ArcSight, Inc.
Corporate Headquarters: 1-888-415-ARST EMEA Headquarters: +44 (0)844 745 2068 Asia Pac Headquarters: +65 6248 4795
Background
Digital fraud and identity theft incidents have made the protection of payment card information more critical than ever. Cardholder security programs started as early as 2001, and credit card issuers joined together in 2004 to publish the first Payment Card Industry (PCI) Data Security Standard (DSS). Visa, MasterCard, American Express, Discover Bank and JCB all now endorse the standard. The PCI DSS differs from other information security regulations in that it is governed by private industry rather than elected officials, which means the PCI Security Standards Council (SSC) retains the authority to manage the DSS. The DSS consists of twelve requirements to which members, merchants and service providers must adhere. It applies to any organization that stores, processes or transmits cardholder data. The requirements include the use of data encryption, end-user access controls and activity monitoring and logging, as well as the need to regularly test security systems and processes. Companies face stiff fines or may even be barred from the card acceptance program if they do not comply. The PCI DSS extends to all system components of these organizations, which means all technology involved with or connected to cardholder data is considered in scope for the standard.
ArcSight 1
1. ArcSight Logger enables you to meet specific PCI requirements out of the box.
2. The ease of implementation means you can quickly demonstrate to auditors that you not only meet control requirements but also have a process for continuous tracking and monitoring of access, and for ensuring the integrity of audit trails.
3. The ArcSight Logger PCI Compliance Package comes with pre-defined reports and alerts for the PCI requirements, which reduce the cost of configuration and consulting.
4. ArcSight Logger leverages security standards (e.g. NIST, ISO/IEC), enabling you to extend your investment beyond PCI to other IT governance and compliance requirements.
ArcSight Logger incorporates best practices to meet and exceed security, audit and litigation requirements. Raw data collection, for example, is subject to integrity checks based on the NIST 800-92 (Log Management Standard) approved SHA-1 hashing algorithm. Automation allows the system to consistently manage retention policies without the risk of error from manual review and intervention. The system can also be managed with role-based access controls and multiple retention policies, providing a rich and powerful platform for log management for organizations of any size and for multiple regulations.
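The integrity check described above works by hashing collected raw data so that later alteration is detectable. The following is an added illustration of that idea (not ArcSight's own code): each stored record's digest also covers the previous record's digest, so modifying, deleting or reordering any record breaks every later link. The sample events are constructed; the page cites SHA-1, while this example defaults to SHA-256 and accepts any hashlib algorithm name.

```python
import hashlib

# Constructed sample records standing in for raw events a log manager ingests.
SAMPLE_EVENTS = [
    "2009-04-01T10:00:01Z fw01 deny tcp 203.0.113.5 -> 10.0.0.8:3389",
    "2009-04-01T10:00:04Z db01 login user=root src=10.0.0.21",
    "2009-04-01T10:00:09Z pos17 card_read terminal=17 result=ok",
]

GENESIS = "0" * 64  # fixed starting value agreed by the writer and the verifier


def _link_digest(prev_digest, event, algorithm):
    """Digest of (previous digest, newline, raw event text)."""
    h = hashlib.new(algorithm)
    h.update(prev_digest.encode())
    h.update(b"\n")
    h.update(event.encode())
    return h.hexdigest()


def seal_events(events, algorithm="sha256"):
    """Return a list of {"event", "digest"} records forming a hash chain.

    The page references SHA-1; SHA-256 is this example's default (a swap made
    here, not a statement about the product). Any hashlib name works.
    """
    chain = []
    prev = GENESIS
    for ev in events:
        prev = _link_digest(prev, ev, algorithm)
        chain.append({"event": ev, "digest": prev})
    return chain


def verify_chain(chain, algorithm="sha256"):
    """Recompute every link. Return (True, None) if intact, else
    (False, index) where index is the first record whose link fails."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if _link_digest(prev, rec["event"], algorithm) != rec["digest"]:
            return False, i
        prev = rec["digest"]
    return True, None
```

A deleted record shows up as a failure at the position that followed it, because the next record's digest was computed over the missing link; the chain head digest itself must be stored somewhere the log writer cannot modify (a WORM medium or a separate system) for the scheme to resist an attacker who can rewrite the whole archive.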
Requirement 1
ArcSight Logger provides a centralized repository to store and analyze firewall, router and other secure network device logs for extended periods. This can help reveal and troubleshoot control gaps and uncover traffic from untrusted hosts. It can alert you to unauthorized or unknown protocols, as well as help define and enforce DMZ requirements. ArcSight Logger, when configured properly to interface with network monitoring and control systems, will also help to define and enforce perimeter designs, including database and application segmentation. DSS 1.2 clarifies that the requirement applies to both routers and firewalls, and that rules may now be reviewed semi-annually instead of quarterly.
Requirement 2
Use of vendor defaults can be highlighted in the logs by evidence of activity by generic accounts such as administrator or root. ArcSight Logger provides a central system where use of system defaults can be easily identified. There is much less need, or even none at all, to scour each individual system for proper settings when those systems log their activity into a centralized system such as ArcSight Logger. ArcSight Logger also helps address the DSS 1.2 changes that prohibit WEP and expand the scope of controls to all wireless environments attached to or transmitting cardholder data.
Requirement 3
Log management is essential to the proper handling of Requirement 3. For example, data retention and disposal policies can be measured and investigated based on records that appear in the logs. Many PCI violations of Requirement 3 come from data being retained in logs that are not monitored adequately. Compliance with 3.2-3.4 is clearly made easier with a centralized logging system that demonstrates that sensitive authentication data and cardholder information are not being stored. Likewise, the key management aspects of Requirement 3 can be greatly assisted by a log management solution. The split knowledge and dual control of keys is intended to help prevent key misuse, but it implies a level of detective controls to help enforce that prevention. Adding careful logging of key use enhances this significantly and can even provide a compensating control option for those who are still working towards a more complete solution.
Requirement 4
DSS 1.2 specifies industry best practices for wireless authentication and transmission of data. Administrators need to be able to see that cardholder information is never sent via email, and that the cryptography used on open, public networks is strong. WEP must be turned off by June 30, 2010, and new implementations will be barred from using WEP after March 31, 2009. Logs are an effective way to keep evidence of secure communication handshakes and transmissions that reveal the crypto versions and types in use. Centralized logs are even more effective, as they can provide a single report on violations throughout a global enterprise. They also may reveal flaws in configurations. A system that reviews services and banners, for example, could easily generate an audit trail for SSLv2 or WEP.
Requirement 5
The advantage of using ArcSight Logger for centralized reporting of anti-virus installation and updates is the ability to generate a high-performance, normalized and consolidated view over distributed and unique anti-virus software and programs. Most companies now have, or will benefit from, multiple anti-virus programs. Defense-in-depth, as well as some technology limitations, can mean reports from at least two anti-virus systems need to be combined. DSS 1.2 states all operating system types must use anti-virus software and address all known types of malicious software. A vendor and platform neutral logging solution is an efficient and effective way to pull together malware reports. The business is best served when it generates consistent and independent reports for security monitoring even when it operates across a diverse set of underlying technology.
Requirement 6
There are numerous opportunities for log management in secure systems development, such as success/fail review status, patch-level reporting, vulnerability reporting and trends over time. PCI DSS 1.2 has made Requirement 6.6 mandatory, which means web application firewall and vulnerability assessment logs will need to be collected and analyzed on a regular basis. In addition, under Requirement 6, patching systems produce a number of alerts and errors that can be cross-referenced with the system logs to determine false positives or uncover a business-impact issue. Feedback from systems being patched becomes increasingly valuable under the PCI DSS 1.2 guidance that companies may use a risk-based approach to prioritize their patches.
Requirement 7
This requirement establishes a need-to-know standard for access to cardholder data. Also referred to as role-based access, this type of control depends heavily on logging to detect violations. The second half of the requirement calls for a deny-all-unless-specifically-allowed policy, which of course benefits greatly from the system described in Requirement 10 that logs and reports suspicious activities.
Requirement 8
ArcSight Logger provides a centralized repository to store and analyze user activity, such as activity by revoked or disabled identities, suspicious activity, or the use of generic or vendor default identities. Test procedures under DSS 1.2 now state that passwords must be unreadable when stored and in transmission. All logs therefore must be reviewed for violations of password security requirements. A centralized and high-performance solution like ArcSight Logger provides the best platform to maintain log compliance with Requirement 8.
Requirement 9
ArcSight Logger provides a central repository for physical security system audit trails and for monitoring access and access control changes, which can help tie physical activity to computer and network-related events. DSS 1.2 specifies that offsite storage locations must be visited at least annually. This can be recorded and reported in the logs. DSS 1.2 also relaxes the camera requirements, which means detailed text logs regarding physical access may be a suitable control in lieu of visual data.
Requirement 10
A proper configuration of ArcSight Logger will by itself complete the PCI DSS 1.2 Requirement 10, which primarily deals with implementation of a system to collect, analyze and retain audit trails. DSS 1.2 clarifies that all external-facing technology must now copy logs to an internal log server, and also that the audit trail history must be quickly accessible (online, archived or restorable from backup). This emphasizes the requirement for a dedicated log management solution that retains at least one year of history, with a minimum of three months immediately available for analysis (DSS 1.2 removes the word "online" from this wording). ArcSight Logger provides numerous high-performance and enterprise-scalable options to provide immediate or quickly accessible audit trail access. Subsections of Requirement 10 mandate that all access to system components be linked to individual users, especially for administrative-level access. They also require automated audit trails with detailed entries for all system components to reconstruct events, and protections to prevent the trails from being altered. These system logs must be reviewed daily, especially on intrusion detection and authentication, authorization and accounting systems. All combined, ArcSight Logger is designed to provide a complete solution with the highest-performance, most-scalable centralized log management system that meets or exceeds PCI DSS 1.2 compliance. Subsection 4 (time synchronization) is the only area of Requirement 10 where logs are not directly applicable as a solution. However, even here ArcSight Logger assists with management of time by providing a centralized point to show time synchronization across all systems, which will identify excessive drift and alert administrators to systems with incorrectly configured time.
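The drift check described for Subsection 4 compares the timestamp a device wrote into each event against the time the central collector received it. The code below is an added illustration of that comparison, not ArcSight's own; the line format (received=, host=, ts= key/value tokens) and the sample lines are constructed for the example, and the 60-second threshold is an assumed tolerance that absorbs normal network and queuing delay.

```python
from datetime import datetime, timezone

# Constructed sample lines: the collector prefixes each event with its own
# receipt time; "ts" is the timestamp the originating device wrote.
SAMPLE_LINES = [
    "received=2009-04-01T10:00:05Z host=fw01 ts=2009-04-01T10:00:04Z msg=deny tcp",
    "received=2009-04-01T10:00:06Z host=ids02 ts=2009-04-01T09:52:06Z msg=alert sid=1001",
    "received=2009-04-01T10:00:07Z host=db01 ts=2009-04-01T10:00:08Z msg=login root",
    "received=2009-04-01T10:00:09Z host=ids02 ts=2009-04-01T09:52:09Z msg=alert sid=1002",
    "garbage line with no usable fields",
]


def _parse_ts(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Extract the received/host/ts tokens; ignore everything else."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            if key in ("received", "host", "ts"):
                fields[key] = value
    return fields


def clock_drift_report(lines):
    """Return {host: worst drift in seconds}. Positive means the device clock
    runs behind the collector; negative means it runs ahead. Lines that lack
    any of the three fields are skipped rather than treated as zero drift."""
    worst = {}
    for line in lines:
        f = parse_line(line)
        if not all(k in f for k in ("received", "host", "ts")):
            continue
        drift = (_parse_ts(f["received"]) - _parse_ts(f["ts"])).total_seconds()
        if abs(drift) > abs(worst.get(f["host"], 0.0)):
            worst[f["host"]] = drift
    return worst


def hosts_over_threshold(lines, max_drift_seconds=60):
    """Hosts whose worst observed drift exceeds the tolerance (assumed 60 s)."""
    report = clock_drift_report(lines)
    return sorted(h for h, d in report.items() if abs(d) > max_drift_seconds)
```

A device that runs ahead of the collector (negative drift) is as much a problem as one that runs behind, because either makes events from different systems impossible to order during an investigation; that is why the check uses the absolute value.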
Requirement 11
Regular tests of security systems and processes will generate data that can be stored in ArcSight Logger for centralized and convenient archival purposes. The normalization of the data will make the process of managing test data and reporting considerably more efficient.
Requirement 12
Many daily operational procedures are linked to security policies. A status check on policy compliance, or the pressure for revision, can be automated through analyzing logs, using routing notifications and instructions, and by creating a system for distribution of alerts to appropriate personnel. ArcSight Logger can provide insight into audit trails that reveal the status of policies for information security management. DSS 1.2 now includes remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs) in the list of critical employee-facing technologies that must be monitored.
Conclusion
The ArcSight approach makes it easier to protect stored cardholder data by centrally auditing and alerting administrators to security issues, enhancing solutions across all twelve requirements. Broad device support and high-performance aggregation mean a more centralized view and more integrity in the collection of log data. Using a source-of-origin approach, ArcSight Logger provides end-to-end reliability and availability of audit trails. This means a turnkey, scalable log management solution that can easily be rolled out and managed across hundreds or even thousands of locations to ensure complete collection of all enterprise event data.