WHITE PAPER: Cb PROTECTION


WHITE PAPER: Cb PROTECTION SECURITY SOLUTION TECHNOLOGY

TABLE OF CONTENTS
Overview ... 3
Audience ... 3
PCI DSS Compliance Overview ... 4
Compensating Controls ... 5
Methodology ... 5
Summary Findings ... 5
Application Architecture and Security ... 6
Cb Protection Architecture Diagram ... 7
Technical Assessment ... 8
Use Case 1 ... 8
Use Case 2 ... 9
Use Case 3 ... 9
Validation Findings for Cb Protection ... 10
Conclusion ... 15
Cb Protection Security Solution Technology White Paper 2

OVERVIEW

Carbon Black contracted with Coalfire Systems, Inc. (Coalfire) to conduct an independent assessment of its Cb Protection architecture as it pertains to security and Payment Card Industry Data Security Standard (PCI DSS) scope. Coalfire is certified by the Payment Card Industry Security Standards Council (PCI SSC) as a Qualified Security Assessor Company and is a leading industry provider of IT security, governance and regulatory compliance services.

The purpose of this white paper is to provide an overview of Coalfire's assessment of the Cb Protection architecture and to confirm to what extent Cb Protection helps satisfy PCI DSS requirements. The scope of the PCI DSS controls selected for validation was derived through collaboration between Carbon Black compliance staff and Coalfire assessors. The review and testing were performed based on the use cases generated for validation of the PCI DSS requirements that are addressed when Cb Protection is utilized.

The assessment included the following components:
- Review of the overall design and architecture of the Cb Protection software.
- Technical testing and related evidence collection for the use cases provided:
  o Re-performance testing of the solution
  o Observation of the solution, including installation, configuration and functional capabilities
  o Forensic analysis to confirm that no cardholder data is ever captured by Cb Protection
- Interviews with Subject Matter Experts (SMEs).
- Review of and feedback on supporting documentation.

No known inhibitors were identified in the Cb Protection solution that would prevent an organization from implementing it in a PCI environment. Additionally, there are features within the solution which facilitate meeting certain PCI DSS requirements.

Every organization has unique business, technical and security governance requirements. As a result, this paper does not provide detailed recommendations for how to configure Cb Protection to meet the applicable portions of the PCI DSS, and merchants should consult with their QSA to ensure proper implementation.

Cb Protection provides the flexibility to enable, manage and meet PCI DSS requirements in many areas. It helps organizations with PCI requirements such as file-integrity monitoring/control, change monitoring and alerting, and audit trail retention. The solution can also support the development of compensating controls for requirements such as anti-virus and patching (protection of unpatched systems). Cb Response is a complementary security solution that can also help satisfy PCI DSS requirements in areas such as establishing a process to identify security vulnerabilities, file-integrity monitoring and alerting. The focus of this particular paper, however, is only on the Cb Protection product; Cb Response was not tested for this white paper.

AUDIENCE

This white paper has several target audiences:
- QSA and Internal Audit Community: This audience may be evaluating Cb Protection while assessing a merchant or service provider environment for PCI DSS.

- Administrators and Other Compliance Professionals: This audience may be evaluating Cb Protection for use within their organization for compliance requirements other than PCI DSS.
- Merchant and Service Provider Organizations: This audience is evaluating Cb Protection for deployment in their cardholder data environment and the benefits that could be achieved from using this solution.

PCI DSS COMPLIANCE OVERVIEW

PCI DSS applies to all organizations that store, process or transmit cardholder data. This includes entities such as merchants, service providers, payment gateways, data centers and outsourced service providers. The PCI standard is mandated by the card brands and administered by the PCI SSC. The PCI DSS specifies 12 requirements for compliance, organized into six major control objectives.

CONTROL OBJECTIVE                              | PCI DSS REQUIREMENTS
Build and Maintain a Secure Network            | 1. Install and maintain a firewall configuration to protect cardholder data
                                               | 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                        | 3. Protect stored cardholder data
                                               | 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program    | 5. Use and regularly update anti-virus software on all systems commonly affected by malware
                                               | 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures       | 7. Restrict access to cardholder data by business need-to-know
                                               | 8. Assign a unique ID to each person with computer access
                                               | 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks            | 10. Track and monitor all access to network resources and cardholder data
                                               | 11. Regularly test security systems and processes
Maintain an Information Security Policy        | 12. Maintain a policy that addresses information security

COMPENSATING CONTROLS

Compensating controls can be utilized by merchant or service provider organizations to achieve compliance for PCI DSS requirements when an entity cannot currently meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls. [1] Compensating controls are, however, required to satisfy the following criteria:
1. The intent and rigor of the original PCI DSS requirement must be met.
2. A similar level of defense as the original PCI DSS requirement must be provided, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
3. They must be above and beyond other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.)

This white paper assumes that the reader is familiar with PCI DSS and relevant guidance publications, card brand requirements and any other supplemental documents from the PCI SSC.

METHODOLOGY

Coalfire conducted this validation through rigorous technical testing in our compliance validation labs using common PCI environmental scenarios. The outcome of this testing provides verification that customers implementing Cb Protection will be able to meet specific PCI DSS control requirements in their real-world cardholder data environments. Each PCI requirement was assessed by validating the output or state of the Cb Protection product as deployed in our lab scenario. A broad spectrum of network, system and application scenarios was used in our validation testing. Test results and lab configurations are summarized in the technical section of the white paper.

SUMMARY FINDINGS

Cb Protection architecture and implementation requirements can be deployed in a PCI environment, allowing a customer to meet PCI requirements. When implemented properly, Cb Protection can provide protection against current malware that targets Point of Sale systems and fixed-function devices. When properly deployed and configured, Cb Protection can satisfy specific PCI DSS requirements or support the development of compensating controls to meet PCI DSS requirements:

[Table: PCI Requirement / Directly Meets Requirements / Supports the Development of Compensating Controls. The rows of this table did not survive the transcription.]

APPLICATION ARCHITECTURE AND SECURITY

Cb Protection is a comprehensive and widely deployed endpoint threat protection and compliance solution. Combining a trust-based and policy-driven approach to application control with real-time threat intelligence, Cb Protection continuously monitors and records all endpoint and server activity to prevent, detect and respond to cyber threats that evade traditional security defenses. [2] With open APIs and a broad partner ecosystem, Cb Protection provides exceptional flexibility to integrate seamlessly with both in-house and third-party tools.

Cb Response is another security solution that provides endpoint threat detection and rapid response for Security Operations Center (SOC) and Incident Response (IR) teams. [3] When Cb Protection and Cb Response are used in combination, they provide continuous monitoring and recording of all activity on endpoints and servers.

- Instant Visibility: The Cb Protection agent provides administrators with real-time visibility into all executable-type files running across the environment. Trust ratings can be used to identify and automatically take action against files that could be malicious. Cb Response can also provide visibility into files, executions, network connections and critical system resources on each system, and the relationships between them.
- Prevention with Flexibility: Using Cb Protection's proactive prevention capabilities, the Cb Protection security platform can reduce an organization's attack surface while giving administrators the flexibility to ensure the right balance between protection and access.
- Advanced Detection: Cb Protection includes automated, cloud-delivered advanced threat detection technologies to quickly identify and stop attacks. Using Cb Protection together with the Cb Collective Defense Cloud, Cb Protection can continuously monitor and detect malicious activity across all endpoints in the organization's environment.
- Rapid Response: Cb Protection provides tools to help organizations rapidly respond to, log and investigate security incidents once an attack is detected.

- Open API architecture: Cb Protection can be integrated with third-party security products such as Security Information and Event Management (SIEM), network, endpoint and operations tools for improved automation, reporting and faster security response times.

Please note that the Cb Response solution was not evaluated or tested for this white paper.

Cb Protection Architecture Diagram

The Cb Protection architecture consists of the following components:
- Cb Protection Server Software: provides central file security management, event monitoring and a live inventory of files of interest on all agent systems.
- Cb Protection Agent Software: runs on desktops, laptops, virtual machines and fixed-function devices. The agent software monitors files and either blocks or permits execution based on security policy settings.
- Cb Protection Software Reputation Service: compares new files introduced on computers running the Cb Protection agent to a database of known files, providing information on threat level, trust factor and software categorization.

Cb Protection can be integrated with third-party products like Splunk and other network security products.

TECHNICAL ASSESSMENT

The Coalfire assessor configured a Windows 2008 R2 server as the Cb Protection Server with the necessary software, such as Internet Information Services (IIS), SQL Server and the .NET Framework, as per the instructions in the server setup guide. The Cb Protection agent was then installed on the Cb Protection Windows 2008 server as well as on a separate database server running Windows 2008 R2.

The scope of the assessment was defined with the following tasks:
- Understand product functionality, architecture, implementation and operation
- Review installation guidance and supporting documentation
- Test the Cb Protection product for required controls in the lab environment
- Review and verify Cb Protection software hardening best practices
- Review Cb Protection server configurations and capabilities
- Verify the solution for security and compliance
- Review and test to confirm that no cardholder data is ever captured or managed by the solution
- Review and validate how Cb Protection provides compliance support for organizations:
  o Review and testing of configurations for file-integrity monitoring control
  o Review and testing for use of the product as a compensating control to replace antivirus
  o Review and testing for use of the product as a compensating control for not having current patches on End of Life (EOL) operating systems, e.g. Windows XP, Windows 2003
  o Review and testing of controls that require monitoring and alerting for log and critical files

The assessment was focused on the product's ability to satisfy certain PCI DSS requirements and was not a complete review of the Cb Protection product. The following use cases were tested during the assessment. Please note that the Cb Protection agent was not installed on all operating systems noted in the use cases below, but the requirements testing to be validated was accomplished using the product specified and the specific rules and settings noted.

USE CASE 1:
Operating Systems: Windows 7, Windows XP Standard and Embedded
Requirement to Accomplish: Needed to meet PCI standard 11.5 for File Integrity Monitoring. Needed to utilize Cb Protection as a compensating control for Requirement 6.2 and ensure that unsupported systems are locked down and protected in the absence of patches and support.
Product Employed: Cb Protection
Policy-specific Settings and Rules: File Integrity Rules created to block unauthorized access to core critical system files (i.e. *.sys, *.cmd, *.cfg)

USE CASE 2:
Operating Systems: Windows XP Standard and Embedded, Windows 2003 Server
Requirement to Accomplish: PCI DSS Requirements 5.x, 6.2, 11.5. Replace burdensome AV with Cb Protection. Needed to satisfy Requirement 5.x using Cb Protection as a compensating control for AV. Needed to ensure that unsupported systems are locked down and protected in the absence of patches and support.
Product Employed: Cb Protection
Policy-specific Settings and Rules: Systems were set to a High enforcement policy and combined with both custom memory and registry rules to protect the unsupported fixed-function endpoints. File Integrity Rules created to block unauthorized access to core critical system files (i.e. *.sys, *.cmd, *.cfg)

USE CASE 3:
Operating Systems: Windows XP, Windows 7 and Windows 8
Requirement to Accomplish: PCI Requirements 5.x, 6.2, 11.5. Needed to meet PCI standard 6.2 in order to ensure the protection of their XP systems first. File risk ranking was done through Cb Protection, which provided reporting on the threat and trust of the entire file infrastructure. They needed to protect their ATM machines, many of which were running Windows XP without any form of advanced protection other than AV.
Product Employed: Cb Protection
Policy-specific Settings and Rules: File integrity rules for memory and registry as well as unauthorized change. Endpoint systems were put into a High enforcement policy.

VALIDATION FINDINGS FOR Cb PROTECTION

PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Requirement: Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
How Cb Protection supports PCI compliance: Cb Protection can be used in developing a compensating control to replace the antivirus software, or it can be used alongside anti-virus software solutions. Cb Protection can stop cyber threats that evade antivirus and other traditional defenses using zero-day and targeted attacks. It provides prevention by giving organizations visibility into everything running on their endpoints and servers, and provides signatureless detection and prevention of advanced threats.
Test procedure: Deployed Cb Protection and set up policies using High, Medium and Low enforcement combined with both custom memory and registry rules. Attempted to install various software, including malicious software, on the system with Cb Protection installed and configured (with High enforcement). Cb Protection was able to block the attempt and provided an alert notification in the Cb Protection dashboard.

Requirement: For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
How Cb Protection supports PCI compliance: Cb Protection provides a recorded history of all endpoint and server activity to rapidly respond to alerts and incidents. It can be used on servers not commonly affected by malicious software to evaluate threats on such systems. It provides prevention by giving organizations visibility into everything running on their endpoints and servers, and provides signatureless detection and prevention of advanced threats.
Test procedure: Deployed Cb Protection and set up policies using High, Medium and Low enforcement combined with both custom memory and registry rules.

Requirement 5.3: Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
How Cb Protection supports PCI compliance: Cb Protection can be used in developing a compensating control to replace the antivirus software, or it can be used alongside antivirus software. Cb Protection can continuously monitor and record all activity on endpoints and servers. It can be configured such that end users cannot disable the software unless an authorized administrator grants that access.
Test procedure: Deployed Cb Protection agents on servers and attempted to stop the Cb Protection service and uninstall the Cb Protection software; the assessor was unable to do so. Cb Protection tamper protection is enabled by default; only Cb Protection administrators can enable/disable the tamper protection feature from within the Cb Protection software.

Requirement 5.4: Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
How Cb Protection supports PCI compliance: Cb Protection can be used in developing a compensating control to assist organizations in ensuring that the policies and procedures are operational. Advanced threat detection can help distribute and enforce compliance policies and put mechanisms in place to inform and educate end users on established policies.
Test procedure: Observed and tested various configurations within the Cb Protection software, such as the tamper protection feature and High, Medium and Low enforcement policies combined with custom memory and registry rules.

PCI DSS Requirement 6: Develop and maintain secure systems and applications

Requirement 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
How Cb Protection supports PCI compliance: Cb Protection can be used in developing a compensating control for not having current patches on systems, or for systems that do not have patches available (e.g. Windows XP, Windows 2003 servers). Only allowed executables can run on devices/systems, because execution of other software is blocked. Untrusted software can be continuously blocked, and customers can then use a risk-based approach to prioritize patch installations. Advanced Threat Indicators can provide additional intelligence on controlled endpoints and alert personnel in the event of a critical system change that can impact security and compliance.
Test procedure: Systems were set to a High or Medium enforcement policy and combined with both custom memory and registry rules to protect the unsupported fixed-function endpoints. File-Integrity Rules were created to block unauthorized access to core critical system files (i.e. *.sys, *.cmd, *.cfg). The assessor attempted to install unknown/malicious executable files on the system; the Cb Protection software was able to block the execution of the software. The assessor also tried to make modifications to the core critical system files on the Windows operating system and was unable to make any changes.

PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
How Cb Protection supports PCI compliance: Cb Protection provides file-integrity control to block unauthorized writes to log files and any critical files on the systems. It ensures that only authorized processes can write to or update the log files and critical files. Alerts can be sent out in case unauthorized processes change log files and critical files.
Test procedure: Configured file-integrity monitoring to report actions when log data and critical files are changed. Notifications were available through the Cb Protection console dashboard; notifications were also configured through the Cb Protection console. The assessor tried to make modifications to the core critical system files on the Windows operating system that were registered through Cb Protection and was unable to make any changes. Performed forensics using AccessFTK on the operating system with the Cb Protection product and a sample payment application installed. Cb Protection does not capture, store or transmit any cardholder data; only hashes of the files are calculated and stored in the Cb Protection database.

Requirement: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
How Cb Protection supports PCI compliance: Using Cb Protection, all audit trail history can be retained within the server for 3 months. The data can be immediately available for analysis. After 3 months the data can be forwarded to a Security Information and Event Management (SIEM) system from within Cb Protection.
Test procedure: Cb Protection settings were observed to confirm that the event log can be configured for retention of 3 months. After 3 months, customers have to configure Cb Protection to have the logs forwarded to a SIEM. Cb Protection can hold event log files, and the data can be backed up by the customer to a centralized server. Retention can be online for 90 days, and after 3 months it can be backed up.

PCI DSS Requirement 11: Regularly test security systems and processes

Requirement 11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
How Cb Protection supports PCI compliance: Cb Protection file-integrity control prevents unauthorized modification of critical system files and content files while ensuring that only authorized processes can write to these files.
Test procedure: File Integrity Rules were created to block unauthorized access to core critical system files (i.e. *.sys, *.cmd, *.cfg). Reports were generated for the events that occurred and provided details on the changes that occurred on specific files. Results were reviewed through the weekly report generated. The assessor tried to make modifications to the core critical system files on the Windows operating system that were registered through Cb Protection and was unable to make any changes. Performed forensics using AccessFTK on the operating system with the Cb Protection product and a sample payment application installed. Cb Protection does not capture, store or transmit any cardholder data; only hashes of the files are calculated and stored in the Cb Protection database.

Requirement 11.5.a: Verify the use of a change-detection mechanism within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities.
How Cb Protection supports PCI compliance: Cb Protection file-integrity control prevents unauthorized modification of critical system files and content files while ensuring that only authorized processes can write to these files. Files can be monitored by selecting the specific folders and reporting the changes. Advanced Threat Indicators functionality can be used to identify file changes.
Test procedure: Configured file-integrity control to report actions when critical system files and content files are changed. Reports were generated for the events that occurred and provided details on the changes that occurred on specific files. Results were reviewed through the weekly report generated. The assessor tried to make modifications to the core critical system files on the Windows operating system that were registered through Cb Protection and was unable to make any changes. Performed forensics using AccessFTK on the operating system with the Cb Protection product and a sample payment application installed. Cb Protection does not capture, store or transmit any cardholder data; only hashes of the files are calculated and stored in the Cb Protection database.

Requirement: Implement a process to respond to any alerts generated by the change-detection solution.
How Cb Protection supports PCI compliance: Cb Protection provides organizations with a proactive approach to analyzing data in real time so that critical system files, configuration files or content files can be protected. The process for responding to alerts received remains the responsibility of the merchant/service provider organization.
Test procedure: Configured file-integrity control to report actions when critical system files and content files are changed. Reports were generated for the events that occurred and provided details on the changes that occurred on specific files. Notifications through Cb Protection were available through the Cb Protection console dashboard; notifications were also configured through the Cb Protection console.
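As an added illustration (not code from this paper, from Coalfire or from Carbon Black), the following Python script performs the kind of critical-file comparison Requirement 11.5 asks for, over the *.sys, *.cmd and *.cfg patterns the use cases above place under file-integrity rules: it baselines SHA-256 hashes of the monitored files, re-hashes them later, and reports changes, additions and deletions while retaining only hashes, as the forensic finding above describes. The directory tree and its contents are constructed for the example.

```python
"""Change-detection check in the spirit of PCI DSS 11.5: baseline the hashes of
monitored files, compare on a later run, and report changes, additions and
deletions. Only hashes are retained, never file contents. Constructed example."""
import fnmatch
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple, Union

# File patterns the use cases in this paper place under file-integrity rules.
MONITORED_PATTERNS = ("*.sys", "*.cmd", "*.cfg")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks; the digest is the only thing kept about the file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_monitored(path: Union[str, Path]) -> bool:
    """Case-insensitive match of the file name against the monitored patterns."""
    name = Path(path).name.lower()
    return any(fnmatch.fnmatch(name, pat) for pat in MONITORED_PATTERNS)


def baseline(root: Path) -> Dict[str, str]:
    """Map each monitored file under root (relative POSIX path) to its SHA-256."""
    snapshot: Dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file() and is_monitored(path):
            snapshot[path.relative_to(root).as_posix()] = sha256_of(path)
    return snapshot


def compare(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (event, path) pairs for deleted, added and modified files, sorted
    by path. Unchanged files and files outside the patterns yield no event."""
    events: List[Tuple[str, str]] = []
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            events.append(("deleted", rel))
        elif rel not in old:
            events.append(("added", rel))
        elif old[rel] != new[rel]:
            events.append(("modified", rel))
    return events


def demo() -> List[Tuple[str, str]]:
    """Build a constructed tree, snapshot it, apply one change of each kind,
    and return the report a scheduled comparison run would produce."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "drivers" / "disk.sys").write_bytes(b"MZ constructed driver image")
        (root / "startup.cmd").write_text("@echo off\r\nstart pos.exe\r\n")
        (root / "pos.cfg").write_text("terminal_id=LAB-01\n")
        (root / "readme.txt").write_text("not under a file-integrity rule\n")
        before = baseline(root)

        # Simulated changes between two comparison runs (constructed):
        (root / "startup.cmd").write_text("@echo off\r\nstart other.exe\r\n")  # modified
        (root / "pos.cfg").unlink()                                              # deleted
        (root / "drivers" / "extra.sys").write_bytes(b"MZ constructed driver")   # added
        (root / "readme.txt").write_text("changed, but not monitored\n")        # no event
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for event, rel in demo():
        print(f"{event:8s} {rel}")
```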

CONCLUSION

After reviewing the requirements of PCI DSS, Coalfire has determined, through review of business impact and technical assessment, that Cb Protection as outlined in this document meets several PCI DSS requirements. The ability to achieve overall compliance with any regulation or standard will depend upon the specific design and implementation of the Cb Protection product in the context in which it is implemented.

Cb Protection demonstrated a high level of flexibility for customization of policies, software rules, events and indicators. This flexibility makes Cb Protection adaptable to different environments and capable of addressing compliance requirements. Cb Protection is a direct or compensating control for several PCI DSS requirements (as detailed on page 5), helping organizations meet the evolving compliance and security needs of their environments. Cb Protection aligns with compliance requirements related to:
- File-integrity monitoring and alerting
- Audit trail retention for 3 months
- Antivirus requirements
- Patch requirements (protection of unpatched/end-of-life systems)

ABOUT COALFIRE

As a trusted advisor and leader in cybersecurity, Coalfire has more than 15 years in IT security services. We empower organizations to reduce risk and simplify compliance, while minimizing business disruptions. Our professionals are renowned for their technical expertise and unbiased assessments and advice. We recommend solutions to meet each client's specific challenges and build long-term strategies that can help them identify, prevent, respond to, and recover from security breaches and data theft. Coalfire has offices throughout the United States and Europe.

Copyright Coalfire Systems, Inc. All Rights Reserved.

Legal Disclaimer: Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI-DSS et al.). Consequently, any forward-looking statements are not predictions and are subject to change without notice. While Coalfire has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. In order to maintain contextual accuracy of this document, all references to this document must explicitly reference the entirety of the document inclusive of the title and publication date; neither party will publish a press release referring to the other party or excerpting highlights from the document without prior written approval of the other party. If you have questions with regard to any legal or compliance matters referenced herein you should consult legal counsel, your security advisor and/or your relevant standard authority.

Published: September 15, 2015

WHITE PAPER: Cb Protection PCI DSS ANTI-VIRUS WHITE PAPER
Andrey Sazonov, Senior Consultant

TABLE OF CONTENTS
Executive Summary ... 19
About Cb Protection ... 19
Methodology ... 19
Summary Findings ... 20
Assessor Comments ... 20
Technical Assessment ... 20
Assessment Methods ... 20
Cb Protection Components ... 21
Assessment Environment ... 21
Tools and Techniques ... 21
References ... 21
Appendix A: PCI Requirements Coverage Matrix ... 22
Appendix B: Executed Test Plan ... 25
Cb Protection PCI Requirement 5 White Paper 18

EXECUTIVE SUMMARY

Carbon Black, Inc. (Carbon Black) engaged Coalfire Systems Inc. (Coalfire), a respected Qualified Security Assessor (QSA) for the Payment Card Industry (PCI) and Payment Application Qualified Security Assessor (PA-QSA) company, to conduct an independent technical assessment of its Cb Protection next-generation endpoint security platform. Coalfire conducted assessment activities including technical testing, architectural assessment, and compliance validation. In this paper, Coalfire describes how the Cb Protection platform met the PCI Data Security Standard (PCI DSS) v3.2 anti-malware requirement based on the sample testing and evidence gathered during this assessment.

ABOUT Cb PROTECTION

Cb Protection is a next-generation application whitelisting and anti-virus solution for desktops, laptops, and servers that protects computers from the full spectrum of modern cyber-attacks, using a combination of endpoint agent, server back-end and cloud-based technologies. Additionally, the application whitelisting functionality allows administrators to restrict any process or software from running on the system, increasing the security of the system by minimizing the risk of running any processes other than the ones intended by the administrator.

The components included in the solution are as follows:
1. Cb Protection Agent: client-side process for monitoring and enforcing policies set within the Cb Console Server.
2. Cb Protection Console: server-side process for managing and enforcing policies for all systems in scope. This component manages the application whitelisting functionality, manages threats, manages all files on all systems and provides an overall picture of an environment's threat landscape. The server communicates with the online service, the Cb Collective Defense Cloud, to verify that none of the files are a known vulnerability threat to the systems in the environment.
3. Cb Collective Defense Cloud (CDC): remote online service used to analyze files for malware, compare hashes of the files to any known malware and provide a trust score for each file on each system.

Besides application whitelisting technology, the application's deep analytic approach inspects files and identifies malicious behavior to block both malware and the increasingly common malware-less attacks that exploit memory and scripting languages like PowerShell.

METHODOLOGY

Coalfire completed a multi-faceted technical assessment during the course of this project using the industry and audit best practices below. Coalfire conducted technical lab testing in our Colorado lab from September 4, 2017 to September 8, 2017. At a high level, testing consisted of the following tasks:
1. Technical review of the architecture of the full solution and its components.
2. Implementation of the Cb Protection agent and Cb Protection Console Server in the Coalfire lab environment.
3. Introduction of malware binaries on local systems with anti-virus agent software installed.
4. Confirmation of the Cb Protection platform's ability to block and remove known malware samples.

20 S U M M AR Y FINDINGS The following findings are relevant highlights from this assessment: When properly implemented following vendor guidance, the Cb Protection platform provides coverage for PCI DSS Requirement 5 based on the sample testing and evidence gathered during this assessment. The Cb Protection platform was able to detect and effectively block the execution of the provided known malware samples. The Cb Protection platform was able to effectively remove all provided known malware samples. The Cb Protection platform adequately generated logs of events such that malicious activity could be traced in accordance with all PCI DSS requirements. Cb Protection can be prevented from being disabled by unauthorized users. Cb Protection provides policy protections to include application whitelisting/blacklisting, preventing unauthorized processes from starting, accessing network, scraping volatile memory, injecting code or modifying memory of another process, or trying to execute code from memory. AS S E SSOR CO MMENTS Our assessment scope put a significant focus on validating the use of Cb Protection in a PCI DSS environment, specifically to include its impact on PCI DSS Requirement 5. Cb Protection, when properly implemented following guidance from Carbon Black, can be utilized to meet the technical portions of PCI DSS Requirement 5. However, as most computing environments and configurations vary drastically, it is important to note that use of this product does not guarantee security and even the most robust anti-virus can fail when improperly implemented. A defense-in-depth strategy that provides multiple layers of protection should be followed as a best practice. Please consult with Carbon Black for policy and configuration questions and best practices. It should also not be construed that the use of Cb Protection guarantees full PCI DSS compliance. 
Disregarding PCI requirements and security best practice controls for systems and networks inside or outside of PCI DSS scope can introduce many other security or business continuity risks to the merchant. Security and business risk mitigation should be any merchant s goal and focus for selecting security controls. TECHNICAL ASSESSMENT AS S E SSMENT ME T HO DS The assessment used the following methods to assess the potential PCI DSS coverage of the solution: 1. Analysis of the architecture and configuration of the solution in accordance with vendor guidelines. 2. Deployment of Cb Protection agent software and Cb Protection Console server to test machines along with enablement of strict policies to enforce the detection and prevention of unauthorized files and known malware. Examination of components configurations to confirm protection cannot be turned off by non-administrators. 3. Execution of known malware samples (to include virus, ransomware, Trojans, rootkits, adware, and worms) deliberately propagated to test machines. Cb Protection PCI Requirement 5 White Paper 4

21 4. Review of backend component for verification of detection, execution prevention, and removal of all test samples. Also evaluate backend component for verification that agents are deployed, communicating, up-to-date, performing periodic scans, and protecting against real-time threats. C b PROTECTI ON COMPONE N TS Cb Protection is a platform comprised of three components: 1. Cb Protection Agent Client-side process for monitoring and enforcing policies set within the Cb Console Server. 2. Cb Protection Console Server-side process for managing and enforcing policies for all systems in scope. This component is managing whitelisting application functionality, managing threats, managing all files on all systems and gaining an overall picture of an environment s threat landscape. The server communicates with the online service - Cb Collective Defense Cloud to verify none of the files are a known vulnerability threat to the systems in the environment. 3. Cb Collective Defense Cloud (CDC) Remote online service used to analyze files for malware, compare hashes of the files to any known malware and provide trust score on each file on each system. AS S E SSMENT ENVIRONME NT Cb Protection agents were installed on the following machines: Cb Protection Agent was installed on Windows XP SP3 running in the virtual environment. Cb Protection Agent was installed on Dell Latitude E6420 laptop running a freshly installed copy of Windows 10 with all Windows updates installed and Windows Defender enabled and running. Cb Protection Console was installed in virtual environment on Microsoft Windows Server 2012 R2 Standard 64 bits with Microsoft SQL Server Express 2016 database engine and IIS 10 configured as a webserver. T OOLS AN D T ECHNIQUES Standard tools Coalfire utilized for this application security review included: TOOL NAME Live Malware Samples DESCRIPTION Sample binaries of known malware for Windows OS. 
Sample Windows malware obtained from thezoo aka Malware DB at Note Visiting and downloading from the above sites may lead to malware infection. It is highly recommended against doing so. R E FERENCE S Carbon Black Cb Protection website - PCI Data Security Standard, v3.2 Cb Protection PCI Requirement 5 White Paper 5

22 APPENDIX A: PCI REQUIREMENTS COVERAGE MATRIX PCI DSS REQUIREMENTS Key: Compliance directly supported via use of Cb Protection platform = Requires merchant action for full compliance = PCI REQUIREMENT PCI TESTING REQUIREMENTS COMPLIANCE SUPPORTED 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software For systems considered to be not commonly affected by 5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that antivirus software is deployed if applicable anti -virus technology exists Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs; Detect all known types of malicious software, Remove all known types of malicious software, and Protect against all known types of malicious software. Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits Interview personnel to verify that evolving malware threats are monitored and evaluated for systems COMMENTS Cb Protection allows users to directly deploy agents to Windows based systems. The CB Protection Console provides the status of monitoring for all enrolled devices. The Cb CDC is checks information on new and existing files from the customer to verify no known malware is present in the customer s environment. Cb Protection does signature checking against well-known virus repositories. This allows Cb Protection to get a reputation for all processes to detect those that are known malware, block them from running, and remove them as configured per policies. Testing showed that Cb Protection was able to detect, block, and remove several examples of viruses, Trojans, ransomware, rootkits and other known malware. This is a process/procedure requirement. 
Merchants Cb Protection PCI Requirement 5 White Paper 6

23 PCI REQUIREMENT PCI TESTING REQUIREMENTS COMPLIANCE SUPPORTED malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. 5.2 Ensure that all anti-virus mechanisms are maintained as follows: Are kept current Perform periodic scans Generate audit logs which are retained per PCI DSS Requirement not currently considered to be commonly affected by malicious software, in order to confirm whether such systems continue to not require anti-virus software. 5.2.a Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up to date. 5.2.b Examine anti-virus configurations, including the master installation of the software to verify anti-virus mechanisms are: Configured to perform automatic updates, and Configured to perform periodic scans. 5.2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that: The anti-virus software and definitions are current. Periodic scans are performed. COMMENTS must periodically evaluate the systems they use to ensure they are not considered commonly affected. Cb Protection can support this by using agentless installs to monitor any system to include those that would be considered not commonly affected by malware. 5.2.a is a policy requirement. Cb Protection meets this by doing real-time checking of software against wellknown virus repositories. There are no definitions that must be stored locally on systems. Cb Protection Console provides the monitoring status of all enrolled devices and allows for the scheduling of scans. It also allows for configuration of master policies as they apply to system devices. There is no need for automatic updates as the software checks process signatures in real time against well-known virus repositories. See previous response. 
From the Cb Protection Console, admins can monitor the enrollment status of all systems. Cb Protection PCI Requirement 5 White Paper 7

24 PCI REQUIREMENT PCI TESTING REQUIREMENTS COMPLIANCE SUPPORTED 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a caseby-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active. 5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. 5.2.d Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that: Anti-virus software log generation is enabled, and Logs are retained in accordance with PCI DSS Requirement a Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify the anti-virus software is actively running. 5.3.b Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that the anti-virus software cannot be disabled or altered by users. 5.3.c Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. Examine documentation and interview personnel to verify that security policies and operational procedures for protecting systems against malware are: Documented, In use, and Known to all affected parties. 
COMMENTS Cb Protection Console includes logging and alerts for all malware related alerts (as well as other policy violations). All logs can be configured in a manner that is PCI DSS compliant as well as it can be configured with centralized logging system. Cb Protection Console shows the monitoring status of all enrolled devices. Cb Protection Console shows the monitoring status of all enrolled devices. It also can be configured to prevent users from disabling agents from running locally. Requirement 5.3.c involves interviews of responsible personnel who can show/verify with Cb Protection Console that antivirus is active, running, and cannot be turned off except when needed for limited time. This is a policies and procedures based requirement. While Cb Protection can help to meet the requirements for protecting against malware, it is up to administrators to create the specific policies as required. Cb Protection PCI Requirement 5 White Paper 8

25 APPENDIX B: EXECUTED TEST PLAN PCI DSS REQUIREMENTS V3.2 REQUIREMENT 5 (PROTECT ALL SYSTEMS AGAINST MALWARE AND REGULARLY UPDATE ANTI- VIRUS SOFTWARE OR PROGRAMS) 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. TEST DEFINITION PER PCI VALIDATION PLAN 5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that antivirus software is deployed if applicable anti-virus technology exists Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs; Detect all known types of malicious software, Remove all known types of malicious software, and Protect against all known types of malicious software. Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits. CURRENT Cb PROTECTION PCI AV STATUS Produced a report or log record that indicated that the Cb Protection agent was installed, active, and gathered events to detect and prevent threats from endpoints that are in-scope for PCI. 1. Detect "KNOWN" types of malware: Listings from malware feeds provided this type of data assurance and complied. 2. Remove all KNOWN types of malware: Demonstrated that Cb Protection deleted files that were detected as malware and/or triggered a batch that deleted or moved files that were detected as malware. 3. 
Protect against all "KNOWN" types of malware: For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software Interview personnel to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, in order to confirm whether such systems continue to not require anti-virus software. Demonstrated how the solution detects and then banned or blocked known malware that was part of the known malware list either from malware feeds or from the Cb Protection policy. Demonstrated how Cb Protection agent was deployed on any given system (OS coverage and implementation features). Also illustrated how any given system was assessed even though it was not part of the in-scope PCI systems. Cb Protection PCI Requirement 5 White Paper 9

More information

The Convergence of Security and Compliance. How Next Generation Endpoint Security Manages 5 Core Compliance Controls

The Convergence of Security and Compliance. How Next Generation Endpoint Security Manages 5 Core Compliance Controls The Convergence of Security and Compliance How Next Generation Endpoint Security Manages 5 Core Compliance Controls Table of Contents Introduction.... 3 Positive versus Negative Application Security....

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

MIS Week 9 Host Hardening

MIS Week 9 Host Hardening MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls

More information

Self-Assessment Questionnaire A

Self-Assessment Questionnaire A Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance All cardholder data functions outsourced. No Electronic Storage, Processing, or Transmission

More information

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council Use of SSL/Early TLS for POS POI Terminal Connections Date: Author: PCI Security Standards Council Table of Contents Introduction...1 Executive Summary...1 What is the risk?...1 What is meant by Early

More information

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide PCI DSS VERSION 1.1 1 PCI DSS Table of contents 1. Understanding the Payment Card Industry Data Security Standard... 3 1.1. What is PCI DSS?... 3 2. Merchant Levels and Validation Requirements... 3 2.1.

More information

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles Incident Response Lessons From the Front Lines Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles 1 Conflict of Interest Nolan Garrett Has no real or apparent conflicts of

More information

THE TRIPWIRE NERC SOLUTION SUITE

THE TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED BUSINESS INTELLIGENCE SOLUTION BRIEF THE TRIPWIRE NERC SOLUTION SUITE A TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on

More information

NIST Special Publication

NIST Special Publication DATASHEET NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Mapping for Carbon Black BACKGROUND The National Institute of Standards and Technology

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

Best Practices for PCI DSS Version 3.2 Network Security Compliance

Best Practices for PCI DSS Version 3.2 Network Security Compliance Best Practices for PCI DSS Version 3.2 Network Security Compliance www.tufin.com Executive Summary Payment data fraud by cyber criminals is a growing threat not only to financial institutions and retail

More information

Security Architecture

Security Architecture Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to

More information

The PCI Security Standards Council

The PCI Security Standards Council The PCI Security Standards Council 2/29/2008 Agenda The PCI SSC Roles and Responsibilities How To Get Involved PCI SSC Vendor Programs PCI SSC Standards PCI DSS Version 1.1 Revised SAQ 2/29/2008 2 The

More information

Managed Endpoint Defense

Managed Endpoint Defense DATA SHEET Managed Endpoint Defense Powered by CB Defense Next-gen endpoint threat detection and response DEPLOY AND HARDEN. Rapidly deploy and optimize endpoint prevention with dedicated security experts

More information

DATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE.

DATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE. RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE. KEY CUSTOMER BENEFITS: Gain complete visibility into all endpoints, regardless of whether they are on or off the

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? WHITE PAPER SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? JEFF COOK DIRECTOR CPA, CITP, CIPT, CISA North America Europe 877.224.8077 info@coalfire.com coalfire.com TABLE OF CONTENTS Summary...

More information

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security

More information

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2 Requirement Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence

More information

FairWarning Mapping to PCI DSS 3.0, Requirement 10

FairWarning Mapping to PCI DSS 3.0, Requirement 10 FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced For use with

More information

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.

More information

Cyber security tips and self-assessment for business

Cyber security tips and self-assessment for business Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this

More information

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to

More information

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW: SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE Protecting your business assets and sensitive data requires regular vulnerability assessment,

More information

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection Zero Trust on the Endpoint Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection March 2015 Executive Summary The Forrester Zero Trust Model (Zero Trust) of information

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

in PCI Regulated Environments

in PCI Regulated Environments in PCI Regulated Environments JULY, 2018 PCI COMPLIANCE If your business accepts payments via credit, debit, or pre-paid cards, you are required to comply with the security requirements of the Payment

More information

Automating the Top 20 CIS Critical Security Controls

Automating the Top 20 CIS Critical Security Controls 20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises

More information

Endpoint Security for DeltaV Systems

Endpoint Security for DeltaV Systems Endpoint Security for DeltaV Systems Decrease risk with intelligent, adaptive scanning Utilize advanced anti-malware protection Identify, remediate and secure your DeltaV system from cybersecurity risks

More information

Product Security Program

Product Security Program Product Security Program An overview of Carbon Black s Product Security Program and Practices Copyright 2016 Carbon Black, Inc. All rights reserved. Carbon Black is a registered trademark of Carbon Black,

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

Cybersecurity The Evolving Landscape

Cybersecurity The Evolving Landscape Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG

More information

Continuous protection to reduce risk and maintain production availability

Continuous protection to reduce risk and maintain production availability Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading

More information

Dynamic Datacenter Security Solidex, November 2009

Dynamic Datacenter Security Solidex, November 2009 Dynamic Datacenter Security Solidex, November 2009 Deep Security: Securing the New Server Cloud Virtualized Physical Servers in the open Servers virtual and in motion Servers under attack 2 11/9/09 2 Dynamic

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October

More information

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program

More information

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES To Secure Azure and Hybrid Cloud Environments Introduction Cloud is at the core of every successful digital transformation initiative. With cloud comes new

More information

Sage Data Security Services Directory

Sage Data Security Services Directory Sage Data Security Services Directory PROTECTING INFORMATION ASSETS ENSURING REGULATORY COMPLIANCE FIGHTING CYBERCRIME Discover the Sage Difference Protecting your business from cyber attacks is a full-time

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2, IT Security Training MS-500: Microsoft 365 Security Administration $2,595.00 4 Days Upcoming Dates Course Description Day 1: Managing Microsoft 365 Identity and Access (MS-500T01-A) Help protect against

More information

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents Services to Help You Prepare for and Quickly Respond to Security Incidents The Challenge The threat landscape is always evolving and adversaries are getting harder to detect; and with that, cyber risk

More information

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

WHITE PAPERS. INSURANCE INDUSTRY (White Paper) (White Paper) Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to ensure enterprise compliance

More information

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY OUR MISSION Make the digital world a sustainable and trustworthy environment

More information

Security and PCI Compliance for Retail Point-of-Sale Systems

Security and PCI Compliance for Retail Point-of-Sale Systems Security and PCI Compliance for Retail Point-of-Sale Systems In the retail business, certain security issues can impact customer confidence and the bottom line regulatory penalties, breaches, and unscheduled

More information

Information Technology Procedure IT 3.4 IT Configuration Management

Information Technology Procedure IT 3.4 IT Configuration Management Information Technology Procedure IT Configuration Management Contents Purpose and Scope... 1 Responsibilities... 1 Procedure... 1 Identify and Record Configuration... 2 Document Planned Changes... 3 Evaluating

More information

Cybersecurity: Incident Response Short

Cybersecurity: Incident Response Short Cybersecurity: Incident Response Short August 2017 Center for Development of Security Excellence Contents Lesson 1: Incident Response 1-1 Introduction 1-1 Incident Definition 1-1 Incident Response Capability

More information