Carbon Black PCI Compliance Mapping Checklist

Transcription

1 Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and Carbon Black Enterprise Response support adherence to the requirement. PCI Requirement Addressed Test Definition per PCI Validation Plan Carbon Black Solution and Coverage PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data PCI DSS Requirement 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. Personnel need to be aware of and following security policies and operational procedures to ensure firewalls and routers are continuously managed to prevent unauthorized access to the network. Via its notification facility, Cb Enterprise Protection provides end users and company personnel dynamic feedback relevant to each type of endpoint security policy. Cb Enterprise Protection will provide branded templates for training and testing of security policies and maintain an audit record of both acknowledgement of and compliance with security policy and training. PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. PCI DSS Requirement 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Cb Enterprise Protection controls the execution of software and ensures that systems are prevented from drifting from their desired state. Software and configuration drift can be closely monitored within the Cb Enterprise Protection Console so you can measure any compliance risk at any time. Cb Enterprise Protection tracks changes to system configurations as well as the removal of applications, utilities and drivers. PCI DSS Requirement 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. Solutions need to be put in place that can help identify vulnerabilities and configuration deltas on systems. Cb Enterprise Response s threat intelligence and capabilities can assist in keeping endpoint configurations in check by finding vulnerable applications in the enterprise. Cb Enterprise Response is always on, and can tell you if the vulnerable application has ever been seen, when it was last seen, and on which computers. Cb Enterprise Response can also create an alert whenever a vulnerable application is executed within the environment Cb Enterprise Response makes it easy to identify the existence of any vulnerable application, without scanning. This means a much greater detection rate in a shorter amount of time. Cb Enterprise Response s alerting features ensure real time notice the instant the enterprise becomes vulnerable or drifts outside of the system configurations. Cb Enterprise Response can utilize feeds from US CERT s National Vulnerability Database providing intelligence on and checking the current list of vulnerable software by CVE to identify and track the presence of vulnerable applications within the enterprise. PCI DSS Requirement PCI DSS Requirement Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system. Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary Web servers. Cb Enterprise Protection s policy-driven security approach enforces this on all desired endpoints, only allowing approved software (scripts, drivers, subsystems, Web applications) to execute. This ensures only approved services and software are allowed to run, according to the policy established for each endpoint.

2 Requirement 5: Protect all systems against malware and regularly update anti-virus PCI DSS Requirement Ensure that all antimalware programs are capable of detecting, removing and protecting against all known types of malicious software. Cb Enterprise Protection stops cyber threats that evade antivirus and other traditional defenses including zero-day and targeted attacks. Cb Enterprise Protection s real-time sensor and recorder and real-time enforcement engine deliver the most reliable form of prevention. This combination gives organizations immediate visibility into everything running on their endpoints and servers; signature-less detection and prevention of advanced threats; and a recorded history of all endpoint and server activity to rapidly respond to alerts and incidents. PCI DSS Requirement For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require antivirus software. Cb Enterprise Protection can protect both in-scope and outof-scope systems, enabling your organization to exceed this requirement. PCI DSS Requirement 5.3 Ensure that all antivirus mechanisms are current, actively running, and generating audit logs. Cb Enterprise Protection is the only solution that continuously monitors and records all activity on endpoints and servers. While antivirus software can easily be deactivated on client endpoints, Cb Enterprise Protection cannot be disabled, ensuring that your organization meets this requirement. PCI DSS Requirement 5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. Cb Enterprise Protection s advanced threat protection can help distribute and enforce compliance policies and put mechanisms in place to inform and educate end users on those established policies.

