WHITE PAPER. PCI and PA DSS Compliance with LogRhythm

PCI and PA DSS Compliance with LogRhythm April 2011

PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS standards apply to all organizations that store, process or transmit cardholder data and all affected organizations must be PCI compliant. The Payment Application Data Security Standard (PA DSS) is derived from PCI DSS, and its individual requirements align with PCI DSS requirements. The PCI DSS standards are enforced by the founding members of the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The first PCI DSS standard is a combined effort from the results of several independent company data protection standards. The Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The first PCI DSS standard was released on December 15, 2004 and its latest revision was released on October 28, 2010. LogRhythm is a participating organization in the PCI Security Standards Council and as such, will work with the Council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards. The collection, management, and analysis of log data are integral to meeting PCI audit requirements. IT environments include many heterogeneous devices, systems, and applications that all report log data. Millions of individual log entries can be generated daily, if not hourly. The task of simply assembling this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly. LogRhythm has extensive experience in helping organizations improve their overall security and compliance posture while reducing costs. Log collection, archive, and recovery Protecting Cardholder Data are fully-automated across the entire IT infrastructure. The Six Domains of PCI DSS Requirement LogRhythm automatically performs log data categorization, identification, and normalization to facilitate easy analysis Network and reporting. LogRhythm s best-of-breed log management Security capabilities enable automatic identification of the most Devices critical events and notification of relevant personnel through its powerful Alarming capabilities. Monitor And Test Networks Information Security Policy Cardholder Data Systems Vulnerability Management Access Control Systems LogRhythm provides out-of-the-box PCI compliance support. As part of the PCI Compliance Package, enterprise assets are categorized according to Network Security, Cardholder Data, Vulnerability Management, Access Control, Network Monitoring and Testing, and Information Security Policy. LogRhythm s PCI DSS Compliance Package can be used to help meet PA DSS standards as well. LogRhythm s extensive support for both commercial and custom payment applications enables comprehensive and efficient collection, processing, review and reporting of all log sources specified in both the PCI and PA data security standards. To ensure compliance with PCI requirements, information systems and payment applications are monitored in realtime. Investigations, Reports and Alarm Rules are provided, allowing for immediate notification and analysis of conditions that impact the integrity of the organization s cardholder data. Areas of non-compliance can be identified in real time. Additional Investigations, Reports and Alarm Rules are provided as part of LogRhythm s standard Knowledge Base to further augment the usefulness of the log data. Reports can be generated as needed by the PCI Security Assessor and scheduled to run at pre-determined intervals. 2

The table below explains how LogRhythm and the PCI Compliance Package address the six sections of the standard: PCI Section and Purpose Build and Maintain a Secure Network LogRhythm Compliance Support LogRhythm supports most popular firewall products and associated network protection systems such as intrusion protection systems, unified threat managers, and content inspection systems. Also specified is the removal of default passwords and to enforce the secure deployment of equipment in the organization. LogRhythm provides monitoring for insecurity such as use of default passwords. Alarming is provided when they are detected. Protect Cardholder Data LogRhythm monitors for proper operations and configuration changes that may jeopardize the security of cardholder data. Alarms are provided to identify suspicious network activity in real-time. Maintain a Vulnerability Management Program Anti-virus software can be monitored for proper signature updates. Malicious software is centrally reported. Investigations can be launched to identify activities related to malware infections to assess exposure, incident handling and response. Vulnerabilities may be detected by systems and collected in real-time, allowing for faster awareness than spotcheck vulnerability assessments. Implement Strong Access Control Measures Access to card holder systems and data, changes in permissions and access rights, and suspicious behavior are all collected in real-time by LogRhythm. Investigations can be rapidly performed for any suspected abuses or compromises to PCI DSS protected data. Shared account usage can be easily spotted, as well as after-hours access or unusual account access frequency. Access successes and failures to systems, applications, and objects are collected and processed by LogRhythm. Regularly Monitor and Test Networks LogRhythm establishes the automated audit trail for all system components as mandated by PCI DDS Requirements 10.2-10.7, covering one of the most difficult-to-attain requirements. By converting this information to useful data, LogRhythm meets both the conditions and the spirit of these requirements. Maintain an Information Security Policy Most organizations need a security policy that extends into all areas of the business, and these environments may mirror the PCI standards or use more robust policies such as CobiT or ISO 27001/27002. LogRhythm supports enterprise-class systems that can be far more diverse than just the organization s PCI environment and ensure compliance with other security frameworks and regulations. The tables on the subsequent pages outline how LogRhythm directly meets requirements of the PCI sections. The requirements listed come directly from the PCI compliance documents located at the PCI Security Standards Council web site (http://www.pcisecuritystandards.org). The column describes the capabilities LogRhythm provides that will meet, support or augment PCI compliance. 3

