WHITE PAPER

ENDGAME, INC. PCI DSS SECURITY ARCHITECTURE AND TECHNOLOGY WHITEPAPER

BHAVNA SONDHI | CISA, QSA (P2PE), PA-QSA (P2PE)

NICK TRENC | CISSP, CISA, QSA, PA-QSA

Source: pages.endgame.com




Endgame PCI DSS Security | White Paper 2

TABLE OF CONTENTS

Executive Summary ..... 3

About Endgame ..... 3

Audience ..... 4

Methodology ..... 4

Summary Findings ..... 4

Assessor Comments ..... 5

Application Architecture and Security ..... 6

Technical Security Assessment ..... 8

Assessment Methods ..... 8

Assessment Environment ..... 8

Network Traffic Assessment ..... 8

Tools and Techniques ..... 10

References ..... 10

Appendix A: PCI DSS Requirements Coverage Matrix ..... 11

Appendix B: Executed Test Plan ..... 14

Conclusion ..... 17


EXECUTIVE SUMMARY

Endgame, Inc. engaged Coalfire Systems Inc. (Coalfire), a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA) and Payment Application QSA (PA-QSA) company, to conduct an independent technical assessment of their Endgame platform. Coalfire conducted assessment activities including technical testing, architectural assessment, and compliance validation.

In this paper, Coalfire will describe how they confirmed that the Endgame platform met the PCI Data Security Standard (PCI DSS) v3.2 anti-malware requirements for Windows endpoints based on the sample testing and evidence gathered during this assessment.

ABOUT ENDGAME

Endgame is a centrally managed endpoint security platform that stops advanced threats before damage and loss. The platform provides full stack prevention, accelerated detection and response, and automated hunting across the depth of the MITRE ATT&CK™ matrix. Endgame's single, autonomous agent eliminates multiple host agents including anti-virus (AV), next-gen AV, incident response, indicators of compromise (IOC)-based agents, and forensic tools. The Endgame platform provides automated workflow and guided response for analysts to instantly stop malicious activity.

Below are highlights of various features and capabilities within the Endgame platform:

• Full Stack Prevention: Endgame uses advanced signature-less techniques to prevent exploits, malware, fileless attacks, malicious macros, and ransomware.

– Exploit Prevention: Patent-pending Hardware Assisted Control Flow Integrity (HA-CFI™) and enhanced Dynamic Binary Instrumentation (DBI) block zero-day exploits before malicious code execution.

– Malware Prevention at file execution: Endgame MalwareScore® prevents execution of known and unknown malware and performs signature-less malware prevention.

– Fileless Attack Prevention: Patent-pending process injection prevention and Endgame MalwareScore® prevent malicious module loads, DLL injection, and shellcode injection to stop adversary evasion and fileless attacks.

– Malicious Macro Prevention: Heuristic-based macro prevention blocks malicious macros embedded in commonly targeted applications such as MS Office applications.

– Ransomware Prevention: Behavior-based ransomware prevention is effective against ransomware families such as BadRabbit, Petya, WannaCry, etc.

– Technique-Focused Protection: Expands across the breadth of the MITRE ATT&CK™ Matrix, stopping ongoing attacks such as command and control, defense evasion, and privilege escalation by leveraging Endgame's knowledge of adversary tradecraft.

• Accelerated Endpoint Detection and Response:

– Endgame's Enhanced Attacker Visualization, Endgame Resolver™, unveils the various actions taken by the attacker to instantly identify the origin and extent of compromise. Endgame Resolver™ shows actions of the attack including process events, network connections, netflow, user logons, DNS requests, and file or registry modifications.

– Endgame's AI-Powered Security Mentor, Artemis®, uses natural language understanding to automate data collection, investigation, and alert triage at enterprise scale.


– Endgame Arbiter® automates advanced attack analysis to determine file reputation, attack type, and other attributes, extracting IOCs to reveal previously unknown threats across the entire enterprise.

– Automated hunting using tradecraft analytics and outlier analysis streamlines detection and response workflows to surface suspicious artifacts across millions of records in minutes.

– Precision and scalable response empowers Security Operations Center (SOC) teams to restore endpoints at enterprise scale with zero business disruption.

AUDIENCE

This assessment white paper has three target audiences:

1. QSA and Internal Audit Community: This audience may be evaluating Endgame to assess a merchant or service provider environment for PCI DSS.

2. Administrators and Other Compliance Professionals: This audience may be evaluating Endgame for use within their organization for compliance requirements other than PCI DSS.

3. Merchant and Service Provider Organizations: This audience is evaluating Endgame for deployment in their cardholder data environment and the benefits this solution can offer.

METHODOLOGY

Coalfire completed a multi-faceted technical assessment using the industry and audit best practices described below. Coalfire conducted technical lab testing in its Colorado lab from October 6, 2017 to October 27, 2017, including remediation activities.

At a high level, testing consisted of the following tasks:

1. Technical review of the architecture of the full solution and its components.

2. Implementation of the sensor in the Coalfire lab environment for Windows endpoints.

3. Introduction of malware binaries on local systems with Endgame software installed.

4. Confirmation of Endgame's ability to block and remove known malware samples for Windows endpoints.

5. Execution of malware scans using application programming interface (API) scripts for Windows endpoints.

SUMMARY FINDINGS

The following findings are relevant highlights of this assessment:

• When properly implemented following vendor guidance, the Endgame platform can provide coverage for PCI DSS Requirement 5, "Protect all systems against malware and regularly update anti-virus software or programs", based on the sample testing and evidence gathered during this assessment.

• The Endgame platform detected and effectively prevented the execution of known malware samples for Windows endpoints.

• The Endgame platform provided hunting and scanning capabilities for Windows endpoints.

• The Endgame platform effectively mitigated the malware with the following solutions for Windows endpoints:

– Malware protection at file execution (prevents execution on installation)

– Malware detection for created and modified files


– Application exploit prevention (prevents execution on installation)

– Application exploit detection

– Ransomware prevention

– Deletion of files

• The Endgame platform adequately generated logs of events such that malicious activity could be traced in accordance with PCI DSS requirements.

• The Endgame Host Sensor could not be disabled by unauthorized users.

• Endgame provides features for investigations (hunting for endpoint data), fileless attacks, whitelisting of files or applications, and IOC search on file, network, process, registry, and users.

ASSESSOR COMMENTS

The assessment scope focused on validating the use of Endgame in a PCI DSS environment, specifically to include its impact on PCI DSS Requirement 5. The Endgame platform, when properly implemented following guidance from Endgame, Inc., can be utilized to meet the technical portions of PCI DSS Requirement 5. However, as most computing environments and configurations vary drastically, it is important to note that use of this product does not guarantee security, and even the most robust anti-virus solutions can fail when improperly implemented. A defense-in-depth strategy that provides multiple layers of protection should be followed as a best practice. Please consult with Endgame, Inc. for policy and configuration questions and best practices.

It should also not be construed that the use of Endgame guarantees full PCI DSS compliance. Disregarding PCI requirements and security best practice controls for systems and networks inside or outside of PCI DSS scope can introduce many other security or business continuity risks to merchants or service providers. Security and business risk mitigation should be any merchant's or service provider's goal and focus for selecting security controls.


APPLICATION ARCHITECTURE AND SECURITY

The Endgame platform offers prevention, detection and response, and threat hunting capabilities. The Endgame platform can either be hosted on-premises or in the cloud. Customers can host it themselves on their own infrastructure or Endgame can host it for the customer in the cloud. Endgame's lightweight, autonomous agent provides online and offline 24x7 protection.

The Endgame architecture is represented in Figure 1:

Figure 1: Endgame Architecture Diagram

The following are the key components and features of the Endgame platform:

• Endgame Host Sensor (sensor): The Endgame Host Sensor is a lightweight sensor, consuming less than 1% CPU resources, that is deployed on all monitored endpoints and hosts. The sensor can either run as a background process with no user interface or with a notification that gives details on current system threats and blocked actions. The sensor does not interfere with any installed software on the host, including anti-malware or anti-virus software. Endgame's advanced sensor technology allows the analyst to choose to install a persistent sensor for long-term protection or a dissolvable sensor for minimal endpoint footprint.

– Endgame Host Sensor Protection: The Endgame Host Sensor operates in the Operating System (OS) kernel and user space. It is tamper resistant and has available protections to prevent disabling of the sensor by the user. In addition, the sensor can be installed in disguised mode, which changes the sensor driver file name, sensor file name, and popup name.

– Endgame Host Sensor Operation: The Endgame Host Sensor continuously gathers event data including domain name system (DNS), file, image load, network, netflow, process, registry, and Windows logon/logoff events and stores them in a secure database. This real-time event collection and tradecraft analytics allow analysts to identify threats and respond to them quickly.

• Endgame MalwareScore®: A machine learning powered model that performs signature-less malware prevention and blocks known and unknown malware on file-based execution. The model is used to determine if a file is malicious and looks for static attributes of files (without executing the file) that include file structure, layout, and content. This also includes information such as portable executable (PE) header data, imports, exports, section names, and file size. These attributes are extracted from millions of file samples, which are then passed to a machine-learning algorithm that distinguishes a benign file from a malicious one. The machine learning model is updated as new data is procured and analyzed. This model is based on Google's VirusTotal engine.

• The Endgame platform provides Application Programming Interface (API) integration through which users can schedule periodic malware scans, generate audit log output and Endgame platform task audit logs, and various other outputs required. The API is based on representational state transfer (REST) principles, where data resources are accessed via standard HTTPS requests in UTF-8 format to an API endpoint. The Endgame platform communicates over HTTPS using JavaScript Object Notation (JSON), and response data received is encoded as JSON.

• Endgame Arbiter®: Endgame's advanced cloud-based malware intelligence platform that provides behavioral and static malware analysis for all generated malware alerts. Users can submit the file for analysis from within the platform management console and log in to Endgame Arbiter® to view the analysis report. The report provides a summary of the malware file, including filename, Endgame MalwareScore®, hash values, static and behavioral analysis, reputation score, and VirusTotal report. The reputation score is calculated from Endgame's research team lab findings, VirusTotal, and third-party partners.

– Endgame Arbiter® also communicates updates pertaining to sensors, the malware model, and whitelists to the Endgame platform when connected to the cloud, and the Endgame platform will distribute these updates to the sensors immediately.

• Multi-Client Management (MCM) Server/Endgame Platform: Management and monitoring server, hosted on-premises at the customer's headquarters or in the Amazon cloud. MCM allows administrators and analysts to monitor enterprise health by viewing endpoint data across multiple Endgame platforms from a single interface. MCM integrates several pieces of data from connected endpoints, and with this data administrators can perform installations, monitor system health, and take actions as necessary. The management console provides user and password management features for login to MCM and can also be configured via Lightweight Directory Access Protocol (LDAP). LDAP enables users registered within Active Directory (AD) to connect to the Endgame platform with AD credentials. Role-Based Access Control (RBAC) within the Endgame platform provides local users with access to only specific functionality, page views, and permission rights. The Endgame platform can log various tasks or actions, providing support for audit trail logging as required by PCI DSS.
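As an added example (not code from the paper, from Endgame or from Coalfire), the following Python sketch shows the workflow the API bullet above and the 5.2.c assessor comment in Appendix A describe: pull audit-log records over HTTPS with TLS 1.2 enforced, validate the JSON, and render each record as an RFC 5424 syslog message for retention under PCI DSS Requirement 10.7. The endpoint path, token header and response shape are hypothetical stand-ins for whatever the vendor API documentation specifies, and the sample records are constructed.

```python
import json
import socket
import ssl
import urllib.request
from typing import Callable, List, Optional, Tuple

# ASSUMPTIONS, labelled as such: the endpoint path, token header and JSON response shape
# below are hypothetical stand-ins, not taken from the Endgame API documentation.
AUDIT_PATH = "/api/v1/audit-logs"       # hypothetical path
TOKEN_HEADER = "Authorization"          # hypothetical: bearer token
LOCAL4 = 20                             # RFC 5424 facility code for local4
SEVERITY = {"critical": 2, "warning": 4, "info": 6}
REQUIRED = ("id", "timestamp", "user", "action", "endpoint", "severity")


def tls_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and verifies the server
    certificate, the transport Coalfire observed between sensor, console and cloud."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_audit_page(base_url: str, token: str, cursor: Optional[str] = None) -> dict:
    """One HTTPS GET against the hypothetical audit endpoint; the body is UTF-8 JSON."""
    url = base_url + AUDIT_PATH + (f"?cursor={cursor}" if cursor else "")
    req = urllib.request.Request(
        url, headers={TOKEN_HEADER: f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, context=tls_context(), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def parse_audit_page(body: dict) -> Tuple[List[dict], Optional[str]]:
    """Pull events and the pagination cursor out of one page (assumed shape:
    {"data": [...], "next": "<cursor>" or null}). A malformed page raises instead of
    quietly producing an empty log, which would look like 'nothing happened' to an auditor."""
    if not isinstance(body.get("data"), list):
        raise ValueError("audit page has no 'data' list")
    for ev in body["data"]:
        missing = [f for f in REQUIRED if f not in ev]
        if missing:
            raise ValueError(f"audit event {ev.get('id')!r} missing {missing}")
    return list(body["data"]), body.get("next")


def _sd_escape(value: str) -> str:
    """RFC 5424 PARAM-VALUE escaping: backslash, double quote and ']' must be escaped."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(ev: dict, origin_host: str = "endgame-mcm") -> str:
    """Render one audit event as an RFC 5424 message. PRI = facility * 8 + severity;
    unknown severities fall back to 'notice' (5). The SD-ID 'endgame@0' is a placeholder,
    not a registered IANA enterprise number."""
    pri = LOCAL4 * 8 + SEVERITY.get(ev["severity"], 5)
    sd = (f'[endgame@0 user="{_sd_escape(ev["user"])}" '
          f'action="{_sd_escape(ev["action"])}" endpoint="{_sd_escape(ev["endpoint"])}"]')
    return f"<{pri}>1 {ev['timestamp']} {origin_host} endgame-audit - {ev['id']} {sd} {ev['action']}"


def forward(lines: List[str], send: Callable[[bytes], None]) -> int:
    """Hand each formatted line to a sender (UDP socket in production, a list append in
    tests) and return the count, so the run itself leaves an auditable number."""
    for line in lines:
        send(line.encode("utf-8"))
    return len(lines)


def udp_sender(host: str, port: int = 514) -> Callable[[bytes], None]:
    """Plain UDP syslog sender; swap for TLS syslog (RFC 5425) where the network is untrusted."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda payload: sock.sendto(payload, (host, port))


# Constructed sample page, shaped like the assumed response above (not real Endgame output).
SAMPLE_PAGE = {
    "data": [
        {"id": "a1", "timestamp": "2017-10-27T14:03:11Z", "user": "alice",
         "action": "malware_scan_scheduled", "endpoint": "WIN2012-01", "severity": "info"},
        {"id": "a2", "timestamp": "2017-10-27T14:09:42Z", "user": "bob",
         "action": "file_deleted", "endpoint": "WIN2012-01", "severity": "warning"},
    ],
    "next": None,
}


def run_sample() -> List[str]:
    """Offline demonstration: parse the constructed page and format it for syslog."""
    events, _cursor = parse_audit_page(SAMPLE_PAGE)
    return [to_syslog(ev) for ev in events]


if __name__ == "__main__":
    sent = forward(run_sample(), lambda payload: print(payload.decode()))
    print(f"forwarded {sent} audit records")
```

In a real deployment, `fetch_audit_page` would be called in a loop until `next` is null and the result handed to `udp_sender` (or a TLS syslog sender) on a schedule; the retention period itself is then a property of the syslog server, not of the Endgame console.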


TECHNICAL SECURITY ASSESSMENT

ASSESSMENT METHODS

Coalfire used the following methods to assess the potential PCI DSS coverage of the solution:

1. Analysis of the architecture and configuration of the solution in accordance with vendor guidelines.

2. Deployment of sensors to Windows systems along with enablement of policies. Windows policies were configured to enforce the detection and prevention of known malware on file execution.

3. Examination of sensor configurations to confirm protection cannot be turned off by non-administrators on Windows endpoints.

4. Execution of known malware samples (including ransomware, backdoor, trojan horse, spyware, virus, and worm) deliberately propagated to test machines.

5. Review of the backend component for verification of detection, execution prevention, and deletion of all test sample malware for Windows endpoints. Also, evaluation of the backend component for verification that sensors were deployed, communicating, up-to-date, performing periodic scans via API scripts, and protecting against potential threats for the Windows endpoints.

ASSESSMENT ENVIRONMENT

The Endgame platform was hosted in the cloud for testing purposes and the sensor was installed on the following system:

• Windows 2012 Server deployed in a virtual environment including default Windows applications, with other anti-virus solutions disabled.

NETWORK TRAFFIC ASSESSMENT

A Wireshark Ethernet port sniffer was used to monitor the following traffic for components within the Endgame platform:

• Traffic from the Windows machine to the Endgame platform (Figure 2): No sensitive data was transmitted over the network from the Windows machine with the sensor deployed to the Endgame platform server, and any log data or alert information was encrypted over TLS 1.2.


Figure 2: Communication between the Windows machine and the Endgame platform machine hosted in the cloud. Encrypted data (logs or update information) is always transmitted.


TOOLS AND TECHNIQUES

Standard tools Coalfire utilized for this technical assessment included:

Tool name: Live Malware Samples

Description: Sample binaries of known malware for Windows systems:

• Sample Windows malware obtained from theZoo aka Malware DB at http://thezoo.morirt.com/

• Sample Windows malware provided by Endgame vendor for testing purposes

Note: Visiting and downloading from the above sites may lead to malware infection. It is highly recommended against.

Tool name: Wireshark

Description: Wireshark Ethernet port sniffer to observe the traffic coming in and out of the system

REFERENCES

PCI SSC, Data Security Standard: https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf

PCI SSC, Data Security Standard, Payment Application Data Security Standard Program Guide, v3.2: https://www.pcisecuritystandards.org/documents/PA-DSS_v3-2.pdf

Endgame Administrator Guide: Admin User Guide - 2.4.pdf

Endgame User Guide: User Guide - 2.4.pdf

Endgame API Documentation: Endgame API Docs.pdf

Endgame Platform Upgrade: Upgrade Endgame to the 2.4[1].pdf

Endgame Sensor Upgrade: Sensor Upgrade via Upload and Execute[1].pdf

Cloud Updates to Platform: Cloud Communication Design.pdf


APPENDIX A: PCI DSS REQUIREMENTS COVERAGE MATRIX

Compliance level legend:

• Compliance directly supported via use of the Endgame platform

• Requires merchant action for full compliance

Columns: PCI DSS requirement; compliance supported; assessor comments.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Assessor comments: Endgame provides the following features:

• Can directly deploy sensors (endpoint software application) on Windows systems through the Endgame management console. Sensors can also be deployed manually on Windows through a command line terminal.

• Provides direct monitoring capability for the sensor-deployed systems through the Endgame management console (hosted on a customer's physical premises or in the cloud).

5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

Assessor comments:

• Endgame, Inc. uses Endgame MalwareScore®, the machine learning model developed by Endgame, Inc., to detect and prevent against known malware. This allows Endgame to detect known malware, block it from running, and remove it when requested by an administrator. Testing showed that Endgame was able to detect, block at file execution, and remove malware by providing the file path for several examples of viruses, Trojans, ransomware, rootkits, and other known malware on the Windows OS endpoint.

• Administrators can configure the policies on Windows systems to detect and prevent malware. Deletion of a file requires actions to be performed on the endpoints through the management console. The configurations have to be performed by administrators in order to be compliant with PCI DSS requirements.

5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

Assessor comments: This is a process/procedure requirement. Customers (merchants or service providers) must "periodically" evaluate the systems they use to ensure they are not considered commonly affected. Endgame Host Sensors can be deployed on Windows endpoints, and sensor deployments would be required to evaluate and identify malware threats on these endpoints.


5.2 Ensure that all anti-virus mechanisms are maintained as follows.

• Are kept current

• Perform periodic scans

• Generate audit logs which are retained per PCI DSS Requirement 10.7.

Assessor comments:

5.2.a

• The sensor software installed on Windows endpoints checks and detects malicious files on execution and performs real-time checks against the Endgame MalwareScore®.

• Automatic updates of the Endgame platform are available when there is connectivity to the cloud environment (Arbiter), thus meeting the PCI DSS automatic updates requirement. Windows endpoint sensors then receive updates from the Endgame platform management console.

5.2.b Policies can be configured on Windows systems via API scripts that will need to be developed and deployed on Endgame platform servers in the respective environments to have the scans performed periodically.

5.2.c Logging as required by PCI DSS can be generated via API scripts that will need to be developed and deployed on Endgame platform servers in the respective environments, requiring administrators to perform the necessary actions. The audit logs generated will need to be forwarded to syslog servers for retention purposes to meet PCI DSS Requirement 10.7. The logging could include actions performed by users or administrators on the management console as well as tasks that were executed for Windows endpoints from within the management console.

5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.

Assessor comments:

5.3.a The Endgame management and monitoring console shows the monitoring status (Active, Inactive, Unmonitored, or Deployment Failure status mode) of all endpoints where the sensor is deployed through the management console.

5.3.b The management console provides the functionality to delete or uninstall the endpoint sensor based on the administrator type setting and permissions. No users can disable the sensor software running locally on the Windows machine without appropriate administrator permissions.

5.3.c This is an administrative control and requires authorization to be provided by management to meet the control requirement.

5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.

Assessor comments: This is a policies and procedures based requirement. While Endgame can help meet the requirements for protecting against malware, it is up to administrators to create and document specific policies as required for their respective environments.


APPENDIX B: EXECUTED TEST PLAN

Columns: PCI DSS requirement; test definition per PCI validation plan; compliance supported; Endgame results and testing.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Test definition: 5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.

Endgame results and testing: Produced a report and log record that indicated that the sensor software was installed, active, and gathered events to detect and prevent threats from endpoints within scope of PCI DSS.

5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

Test definition: 5.1.1 Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs:

• Detect all known types of malicious software,

• Remove all known types of malicious software, and

• Protect against all known types of malicious software.

Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits.

Endgame results and testing:

1. Detect all "KNOWN" types of malware: Endgame MalwareScore® allows Endgame to detect known malware and block it from running. Demonstrated that the types of malware that were detected included ransomware, backdoor, trojan horse, spyware, virus, and worm.

2. Remove all "KNOWN" types of malware: Demonstrated that administrator users can delete the detected malicious file through the management console. The types of malware that were removed included ransomware, backdoor, trojan horse, spyware, virus, and worm.

3. Protect against all "KNOWN" types of malware: Demonstrated how the solution detected and then banned or blocked known malware that was part of the known malware list from VT for Windows endpoints. The types of malware that were protected against included ransomware, backdoor, trojan horse, spyware, virus, and worm.

5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

Test definition: 5.1.2 Interview personnel to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, in order to confirm whether such systems continue to not require anti-virus software.

Endgame results and testing: Demonstrated how easily the sensor software was deployed on any given system (OS coverage and implementation features). Also illustrated how any given system was assessed even if it was not part of the in-scope PCI systems.

5.2 Ensure that all anti-virus mechanisms are maintained.

• Are kept current

• Perform periodic scans

• Generate audit logs which are retained per PCI DSS Requirement 10.7.

Test definition: 5.2.a Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up to date.

Endgame results and testing: Demonstrated that MalwareScore® analyzes, detects, and protects against the malicious files for Windows endpoints. Once the Endgame platform was updated with the newer version via the cloud, updates were pushed out to the sensor software on endpoints through the management console.

Test definition: 5.2.b Examine anti-virus configurations, including the master installation of the software, to verify anti-virus mechanisms are:

• Configured to perform automatic updates, and

• Configured to perform periodic scans.

Endgame results and testing:

• Demonstrated that Endgame periodically scanned in-scope systems for malware through API scripts that can be executed on the Endgame platform server.

• Demonstrated that automatic updates could be performed when connected to the Arbiter in the cloud environment.

• The Windows endpoint sensor was then upgraded from within the Endgame platform management console.

Test definition: 5.2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that:

• The anti-virus software and definitions are current.

• Periodic scans are performed.

Endgame results and testing:

• Demonstrated that Endgame's machine learning model was sourced from current repositories and received information through Arbiter.

• Demonstrated that Endgame periodically scanned in-scope systems through the use of API scripts.

Test definition: 5.2.d Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that:

• Anti-virus software log generation is enabled, and

• Logs are retained in accordance with PCI DSS Requirement 10.7.

Endgame results and testing: Demonstrated that anti-virus logs are available through the Endgame platform; however, administrators are required to execute scripts periodically on the platform to generate logs as required by PCI DSS. These logs are currently retained as per customers' retention requirements. These could be retained in accordance with PCI DSS Requirement 10.7 or could be configured to have the logs sent out via syslog for retention purposes.

5.3 Ensure that anti-

virus mechanisms are

actively running and

cannot be disabled or

altered by users, unless

specifically authorized

by management on a

case-by-case basis for

a limited time period.

Note: Anti-virus

solutions may be

temporarily disabled

only if there is

legitimate technical

need, as authorized by

management on a case-

by-case basis. If anti-

virus protection needs

to be disabled for a

specific purpose, it

must be formally

authorized. Additional

security measures may

also need to be

implemented for the

period of time during

which anti-virus

protection is not active.

5.3.a Examine anti-virus

configurations, including the

master installation of the

software and a sample of

system components, to verify

the anti-virus software is

actively running.

Demonstrated via log reports and live

console view that the sensor software

was either running or active on Windows

endpoints and that the policy was

enforcing the proper configurations.

5.3.b Examine anti-virus

configurations, including the

master installation of the

software and a sample of

system components, to verify

that the anti-virus software

cannot be disabled or altered

by users.

Demonstrated that users cannot disable

the sensor software running locally on

the Windows machine without

appropriate administrator permissions.

5.3.c Interview responsible

personnel and observe

processes to verify that anti-

virus software cannot be

disabled or altered by users,

unless specifically authorized

by management on a case-

by-case basis for a limited

time period.

Demonstrated that Endgame could be

configured by a user with proper

administrative access and that a policy

was in place that dictated when

authorized changes could be made for

Windows endpoints.

5.4: Ensure that

security policies and

operational procedures

for protecting systems

against malware are

documented, in use,

and known to all

affected parties.

5.4 Examine documentation

and interview personnel to

verify that security policies

and operational procedures

for protecting systems

against malware are:

• Documented,

• In use, and

• Known to all affected

parties.

This is a policies and procedures based

requirement. Customers are required to

implement this requirement for their

environment. Demonstrated that

Endgame logs were queried and that

health statistics regarding the client

software were collected to provide proof

of agent uptime as well as policy

compliance.
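The 5.2.c, 5.2.d, 5.3.a and 5.4 test steps above all come down to the same evidence question: for every in-scope endpoint, is the agent running under its managed policy, is the detection model current, has a periodic scan happened recently, and is logging on? The following script, added here as an illustration and not code from Endgame, Coalfire, or the assessment, evaluates a per-endpoint health export against those steps. The export format, the field names, the hostnames, the model version and the one-day and seven-day thresholds are all constructed assumptions; the page does not describe the platform's actual API or log schema and none is reproduced here.

```python
"""Evidence check modelled on the PCI DSS 5.2/5.3 test steps.

Added example, not Endgame's or Coalfire's code. The per-endpoint health
export below is a CONSTRUCTED, hypothetical format; the real platform's
API and log schema are not described on this page and are not used here.
"""
import json
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions standing in for an organization's own policy;
# PCI DSS says "kept current" and "periodic" without fixing the intervals.
MAX_MODEL_AGE = timedelta(days=1)       # allowed age of the detection model
MAX_SCAN_INTERVAL = timedelta(days=7)   # allowed gap between periodic scans

# Constructed values: the model version the management console reports as
# current, and the point in time at which the evidence is evaluated.
CURRENT_MODEL = "2017.11.3"
AS_OF = datetime(2017, 11, 14, 12, 0, tzinfo=timezone.utc)

# Constructed sample export: one JSON object per endpoint, one per line.
SAMPLE_EXPORT = """\
{"host": "pos-01", "in_scope": true, "agent_running": true, "policy_applied": true, "model_version": "2017.11.3", "model_updated": "2017-11-14T02:00:00Z", "last_scan": "2017-11-13T01:00:00Z", "logging_enabled": true}
{"host": "pos-02", "in_scope": true, "agent_running": false, "policy_applied": true, "model_version": "2017.11.3", "model_updated": "2017-11-14T02:00:00Z", "last_scan": "2017-11-13T01:00:00Z", "logging_enabled": true}
{"host": "pos-03", "in_scope": true, "agent_running": true, "policy_applied": false, "model_version": "2017.10.9", "model_updated": "2017-10-30T02:00:00Z", "last_scan": "2017-11-01T01:00:00Z", "logging_enabled": false}
{"host": "kiosk-07", "in_scope": false, "agent_running": true, "policy_applied": true, "model_version": "2017.11.3", "model_updated": "2017-11-14T02:00:00Z", "last_scan": "2017-11-13T01:00:00Z", "logging_enabled": true}
"""


def parse_export(text):
    """Parse the JSON-lines export and turn timestamps into aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for key in ("model_updated", "last_scan"):
            rec[key] = datetime.fromisoformat(rec[key].replace("Z", "+00:00"))
        records.append(rec)
    return records


def evaluate(rec, now=AS_OF, current_model=CURRENT_MODEL):
    """Return the test steps an endpoint fails; an empty list means no finding."""
    findings = []
    if not rec["agent_running"]:
        findings.append("5.3.a: sensor not running")
    if not rec["policy_applied"]:
        findings.append("5.3.a: managed policy not enforced")
    stale = now - rec["model_updated"] > MAX_MODEL_AGE
    if rec["model_version"] != current_model or stale:
        findings.append("5.2.c: detection model/definitions not current")
    if now - rec["last_scan"] > MAX_SCAN_INTERVAL:
        findings.append("5.2.c: periodic scan overdue")
    if not rec["logging_enabled"]:
        findings.append("5.2.d: log generation disabled")
    return findings


def report(records, now=AS_OF, current_model=CURRENT_MODEL):
    """Map each in-scope host to its findings; list out-of-scope hosts
    separately so the assessor can see they were inventoried (5.1.2)."""
    in_scope = {r["host"]: evaluate(r, now, current_model)
                for r in records if r["in_scope"]}
    out_of_scope = sorted(r["host"] for r in records if not r["in_scope"])
    return in_scope, out_of_scope


def check_sample():
    """Run the check over the constructed export with the constructed clock."""
    return report(parse_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    findings, skipped = check_sample()
    for host, issues in findings.items():
        print(f"{host}: {'OK' if not issues else '; '.join(issues)}")
    print("not in PCI scope (inventoried only):", ", ".join(skipped))
```

Each finding is tagged with the test step it maps to, so the output can be filed as evidence against the validation plan rather than as a generic health dashboard. The retention half of 5.2.d (Requirement 10.7) is not something an endpoint record can prove; that evidence comes from wherever the logs are forwarded, which is why the assessor notes the Syslog option above.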


CONCLUSION

After reviewing the requirements of the PCI DSS, Coalfire determined, through review of business impacts and a technical assessment, that Endgame, as outlined in this document, could meet PCI DSS Requirement 5 for Windows endpoints. The ability to achieve overall compliance with any regulation or standard will be dependent upon the specific design and implementation of the Endgame platform.

Endgame demonstrated a high level of flexibility for managing endpoints, customization of policies, file analysis, notifications, configurations including logging, and LDAP and RBAC settings, which makes it an option for companies aiming to comply with PCI DSS anti-malware requirements.


ABOUT THE AUTHORS

Bhavna Sondhi | Senior Security Consultant | CISA, QSA (P2PE), PA-QSA (P2PE)

Bhavna Sondhi is a Sr. Security Consultant for the Application Security team at Coalfire. Bhavna is responsible for conducting PCI DSS, PA-DSS, and P2PE assessments as well as authoring technical whitepapers. Bhavna joined Coalfire in 2013 and brings over 11 years of software engineering and Information Security experience to the team, leading extensive consulting and assessment engagements within USA, Europe, and Asia. As a lead PA-QSA and P2PE-QSA, Bhavna supports assessments for some of the largest payment software providers in the world and her software engineering experience plays a vital part in ensuring the teams recognize the importance of secure code development and Information Security within their operational practices.

Nick Trenc | Director

Nick Trenc is the Director of the Application Security team at Coalfire. Nick has several years of experience working in Information Security and has an in-depth understanding of application, network, and system security architectures. He holds CISA, CISSP, QSA, and PA-QSA certifications.

Published November 2017.

ABOUT COALFIRE

Coalfire is the cybersecurity advisor that helps private and public sector organizations avert threats, close gaps, and effectively manage risk. By providing independent and tailored advice, assessments, technical testing, and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives, and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 16 years and has offices throughout the United States and Europe. Coalfire.com

Copyright © 2014-2017 Coalfire Systems, Inc. All Rights Reserved. Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI-DSS, et al.). Consequently, any forward-looking statements are not predictions and are subject to change without notice. While Coalfire has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. In order to maintain contextual accuracy of this document, all references to this document must explicitly reference the entirety of the document inclusive of the title and publication date; neither party will publish a press release referring to the other party or excerpting highlights from the document without prior written approval of the other party. If you have questions with regard to any legal or compliance matters referenced herein you should consult legal counsel, your security advisor and/or your relevant standard authority.