3 Requirement 6: Develop and maintain secure systems and applications PCI DSS Requirement 6.1 Develop and maintain secure systems and applications Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities and file assets. The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked. The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information. Cb Enterprise Response s threat intelligence and capabilities can assist in keeping endpoint configurations in check by finding vulnerable applications in the enterprise. Cb Enterprise Response is always on, and can tell you if the vulnerable application has ever been seen, when it was last seen, and on which computers. Cb Enterprise Response can also create an alert whenever a vulnerable application is executed within the environment Cb Enterprise Response makes it easy to identify the existence of any vulnerable application, without scanning. This means a much greater detection rate in a shorter amount of time. Cb Enterprise Response s alerting features ensure real time notice the instant the enterprise becomes vulnerable or drifts outside of the system configurations. Cb Enterprise Response can utilize feeds from US CERT s National Vulnerability Database providing intelligence on and checking the current list of vulnerable software by CVE to identify and track the presence of vulnerable applications within the enterprise. PCI DSS Requirement 6.1 Develop and maintain secure systems and applications Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities and file assets. Cb Enterprise Protection s Software Reputation Service, combined with internal IT approvals of established policies, enables organizations to apply real-time, proactive threat and trust measurements to the asset inventory, discover potential risky files and enforce policy-based control on all endpoints. Cb Enterprise Protection s asset reporting applies threat and trust ratings to every file within the infrastructure, providing immediate low-friction analysis and risk ranking of any potential file vulnerability discovered. You can discover and get alerts on any potentially compelling or suspicious file activity with Cb Enterprise Protection s advanced threat analysis report. PCI DSS Requirement 6.2 Develop and maintain secure systems and applications Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release. In the event that critical patches are no longer available or are unavailable, ensure that a compensating control is in place that ensure the protection of potentially vulnerable systems. Cb Enterprise Response can function very similar to a patch management solution, providing immediate intelligence on how many systems have successfully been updated and which are still pending. Cb Enterprise Response can quickly identify computers that are not up to date with the patch policy. A standard feature within Cb Enterprise Response is to record and retain critical data, identifying precisely what happened and where. The utilizing of a Cb Enterprise Response watchlist for vulnerable or dated applications allows for notification once they appear within the network. Vulnerable or dated applications will be identified immediately within the environment as soon as they appear. PCI DSS Requirement 6.2 Develop and maintain secure systems and applications Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release. Cb Enterprise Protection enables enterprises to set trusted software rules and proactively block the execution of any software that is not preapproved to run. With Cb Enterprise Protection, there is no scanning, no signature updates, and no need to install security patches based on the operating system s vendor schedule. Untrusted software is continuously blocked without the burden of keeping signature files up to date. Cb Enterprise Protection helps organizations apply a risk-based approach to prioritize patch installations. Cb Enterprise Protection can secure the system configuration and be a compensating control to extend the life of systems that are required to run unsupported versions of operating systems. Cb Enterprise Protection also can proactively identify configuration files that have drifted outside the specified requirements. Cb Enterprise Protection s Advanced Threat Indicators can provide additional intelligence on the controlled endpoints and alert personnel in the event of a critical system change that could impact security and compliance.

4 Requirement 6 (continued): Develop and maintain secure systems and applications PCI DSS Requirement Change control procedures for the implementation of security patches and software modifications must include the following: Examine documented change control procedures related to implementing security patches and software modifications and verify procedures are defined for: Documentation of impact Documented change approval by authorized parties Functionality testing to verify that the change does not adversely impact the security of the system Back-out procedures Cb Enterprise Response can function very similar to a patch management solution, providing immediate intelligence on how many systems have successfully been updated and which are still pending. Cb Enterprise Response can quickly identify computers that are not up to date with the patch policy. With this capability, Cb Enterprise Response can assist in both reviewing the documented change approval, by reviewing the listings of target files or watch list to determine which files should be changing and which should not. Intelligence can be gathered from the Cb Enterprise Response interface indicating the patch health of the systems. Cb Enterprise Response will record and retain critical data, identifying precisely what happened and where. The utilization of the Cb Enterprise Response watchlist for vulnerable or dated applications allows for notification once they appear within the network, this can further validate the documented patch levels as well as assist in the functionality testing helping to verify that changes are valid as well as not adverse to the system. Vulnerable or dated applications will be identified immediately within the environment as soon as they appear. Requirement 7: Restrict access to cardholder data by business need to know. PCI DSS Requirement 7.1 Restrict access to data Limit access to system resources, components, and cardholder information only to individuals with requirements that need such access. Cb Enterprise Protection ensures secure configuration of devices using file-integrity and registry controls. Cb Enterprise Protection sets controls on the ability to read/ write/execute software on portable storage devices, preventing information leakage and accidental loss of sensitive, confidential information. PCI DSS Requirement 7.2 Restrict access to data Establish an access control system for systems components that restricts access based on a user s need to know, and is set to deny all unless specifically allowed. When users log into a system running Cb Enterprise Protection, they are restricted by policy to run only preapproved applications. All other applications are restricted from use, based on policy and the user s need to know. Requirement 9: Restrict physical access to cardholder data PCI DSS Requirement 9 Restrict physical access to cardholder data Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. Cb Enterprise Protection s device control and policy settings can enforce and monitor access to systems and restrict access to portable storage devices that contain cardholder data. Cb Enterprise Protection s device control policies also ensure that only authorized staff is allowed to copy cardholder data to portable storage devices.