1. Install and maintain a firewall configuration to protect data LogRhythm collects logs from firewall devices to ensure and validate compliance. 1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure 1.1.6 Requirement to review firewall and router rule sets at least every six months. 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. 1.2.2 Verify that router configuration files are secure and synchronized. 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ. 1.3.3 Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment. 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. LogRhythm provides monitoring and investigations to perform testing procedures 1.1.5a and 1.1.5b by showing the use of protocols in the network environment. Testing requires verification that all used services, protocols and ports have a business need. LogRhythm supports intrusion detection and protection systems, including SourceFire, Cisco, Tipping Point, ISS, McAfee, and others. Events collected from these systems can be analyzed at all boundary points and correlated against other log sources to provide deep investigations of boundary traffic. Long term trending and analysis is achieved with the LogMart database which can be used to quickly view trended information for days, weeks and months. Attacks Detected Compromises Detected Top Attackers Top Targeted Applications Top Targeted Hosts Verification that inbound and outbound traffic is properly controlled (limited and/or denied) for the cardholder data environment. LogRhythm detects and alerts on inbound internet activity within the cardholder data environment, providing verification of proper and the presence of improper network activities. LogRhythm identifies synchronization events and can be used to verify the proper functioning of routers, firewalls, or other collaborative network devices. Reports provide a consolidated review of internal/external activity and threats. Firewall And Router Policy Synchronization LogRhythm detects and alerts on inbound and outbound internet activity not restricted to the DMZ, identifying non-compliant network traffic or attempts to access services inside the DMZ that are not approved for Internet accessibility. LogRhythm can detect and alert on activity where internal addresses are not passed from the Internet into the DMZ. LogRhythm detects and alerts on any outbound activity not necessary for the payment card environment. Any accesses to IP addresses to unauthorized networks can be quickly identified. 4

2. Do not use vendor-supplied defaults for system passwords and other security parameters LogRhythm monitors the network for indications of improper behavior and signs of weak security configuration. 2.1 Always change vendor-supplied defaults before installing a system on the network for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts. 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for webbased management and other non-console administrative access. LogRhythm can alarm on detected use of default passwords or known default accounts that should not be used in a secure deployment. Example Alarms: Alarm On Default Account Usage Alarm On Anonymous Or Guest Account Usage LogRhythm provides a record of all services used and can alarm on the use of nonencrypted protocols. Use Of Non-Encrypted Protocols 3. Protect stored cardholder data LogRhythm provides monitoring of changes in the cardholder environment and can alarm on changes to security critical resources. 3.6.7 Prevention of unauthorized substitution of cryptographic keys. LogRhythm may alarm on actions that affect specific files or objects, including cryptographic keys. The details of who, when and where a key was altered will be available in real-time to the custodian(s). File Integrity Monitoring Activity 4. Encrypt transmission of cardholder data across open, public networks LogRhythm monitors network use to ensure that only the proper protocols are being used in the cardholder data environment. 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open public networks. 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. Note: The use of WEP as a security control was prohibited as of 30 June 2010. LogRhythm records which protocols are being used in the cardholder data environment, showing when any unauthorized protocols or unencrypted services are used. In addition, LogRhythm is capable of alarming on conditions where a system observes unencrypted information passed when expecting only encrypted traffic. LogRhythm can observe and report on detected wireless networks, identifying wireless access points that communicate with the cardholder data environment. Wireless Access Points 5

