PCI DSS Compliance Handbook - ManageEngine

EventLog Analyzer PCI DSS Compliance Handbook

Be Audit-Ready for Payment Card Industry Data Security Standard (PCI DSS) Compliance: Comply with PCI DSS Requirements 10 and 11.5 with EventLog Analyzer

Safeguard your Customer’s Payment Card Data from Threats

EventLog Analyzer makes its way into Gartner MQ for SIEM 2016.

Introduction

The Payment Card Industry (PCI) Security Standards Council was founded by five global payment brands: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. These five payment brands shared a common vision of strengthening security policies to prevent data breaches at businesses that accept and process payment cards. Together they drafted and released the first version of the PCI Data Security Standard (PCI DSS 1.0) on December 15, 2004. The current version, PCI DSS 3.0, was released in November 2013 and is active from January 1, 2014, to December 31, 2016. PCI DSS compliance has gained worldwide acceptance among card service providers (card issuers, banks, and merchants) that plan to protect their customers’ cardholder data from being misused. PCI DSS 3.0 has 12 security requirements concerning the protection of cardholder data. All businesses that accept, store, process, or transmit customers’ card data, either online or offline, have to adhere to those requirements. Businesses that do not comply with PCI DSS requirements are penalized in different forms such as heavy fines, an increase in the number of audits, and even forfeiture of their licenses to process card transactions. Most importantly, the brand and reputation of a business suffer if a data breach affects its customers' payment card data. Let us now discuss in detail how businesses can use EventLog Analyzer, the compliance management solution from ManageEngine, to comply with PCI DSS requirements 10 and 11.5, thereby securing cardholder data and mitigating payment card fraud.


Achieving PCI DSS Compliance Using EventLog Analyzer

EventLog Analyzer caters specifically to the following PCI DSS requirements:

PCI DSS requirement 10 helps in determining the “who, what, where, and when” of users accessing your network resources and cardholder data, whereas PCI DSS requirement 11.5 helps in protecting critical files from unauthorized access. In simple words, PCI DSS requirements 10 and 11.5 are put in place so businesses can easily analyze the complete user audit trail to identify who is logging into their systems, when they logged in, what activities they carried out on the systems, and whether they accessed system files and other network resources. To meet PCI DSS requirements 10 and 11.5, the log data generated by the network systems has to be collected in a central place and monitored in real time. IT environments consist of heterogeneous network devices, systems, and applications that generate huge amounts of logs every day. EventLog Analyzer facilitates centralized log collection and continuous monitoring and reviewing of log data. It can also conduct log forensics investigations, generate security reports, monitor user activities, secure sensitive files, monitor servers, correlate events, and raise alerts on anomalous activities. The PCI DSS body also mandates that organizations retain the log data of their network systems for a period of one year, thereby allowing auditors to authenticate security incidents by checking the audit trails in the log data.

Requirement 10: Track and monitor all access to network resources and cardholder data. Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.

Requirement 11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.


EventLog Analyzer’s advanced capabilities such as log forensics investigations, canned security reports, raw log search capability, out-of-the-box correlation rules, log data retention, and log data protection help businesses easily achieve the requirements set by the PCI DSS regulatory body. The PCI DSS auditor (aka QSA - Qualified Security Assessor) can generate relevant security reports, alerts, and dive into log data to spot areas of non-compliance using EventLog Analyzer within minutes.

EventLog Analyzer provides out-of-the-box support for PCI DSS compliance requirements 10 and 11.5. The out-of-the-box PCI DSS report lists the PCI DSS sections in a systematic manner with the relevant sub-reports supporting those sections. Figure 1 below shows the out-of-the-box PCI DSS reporting template provided by EventLog Analyzer.

Figure 1: Out-of-the-Box PCI DSS Reporting Template


Logging

Identifying the network devices and systems that will be used to store, process, and transmit card data is the first step to attaining PCI DSS compliance. Logging should be enabled on all network systems and devices that fall within the scope of PCI DSS, thereby allowing IT security professionals to track and monitor all access to network resources and cardholder data. The specific logging needed to comply with the PCI DSS requirements has to be enabled on every system in scope.

For example, to identify access attempts on critical network objects such as files, the object access auditing should be enabled on those machines where such sensitive files are stored. Once all the network devices and systems are identified and configured, EventLog Analyzer will aggregate all the log data generated by them in a central place.

ManageEngine's compliance management solution focuses on the integral security framework as shown in Figure 2 for meeting the PCI DSS compliance requirements 10 and 11.5. The EventLog Analyzer PCI DSS security framework consists of the following eight critical capabilities:

Logging

Central Log Aggregation

Continuous Log Reviewing

Log Retention

Log Protection

Monitoring File Integrity

Real-Time Alerting

User Activity Monitoring

Figure 2: EventLog Analyzer’s PCI DSS Security Framework (diagram of the eight capabilities arranged around EventLog Analyzer, with a screenshot of collected Windows event log lines; the screenshot text is not reproduced here)


Central Log Aggregation

All log data from network systems should be aggregated at a centralized place for effective reporting, security, and analysis. EventLog Analyzer aggregates logs from heterogeneous sources (Windows systems, Unix/Linux systems, applications, databases, routers, switches, etc.) at a central location. Although most log data from a network can be collected through the agentless method, EventLog Analyzer offers agent technology as well to meet the diverse requirements of enterprises.

Continuous Log Reviewing

EventLog Analyzer helps IT security professionals by reviewing all log data continuously to detect anomalous security events. The actionable security data is presented as graphs and charts on the dashboard. You can quickly drill down into the data on the dashboard and perform a root cause analysis to identify why a security activity happened. IT administrators can also generate security reports at any given time thanks to real-time log analysis. EventLog Analyzer allows IT security professionals to review log data using its powerful log search functionality. It provides two different log search capabilities, basic search and advanced search. Basic search permits users to use wildcards, phrases, and Boolean operators while framing the search query. Grouped searches and range searches can also be conducted using basic search. EventLog Analyzer’s advanced search has more sophisticated capabilities such as multiple event and attribute correlation and multiple group search, but retains the ease of basic search. Advanced search also enables users to apply search filters that narrow results by event type, severity, and other attributes.

Log Retention

Log data collected from all network systems must be stored for one year, and the stored log data should be easily accessible for forensics investigations to comply with PCI DSS requirements. EventLog Analyzer retains all log data generated by network systems, devices, and applications in a centralized repository for any period of time. IT security professionals can use the archived log data to meet compliance requirements, to conduct log forensic investigation, and to perform internal audits.

Log Protection

PCI DSS compliance mandates protection of log data to avoid tampering and deletion. EventLog Analyzer encrypts the log archive files to ensure that the log data is secured for future forensic analysis as well as compliance or internal audits. The archived log data is further secured by hashing and time stamping, making it tamperproof.


Monitoring File Integrity

EventLog Analyzer facilitates real-time file integrity monitoring (FIM) by protecting sensitive data, helping organizations meet their compliance needs. With the EventLog Analyzer’s file integrity monitoring capability, security professionals can now centrally track all changes to their files and folders, such as when files and folders are created, accessed, viewed, deleted, modified, renamed, and much more. The critical information provided by EventLog Analyzer helps users make quick decisions and mitigate the risk of data breaches.

Real-Time Alerting

EventLog Analyzer allows IT security professionals to configure and set real-time alerts from a large list of out-of-the-box alerts. It also has the flexibility to customize and configure alerts based on threshold conditions, event IDs, log messages, and more. IT security professionals are notified in real time via email and SMS when any anomalous activity or threshold violation is detected on the network. EventLog Analyzer also allows you to execute custom scripts or programs upon alert generation to take quick remedial action for securing your network.

User Activity Monitoring

EventLog Analyzer monitors all users in real time and provides exhaustive reports with a complete audit trail of all user activities. It also generates privileged user monitoring and auditing (PUMA) reports by tracking the activity of privileged users. With EventLog Analyzer, IT security professionals get precise information in real time on critical events such as user logons, user logoffs, failed logons, audit logs being cleared, audit policy changes, objects accessed, and user account changes.


PCI DSS 3.0 Requirements Fulfilled by EventLog Analyzer

The following table outlines the PCI DSS control requirements that are fulfilled by EventLog Analyzer. The requirement description listed is taken from the PCI Security Standards Council website (http://www.pcisecuritystandards.org). Each row of the table gives the requirement number and description, followed by how EventLog Analyzer fulfills the requirement.

Generating Audit Trails of Suspect Activities

This section of the table focuses on how EventLog Analyzer helps businesses generate audit trails and track suspicious user activities from the moment they log into the system until they log out. EventLog Analyzer generates complete audit trails that provide insights on user access to payment cardholder data, log data, objects, and critical data, as well as insights on privileged user activity and brute force attacks.

10.2 Implement automated audit trails for all system components to reconstruct the following events: (From 10.2.1 to 10.2.7)

How EventLog Analyzer fulfills the requirement: EventLog Analyzer provides complete audit trails of events that take place on network devices, systems, and applications. It also alerts the IT security professional in real time when malicious activity is detected.

10.2.1 All individual user accesses to cardholder data.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer provides precise information about user access (failure or success events) to sensitive cardholder data files, log files, databases, and applications via custom and out-of-the-box reports. It keeps a record of all individual accesses to cardholder data and can help IT security professionals identify which account was compromised or misused to gain access to cardholder data. EventLog Analyzer verifies all individual user accesses to cardholder data included in log entries with the following out-of-the-box report: Individual User Action.


10.2.2 All actions taken by any individual with root or administrative privileges.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer keeps a record of all log activities performed by individuals having ‘Root’ or ‘Administrative’ privileges. It helps IT security professionals trace any issues resulting from an administrative mistake or misuse of privilege. It sends alerts in real time via SMS or email on authentication failures from users having privileged rights. EventLog Analyzer’s out-of-the-box Privileged User Monitoring and Audit (PUMA) report gives the entire audit trail of all the actions carried out by privileged users. EventLog Analyzer verifies all actions taken by any individual with root or administrative privileges included in log entries with the following out-of-the-box report: Privileged User Monitoring and Audit (PUMA).

10.2.3 Access to all audit trails.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer records and provides the complete audit trail of all user activity such as creation, deletion, or modification; authentication failures or successes; granting or revoking access; and failures or successes to access files, systems, devices, objects, and applications. EventLog Analyzer will send alerts in real time to IT security professionals when malicious users and privileged users attempt to alter audit log data to hide their actions. EventLog Analyzer verifies the access to all audit trails included in log entries with the following out-of-the-box reports: User Policy Changes, Domain Policy Changes, User Session Tracking, Audit Policy Changes, Privileged User Monitoring and Audit (PUMA).


10.2.4 Invalid logical access attempts.

How EventLog Analyzer fulfills the requirement: Multiple invalid login attempts may be an indication of an unauthorized user’s attempts to “brute force” or guess a password. EventLog Analyzer tracks down the activity of malicious individuals who often perform multiple access attempts on critical systems and devices. EventLog Analyzer verifies invalid logical access attempts included in log entries with the following out-of-the-box reports: Successful User Logons (Network Logon, User Logon), Successful User Logoffs (Network Logoff, User Logoff), Unsuccessful User Logons, Account Locked Out.

10.2.5 Use of and changes to identification and authentication mechanisms, including but not limited to creation of new accounts and elevation of privileges, and all changes, additions, or deletions to accounts with root or administrative privileges.

10.2.5.a Verify use of identification and authentication mechanisms is logged.

10.2.5.b Verify all elevation of privileges is logged.

10.2.5.c Verify all changes, additions, or deletions to any account with root or administrative privileges are logged.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer provides IT security professionals with information such as when users log on and when users log off. It gives you the complete audit trail showing the complete list of activities done by users from login to logout. It logs all activity that happens on identification and authentication mechanisms in both Windows and Linux environments. It logs the events when privileges are elevated and can also give information on the processes running under elevated privilege using its out-of-the-box report named ‘Process Tracking.’ It also logs the activities when accounts with root or administrative privileges are created and deleted.


10.2.6 Initialization, stopping, or pausing of the audit logs.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer will record and alert IT security professionals when a malicious user turns the audit logs off or pauses log generation prior to performing illicit activity to avoid being detected. Initialization of audit logs could indicate that the log function was disabled by a user to hide their actions. EventLog Analyzer verifies the initialization, stopping, or pausing of the audit logs included in log entries with the following out-of-the-box reports: System Logs, Audit Logs Cleared.

10.2.7 Creation and deletion of system-level objects.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer’s out-of-the-box object access auditing reports provide precise information when system-level objects are created or deleted and help IT security professionals determine whether such modifications were authorized. EventLog Analyzer monitors system-level objects such as application executables and configuration files, system configuration files, and system executables. EventLog Analyzer verifies the creation and deletion of system-level object information included in log entries with the following out-of-the-box reports: Object Accessed, Object Created, Object Modified, Object Deleted, Object Handle.
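The two detections the 10.2.4 and 10.2.6 rows describe, repeated invalid logon attempts that may indicate password guessing and the clearing of the audit log, can be reproduced in a few lines over centrally collected events. The block below is an added example written for this handbook page, not EventLog Analyzer code or its report logic. The line layout, host names and sample events are constructed for the example; the Windows event IDs 4625 (failed logon) and 1102 (audit log cleared) are the standard IDs a collector sees from a Windows security log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one Windows security event per line as a central
# collector might store it.  The column layout is invented for this example:
# "<timestamp> <host> <event_id> <outcome> <user> <source_ip>".
# 4625 = failed logon, 1102 = audit log cleared (standard Windows event IDs).
SAMPLE_LOG = """\
2016-03-01T10:00:01 pos-srv-01 4624 Success alice 10.0.5.20
2016-03-01T10:00:05 pos-srv-01 4625 Failure mallory 10.0.9.77
2016-03-01T10:00:09 pos-srv-01 4625 Failure mallory 10.0.9.77
2016-03-01T10:00:14 pos-srv-01 4625 Failure mallory 10.0.9.77
2016-03-01T10:00:20 pos-srv-01 4625 Failure mallory 10.0.9.77
2016-03-01T10:00:27 pos-srv-01 4625 Failure mallory 10.0.9.77
2016-03-01T10:02:00 pos-srv-02 4625 Failure bob 10.0.5.21
2016-03-01T10:07:00 pos-srv-02 4625 Failure bob 10.0.5.21
2016-03-01T10:30:00 pos-srv-01 1102 Success mallory 10.0.9.77
"""

FAILED_LOGON = "4625"
AUDIT_LOG_CLEARED = "1102"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event_id, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "event_id": event_id,
            "outcome": outcome, "user": user, "src": src}


def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (rule, host, user) tuples in the order they fire.

    brute_force_suspected: `threshold` failed logons for the same
    (host, user, source) inside a sliding `window` (requirement 10.2.4).
    audit_log_cleared: any 1102 event, i.e. the audit log being stopped or
    cleared, typically before illicit activity (requirement 10.2.6).
    """
    alerts = []
    recent = defaultdict(deque)   # (host, user, src) -> timestamps of recent failures
    already_fired = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue   # unparseable line; a real pipeline would count these as well
        if ev["event_id"] == AUDIT_LOG_CLEARED:
            alerts.append(("audit_log_cleared", ev["host"], ev["user"]))
        elif ev["event_id"] == FAILED_LOGON:
            key = (ev["host"], ev["user"], ev["src"])
            failures = recent[key]
            failures.append(ev["ts"])
            while failures and ev["ts"] - failures[0] > window:
                failures.popleft()   # drop failures that fell out of the sliding window
            if len(failures) >= threshold and key not in already_fired:
                already_fired.add(key)
                alerts.append(("brute_force_suspected", ev["host"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Bob's two failures five minutes apart stay below the threshold, while the five failures against pos-srv-01 inside one minute fire once, and the 1102 event fires unconditionally because there is no benign reason for the audit log to be cleared on a system in PCI scope. Keying on (host, user, source) keeps the rule quiet for ordinary typos; a slow trickle of failures spread over many accounts or hosts needs a separate rule keyed on the source alone, which is the kind of correlation the page attributes to the product's correlation rules.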


Record Audit Trail Entries from Log Data

This section of the table addresses how EventLog Analyzer can help businesses record audit trail entries from log data such as user identification, event type, date and time, success and failure indication, origination of event, and name of affected data, system component, or resource. Recording such audit trail entries helps IT security professionals identify and mitigate threats.

10.3 Record at least the following audit trail entries for all system components for each event: (From 10.3.1 to 10.3.6)

How EventLog Analyzer fulfills the requirement: EventLog Analyzer records all critical audit trail entries found in the log data that is generated by network systems, devices, and applications. This helps in spotting a potential compromise and provides details about who, what, where, when, and how that compromise happened.

10.3.1 User identification.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer verifies user identification (account/login) information included in log entries with the following out-of-the-box reports: Successful User Logons (Network Logon, User Logon), Successful User Logoffs (Network Logoff, User Logoff), Unsuccessful User Logons, Terminal Service Session, User Created, User Deleted, Account Locked Out, User Modified.


10.3.2 Type of event.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer verifies and categorizes the type of event included in log entries based on event severity parameters such as Error, Failure, Information, Success, Alert, Critical, Debug, Emergency, Notice, Warning, Application, Security, System, and more.

10.3.3 Date and time.

How EventLog Analyzer fulfills the requirement: Timestamps are the most important part of any event because they tell us when that particular event happened. EventLog Analyzer parses time stamp data to verify the date and time included in log entries for accurate reporting, alerting, correlation, and archiving.

10.3.4 Success or failure indication.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer parses success or failure information of an event from the log entries and represents the data in graphs and charts. EventLog Analyzer can also be configured to send alerts or generate reports at a scheduled time when success or failure events are triggered.

10.3.5 Origination of event.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer verifies the origination of an event by parsing the relevant information such as host, IP, or application from the log entries.

10.3.6 Identity or name of affected data, system component, or resource.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer’s real-time alerting, out-of-the-box reporting, and log search capability help identify affected data, system components, and critical resources.


Protect Audit Trail Files from Being Altered

This section of the table discusses how EventLog Analyzer helps businesses protect audit trail entries from being modified and deleted by malicious users. Often, malicious users try to modify or delete the audit logs in order to hide their activity from being known to others. EventLog Analyzer safeguards against log data alteration by monitoring it in real time and encrypting the log data, and makes it tamperproof by hashing and time-stamping it. It also checks the integrity and accuracy of the log data by monitoring it using the file integrity monitoring (FIM) capability.

10.5 Secure audit trails so they cannot be altered.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer encrypts the log archive files to ensure that the log data is secured for future forensic analysis and compliance or internal audits. The archived log data is further secured by hashing and time stamping, making it tamperproof.

10.5.1 Limit viewing of audit trails to those with a job-related need.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer limits the viewing of audit trails by creating role-based access for users to view log data. The administrator can assign rights to guest and operator users by creating groups for systems, devices, and applications. For example, the administrator can create a group of 100 Windows servers and assign that group to Bob (Operator User). Bob will only be able to view and access the audit trails of all activities happening on the 100 Windows servers in his group and not the log data of other systems, devices, and applications.

10.5.2 Protect audit trail files from unauthorized modifications.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer protects audit trails from unauthorized modification by immediately archiving, hashing, and storing collected logs in a secure central repository.

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer includes integrated file integrity monitoring, which can ensure that the collection infrastructure is not tampered with. Alerts are customizable to prevent or allow alarms on a case-by-case basis, including not causing an alert when new data is being added.


10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer stores the log data that is generated by external-facing technologies such as wireless, firewalls, DNS, and mail servers onto a secure centralized server. The log data files are made tamperproof by hashing and time-stamping the log data. The log data is also secured from unauthorized access by using the file integrity monitoring (FIM) capability. EventLog Analyzer comes bundled with a PostgreSQL database to store log data. Other database applications such as MSSQL and MySQL can also be used by organizations.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

How EventLog Analyzer fulfills the requirement: EventLog Analyzer provides adequate protection of the audit logs by monitoring them in real time against unauthorized access using object access reports, file integrity monitoring reports, and alerting. EventLog Analyzer archives the logs to a centralized log server and sends notifications to IT security professionals when someone tries to alter, modify, or delete the audit trail log files. EventLog Analyzer encrypts the log archive files to ensure that the log data is secured for future forensic analysis and compliance/internal audits. The archived log data is further secured by hashing and time stamping, making it tamperproof. EventLog Analyzer’s file integrity monitoring capability checks for changes to log data and notifies when such changes are noted. It is flexible and can be customized to generate alerts when log data is created, accessed, viewed, deleted, modified, renamed, and more.
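The hashing and time-stamping that the 10.5, 10.5.2 and 10.5.5 rows rely on can be illustrated with a hash chain: each archived record commits to the digest of the record before it, so editing, deleting or reordering an earlier record breaks verification from that point on, while appending new records leaves the chain valid, which is exactly the "new data being added should not cause an alert" condition of 10.5.5. The block below is an added example for this page, not EventLog Analyzer's archive format. The record strings and timestamps are constructed, and the encryption of the archive that the page also mentions is left out so the example stays on the integrity check.

```python
import hashlib

GENESIS = "0" * 64   # previous-hash value for the first entry in an archive


def _digest(prev_hash, timestamp, record):
    """SHA-256 over the previous digest, the timestamp and the raw record."""
    h = hashlib.sha256()
    for part in (prev_hash, timestamp, record):
        h.update(part.encode("utf-8"))
        h.update(b"\x00")   # field separator so boundaries cannot be shifted between fields
    return h.hexdigest()


def append_record(chain, record, timestamp):
    """Append one raw log record; the new entry commits to the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"ts": timestamp, "record": record, "prev": prev_hash,
             "hash": _digest(prev_hash, timestamp, record)}
    chain.append(entry)
    return entry["hash"]


def verify_chain(chain):
    """Return (True, None) when every entry links to its predecessor and matches its own
    digest, otherwise (False, index) for the first entry that fails."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash:
            return False, i
        if _digest(prev_hash, entry["ts"], entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, None


def demo():
    """Walk through the 10.5.5 condition: appends stay valid, rewrites are detected."""
    # Constructed records in the style of a collector's raw log lines.
    chain = []
    for i, rec in enumerate(["4624 alice logon pos-srv-01",
                             "4663 alice read card.db",
                             "4634 alice logoff pos-srv-01"]):
        append_record(chain, rec, f"2016-03-01T10:0{i}:00Z")
    valid_initially = verify_chain(chain)[0]

    # New data being added must not raise an alert.
    append_record(chain, "4624 bob logon pos-srv-02", "2016-03-01T10:03:00Z")
    valid_after_append = verify_chain(chain)[0]

    # Rewriting an existing entry to hide the access to card.db is caught at index 1,
    # because the stored digest no longer matches the modified record.
    chain[1]["record"] = "4663 alice read readme.txt"
    tampered = verify_chain(chain)
    return valid_initially, valid_after_append, tampered


if __name__ == "__main__":
    print(demo())   # (True, True, (False, 1))
```

The chain only proves integrity relative to its head: whoever can rewrite the whole archive can also recompute every digest. In practice the latest hash is therefore anchored outside the writable archive, for example by sending it to a separate log server or having a time-stamping authority sign it at intervals, which is the role the page's time stamping plays alongside the hashing.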


Review Logs and Security Events Generated by your IT Infrastructure

This section of the table focuses on how EventLog Analyzer helps businesses review log data and security events generated by servers, firewalls, intrusion-detection systems and intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, applications, and other technologies on a daily basis via out-of-the-box reports, custom reports, correlation rules, alerts, file integrity monitoring, log search capability, and more.

10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer reviews log data on a regular basis and helps IT security professionals mitigate threats and attacks proactively. EventLog Analyzer checks logs in real time and protects the cardholder data environment from unauthorized access.

10.6.1, 10.6.1.a Review the following at least daily:

All security events

Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD

Logs of all critical system components

Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

How EventLog Analyzer fulfills the requirement: Daily review of security events helps identify suspicious or anomalous activities. EventLog Analyzer allows you to check logs on a daily basis via out-of-the-box reports, custom reports, correlation rules, alerts, file integrity monitoring, and log search capability. EventLog Analyzer reviews the log data generated by applications, servers, systems, and devices such as firewalls, IDS/IPS, switches, and routers in real time. EventLog Analyzer also helps identify anomalous behavior using its out-of-the-box ‘trend reports’ that can show you different event patterns in real time.


EventLog Analyzer’s Universal Log Parsing and Indexing (ULPI) capability helps security professionals monitor and review log data from any system component. It identifies and alerts when attempts to gain access to critical systems are made by malicious users.

Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual riskassessment.

Examine security policies and procedures to verify that procedures are defined forreviewing logs of all other system components periodically—either manually or via log tools—based on the organization’s policies and risk management strategy.

10.6.2

10.6.2.a

Retain Log Data to Perform Forensics Analysis

This section of the table discusses how EventLog Analyzer helps businesses retain logs for at least a year, thereby allowing IT security professionals to conduct log forensics investigations that trace compromises or breaches that occurred in the past or are currently occurring, so they can quickly identify and minimize the impact of a data breach.

Requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

Testing procedure 10.7.a: Examine security policies and procedures to verify that they define the following:

- Audit log retention policies

- Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer retains logs for any custom period. PCI DSS requires log retention for at least a year, and EventLog Analyzer meets this requirement. EventLog Analyzer’s log retention allows IT security professionals to track down a compromise or security incident that has occurred or is occurring. They can track potential threat patterns, the duration of the attack, and other security insights. EventLog Analyzer also keeps three months of logs immediately available, so IT security professionals can quickly identify and minimize the impact of a data breach.


Deploy a File Integrity Monitoring Tool to Detect Changes to Critical Files

This section of the table addresses how EventLog Analyzer’s file integrity monitoring capability helps businesses check for changes to critical files and notify personnel when such changes are detected. It monitors critical files for changes such as modification, deletion, renaming, access, and creation, and it also reports the name of the individual who initiated the change. EventLog Analyzer’s file integrity monitoring also alerts security professionals in real time via email and SMS when changes to critical files are detected.

Requirement 11.5: Deploy a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Testing procedure 11.5.a: Verify the use of a change-detection mechanism within the cardholder data environment by observing system settings and monitored files as well as reviewing results from monitoring activities. Examples of files that should be monitored:

- System executables

- Application executables

- Configuration and parameter files

- Centrally stored, historical or archived, log and audit files

- Additional critical files determined by entity (for example, through risk assessment or other means).

How EventLog Analyzer fulfills the requirement: EventLog Analyzer’s file integrity monitoring (FIM) feature checks for changes to critical files and notifies personnel when such changes are detected. It can track a malicious individual altering configuration file contents, operating system programs, or application executables. IT security professionals can centrally track all changes happening to their files and folders, such as when files and folders are created, accessed, viewed, deleted, modified, renamed, and more. EventLog Analyzer facilitates real-time file integrity monitoring by protecting sensitive files. It monitors all file types, such as system executables, application executables, system configuration files, content files, log files, zipped files, and more. The critical information provided by EventLog Analyzer’s file integrity monitoring feature allows users to make quick decisions and mitigate the risk of cardholder data breaches.

Testing procedure 11.5.b: Verify the mechanism is configured to alert personnel to unauthorized modification of critical files and to perform critical file comparisons at least weekly.

How EventLog Analyzer fulfills the requirement: EventLog Analyzer sends alert notifications to IT security professionals via SMS or email when unauthorized users modify critical files. File comparison reports can be generated with EventLog Analyzer to compare the changes made to those files. Reports can be scheduled to run hourly, daily, weekly, monthly, or over any custom period.
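The change-detection mechanism that requirement 11.5 describes, shown as an added Python example that is not part of this handbook or of EventLog Analyzer: a baseline of SHA-256 digests is taken for the files under a monitored directory, and the periodic (at least weekly) comparison classifies every modified, deleted, or newly created file so each can be raised as an alert and checked against approved changes. The monitored directory and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 digest of one file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Digest of every regular file under a monitored directory, keyed by relative path."""
    root = Path(directory)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_snapshots(baseline, current):
    """Classify differences between the stored baseline and a fresh snapshot.

    This is the 'critical file comparison' of 11.5: each non-empty list is an
    event to alert on and reconcile against the approved change record.
    """
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "created": sorted(p for p in current if p not in baseline),
    }


def demo_weekly_comparison():
    """Constructed scenario (hypothetical file names): baseline a configuration
    directory, then simulate an edited file, a deleted file and an unexpected new file."""
    root = Path(tempfile.mkdtemp(prefix="fim_demo_"))
    for name in ("app.conf", "service.bin", "web.xml"):
        (root / name).write_bytes(b"original contents of " + name.encode())
    baseline = snapshot(root)                    # recorded when monitoring is set up
    (root / "app.conf").write_bytes(b"changed")  # unauthorized edit of a config file
    (root / "web.xml").unlink()                  # deletion of a monitored file
    (root / "unexpected.so").write_bytes(b"x")   # file that was never approved
    return compare_snapshots(baseline, snapshot(root))  # the scheduled comparison


if __name__ == "__main__":
    print(demo_weekly_comparison())
```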


Conclusion

Compliance with PCI DSS is a must for all businesses that accept card payments, because keeping customers’ payment card data secure is crucial for the progress of those businesses. PCI DSS compliance can bring enormous benefits to businesses, such as a more secure network, higher brand value, improved reputation, and a lower risk of data breaches. Non-compliance, on the other hand, can have severe consequences.

EventLog Analyzer helps businesses stay compliant with PCI DSS requirements 10 and 11.5 with ease. It facilitates real-time reviewing and monitoring of log data and network resources with its out-of-the-box PCI DSS reports, file integrity monitoring (FIM), log management capabilities, and much more.

To learn more about EventLog Analyzer, please visit www.eventloganalyzer.com.


About the Author

Joel John Fernandes currently works as a Senior Product Marketing Analyst for ManageEngine. He has thorough knowledge of the Security Information and Event Management (SIEM) and Payment Card Industry Data Security Standard (PCI DSS) domains and has consulted on network security and log management for both large and small enterprises. He can be reached at [email protected]

About ManageEngine

ManageEngine delivers the real-time IT management tools that empower an IT team to meet an organization’s need for real-time services and support. Worldwide, more than 60,000 established and emerging enterprises — including more than 60 percent of the Fortune 500 — rely on ManageEngine products to ensure the optimal performance of their critical IT infrastructure, including networks, servers, applications, desktops and more. ManageEngine is a division of Zoho Corp. with offices worldwide, including the United States, United Kingdom, India, Japan and China.

http://blogs.manageengine.com | www.facebook.com/manageengine | https://twitter.com/manageengine


ManageEngine EventLog Analyzer: PCI DSS Compliance Solution

www.eventloganalyzer.com

Zoho Corporation, 4141 Hacienda Drive, Pleasanton, CA 94588, USA

Phone: +1 888 204 3539
Website: www.manageengine.com