5 Requirement 10: Track and Monitor all access to network resources and cardholder data PCI DSS Requirement 10.5 Secure audit trails so they cannot be altered. Verify, through observation, monitoring, and interviewing the system administrator, that: Audit Trails are enabled and active for system and file components. Access to system components and files are linked to individual users. Cb Enterprise Response s Triple Threat visibility, detection and incident response solution is always-on, allowing the ability to actively monitor system and file components proactively and maintain audit trails of associated events. The lightweight sensor continuously monitors and records every endpoint in the enterprise building and storing audit trails for system and file components. Cb Enterprise Response s unmatched detection and response capabilities enable users to collect and retain the precise data points that are needed during an investigation including records of execution, file system modifications, registry modifications, network connections, and a copy of every unique binary executed on an enterprise machine. Most importantly, Carbon Black collects and retains the relationship among each of these data types, giving you the power to understand behaviors, not just individual events. PCI DSS Requirement Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed withoutgenerating alerts (although new data being added should not cause an alert). Examine system settings, monitored files, and results from monitoring activities to verify the use of fileintegrity monitoring or change-detection software on logs. Cb Enterprise Protection provides file-integrity control to: Block unauthorized writes to log data and critical files. Ensure only authorized processes write to log data and critical files. Cb Enterprise Protection custom rules for log files and log directories can be used to ensure protection of the full scope of critical files. PCI Requirement Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs. Cb Enterprise Response s unique ability to select and specify custom watchlists of files, track, monitor, and recording all event data associated, will enable the protection of critical and sensitive log data and configuration files. PCI Requirement 10.6 Review logs and security events for all system components to identify anomalies or suspicious activity. Regular log reviews by personnel or automated means can identify and proactively address unauthorized access to the cardholder data environment. The log review process does not have to be manual. The use of log harvesting, parsing, and alerting tools can help facilitate the process by identifying log events that need to be reviewed. Cb Enterprise Response s threat protection is always-on, allowing the ability to actively monitor system and file components proactively and maintain audit trails of associated events. The lightweight sensor continuously monitors and records every endpoint in the enterprise building and storing audit trails for system and file components. When reviewing security events Cb Enterprise Response provides the ability to rewind the tape to view the full spectrum of an event. Since Cb Enterprise Response is always recording, even if the IOC, anomaly, or suspicious activity has long since passed, Cb Enterprise Response will provide all the related activity to immediately determine what process caused the activity, and any other activity it performed. PCI Requirement 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Cb Enterprise Response acts like a surveillance camera, always recording the key data that incident responders need, so when an incident does occur, or review of any event requires analysis, historic recorded data can be combined into the event of choice from Cb Enterprise Response s data store to figure out precisely what happened and where. This analysis is immediately available for analysis. Cb Enterprise Response will display all the related activity on the event, immediately determining and uncovering what process caused this activity, and any other activity it performed. PCI Requirement 10.8 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. Examine documentation interview personnel to verify that security policies and operational procedures for monitoring all access to network resources and cardholder data are Documented, In use, and Known to all affected parties Cb Enterprise Response prepares the digital enterprise with full proof that a proactive solution is in place and targeted at the appropriate parties. Schematics and flows can be displayed in the Cb Enterprise Response interface to show utilization, as well as evidence of use. Cb Enterprise Response provides the enterprise with the precise answers required to prove usage, consumption, and enforcement, in order to deal with incidents and events swiftly and confidently, without jeopardizing the bottom line.

6 Requirement11: Regularly test security systems and processes PCI DSS Requirement 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files Cb Enterprise Protection file-integrity control prevents unauthorized modification of critical system files and content files while ensuring only authorized processes can write to these files. PCI DSS Requirement 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files Cb Enterprise Response s unique ability to select and specify custom watchlists of files, track, monitor, and recording all event data associated, will enable the protection of critical and sensitive log data and configuration files. PCI DSS Requirement 11.5a Verify the use of file-integrity monitoring tools within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities. Cb Enterprise Protection prevents unauthorized modification of critical system and content files. This means less change and less change data to analyze. Cb Enterprise Protection ensures only authorized processes can write to critical system and content files. Cb Enterprise Protection s compliance dashboard find file facility shows exclusive file attributes of monitored files. Bit9 s Advanced Threat Indicators can identify potentially compelling file changes. PCI DESS Requirement Implement a process to respond to any alerts generated by the change-detection solution. Cb Enterprise Protection s proactive approach provides organizations with analyzed data in real time so they can act immediately to guard and protect all critical systems and data. Requirement 12: Maintain a policy that addresses information security of all personnel PCI DSS Requirement 12.1 Policies and procedures Establish, publish, maintain and disseminate a security policy. PCI DSS Requirement Policies and Procedures PCI DSS Requirement 12.3 Policy and Procedures Review the security policy at least annually and update the policy when the environment changes. Develop usage policies for critical technologies and define proper use of these technologies. Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, usage and Internet usage. Cb Enterprise Protection will notify end users and company personnel of updated and new security policies. Cb Enterprise Protection will provide branded templates for training and testing of security policies and maintain an audit record of both acknowledgement of and compliance with security policy and training. About Carbon Black Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the balance of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint activity, making it easy to track an attacker s every action, instantly scope every incident, unravel entire attacks and determine root causes. Carbon Black also offers a range of prevention options so organizations can match their endpoint defense to their business needs. Carbon Black has been named #1 in endpoint protection, incident response, and market share. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to: Disrupt. Defend. Unite Carbon Black is a registered trademark of Carbon Black. All other company or product names may be the trademarks of their respective owners MMC 1100 Winter Street Waltham, MA USA P F