Whitepaper

ArcSight Logger and PCI DSS 1.2

Research 028-053110-02

ArcSight, Inc.

5 Results Way, Cupertino, CA 95014, USA www.arcsight.com info@arcsight.com

Corporate Headquarters: 1-888-415-ARST EMEA Headquarters: +44 (0)844 745 2068 Asia Pac Headquarters: +65 6248 4795

Whitepaper: ArcSight Logger and PCI DSS 1.2

Background
Digital fraud and identity theft incidents have made the protection of payment card information more critical than ever. Cardholder security programs started as early as 2001, and credit card issuers joined together in 2004 to publish the first Payment Card Industry (PCI) Data Security Standard (DSS). Visa, MasterCard, American Express, Discover Bank and JCB all now endorse the standard. The PCI DSS is unique from other information security regulations as it receives governance from private industry rather than elected officials, which means the PCI Security Standards Council (SSC) retains the authority of managing the DSS. The DSS is comprised of a list of twelve requirements to which members, merchants and service providers must adhere. It applies to any organization that stores, processes or transmits cardholder data. The requirements include the use of data encryption, end-user access controls and activity monitoring and logging, as well as the need to regularly test security systems and processes. Companies face stiff fines or even may be barred from the card acceptance program if they do not comply. The PCI DSS extends to all system components of these organizations, which means all technology involved with or connected to cardholder data is considered applicable to the standard.

ArcSight Logger and PCI DSS 1.2

ArcSight Logger is delivered in a slim appliance form-factor that supports ease of configuration and deployment. It provides high-performance log collection from any source into highly-compressed yet easily-searchable and self-managing log data repository. ArcSight Logger addresses the growing need for collection, storage and analysis of data for all sizes and types of organizations. It can function both as a standalone appliance to achieve log management as well as a complement to the ArcSight ESM platform, which provides a foundation for IT risk and compliance management. The DSS requires implementation of a robust information security management system including monitoring and maintaining audit trails. Version 1.1 of the DSS was published in September 2006 with an Appendix B: compensating controls. This appendix addresses the complexity of encryption and that controls often cannot be immediately absorbed by entities facing compliance. Compensating controls, such as advanced logging capabilities to protect keys and enhance identity management, increase the relevance of logs. Version 1.2 was released on Oct 1, 2008, as the Security Standards Council uses a two year lifecycle, and provides clarifications to make it easier for organizations to interpret and implement the DSS without losing the intent. Combined together, Appendix B and the changes in version 1.2 make it clear that log management serves as a foundation for PCI compliance. The importance of maintaining a trail of who, what, where, and when of cardholder data should not be underestimated. Even policy and risk assessment depend to a degree on data that is collected in logs and analyzed in a timely fashion. Requirement 10 is perhaps the most obvious as it calls on organizations to track and monitor all access to network resources and cardholder data. ArcSight Logger is the industry leading solution for Requirement 10. It establishes a process to link user access to systems, especially for privileged accounts such as root and administrator. Additionally, it implements automated assessment trails for all system components to reconstruct specified events, records specified assessment trail entries for all system components for each event, secures the assessment trails so they cannot be altered, provides numerous storage options to retain history for more than one year, and provides a user-friendly interface and powerful reporting engine for daily review of all system component logs. ArcSight Logger also goes beyond Requirement 10 and assists members, merchants and service providers that store, process or transmit cardholder data by making the rest of their PCI compliance program more efficient, effective and auditable. It automatically collects information from system components covered under PCI and provides an intelligent logging solution for analysis, audit and retention requirements including payment applications.

ArcSight 1

Whitepaper: ArcSight Logger and PCI DSS 1.2

1. ArcSight Logger enables you to meet specific PCI requirements out of the box. 2. The ease of implementation means you can quickly demonstrate to auditors that you not only meet control requirements but also you have a process for continuous tracking and monitoring of access, and ensuring the integrity of audit trails. 3. ArcSight Logger PCI Compliance Package comes with pre-defined reports and alerts for the PCI requirements, which reduce the cost of configuration and consulting. 4. ArcSight Logger leverages security standards (e.g. NIST, ISO/IEC), enabling you to leverage your investment beyond PCI and towards other IT governance and compliance requirements. ArcSight Logger incorporates best practices to meet and exceed security, audit and litigation requirements. Raw data collection, for example, is subject to integrity checks based on the NIST 800-92 (Log Management Standard) approved SHA-1 hashing algorithm. Automation allows the system to consistently manage retention policies without the risk of error from manual review and intervention. The system also can be managed with role-based access controls and multiple retention policies, providing a rich and powerful platform for log management at any size organization and for multiple regulations.