5. Use and regularly update anti-virus software or programs LogRhythm collects and can alarm on detected malware and compromises in the cardholder data environment. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. LogRhythm detects and alerts on any error conditions originating from anti-virus applications, when the services are started and stopped, as well as identifies when new signatures are installed. Alarming can be configured to inform the custodian(s) of when any malware is detected inside the cardholder data environment. Malware Detected Anti-Virus Signature Update Report Example Alarms: Alarm On Malware 6. Develop and maintain secure systems and applications 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release. 6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle. 6.4.2 Separation of duties between development/test and production environments. 6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes. 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications LogRhythm can track and report on when patches are installed on devices, showing which systems have had patching within the past month, or any other time frame as dictated by organizational policy. Patches Applied LogRhythm provides intelligence for logs written by custom software. By providing an intelligence system for logs to be sent to, rules can be created to provide proper alarming, reporting, and enhancement to the abilities of any custom application to be used in the cardholder data environment. LogRhythm can report on communications between production and development environments to ensure separation. Vulnerabilities outlined in section 6.5 can be detected by real-time examination tools or by using compatible vulnerability scanning systems. Attempts to attack the web applications, such as by a cross-site scripting vulnerability (XSS), can be alarmed on in real-time by LogRhythm. Vulnerabilities Detected LogRhythm can address either solution by working in conjunction with web exploit sensitive systems, such as Intrusion Detection Systems, Web-Application Firewalls, Stateful Inspection Firewalls, Web Servers, and other log sources to analyze detected potential abuses as well as provide a way to investigate suspected breaches. Suspicious Activity by User Top Targeted Hosts Suspicious Activity by Host Top Targeted Applications Top Suspicious Users Vulnerabilities Detected 6

7. Restrict access to cardholder data by business need to know LogRhythm monitors access privilege assignments and suspicious data accesses. 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access to cardholder data can be monitored by the custodian(s) of the data in real-time by collecting access control system data. Account creation, privilege assignment and revocation, and object access can be validated using LogRhythm. Host Authentication Summary Disabled Accounts Summary Applications Accessed by user Removed Account Summary 8. Assign a unique ID to each person with computer access LogRhythm helps identify shared account usage in the network, including unobvious accounts with more than one user. 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data. Account creation can be monitored through reporting and investigations of logs pertaining to the creation and modification of accounts. Accounts that have more than one user may be identified through investigations of frequent and/or suspicious login activities. Account Creation Activity Account Modification Activity 10. Track and monitor all access to network resources and cardholder data LogRhythm automates collection, centralization and monitoring of logs from servers, applications, security and other devices, significantly reducing the cost of compliance. 10.2 Implement automated audit trails for all system components to reconstruct PCI Standard specified events. 10.2.2 Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges. LogRhythm s core capabilities are centralization and proper management of audit log data. Reports can be produced to show all audit activity from account creation, through account activity, to account removal. Support for reporting on log data from custom applications containing portions of the audit trail is easily achieved using LogRhythm s built in rule building tools. Account Creation Activity User Authentication Summary User Access Summary Account Modification LogRhythm collects all account management activities. LogRhythm reports ensures policy adherence by providing an easy-to-review record of all account management activity. Account Creation Activity Account Modification Activity User Access Summary Host Access Granted & Revoked 7

10.2.4 Implement automated audit trails for all system components to reconstruct all invalid logical access attempts. 10.3 Record user identification, type of event, date and time for each audit trail entry. LogRhythm identifies failed access and authentication attempts for enterprise networked devices. LogRhythm automates the process of identifying high-risk activity and prioritizes based on asset risk. High-risk activity can be monitored in real-time or alerted on. LogRhythm reports provide an easy-to-review record of inappropriate, unusual and suspicious activity. Disabled Accounts Summary Removed Account Summary Audit Exceptions Event Summary User Object Access Summary Failed Host Access By User Failed Application Access By User LogRhythm timestamps and classifies each event received to match this requirement, as well as extract useful information such as user identification, IP addresses and host names, objects accessed, vendor message ids, amounts affected (bytes, monetary values, quantities, durations), affected applications and other details useful for forensic investigation of the audit logs. 10.4 Synchronize all critical system clocks and times. Many environments cannot synchronize system clocks to a single time standard, so LogRhythm independently synchronizes the timestamps of all collected log entries, ensuring that all log data is time-stamped to a standard time regardless of the time zone and clock settings of the logging hosts. 10.5.1 Limit viewing of audit trails to those with a jobrelated need. LogRhythm includes discretionary access controls allowing you to restrict the viewing of audit logs to individuals based on their role and Need-To-Know. 10.5.2 Protect audit trail files from unauthorized modifications. Using LogRhythm helps ensure audit trails are protected from unauthorized modification. LogRhythm collects logs immediately after they are generated and stores them in a secure repository. LogRhythm servers utilize access controls at the operating system and application level to ensure that log data cannot be modified or deleted. 10.5.3 Promptly back-up audit trail files to a centralized log server or media that is difficult to alter. LogRhythm automatically collects audit trails and stores them in a central and secure repository. When a log is collected, it is stored in a database for analysis and reporting and a copy is written to an archive file. The archive copy of the log also serves as a backup. Archive files can be written to SAN, NAS, or other central location providing for additional redundancy. Segregation can be performed by allowing only log traffic to pass through LogRhythm via firewall, filter control on a router, or configuring the LogRhythm appliance s firewall to reject unanticipated connections. 10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN. LogRhythm can securely collect logs from the entire IT infrastructure including external-facing technologies for storage on an internal LAN Network where a LogRhythm appliance resides. 8

