WHITE PAPER ENDGAME, INC. - pages.endgame.com · Endgame PCI DSS Security | White Paper
WHITE PAPER
ENDGAME, INC. PCI DSS SECURITY ARCHITECTURE AND TECHNOLOGY WHITEPAPER
BHAVNA SONDHI | CISA, QSA (P2PE), PA-QSA (P2PE)
NICK TRENC | CISSP, CISA, QSA, PA-QSA
Endgame PCI DSS Security | White Paper 2
TABLE OF CONTENTS
Executive Summary ................................................................................................................. 3
About Endgame ..................................................................................................................... 3
Audience ................................................................................................................................ 4
Methodology .......................................................................................................................... 4
Summary Findings ................................................................................................................. 4
Assessor Comments .............................................................................................................. 5
Application Architecture and Security ................................................................................... 6
Technical Security Assessment.............................................................................................. 8
Assessment Methods ............................................................................................................. 8
Assessment Environment ....................................................................................................... 8
Network Traffic Assessment ................................................................................................... 8
Tools and Techniques ...........................................................................................................10
References ...........................................................................................................................10
Appendix A: PCI DSS Requirements Coverage Matrix .........................................................11
Appendix B: Executed Test Plan ...........................................................................................14
Conclusion ..............................................................................................................................17
EXECUTIVE SUMMARY
Endgame, Inc. engaged Coalfire Systems Inc. (Coalfire), a respected Payment Card Industry (PCI)
Qualified Security Assessor (QSA) and Payment Application – QSA (PA-QSA) company, to conduct an
independent technical assessment of their Endgame platform. Coalfire conducted assessment activities
including technical testing, architectural assessment, and compliance validation.
In this paper, Coalfire will describe how they confirmed that the Endgame platform met the PCI Data
Security Standard (PCI DSS) v3.2 anti-malware requirements for Windows endpoints based on the sample
testing and evidence gathered during this assessment.
ABOUT ENDGAME
Endgame is a centrally managed endpoint security platform that stops advanced threats before damage
and loss. The platform provides full stack prevention, accelerated detection and response, and automated
hunting across the depth of the MITRE ATT&CK™ matrix. Endgame’s single, autonomous agent eliminates
multiple host agents including anti-virus (AV), next-gen AV, incident response, indicators of compromise
(IOC)-based agents, and forensic tools. The Endgame platform provides automated workflow and guided
response for analysts to instantly stop malicious activity.
Below are highlights of various features and capabilities within the Endgame platform:
• Full Stack Prevention: Endgame uses advanced signature-less techniques to prevent exploits,
malware, fileless attacks, malicious macros, and ransomware.
– Exploit Prevention: Patent-pending Hardware Assisted Control Flow Integrity (HA-CFI™) and
enhanced Dynamic Binary Instrumentation (DBI) blocks zero-day exploits before malicious
code execution.
– Malware Prevention at file execution: Endgame MalwareScore® prevents execution of known
and unknown malware and performs signature-less malware prevention.
– Fileless Attack Prevention: Patent-pending process injection prevention and Endgame
MalwareScore® prevent malicious module loads, DLL injection, and shellcode injection to stop
adversary evasion and fileless attacks.
– Malicious Macro Prevention: Heuristic-based macro prevention blocks malicious macros
embedded in commonly targeted applications such as MS Office applications.
– Ransomware Prevention: Behavior-based ransomware prevention is effective against
ransomware families such as BadRabbit, Petya, WannaCry, etc.
– Technique-Focused Protection: Expands across the breadth of the MITRE ATT&CK™ Matrix,
stopping ongoing attacks such as command and control, defense evasion, and privilege
escalation by leveraging Endgame’s knowledge of adversary tradecraft.
• Accelerated Endpoint Detection and Response:
– Endgame’s Enhanced Attacker Visualization, Endgame Resolver™, unveils various actions
taken by the attacker to instantly identify the origin and extent of compromise. Endgame
Resolver™ shows actions of the attack including process events, network connections, netflow,
user logons, DNS requests, and file or registry modifications.
– Endgame’s AI-Powered Security Mentor, Artemis®, uses natural language understanding to
automate data collection, investigation, and alert triage at enterprise scale.
– Endgame Arbiter® automates advanced attack analysis to determine file reputation, attack
type, and other attributes, extracting IOCs to reveal previously unknown threats across the
entire enterprise.
– Automated hunting using tradecraft analytics and outlier analysis streamlines detection and
response workflows to surface suspicious artifacts across millions of records in minutes.
– Precision and scalable response empowers Security Operations Center (SOC) teams to
restore endpoints at enterprise scale with zero business disruption.
AUDIENCE
This assessment white paper has three target audiences:
1. QSA and Internal Audit Community: This audience may be evaluating Endgame to assess a
merchant or service provider environment for PCI DSS.
2. Administrators and Other Compliance Professionals: This audience may be evaluating
Endgame for use within their organization for compliance requirements other than PCI DSS.
3. Merchant and Service Provider Organizations: This audience is evaluating Endgame for
deployment in their cardholder data environment and the benefits this solution can offer.
METHODOLOGY
Coalfire completed a multi-faceted technical assessment using the below industry and audit best practices.
Coalfire conducted technical lab testing in its Colorado lab from October 6, 2017 to October 27, 2017,
including remediation activities.
At a high level, testing consisted of the following tasks:
1. Technical review of the architecture of the full solution and its components.
2. Implementation of the sensor in the Coalfire lab environment for Windows endpoints.
3. Introduction of malware binaries on local systems with Endgame software installed.
4. Confirmation of Endgame’s ability to block and remove known malware samples for Windows
endpoints.
5. Execution of malware scans using application programming interface (API) scripts for Windows
endpoints.
SUMMARY FINDINGS
The following findings are relevant highlights of this assessment:
• When properly implemented following vendor guidance, the Endgame platform can provide coverage
for PCI DSS Requirement 5 – “Protect all systems against malware and regularly update anti-virus
software or programs”, based on the sample testing and evidence gathered during this assessment.
• The Endgame platform detected and effectively prevented the execution of known malware samples
for Windows endpoints.
• The Endgame platform provided hunting and scanning capabilities for Windows endpoints.
• The Endgame platform effectively mitigated the malware with the following solutions for Windows
endpoints:
– Malware protection at file execution (prevents execution on installation)
– Malware detection for created and modified files
– Application exploit prevention (prevents execution on installation)
– Application exploit detection
– Ransomware prevention
– Deletion of files
• The Endgame platform adequately generated logs of events such that malicious activity could be
traced in accordance with PCI DSS requirements.
• The Endgame Host Sensor could not be disabled by unauthorized users.
• Endgame provides features for investigations (hunting for endpoint data), fileless attacks, whitelisting
of files or applications, and IOC search on file, network, process, registry, and users.
ASSESSOR COMMENTS
The assessment scope focused on validating the use of Endgame in a PCI DSS environment, specifically
to include its impact on PCI DSS Requirement 5. The Endgame platform, when properly implemented
following guidance from Endgame, Inc., can be utilized to meet the technical portions of PCI DSS
Requirement 5. However, as most computing environments and configurations vary drastically, it is
important to note that use of this product does not guarantee security and even the most robust anti-virus
solutions can fail when improperly implemented. A defense-in-depth strategy that provides multiple layers
of protection should be followed as a best practice. Please consult with Endgame, Inc. for policy and
configuration questions and best practices.
It should also not be construed that the use of Endgame guarantees full PCI DSS compliance. Disregarding
PCI requirements and security best practice controls for systems and networks inside or outside of PCI
DSS scope can introduce many other security or business continuity risks to merchants or service
providers. Security and business risk mitigation should be any merchant’s or service provider’s goal and
focus for selecting security controls.
APPLICATION ARCHITECTURE AND SECURITY
The Endgame platform offers prevention, detection and response, and threat hunting capabilities. The
Endgame platform can either be hosted on-premises or in the cloud. Customers can host it themselves on
their own infrastructure or Endgame can host it for the customer in the cloud. Endgame’s lightweight,
autonomous agent provides online and offline 24x7 protection.
The Endgame architecture is represented in Figure 1:
Figure 1: Endgame Architecture Diagram
The following are the key components and features of the Endgame platform:
• Endgame Host Sensor (sensor): The Endgame Host Sensor is a lightweight sensor, consuming less
than 1% CPU resources, that is deployed on all monitored endpoints and hosts. The sensor can either
run as a background process with no user interface or with a notification that gives details on current
system threats and blocked actions. The sensor does not interfere with any installed software on the
host, including anti-malware or anti-virus software. Endgame's advanced sensor technology allows
the analyst to choose to install a persistent sensor for long-term protection or a dissolvable sensor for
minimal endpoint footprint.
– Endgame Host Sensor Protection: The Endgame Host Sensor operates in the Operating
System (OS) kernel and user space. It is tamper resistant and has available protections to
prevent disabling of the sensor by the user. In addition, the sensor can be installed in disguised
mode that changes sensor driver file name, sensor file name, and popup name.
– Endgame Host Sensor Operation: The Endgame Host Sensor continuously gathers event data
including domain name system (DNS), file, image load, network, netflow, process, registry,
and Windows logon/logoff events and stores them in a secure database. This real-time event
collection and tradecraft analytics allow analysts to identify threats and respond to them quickly.
• Endgame MalwareScore®: A machine learning powered model that performs signature-less malware
prevention and blocks known and unknown malware on file-based execution. The model is used to
determine if a file is malicious and looks for static attributes of files (without executing the file) that
include file structure, layout, and content. This also includes information such as portable executable
(PE) header data, imports, exports, section names, and file size. These attributes are extracted from
millions of file samples, which then are passed to a machine-learning algorithm that distinguishes a
benign file from a malicious one. The machine learning model is updated as new data is procured and
analyzed. This model is based on Google’s VirusTotal engine.
• The Endgame platform provides Application Programming Interface (API) integration through which
users can schedule periodic malware scans, generate audit log output and Endgame platform task
audit logs, and various other outputs required. The API is based on representational state transfer
(REST) principles, where data resources are accessed via standard HTTPS requests in UTF-8 format
to an API endpoint. The Endgame platform communicates over HTTPS using JavaScript Object
Notation (JSON), and response data received is encoded as JSON.
• Endgame Arbiter®: Endgame’s advanced cloud-based malware intelligence platform that provides
behavioral and static malware analysis for all generated malware alerts. Users can submit the file for
analysis from within the platform management console and log in to Endgame Arbiter® to view the
analysis report. The report provides a summary of the malware file, including filename, Endgame
MalwareScore®, hash values, static and behavioral analysis, reputation score, and VirusTotal report.
The reputation score is calculated from Endgame’s research team lab findings, VirusTotal, and third-
party partners.
– Endgame Arbiter® also communicates the updates pertaining to sensors, malware model, and
whitelists to the Endgame platform when connected to the cloud, and the Endgame platform
will distribute these updates to the sensors immediately.
• Multi-Client Management (MCM) Server/Endgame Platform: Management and monitoring server,
hosted on-premises at the customer’s headquarters or in the Amazon cloud. MCM allows
administrators and analysts to monitor enterprise health by viewing endpoint data across multiple
Endgame platforms from a single interface. MCM integrates several pieces of data from connected
endpoints, and with this data administrators can perform installations, monitor system health, and take
actions as necessary. The management console provides user and password management features
for login to MCM and can also be configured via Lightweight Directory Access Protocol (LDAP). LDAP
enables users registered within Active Directory (AD) to connect to the Endgame platform with AD
credentials. Role-Based Access Control (RBAC) within the Endgame platform provides local users
with access to only specific functionality, page views, and permission rights. The Endgame platform
can log various tasks or actions, providing support for audit trail logging as required by PCI DSS.
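The MalwareScore® bullet above describes classifying a file from static attributes (PE header data, section names, file size) without executing it. The Python example below is added here to show what such attribute extraction looks like in practice; it is not Endgame's code or model. It parses the DOS, COFF and section headers of a PE image with nothing but the standard library, computes per-section entropy, and applies a few illustrative rules. The sample image, the rule thresholds and the list of "standard" section names are constructed for this example.

```python
import hashlib
import json
import math
import struct
from collections import Counter

# Section-characteristic flags and machine types from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}
# Section names a linker normally emits (constructed list for the example).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".pdata", ".reloc", ".rsrc", ".tls"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0-8.0); packed or encrypted sections sit near the top of the range."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def extract_static_features(blob: bytes) -> dict:
    """Read the DOS, COFF and section headers with struct; the image is never executed."""
    if len(blob) < 64 or blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", blob, coff)
    sections = []
    table = coff + 20 + opt_size  # section table follows the optional header
    for i in range(nsections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, flags) = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 3),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "file_size": len(blob),
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "link_timestamp": timestamp,
        "image_characteristics": characteristics,
        "section_names": [s["name"] for s in sections],
        "sections": sections,
    }


def suspicious_indicators(features: dict) -> list:
    """Illustrative rules over the static attributes; a learned model would weight many more."""
    hits = []
    for s in features["sections"]:
        if s["executable"] and s["writable"]:
            hits.append(f"section {s['name']} is both writable and executable")
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:
            hits.append(f"section {s['name']} has packer-like entropy ({s['entropy']})")
        if s["name"] not in STANDARD_SECTIONS:
            hits.append(f"non-standard section name {s['name']!r}")
    return hits


def build_sample_pe() -> bytes:
    """Constructed, non-functional PE image for offline testing (no real code inside)."""
    opt_size, nsections = 0xE0, 2
    headers_len = 64 + 4 + 20 + opt_size + 40 * nsections
    text_raw = bytes(range(256)) * 2   # uniform byte values -> entropy exactly 8.0
    data_raw = b"\0" * 512             # constant bytes -> entropy 0.0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew points at the PE signature
    coff = struct.pack("<HHIIIHH", 0x014C, nsections, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    text = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, headers_len,
                       0, 0, 0, 0, 0x60000020 | IMAGE_SCN_MEM_WRITE)   # code, RWX
    data = struct.pack("<8sIIIIIIHHI", b".data", 512, 0x2000, 512, headers_len + 512,
                       0, 0, 0, 0, 0xC0000040)                         # data, RW
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data + text_raw + data_raw


if __name__ == "__main__":
    feats = extract_static_features(build_sample_pe())
    print(json.dumps(feats, indent=2))
    print("\n".join(suspicious_indicators(feats)))
```

Running the script on the constructed image flags the `.text` section twice (writable and executable, and entropy of 8.0); on a real binary the same extractor yields the header, section and size attributes that a classifier consumes as features.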
TECHNICAL SECURITY ASSESSMENT
ASSESSMENT METHODS
Coalfire used the following methods to assess the potential PCI DSS coverage of the solution:
1. Analysis of the architecture and configuration of the solution in accordance with vendor guidelines.
2. Deployment of sensors to Windows systems along with enablement of policies. Windows policies
were configured to enforce the detection and prevention of known malware on file execution.
3. Examination of sensor configurations to confirm protection cannot be turned off by non-
administrators on Windows endpoints.
4. Execution of known malware samples (to include ransomware, backdoor, trojan horse, spyware,
virus, and worm) deliberately propagated to test machines.
5. Review of the backend component for verification of detection, execution prevention, and deletion of
all test malware samples for Windows endpoints. Also, evaluation of the backend component for
verification that sensors were deployed, communicating, up-to-date, performing periodic scans via
API scripts, and protecting against potential threats for the Windows endpoints.
ASSESSMENT ENVIRONMENT
The Endgame platform was hosted in the cloud for testing purposes and the sensor was installed on the
following system:
• Windows 2012 Server deployed in a virtual environment including default Windows applications with
other anti-virus solutions disabled.
NETWORK TRAFFIC ASSESSMENT
A Wireshark Ethernet port sniffer was used to monitor the following traffic for components within the
Endgame platform:
• Traffic from the Windows machine to the Endgame platform (Figure 2): No sensitive data was
transmitted over the network from the Windows machine with the sensor deployed to the Endgame
platform server and any log data or alert information was encrypted over TLS 1.2.
Figure 2: Communication between the Windows machine and the Endgame platform machine hosted
in the cloud. Encrypted data (logs or update information) is always transmitted.
TOOLS AND TECHNIQUES
Standard tools Coalfire utilized for this technical assessment included:
TOOL NAME | DESCRIPTION
Live Malware Samples | Sample binaries of known malware for Windows systems:
• Sample Windows malware obtained from theZoo aka Malware DB at http://thezoo.morirt.com/
• Sample Windows malware provided by Endgame vendor for testing purposes
*Note – Visiting and downloading from the above sites may lead to malware infection. It is highly recommended against.
Wireshark | Wireshark Ethernet port sniffer to observe the traffic coming in and out of the system
REFERENCES
PCI SSC - Data Security Standard - https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf
PCI SSC - Data Security Standard - Payment Application Data Security Standard Program Guide, v3.2 -
https://www.pcisecuritystandards.org/documents/PA-DSS_v3-2.pdf
Endgame Administrator Guide: Admin User Guide - 2.4.pdf
Endgame User Guide: User Guide - 2.4.pdf
Endgame API Documentation: Endgame API Docs.pdf
Endgame Platform Upgrade: Upgrade Endgame to the 2.4[1].pdf
Endgame Sensor Upgrade: Sensor Upgrade via Upload and Execute[1].pdf
Cloud Updates to Platform: Cloud Communication Design.pdf
APPENDIX A: PCI DSS REQUIREMENTS COVERAGE MATRIX
COMPLIANCE LEVEL | DESCRIPTION
Compliance directly supported via use of the Endgame platform
Requires merchant action for full compliance
PCI DSS REQUIREMENT | COMPLIANCE SUPPORTED | ASSESSOR COMMENTS
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Assessor comments: Endgame provides the following features:
• Can directly deploy sensors (endpoint software application) on Windows systems through the Endgame management console. Sensors can also be deployed manually on Windows through the command line terminal.
• Provides direct monitoring capability for the sensor-deployed systems through the Endgame management console (hosted on a customer’s physical premises or in the cloud).
5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Assessor comments:
• Endgame, Inc. uses Endgame MalwareScore®, the machine learning model developed by Endgame, Inc., to detect and prevent known malware. This allows Endgame to detect known malware, block it from running, and remove it when requested by an administrator. Testing showed that Endgame was able to detect, block at file execution, and remove malware by providing the file path for several examples of viruses, Trojans, ransomware, rootkits, and other known malware on the Windows OS endpoint.
• Administrators can configure the policies on Windows systems to detect and prevent malware. Deletion of a file requires actions to be performed on the endpoints through the management console. The configurations have to be performed by administrators in order to be compliant with PCI DSS requirements.
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
Assessor comments: This is a process/procedure requirement. Customers (merchants or service providers) must “periodically” evaluate the systems they use to ensure they are not considered commonly affected. Endgame Host Sensors can be deployed on Windows endpoints and sensor deployments would be required to evaluate and identify malware threats on these endpoints.
5.2 Ensure that all anti-virus mechanisms are maintained as follows:
• Are kept current
• Perform periodic scans
• Generate audit logs which are retained per PCI DSS Requirement 10.7.
Assessor comments:
5.2.a
• The sensor software installed on Windows endpoints checks for and detects malicious files on execution and performs real-time checks against Endgame MalwareScore®.
• Automatic updates of the Endgame platform are available when there is connectivity to the cloud environment (Arbiter), thus meeting the PCI DSS automatic updates requirement. Windows endpoint sensors then receive updates from the Endgame platform management console.
5.2.b Policies can be configured on Windows systems via API scripts that will need to be developed and deployed on Endgame platform servers in the respective environments to have the scans performed periodically.
5.2.c Logging as required by PCI DSS can be generated via API scripts that will need to be developed and deployed on Endgame platform servers in the respective environments, requiring administrators to perform the necessary actions. The audit logs generated will need to be forwarded to syslog servers for retention purposes to meet PCI DSS Requirement 10.7. The logging could include actions performed by users or administrators on the management console as well as tasks that were executed for Windows endpoints from within the management console.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Assessor comments:
5.3.a The Endgame management and monitoring console shows the monitoring status (Active, Inactive, Unmonitored, or Deployment Failure status mode) of all endpoints where the sensor is deployed through the management console.
5.3.b The management console provides the functionality to delete or uninstall the endpoint sensor device based on the administrator type setting and permissions. No users can disable the sensor software running locally on the Windows machine without appropriate administrator permissions.
5.3.c This is an administrative control and requires authorization to be provided by management to meet the control requirement.
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Assessor comments: This is a policies and procedures based requirement. While Endgame can help meet the requirements for protecting against malware, it is up to administrators to create and document specific policies as required for their respective environments.
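The API bullet under Application Architecture and Security and assessor comment 5.2.c above describe the part of the logging control that falls to the customer: audit log output is produced through the platform's REST/JSON API by scripts the customer develops, and the records must then reach a syslog server to be retained under Requirement 10.7. The Python script below is an example added here, not code from Endgame or Coalfire. It takes JSON audit records, renders each as an RFC 5424 syslog message with the user, event type, time, origin and affected endpoint carried as structured data, ships the batch over UDP, and classifies each record into the retention tier Requirement 10.7 still demands at a given date. The JSON field names, the action names, the syslog facility and the pluggable fetcher are assumptions; the real endpoint, authentication and schema come from the Endgame API documentation listed under References.

```python
import json
import socket
from datetime import datetime, timedelta, timezone

# RFC 5424 PRI = facility * 8 + severity. Facility local4 (20) is an assumption for the collector.
FACILITY = 20
# Severity per event type; the action names are hypothetical, not the platform's schema.
SEVERITY_BY_ACTION = {"malware_blocked": 2, "file_deleted": 5, "policy_changed": 5, "user_login": 6}
DEFAULT_SEVERITY = 6
# 32473 is the enterprise number RFC 5424 reserves for documentation examples.
SD_ID = "audit@32473"

# Constructed sample of a JSON audit-log response. Field names are assumptions made for this
# example; a real script uses the field names from the platform's API documentation.
SAMPLE_AUDIT_RESPONSE = json.dumps({"data": [
    {"timestamp": "2017-10-12T14:03:11Z", "user": "analyst1", "action": "malware_blocked",
     "endpoint": "WIN2012-01", "detail": "execution prevented: C:\\lab\\sample.exe"},
    {"timestamp": "2017-10-12T14:05:40Z", "user": "admin", "action": "file_deleted",
     "endpoint": "WIN2012-01", "detail": "C:\\lab\\sample.exe"},
]})


def fetch_audit_records(fetcher=None) -> list:
    """Return audit records as dicts. `fetcher` is a zero-argument callable that performs the
    authenticated HTTPS GET (for example urllib with ssl.create_default_context(), so the
    server certificate is verified) against the platform's documented audit-log endpoint.
    By default the constructed sample is used so the script runs offline."""
    body = fetcher() if fetcher else SAMPLE_AUDIT_RESPONSE
    return json.loads(body)["data"]


def sd_escape(value: str) -> str:
    """RFC 5424 requires backslash, double quote and ']' to be escaped inside SD-PARAM values."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_rfc5424(rec: dict, hostname="endgame-platform", appname="endgame-audit") -> str:
    """Format one record as an RFC 5424 line: PRI VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG.
    The structured-data block keeps the fields an audit trail needs (user, event type,
    date/time, origin, affected resource) as separate parameters the collector can index."""
    pri = FACILITY * 8 + SEVERITY_BY_ACTION.get(rec["action"], DEFAULT_SEVERITY)
    sd = "[{} user=\"{}\" action=\"{}\" endpoint=\"{}\"]".format(
        SD_ID, sd_escape(rec["user"]), sd_escape(rec["action"]), sd_escape(rec["endpoint"]))
    return f"<{pri}>1 {rec['timestamp']} {hostname} {appname} - {rec['action']} {sd} {rec['detail']}"


def build_syslog_batch(records: list) -> list:
    return [to_rfc5424(r) for r in records]


def send_udp(lines: list, host: str, port: int = 514) -> int:
    """Ship the lines to a collector over UDP syslog; returns the number of datagrams sent.
    Prefer syslog over TLS (RFC 5425) where the collector supports it, so the retained
    record cannot be altered in transit."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))
            sent += 1
    return sent


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def retention_tier(ts: str, now: datetime) -> str:
    """PCI DSS 10.7: keep audit history for at least one year, with at least three months
    immediately available. Returns the tier a record must still be in at `now`."""
    age = now - parse_ts(ts)
    if age <= timedelta(days=90):
        return "online"
    if age <= timedelta(days=365):
        return "archive"
    return "purgeable"


if __name__ == "__main__":
    batch = build_syslog_batch(fetch_audit_records())
    for line in batch:
        print(line)
    print(send_udp(batch, "127.0.0.1"), "datagrams sent")   # replace with the collector address
```

Run on a schedule, this is the "script deployed on the platform server" that 5.2.c refers to; the retention tiers give the collector's lifecycle policy a concrete rule to enforce (online for 90 days, archived to one year, then eligible for purge).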
APPENDIX B: EXECUTED TEST PLAN
PCI DSS REQUIREMENT | TEST DEFINITION PER PCI VALIDATION PLAN | COMPLIANCE SUPPORTED | ENDGAME RESULTS AND TESTING
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement: 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Test definition: 5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.
Endgame results and testing: Produced a report and log record that indicated that the sensor software was installed, active, and gathered events to detect and prevent threats from endpoints within scope of PCI DSS.
Requirement: 5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Test definition: 5.1.1 Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs:
• Detect all known types of malicious software,
• Remove all known types of malicious software, and
• Protect against all known types of malicious software.
Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits.
Endgame results and testing:
1. Detect all "KNOWN" types of malware: Endgame MalwareScore® allows Endgame to detect known malware and block them from running. Demonstrated that the types of malware that were detected included ransomware, backdoor, trojan horse, spyware, virus, and worm.
2. Remove all "KNOWN" types of malware: Demonstrated that administrator users can delete the detected malicious file through the management console. The types of malware that were removed included ransomware, backdoor, trojan horse, spyware, virus, and worm.
3. Protect against all "KNOWN" types of malware: Demonstrated how the solution detected and then banned or blocked known malware that was part of the known malware list from VT for Windows endpoints. The types of malware that were protected against included ransomware, backdoor, trojan horse, spyware, virus, and worm.
Requirement: 5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
Test definition: 5.1.2 Interview personnel to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, in order to confirm whether such systems continue to not require anti-virus software.
Endgame results and testing: Demonstrated how easily the Sensor software was deployed on any given system (OS coverage and implementation features). Also illustrated how any given system was assessed even if it was not part of the in-scope PCI systems.
Requirement: 5.2 Ensure that all anti-virus mechanisms are maintained.
• Are kept current
• Perform periodic scans
• Generate audit logs which are retained per PCI DSS Requirement 10.7.
Test definition: 5.2.a Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up to date.
Endgame results and testing: Demonstrated that MalwareScore® analyzes, detects, and protects against the malicious files for Windows endpoints. Once the Endgame platform was updated with the newer version via cloud, updates were pushed out to sensor software on endpoints through the management console.
Test definition: 5.2.b Examine anti-virus configurations, including the master installation of the software, to verify anti-virus mechanisms are:
• Configured to perform automatic updates, and
• Configured to perform periodic scans.
Endgame results and testing:
• Demonstrated that Endgame periodically scanned in-scope systems for malware through API scripts that can be executed on the Endgame platform server.
• Demonstrated that automatic updates could be performed when connected to the Arbiter in the cloud environment.
• The Windows endpoint sensor was then upgraded from within the Endgame platform management console.
Test definition: 5.2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that:
• The anti-virus software and definitions are current.
• Periodic scans are performed.
Endgame results and testing:
• Demonstrated that Endgame’s machine learning model was sourced from current repositories and received information through Arbiter.
• Demonstrated that Endgame periodically scanned in-scope systems through the use of API scripts.
Test definition: 5.2.d Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that:
• Anti-virus software log generation is enabled, and
• Logs are retained in accordance with PCI DSS Requirement 10.7.
Endgame results and testing: Demonstrated that anti-virus logs are available through the Endgame platform; however, administrators are required to execute scripts periodically on the platform to generate logs as required by PCI DSS. These logs are currently retained as per customers’ retention requirements. These could be retained in accordance with PCI DSS Requirement 10.7 or could be configured to have the logs sent out via syslog for retention purposes.
Requirement: 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Test definition: 5.3.a Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify the anti-virus software is actively running.
Endgame results and testing: Demonstrated via log reports and live console view that the sensor software was either running or active on Windows endpoints and that the policy was enforcing the proper configurations.
Test definition: 5.3.b Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that the anti-virus software cannot be disabled or altered by users.
Endgame results and testing: Demonstrated that users cannot disable the sensor software running locally on the Windows machine without appropriate administrator permissions.
Test definition: 5.3.c Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Endgame results and testing: Demonstrated that Endgame could be configured by a user with proper administrative access and that a policy was in place that dictated when authorized changes could be made for Windows endpoints.
Requirement: 5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Test definition: 5.4 Examine documentation and interview personnel to verify that security policies and operational procedures for protecting systems against malware are:
• Documented,
• In use, and
• Known to all affected parties.
Endgame results and testing: This is a policies and procedures based requirement. Customers are required to implement this requirement for their environment. Demonstrated that Endgame logs were queried and that health statistics regarding the client software were collected to provide proof of agent uptime as well as policy compliance.
CONCLUSION
After reviewing the requirements of the PCI DSS, Coalfire determined, through review of business impacts
and a technical assessment, that Endgame, as outlined in this document, could meet PCI DSS Requirement
5 for Windows endpoints. The ability to achieve overall compliance with any regulation or standard will be
dependent upon the specific design and implementation of the Endgame platform.
Endgame demonstrated a high level of flexibility for managing endpoints, customization of policies, file
analysis, notifications, configurations including logging, and LDAP and RBAC settings, which makes it an
option for companies aiming to comply with PCI DSS anti-malware requirements.
ABOUT THE AUTHORS
Bhavna Sondhi | Senior Security Consultant | CISA, QSA (P2PE), PA-QSA (P2PE)
Bhavna Sondhi is a Sr. Security Consultant for the Application Security team at Coalfire. Bhavna is responsible for conducting PCI DSS, PA-DSS, and P2PE assessments as well as authoring technical whitepapers. Bhavna joined Coalfire in 2013 and brings over 11 years of software engineering and Information Security experience to the team, leading extensive consulting and assessment engagements within USA, Europe, and Asia. As a lead PA-QSA and P2PE-QSA, Bhavna supports assessments for some of the largest payment software providers in the world and her software engineering experience plays a vital part in ensuring the teams recognize the importance of secure code development and Information Security within their operational practices.
Nick Trenc | Director
Nick Trenc is the Director of the Application Security team at Coalfire. Nick has several years of
experience working in Information Security and has an in-depth understanding of application, network,
and system security architectures. He holds CISA, CISSP, QSA, and PA-QSA certifications.
Published November 2017.
ABOUT COALFIRE
Coalfire is the cybersecurity advisor that helps private and public sector organizations avert threats, close gaps, and effectively manage risk. By providing independent and tailored advice, assessments, technical testing, and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives, and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 16 years and has offices throughout the United States and Europe. Coalfire.com
Copyright © 2014-2017 Coalfire Systems, Inc. All Rights Reserved. Coalfire is solely responsible for the contents of this document
as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable
regulations and standards (HIPAA, PCI-DSS et.al). Consequently, any forward-looking statements are not predictions and are
subject to change without notice. While Coalfire has endeavored to ensure that the information contained in this document has
been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so.
Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information.
Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the
current technology landscape. In order to maintain contextual accuracy of this document, all references to this document must
explicitly reference the entirety of the document inclusive of the title and publication date; neither party will publish a press release
referring to the other party or excerpting highlights from the document without prior written approval of the other party. If you have
questions with regard to any legal or compliance matters referenced herein you should consult legal counsel, your security advisor
and/or your relevant standard authority.