Beyond PCI Compliance with NetIQ Solutions
Todd Tucker, CISSP, CPA, Director, Chief Security Strategist
Ulrich Weigel, Product Line Manager, NetIQ
Agenda
• PCI DSS and its most challenging requirements
• The need to go beyond PCI DSS
• The vendor landscape…and NetIQ
• How NetIQ can help you address:
– Requirement 2.2 – security configuration standards
– Requirement 11.5 – file integrity monitoring
– Requirement 10.5 – secure audit trails
– Requirement 10.6 – review logs
– Others
• Final Q&A
PCI DSS Requirements: 12 Requirements Spanning 6 Control Objectives
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
PCI DSS Requirements: The Most Challenging Requirements
Challenging Requirement | Why?
2. Do not use vendor-supplied defaults for system passwords and other security parameters | Requires the development and application of secure configuration standards, which often requires a significant amount of work.
3. Protect stored cardholder data | Requires cardholder data to be encrypted wherever it is stored (including backup tapes, in logs, etc.).
6. Develop and maintain secure systems and applications | Requires the practice of secure coding guidelines.
7. Restrict access to cardholder data by business need-to-know | Many organizations have too many administrators with access.
10. Track and monitor all access to network resources and cardholder data | Requires auditing of user access, which is often disabled, along with the security of logs and daily reviews.
11. Regularly test security systems and processes | Requires file integrity monitoring of system files and other data.
Going Beyond PCI DSS: What We Hear from Our Customers
“Data protection is more critical than ever.”
• We want an “A” in security!
• Threat vectors are changing and less predictable and…
• Quick detection, response and investigation are essential to reducing the business impact.
“Compliance is still king.”
• Log management is still a top compliance requirement for IT, but…
• IT shops are struggling to monitor server-level user activity, data access and changes.
• Help us get a “C” in compliance, but no more.
“We want products that allow us to start fast and start simple, but support our strategic security requirements.”
• Multi-vendor integration lengthens deployments, but…
• Many simple products are too simple to support our IT organization as it matures.
Corporate Data Must Be Protected: Hard Lessons Learned
TJX thieves had time to steal, trip up | By Mark Jewell | AP | 13 April 2007
TJX warned in its recent regulatory filing against expecting too much from its investigation. "We believe that we may never be able to identify much of the information believed stolen" aside from the 45.7 million cards it knows about so far, the filing said.
The way TJX detected the breach — by finding what the company calls "suspicious software" on its computer systems — is an indication not only of the hackers' skill in avoiding detection for so long but also holes in TJX's security, experts say.
CardSystems' Data Left Unsecured | Kim Zetter | Wired Magazine | 22 June 2005
MasterCard International announced last Friday that intruders had accessed the data from CardSystems Solutions, a payment processing company based in Arizona, after placing a malicious script on the company's network. "Had they been following the rules and requirements, they would not have been compromised," Jones said.
Dai Nippon Printing reports client data theft | Reuters | 12 March 2007
TOKYO, March 12 (Reuters) - Japan's Dai Nippon Printing Co. said on Monday a former contract worker stole nearly 9 million pieces of private data on customers from 43 clients including Toyota Motor Corp.
Dai Nippon, one of Japan's largest commercial printing companies, said the confidential information included names, addresses and credit card numbers intended for use in direct mailing and other printing services.
Dai Nippon said the employee stole client data between May 2001 and March 2006 by copying information on to floppy disks and other recording media.
5 Years Undetected | Theft by insider
8 Months Undetected | Internet-based theft
17 Months Undetected | Theft via wireless access
These breaches occurred over a long period of time and took different threat vectors.
Corporate Data Must Be Protected: New Threat Vectors Expose Blind Spots in Network SIEM
[Diagram: a DMZ with web servers, load balancing, an FTP drop and a public DNS server in front of a trusted network of internal web servers, app servers, database servers, software load balancing and SAN storage; threat vectors shown are Internet users, trusted business partners, employees (inside), wireless and organized crime, with only the Internet path marked as the traditional vector]
New threat vectors create a porous perimeter, inhibiting traditional security approaches focused on the network.
Network-focused security provides limited visibility of host platforms and applications.
A Complicated Vendor Landscape: Addressing Need for Compliance and Data Protection
Capability | Time to Value | Focus
Change & Threat Detection | Medium to Long | Security and Change Management
Access Control & User Monitoring | Medium to Long | Compliance
Event Correlation & Analysis | Long | Threat Management
Log Management & Forensics | Short | Compliance
Security Config. Management | Short to Medium | Compliance
Vendor categories in this landscape: Change Detection / HIDS, Identity & Access Management Vendors, Traditional SEM, Traditional SIM, Newer Blended SIM / SEM, Security Configuration Management
A Simpler Solution: Compliance and Comprehensive Data Protection
[The same capability, time-to-value and focus table as the previous slide, with the NetIQ Security Compliance Suite shown across all five capabilities]
NetIQ Security Compliance Suite: the industry’s only integrated solution to include:
Change and Threat Detection
User and Access Monitoring
Security Event Correlation and Analysis
Log Management and Forensics
Security Configuration Management
NetIQ Security Compliance Suite
• NetIQ Security Manager – Leading security information and event management solution
• Change Guardian Modules – Change detection, classification and alerting
• NetIQ Secure Configuration Manager – Robust security assessment and reporting with baselining and delta reporting
Addressing Requirement 2.2: Security Configuration Standards
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).
2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)
2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function)
2.2.3 Configure system security parameters to prevent misuse
2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
System Integrity Analysis with NetIQ Secure Configuration Manager
[Diagram: an Assess, Measure, Report cycle over the infrastructure, drawing on configuration templates, policy compliance, baseline comparison and vulnerability assessment; stakeholders shown are the Security Officer, IT Architecture, Asset Owners, Business Managers and Administrators]
Configuration reporting and vulnerability assessments help preserve system integrity and ensure compliance.
System Integrity Analysis with NetIQ Secure Configuration Manager
• Quantify the risk from configuration and policy exceptions
• View multiple risk metrics
– Total risk score
– Managed risk score
– Most vulnerable systems
– Most frequently reported vulnerabilities
• Manage risk across multiple platforms
Out-of-the-Box Templates with NetIQ Secure Configuration Manager
• Center for Internet Security Benchmarks
– Legacy Settings for Win2K3 DCs v2.1
– Enterprise Settings for Win2K3 DCs v2.1
– Specialized Security Settings for Win2K3 DCs v2.1
– Legacy Settings for Win2K3 Member Servers v2.1
– Enterprise Settings for Win2K3 Member Servers v2.1
– Specialized Sec. Settings for Win2K3 Member Servers v2.1
– Level 1 for Win2K v1.2.2
– Level 1 for Solaris 2.5.1-9.0 v1.3.0
– Level 1 for Red Hat Enterprise Linux v1.0.3
– Level 1 for AIX v1.01
– Level 1 for HP-UX v1.3.1
– Level 1 for Oracle Databases 9i/10g v2.01
– Level 1 for SQL Server v1.0
• PCI DSS Essentials and Access Control
• Regulations and Standards
Business Exception Management with NetIQ Secure Configuration Manager
[Diagram: workflow from Validate Compliance to Distribute Report to Evaluate Risk, then either Waive (Document / Suppress Exception, feeding the Compliance Report) or Remediate (Request for Change through Change Management and the Change Advisory Board, then Remediate); roles shown are IT Security, Business Owner or Administrator, and Security or IT Operations]
Documentation and tracking of compliance exceptions ensures risk is properly managed in alignment with the business.
Exception Management
• Time-based policy exceptions allow organizations to manage known exemptions
• Enables reports to reflect the business realities
• Reports reflect “managed” risk
Addressing Requirement 11.5: File Integrity Monitoring
11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files; and configure the software to perform critical file comparisons at least weekly.
Critical files are not necessarily only those containing cardholder data. For file integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is the merchant or service provider).
[Diagram: Change Detection covers network and security devices, systems and applications, Active Directory objects, files, directories and shares, system settings and policies, user accounts, ACLs, audit settings, device configuration and the registry; Threat Detection covers NIDS / NIPS alerts, system misuse, privilege escalation, denial of service, port scanning, buffer overflows, unauthorized processes and login failures]
Effective detection at both the host and network levels provides better protection of corporate data and demonstrable oversight of change controls.
Change and Threat Detection with NetIQ Security Manager
Change and Threat Detection: Powerful Visibility of Host Security Activity
Security Manager for Windows Servers monitors changes and access to the following:
− Files and directories
− File shares
− Registry keys
− Processes
Leverages Microsoft file system filter driver APIs to overcome the limitations of:
− native object-level auditing
− file integrity checking
− kernel shims
[Diagram: a Baseline Snapshot is compared with an Updated Snapshot to produce a Delta Report (+/–); approved changes update the baseline, while changes that are not approved are remediated or undone]
Automated reporting of system changes enhances change controls and helps identify the causes of problems.
Baselining and Delta Reporting with NetIQ Secure Configuration Manager
• Assess and record server configurations
• Report changes to configuration details
– User accounts
– System settings
– Object permissions
– Installed services
• Address the problem of “configuration drift”
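The baseline-and-delta idea behind Requirement 2.2 and the slide above, as an added example that is not NetIQ code: two constructed configuration snapshots (user accounts, services, system settings, object permissions) are diffed to produce a delta report, and the later snapshot is also checked against a small hypothetical hardening standard so that drift away from the standard is reported as exceptions. The snapshot contents and the standard are invented for illustration.

```python
# Constructed configuration snapshots (not NetIQ data): what a baseline
# assessment and a later assessment of the same server might record.
BASELINE = {
    "accounts": {"Administrator": {"enabled": True}, "svc_web": {"enabled": True}},
    "services": {"w3svc": "running", "telnet": "stopped", "ftpsvc": "stopped"},
    "settings": {"PasswordMinLength": 12, "AuditLogonEvents": "success,failure"},
    "permissions": {"C:\\inetpub\\wwwroot": "Administrators:F;IIS_IUSRS:R"},
}
CURRENT = {
    "accounts": {"Administrator": {"enabled": True}, "svc_web": {"enabled": True},
                 "helpdesk_tmp": {"enabled": True}},
    "services": {"w3svc": "running", "telnet": "running", "ftpsvc": "stopped"},
    "settings": {"PasswordMinLength": 8, "AuditLogonEvents": "success,failure"},
    "permissions": {"C:\\inetpub\\wwwroot": "Everyone:F"},
}

# A hypothetical hardening standard in the spirit of Requirement 2.2:
# services that must not run, and minimum / required setting values.
STANDARD = {
    "forbidden_services": {"telnet", "ftpsvc"},
    "min_settings": {"PasswordMinLength": 12},
    "required_settings": {"AuditLogonEvents": "success,failure"},
}

def delta_report(baseline, current):
    """Return added / removed / changed item names per category (the delta)."""
    report = {}
    for category in sorted(set(baseline) | set(current)):
        old, new = baseline.get(category, {}), current.get(category, {})
        report[category] = {
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
        }
    return report

def policy_exceptions(snapshot, standard):
    """Return the configuration items in a snapshot that violate the standard."""
    findings = []
    for svc, state in snapshot.get("services", {}).items():
        if svc in standard["forbidden_services"] and state == "running":
            findings.append(f"service {svc} is running but must be disabled")
    settings = snapshot.get("settings", {})
    for key, minimum in standard["min_settings"].items():
        if settings.get(key, 0) < minimum:
            findings.append(f"{key}={settings.get(key)} is below minimum {minimum}")
    for key, expected in standard["required_settings"].items():
        if settings.get(key) != expected:
            findings.append(f"{key} must be {expected!r}")
    return findings

if __name__ == "__main__":
    print(delta_report(BASELINE, CURRENT))
    print(policy_exceptions(CURRENT, STANDARD))
```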
Addressing Requirements 10.5 / 10.6: Secure Audit Trails and Review Them
10.5 Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need
10.5.2 Protect audit trail files from unauthorized modifications
10.5.3 Promptly back-up audit trail files to a centralized log server or media that is difficult to alter
10.5.4 Copy logs for wireless networks onto a log server on the internal LAN.
10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.
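The two monitoring modes that Requirements 11.5 and 10.5.5 describe, as an added example that is not NetIQ code: a critical system file must not change at all, while a log file is expected to grow but its existing bytes must not change. The baseline stores size and SHA-256; the append-only check rehashes only the baselined prefix so new records pass and alterations or truncation alert. The `scan` helper and the sample bytes are constructed for illustration.

```python
import hashlib
import os

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def baseline(content: bytes) -> dict:
    """Record a file's size and hash at baseline time."""
    return {"size": len(content), "sha256": _sha256(content)}

def check_critical(entry, content):
    """Requirement 11.5: any change to a critical file is an alert.
    entry is None for a file missing from the baseline; content is None
    for a file that has disappeared since the baseline was taken."""
    if entry is None:
        return "ALERT: file added"
    if content is None:
        return "ALERT: file deleted"
    if _sha256(content) != entry["sha256"]:
        return "ALERT: file modified"
    return "OK"

def check_append_only(entry, content):
    """Requirement 10.5.5: appended log data is expected, but any change
    to bytes that existed at baseline time (or truncation) is an alert.
    Returns (verdict, entry to carry forward); the old prefix is rehashed
    in full, so the check costs O(size) rather than being incremental."""
    if content is None:
        return "ALERT: log deleted", entry
    if len(content) < entry["size"]:
        return "ALERT: log truncated", entry
    if _sha256(content[: entry["size"]]) != entry["sha256"]:
        return "ALERT: existing log data altered", entry
    if len(content) == entry["size"]:
        return "OK", entry
    return "OK: appended", baseline(content)  # roll the baseline forward

def scan(baselines: dict, append_only: set) -> dict:
    """Compare every baselined path on disk against its entry, rolling
    append-only entries forward in place. Returns {path: verdict}."""
    verdicts = {}
    for path, entry in baselines.items():
        content = open(path, "rb").read() if os.path.exists(path) else None
        if path in append_only:
            verdicts[path], baselines[path] = check_append_only(entry, content)
        else:
            verdicts[path] = check_critical(entry, content)
    return verdicts

if __name__ == "__main__":  # constructed sample input
    log = b"2007-04-13 10:00 logon user=alice\n"
    entry = baseline(log)
    print(check_append_only(entry, log + b"2007-04-13 10:05 logoff user=alice\n")[0])
    print(check_critical(baseline(b"[boot]\n"), b"[boot]\nextra=1\n"))
```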
User and Access Control Monitoring with NetIQ Security Manager
User Profile Type: Server Administrators, Network Administrators, Database Administrators, End Users
Monitored Activities (examples): logins and logoffs for every profile type; policy and audit changes; starting and stopping security services; file and directory access; software installation; data access; changes to the audit subsystem; changes to users, roles and privileges; ACL changes; administrative access; clearing log files; account management
Powerful auditing of user activity and access controls helps meet compliance mandates and address both inside and outside threats.
User and Access Monitoring: Address the Insider Threat via Proper Audit Trails
Leverages multiple sources of user and access data:
− Object-level access events in Windows
− Access management on Windows, AD, Unix/Linux, iSeries
− System, application, network logs
Forensic queries enable easy reconstruction of user activities
Real-time alerts for high-risk user activities
Log Management and Forensics with NetIQ Security Manager
[Diagram: Data Collection from Security Devices, Network Devices, Active Directory, Applications and Databases, and Servers and Workstations feeds Distributed Log Servers; the Security Event Management (SEM) side and the Security Information Management (SIM) side, with Enterprise OLAP, Summary Reporting, Trend Reporting, Log Forensics and a Centralized Console, are labelled TRACE™ (Trend Reporting, Analytics and Centralized Examination)]
TRACE™ technology delivers log management, protects the chain of custody, and provides trend analysis and forensics to meet evolving mandates.
Log Management and Forensics: Quickly Respond to and Resolve Security Incidents
Quick and meaningful log queries:
− Indexed data for speed of queries covering a long history of events
− Agent-enriched events (e.g., SID translation, local correlation)
− Both Coordinated Universal Time (UTC) and local time captured
Trusted log server data store:
− X.509 certificate-based signatures and signature verification
− Customer-selected algorithms / key lengths (industry standards)
Event Correlation and Analysis with NetIQ Security Manager
[Diagram: Data Collection from Servers and Workstations, Network Devices, Active Directory, Applications and Databases, and Security Devices feeds Real-Time Event Collection and the Correlation Engine on the Security Event Management (SEM) side, and Summary Reporting, Trend Reporting and Log Forensics on the Security Information Management (SIM) side, with Real-Time Monitoring through a Centralized Console]
Real-time event correlation reduces alert volumes while highlighting critical events, improving incident management while reducing costs.
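How correlation reduces alert volume while still highlighting critical events, as an added example that is not NetIQ's correlation engine: a burst of login failures for one account on one host is collapsed into a single alert, a success immediately after such a burst gets its own alert, and a log-cleared event (the case Requirement 10.5.5 is concerned with) is always escalated on its own. The event tuples, the event type names and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed host audit events (not NetIQ output): (seconds, event type, user, host).
EVENTS = [
    (0,   "login_failure",     "svc_db", "db01"),
    (5,   "login_failure",     "svc_db", "db01"),
    (9,   "login_failure",     "svc_db", "db01"),
    (12,  "login_failure",     "svc_db", "db01"),
    (15,  "login_failure",     "svc_db", "db01"),
    (20,  "login_success",     "svc_db", "db01"),
    (30,  "login_failure",     "jsmith", "web01"),
    (400, "login_failure",     "jsmith", "web01"),
    (450, "audit_log_cleared", "admin",  "web01"),
]

WINDOW = 60       # seconds within which repeated failures count as one burst
THRESHOLD = 5     # failures per burst that produce a single alert
CRITICAL = {"audit_log_cleared"}  # always alerted individually (cf. Requirement 10.5.5)

def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Collapse raw events into a short list of (severity, message) alerts."""
    alerts = []
    recent = defaultdict(list)  # (user, host) -> failure timestamps inside the window
    for ts, kind, user, host in sorted(events):
        key = (user, host)
        if kind in CRITICAL:
            alerts.append(("CRITICAL", f"{kind} by {user} on {host} at t={ts}"))
        elif kind == "login_failure":
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) == threshold:  # fires once per burst, not once per failure
                alerts.append(("HIGH", f"{threshold} failed logins for {user} on {host} within {window}s"))
        elif kind == "login_success":
            fails = [t for t in recent[key] if ts - t <= window]
            if len(fails) >= threshold:
                alerts.append(("HIGH", f"successful login for {user} on {host} after {len(fails)} failures"))
            recent[key] = []  # a success ends the burst
    return alerts

if __name__ == "__main__":
    for severity, message in correlate(EVENTS):
        print(severity, message)
```

Nine raw events become three alerts; the two isolated jsmith failures, 370 seconds apart, never reach the threshold and produce nothing.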
Unified Console: All-in-One, Easy to Use
Supports historical reporting and real-time incident management
− OLAP, summary and forensic reporting
Operations Console for Threat Management
− Rich alert management, including notification groups and SLA tracking
Record, track and share investigation evidence
− Incident packages capture and preserve various types of evidence
Other Ways NetIQ Can Help
• Requirement 7: Restrict access to cardholder data by business need-to-know
– Entitlement reporting with NetIQ Secure Configuration Manager
– Delegated administration to reduce full administrative privileges with NetIQ Change Administrator for Windows, NetIQ Directory & Resource Administrator, NetIQ Group Policy Administrator, and NetIQ access management features on Unix, Linux and iSeries
• Requirement 12: Maintain a policy that addresses information security for employees and contractors
– Policy lifecycle management and security awareness with NetIQ VigilEnt Policy Center
Final Q&A
Todd Tucker, CISSP, CPA, Director, Chief Security Strategist
Ulrich Weigel, Product Line Manager, NetIQ