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). LogRhythm includes an integrated file integrity monitoring capability that ensures our collection infrastructure is not tampered with. Additionally, LogRhythm servers utilize access controls at the operating system and application level to ensure log data cannot be modified or deleted. Alerts are customizable to prevent or allow alarms on a case-by-case basis, including not causing an alert with new data being added. 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol. 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up). An audit history usually covers a period of at least one year, with a minimum of 3 months available online. LogRhythm supplies a one stop repository from which to review log data from across the entire IT infrastructure. Reports can be generated and distributed automatically on a daily basis. LogRhythm provides an audit trail of who did what within LogRhythm and a report which can be provided to show proof of log data review. LogRhythm Usage Auditing LogRhythm completely automates the process of retaining your audit trail. LogRhythm creates archive files of all collected log entries. These files are organized in a directory structure by day making it easy to store, backup, and destroy log archives based on your policy. 11. Regularly test security systems and processes LogRhythm can collect logs from intrusion detection/prevention systems and has integrated file integrity monitoring capabilities. The collection of IDS/IPS logs helps to ensure and validate compliance. LogRhythm s file integrity monitoring capabilities can be used to directly meet requirement 11.5. 11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up-to-date. LogRhythm collects logs from network and host based IDS/IPS systems. Its risk-based prioritization and alerting reduce the time and cost associated with monitoring and responding to IDS/IPS alerts. The Personal Dashboard feature can be used to monitor intrusion related activity in real-time. A powerful Investigator tool makes forensic search easy and efficient. LogRhythm combined with IDS/IPS is an extremely powerful tool in identifying and responding to intrusion related activity efficiently and accurately. Successful/Failed Host Access by User Successful/Failed Application Access by User Successful/Failed File Access by User Top Attackers Multiple Authentication Failures Suspicious Activity By User and Host 9

11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. LogRhythm agents include an integrated file integrity monitoring capability which can be used to detect and alert on the following for any file or directory: Reads; Modifications; Deletions; Permission Changes. This capability is completely automated. How often files are scanned is configurable. Files can be scanned at user defined frequencies such as every 5 minutes or once a night. File Integrity Monitoring Activity 12. Maintain a policy that addresses information security for employees and contractors LogRhythm provides centralized intelligence that can support the organizational security policy, including incident handling and response. Because policies are flexible, LogRhythm is ready to expand beyond the cardholder data environment to provide support to other areas of the organization that need its critical services. 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach. LogRhythm provides a centralized management system capable of alarming, reporting and investigating security breaches to the network. LogRhythm supports an incident response plan by providing the real-time enterprise detection intelligence to address issues quickly to prevent damage and exposure. Example Alarms: Alarm On Attack Alarm On Compromise Alarm On Malware LogRhythm Headquarters 3195 Sterling Circle Boulder, CO 80301 303-413-8745 LogRhythm EMEA Siena Court, The Broadway Maidenhead Berkshire SL6 1NJ United Kingdom +44 (0) 1628 509 070 LogRhythm Asia Pacific Ltd. 8/F Exchange Square II 8 Connaught Place, Central Hong Kong +852 2297 2812 LogRhythm Inc. www.logrhythm.com PCIWP_1104 10