Event Data Management Software: A Vital Tool for Tackling the PCI Challenge

Though the security standard for processing credit cards has passed, and IT has adjusted, pitfalls remain.

by Ed Chopskie

As we mark the passing of the three-year anniversary of the creation of the Payment Card Industry Data Security Standard (PCI DSS), it’s a good time to reflect on the progress and the pitfalls that still remain.

Certainly, the detailed framework provided by PCI DSS gives companies a great deal of guidance and practical advice for fortifying the infrastructure that protects sensitive consumer financial data. The 12 areas defined by the standard cover requirements and procedures for network security, vulnerability management, access controls, data protection, and policy, among others.

The strength of this paper guidance, however, is balanced by the real-world challenges of implementing the internal business rules and appropriate IT systems needed for compliance. In fact, a recent study (see http://www.rsa.com/press_release.aspx?id=8781) by security provider RSA and Forrester Consulting shows that adoption has not been uniform across affected organizations. Companies that process higher volumes of transactions are getting the religion and making the appropriate investments. Smaller organizations have been moving more slowly, leaving consumers and the companies themselves at significant risk.

As time passes, one of the larger issues confronting an enterprise is how to store and analyze the huge volumes of enterprise data the PCI compliance process requires. A variety of data types are affected, from audit and application logs and network connectivity settings to configuration and vulnerability scan data.

Companies have to find an affordable way to store all this information. They need a simple and effective approach to aggregating and correlating intelligence from the data and packaging the results in audit-friendly reports.

Enter event data management software, also known as log data management or (in the vernacular of industry analysts) security information management (SIM) solutions. Event data records (log data) are created whenever time-stamped transactions occur in the IT infrastructure. The retention of this log data and the ability for organizations to quickly inspect these records have become vital to businesses for meeting audit readiness and regulatory compliance and in detecting suspicious activity, insider threats, and other security breaches.

The Role of Event Data Management

Event data management software is an ideal asset for helping an organization improve its PCI compliance. EDM solutions provide a means to store all relevant information and correlate findings to meet compliance, identify problem areas, and quickly produce reports for auditors.

In obvious and not so obvious ways, the software has a role to play across all 12 of the PCI focus areas. We offer a brief look at each area and how event data management software can help businesses tackle the PCI challenge:

PCI Requirement 1: Install and maintain a firewall configuration to protect cardholder data

This requirement focuses on five tenets, including best practices for firewall and router configurations; processes to prohibit network traffic from “untrusted” environments that are not explicitly allowed; restricting connections between publicly-available services and systems storing cardholder data; preventing direct public access to systems storing cardholder data; and concealing internal addressing schemes from the Internet.

In this context, event data management tools can play a valuable role in auditing events so required reports can be created. A SIM, for example, can show if internal network addressing is “leaking” to the Internet. Auditors can also have simplified visibility into traffic patterns among various network segments on a firewall.

PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

The existence of active default system credentials can be a hidden trap door for breach-minded criminals. A variety of logs can reveal whether the required changes were made prior to moving the systems into production.

PCI Requirement 3: Protect stored cardholder data

This element of PCI focuses on data encryption as well as storage and display of sensitive cardholder data that must be retained for legitimate business reasons. It also specifies which data cannot be retained, including the stripe data, card verification code, and the PIN block from debit cards.

At the simplest level, SIM software can track who has accessed cardholder data in company databases. Auditing database application logs and system logs can show whether any illicit or unauthorized data access has occurred.

Many SIM applications can also verify whether an organization is compliant when it comes to not keeping prohibited data such as the full track (stripe) data.

PCI Requirement 4: Encrypt transmission of cardholder data across open, public networks

Many organizations have adopted VPN technology to transmit and receive sensitive data with their business partners. SIM software can be used to monitor the VPN communications to see if IPSec tunnels are properly established.

This area also addresses some of the special concerns of wireless security. The lack of effective controls in the wireless arena has contributed to a number of major breaches, including the infamous break-in at TJX that exposed the credit and debit card records of nearly 47 million customers. Event data management solutions can audit wireless logs to ensure proper encryption and other controls are in place.

PCI Requirement 5: Use and regularly update anti-virus software or programs

This is a very straightforward requirement, primarily intended to reduce the impact of attacks on Windows environments. Fortunately, SIM software is optimized to “play nice” with anti-virus logs. Once companies have their procedures established for regularly installing and updating anti-virus software across their infrastructures, SIM tools can easily audit the logs to ensure the reality matches the plan.

PCI Requirement 6: Develop and maintain secure systems and applications

Companies expend a significant amount of energy and resources in this area for the initial investment in security systems and in their ongoing development and maintenance. Activities under scrutiny here include patch management, change control procedures, software development activities, and Web application protection.

Log management tools can report on the extensive intelligence that patch management solutions produce. For example, Event Viewer logs generated by clients that interact with Microsoft’s Software Update Services patching service can be sent to a SIM for evaluation.

PCI Requirement 7: Restrict access to cardholder data by business need-to-know

This requirement sounds relatively straightforward, but many organizations struggle to get a grasp on exactly where sensitive data resides in their enterprise. For example, database access may be tightly locked down, but security controls may be lacking in e-mail systems. Once the data locations are defined and rules outlined as to who can access it, SIM tools can be invoked to monitor access logs and particular files.

PCI Requirement 8: Assign a unique ID to each person with computer access

This is a key area where log management systems can deliver great value. They can be set up to look for warning signs, such as logs that show multiple log-ins in succession from different locations by the same user, or accounts that have been inactive for more than 90 days. In addition, they can flag passwords that do not meet PCI requirements.
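The two warning signs named above, expressed as detection logic over a constructed authentication log. This is an added example, not code from the article or from SenSage; the pipe-delimited log format, the user names and the 30-minute window for "successive" logins are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample authentication log, one event per line:
# timestamp|user|source_location|result
SAMPLE_AUTH_LOG = """\
2007-09-10T08:00:00|alice|NYC-office|success
2007-09-10T08:04:00|alice|Frankfurt-VPN|success
2007-09-10T09:15:00|bob|NYC-office|success
2007-06-01T10:00:00|carol|NYC-office|success
2007-09-10T11:30:00|bob|NYC-office|success
"""

def parse_auth_log(text):
    """Turn the constructed log format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, location, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "location": location, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def successive_logins_from_different_locations(events, window=timedelta(minutes=30)):
    """Flag a user whose consecutive successful logins come from different
    locations within `window` (a shared or stolen ID is one explanation)."""
    last = {}        # user -> most recent successful login event
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev and prev["location"] != e["location"] and e["ts"] - prev["ts"] <= window:
            findings.append((e["user"], prev["location"], e["location"]))
        last[e["user"]] = e
    return findings

def inactive_accounts(events, known_users, as_of, max_idle=timedelta(days=90)):
    """Report every known account with no successful login in the last 90 days;
    accounts that never appear in the log at all are reported as well."""
    last_seen = {}
    for e in events:
        if e["result"] == "success":
            last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    return sorted(u for u in known_users
                  if u not in last_seen or as_of - last_seen[u] > max_idle)
```

The account inventory passed to `inactive_accounts` would normally come from the directory, so that dormant accounts with no log entries at all are still caught.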

PCI Requirement 9: Restrict physical access to cardholder data

New possibilities are opening up for integrating physical and logical security defenses to better identify potentially suspicious activity. For example, an event could be generated, and thus evaluated in a SIM, if an employee logs into a remote VPN connection but is then shown to be simultaneously accessing a physical data center with a card key.
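The VPN-versus-badge correlation just described, as an added example that is not part of the article or of any SenSage product. The VPN session log and badge-reader log are constructed samples in an assumed pipe-delimited format; a session with no end event is treated as still open at the time the rule runs.

```python
from datetime import datetime

# Constructed sample events that a SIM would normalize from two sources:
# the VPN concentrator's session log and the data-center door badge reader.
# Format: timestamp|source|user|action|detail
VPN_LOG = """\
2007-09-10T13:00:00|vpn|alice|session-start|remote-dialin
2007-09-10T14:00:00|vpn|alice|session-end|remote-dialin
2007-09-10T13:30:00|vpn|bob|session-start|remote-dialin
2007-09-10T14:30:00|vpn|bob|session-end|remote-dialin
2007-09-10T14:50:00|vpn|carol|session-start|remote-dialin
"""
BADGE_LOG = """\
2007-09-10T13:20:00|badge|alice|entry|datacenter-door-1
2007-09-10T15:05:00|badge|bob|entry|datacenter-door-1
2007-09-10T15:10:00|badge|carol|entry|datacenter-door-1
"""

def parse_events(text):
    """Split the constructed pipe-delimited lines into dicts, ordered by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, source, user, action, detail = line.split("|")
            events.append({"ts": datetime.fromisoformat(ts), "source": source,
                           "user": user, "action": action, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def vpn_sessions(vpn_events, now):
    """Pair session-start/session-end into (user, start, end) intervals.
    A session that has not ended yet is treated as open until `now`."""
    open_sessions, sessions = {}, []
    for e in vpn_events:
        if e["action"] == "session-start":
            open_sessions[e["user"]] = e["ts"]
        elif e["action"] == "session-end" and e["user"] in open_sessions:
            sessions.append((e["user"], open_sessions.pop(e["user"]), e["ts"]))
    sessions.extend((u, start, now) for u, start in open_sessions.items())
    return sessions

def remote_but_badged_in(vpn_events, badge_events, now):
    """Flag a badge entry to the data center that falls inside the same
    user's remote VPN session: one of the two events is not what it seems."""
    findings = []
    for user, start, end in vpn_sessions(vpn_events, now):
        for b in badge_events:
            if b["user"] == user and b["action"] == "entry" and start <= b["ts"] <= end:
                findings.append((user, b["ts"].isoformat(), b["detail"]))
    return sorted(findings)
```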

PCI Requirement 10: Track and monitor all access to network resources and cardholder data

This is the SIM “sweet spot.” This requirement looks at processes that link system access to specific users, record specific information about audit trail entries (such as type of event or date and time), and ensure logs are reviewed daily. These information types can be aggregated by SIM tools -- which collect tamper-proof log data -- so that any compliance deficiency or potential criminal activity can be found.

PCI Requirement 11: Regularly test security systems and processes

As part of this section, companies must demonstrate that they have completed vulnerability testing to be compliant. SIM solutions can prove these tests were administered by capturing attack signatures or other proof of the simulated attack.

PCI Requirement 12: Maintain a policy that addresses information security for employees and contractors

Here, SIM tools can be useful to audit compliance with the variety of policies companies must have in place to meet PCI standards. Three of the most common areas where the software can add value are: ensuring that security and administrative teams are monitoring and analyzing security alerts and related information; administering user accounts; and handling alerts as part of an incident response plan.

- - -

Ed Chopskie is vice president of marketing for SenSage. You can reach the author at ed.chopskie@sensage.com.