Four Categories of Logs

PCI Requirements can be organized into four types of logs: Configuration Logs Policy Logs Activity Logs Encryption (Key) Logs Configuration logs are an audit trail for technology with particular and detailed setup and tuning requirements. Firewalls and routers for example will reveal security-related information and errors in their logs, which can lead to modifications for a more secure network (Requirement 1). Servers and databases likewise are meant to be configured a way so that their logs will show gaps or suspicious events that indicate the need for configuration changes (Requirement 3). Policy logs help a company keep track of audit trails related to internal policy and procedures. Remote authentication outof-hours, for example, may be accompanied by a follow-up on-line verification and explanation of authorized activity. Failure to complete the verification would be an auditable event, which would alert management to a policy violation related to Requirement 12. Activity logs reveal errors in human behavior based on configurations. An audit trail should be reviewed for non-unique account activity, such as root or administrator. It also should be used to monitor for vendor and unauthorized activity after passwords and configurations have been changed, as highlighted in Requirement 2 and Requirement 8. Encryption (Key) logs are an emerging space as companies adopt new and different key management systems to protect payment card information throughout their systems. Monitoring who, what and when for key usage is an indispensible part of Requirement 4.

ArcSight 2

Whitepaper: ArcSight Logger and PCI DSS 1.2

PCI Requirements and ArcSight Logger

PCI DSS 1.2 Requirement
Build and Maintain a Secure Network 1: Install and maintain a rewall conguration to protect data 2: Do not use vendor supplied defaults for system passwords and other security parameters Protect Cardholder Data 3: Protect stored cardholder data 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5: Use and regularly update anti-virus software 6: Develop and maintain secure systems and applications Implement Strong Access Control Measure 7: Restrict access to cardholder data by business need-to-know 8: Assign a unique ID to each person with computer access 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks 10: Track and monitor all access to network resources and cardholder data 11: Regularly test security systems and processes Maintain an Information Security Policy 12: Maintain a policy that addresses information security

Cong Policy Activity Key Logs Logs Logs Logs

Requirement 1

ArcSight Logger provides a centralized repository to store and analyze firewall, router and other secure network device logs for extended time. This can help reveal and troubleshoot control gaps and uncover traffic from un-trusted hosts. It can alert you to unauthorized/unknown protocols, as well as define and enforce DMZ requirements. ArcSight Logger, when configured properly to interface with network monitoring and control systems, will also help to define and enforce perimeter designs including database and application segmentation. DSS 1.2 clarifies that the requirement applies to both routers and firewalls, and that rules now may be reviewed semi-annually instead of quarterly.

Requirement 2

Vendor defaults can be highlighted in the logs by evidence of activity by generic accounts such as administrator or root. ArcSight Logger provides a central system where system default use can be easily identified. There is much less or even no more need to scour each individual system for proper settings when they log activity into a centralized system such as ArcSight Logger. ArcSight Logger also helps update to the DSS 1.2 changes that prohibit WEP and expand the scope of controls to all wireless environments attached to or transmitting cardholder data.

ArcSight 3

Whitepaper: ArcSight Logger and PCI DSS 1.2

Requirement 3

Log management is essential to the proper handling of Requirement 3. For example data retention and disposal policies can be measured and investigated based on records that appear in the logs. Many instances of PCI violations of Requirement 3 come from data being retained in logs that are not being monitored adequately. Compliance with 3.2-3.4 is clearly made easier with a centralized logging system that demonstrates that sensitive authentication data and cardholder information is not being stored. Likewise, the key management aspects of Requirement 3 can be greatly assisted with a log management solution. The split knowledge and establishment of dual control of keys is intended to help prevent key misuse but it implies a level of detective controls to help enforce prevention. Adding careful logging to key use enhances this significantly and can even provide a compensating control option for those who are still working towards a more complete solution.

Requirement 4

DSS 1.2 specifies industry best practices for wireless authentication and transmission of data. Administrators need to be able to see that cardholder information is never sent via email, and that the cryptography used on open, public networks is strong. WEP must be turned off by June 30, 2010 and new implementations will be barred from using WEP after March 31, 2009. Logs are an effective way to keep evidence of secure communication handshakes and transmission that reveal crypto versions and type. Centralized logs are even more effective, as they can provide a single report on violations throughout a global enterprise. They also may reveal flaws in configurations. A system that reviews services and banners, for example, could easily generate an audit trail for SSLv2 or WEP.

