fewer penalties and fines and offers safe harbor in the event of a data breach. For many merchants and service providers, PCI is not an option it s a necessity. In addition, showing that an organization has exceeded PCI requirements by using behavioral-based detection may help it achieve a higher reputation level or rating by going above and beyond the industry norm. HALOCK Security Labs verified that LightCyber Magna addresses the intrusion detection requirements in PCI section Magna closes the gap in breach detection by accurately identifying post-intrusion activity, such as reconnaissance, lateral movement, command and control, and exfiltration. While traditional signature-based intrusion detection solutions are well-suited for finding malware and exploits at the network perimeter, they are less adept at spotting later stages of an attack. Detecting post-intrusion activity requires learning user and device behavior and looking for anomalies indicative of attack. LightCyber Magna not only provides these capabilities, it also discovers malware and riskware running on suspicious endpoints. According to the PCI standard, organizations should deploy intrusion detection or prevention at the perimeter and at critical points in the cardholder data environment. LightCyber Magna is the ideal solution to detect threats at critical points in the network, such as between endpoints and servers that store or process cardholder data. LightCyber Magna offers a laser-accurate solution for detecting advanced attacks, insider threats, malware, and risky behavior. Organizations that deploy it also benefit from detailed security alerts with rich investigative data and graphical reports that document security status. LightCyber Magna allows organizations to satisfy PCI compliance and close dangerous gaps in breach detection. Organizations also benefit by drastically reducing the typical flood of daily security alerts from signature-based intrusion detection systems that are mainly false positives. Achieve PCI Compliance and Protect 9

10 About HALOCK Founded in 1996, HALOCK Security Labs is a hybrid cyber-security firm with strengths in both management consulting and technical consulting. HALOCK s philosophy of Purpose Driven Security focuses on defining and implementing just the right amount of security not too much, not too little customized to each client s business purpose. HALOCK s services include: Security Risk Management, Governance and Compliance, Penetration Testing, Incident Response Planning, Incident Response & Forensics, Security Organization Development, Advanced Threat Diagnostics, and Engineering Security Product Solutions. HALOCK 1834 Walden Office Square, Suite 200 City: Schaumburg, IL United States About LightCyber LightCyber is a leading provider of Behavioral Attack Detection solutions that provide accurate and efficient security visibility into attacks that have circumvented traditional security controls. The LightCyber Magna platform is the first security product to integrated user, network and endpoint context to provide security visibility into a range of attack activity. Founded in 2011 and led by world-class cyber security experts, the company s products have been successfully deployed by top-tier customers around the world in the financial, legal, telecom, government, media and technology sector. LIGHTCYBER 5050 El Camino, Suite 226 Los Altos, CA Ph: (844) Achieve PCI Compliance and Protect 10