Requirement 5

The advantage of using ArcSight Logger for centralized reporting of anti-virus installation and updates is the ability to generate a high-performance, normalized and consolidated view over distributed and unique anti-virus software and programs. Most companies now have, or will benefit from, multiple anti-virus programs. Defense-in-depth, as well as some technology limitations, can mean reports from at least two anti-virus systems need to be combined. DSS 1.2 states all operating system types must use anti-virus software and address all known types of malicious software. A vendor and platform neutral logging solution is an efficient and effective way to pull together malware reports. The business is best served when it generates consistent and independent reports for security monitoring even when it operates across a diverse set of underlying technology.

Requirement 6

There are numerous opportunities for log management in secure systems development, such as success/fail review status, patch-level reporting, vulnerability reporting and trends over time. PCI DSS 1.2 has made Requirement 6.6 mandatory, which means web application firewalls and vulnerability assessment logs will need to be collected and analyzed on a regular basis. In addition under Requirement 6, patching systems produce a number of alerts and errors that can be cross-referenced with the system logs to determine false positives or uncover a business-impact issue. Feedback from systems being patched becomes increasingly valuable under the PCI DSS 1.2 guidance that companies may use a risk-based approach to prioritize their patches.

Requirement 7

This requirement established a need-to-know standard for access to cardholder data. Also referred to as role-based-access, this type of control depends heavily on logging to detect violations. The second half of the requirement requires a deny all unless specifically allowed, which of course benefits greatly from the system described in Requirement 10 that logs and reports suspicious activities.

Requirement 8

ArcSight Logger provides centralized repository to store and analyze user activity, such as activity by revoked/disabled identities, suspicious activity, or the use of generic or vendor default identities. Test procedures under DSS 1.2 now state that passwords must be unreadable when stored and in transmission. All logs therefore must be reviewed for violations of password security requirements. A centralized and high-performance solution like ArcSight Logger provides the best platform to maintain log compliance with Requirement 8.

ArcSight 4

Whitepaper: ArcSight Logger and PCI DSS 1.2

Requirement 9

ArcSight Logger provides a central repository for physical security system audit trails and for monitoring access and access control changes that can help tie-in physical activity to computer and network-related events. DSS 1.2 specifies that storage locations offsite must be visited at least annually. This can be recorded and reported in the logs. DSS 1.2 also relaxes the camera requirements, which means detailed text logs regarding physical access may be a suitable control in lieu of visual data.

Requirement 10

A proper configuration of ArcSight Logger will by itself complete the PCI DSS 1.2 Requirement 10, which primarily deals with implementation of a system to collect, analyze and retain assessment trails. DSS 1.2 clarifies that all external facing technology must now copy logs to an internal log server and also that the audit trail history must be quickly accessible (online, archived or restorable from backup). This emphasizes the requirement for a dedicated log management solution that provides at least one year, with a minimum of three months immediately available for analysis and removes the word online. ArcSight Logger provides numerous high-performance and enterprise-scalable options to provide immediate or quickly accessible audit trail access. Subsections of Requirement 10 mandates all access to system components be linked individual users, especially for administrative-level access. They also require automated assessment trails with detailed entries for all system components to reconstruct events, and security to prevent the trails from alteration. These system logs must be reviewed daily, especially on intrusion detection and authentication, authorization and accounting systems. All combined, ArcSight Logger is designed to provide a complete solution with the highest-performance, most-scalable centralized log management system that meets or exceeds PCI DSS 1.2 compliance. Subsection 4 (time synchronization) is the only area of Requirement 10 where logs are not directly applicable as a solution. However, even here ArcSight Logger assists with management of time by providing a centralized point to show time synchronization across all systems, which will identify excessive drift and alert administrators to systems with incorrectly configured time.

Requirement 11

Regular tests of security systems and processes will generate data that can be stored in ArcSight Logger for centralized and convenient archival purposes. The normalization of the data will make the process of managing test data and reporting considerably more efficient.

Requirement 12

Many daily operational procedures are linked to security policies. A status check on policy compliance, or the pressure for revision, can be automated through analyzing logs, using routing notifications and instructions, and by creating a system for distribution of alerts to appropriate personnel. ArcSight Logger can provide insight into audit trails that reveal the status of policies for information security management. DSS 1.2 now includes remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs) in the list of critical employee-facing technologies that must be monitored.

Conclusion
The ArcSight approach makes it easier to protect stored cardholder data by centrally auditing and altering administrators to security issues enhancing solutions across all twelve requirements. Broad device support and high-performance aggregation means a more centralized view and more integrity in the collection of log data. Using a source of origin approach, ArcSight Logger provides end-to-end reliability and availability of audit trails. This mean a turnkey, scalable log management solution that can easily be rolled out and managed across hundreds or even thousands of locations to ensure complete collection of all enterprise event data.

To learn more, contact ArcSight at: info@arcsight.com or 1-888-415-ARST

2010 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners.

ArcSight 5