EASING THE COMPLIANCE BURDEN :: SAGAN SOLUTION & PCI COMPLIANCE
ARTICLE :: FEBRUARY 2016
For anyone tasked to ensure compliance with the 12 requirements contained in the Payment Card
Industry Data Security Standard (PCI DSS), one requirement often causes unexpected difficulty, if only
because of the variety of systems involved.
Requirement 10 of the PCI DSS requires companies to track and monitor all access to network
resources and to cardholder data. On the surface that seems pretty easy. Implement audit trails,
record information about specific events, use time synchronization, write audit logs to a central log
management system, monitor file integrity of audit logs, review audit logs daily and retain the log
information for at least a year.
But how can your company make it all work? It is fairly easy to get any individual system – Windows,
Linux, AIX, Cisco IOS – to record the required audit trail information, and most modern systems are
easy to configure to use time synchronization. That’s where it begins to become difficult.
The challenges to meeting PCI compliance requirements are significant and can have both technical
and financial impact.
* Systems record log data in different formats – syslog, event log, SNMP trap, Cisco Netflow. Is
there existing expertise to easily configure each of them to talk to and transfer data to a central
log server?
* What about collecting relevant application data and moving it from public servers such as Web
Servers, DNS Servers, and Mail Servers promptly and securely into an internal environment?
* In a retail environment, are you prepared to collect and protect the log data from your Point of
Sale systems?
* If you store cardholder data, do your Database Administrators and system administrators have
time to add the necessary responsibilities to their workloads?
* Where will you place and configure file integrity monitoring?
* Do you have the resources to monitor the logs daily, recognize threats, and respond?
* How much data will have to be stored to meet the retention requirements?
The real question for any company dealing with compliance requirements is “how can we minimize the
impact of compliance on our core business processes and budget and still maximize the results?”
Article published by: Drew Brunson, Senior Information Security Consultant,
Quadrant Information Security
quadrantsec.com
Quadrant Information Security and its Sagan Technology Security Information and Event Management
(SIEM) system provide the answer to that question and make compliance with Requirement 10 of the
PCI Standard easy to achieve.
Quadrant has the expertise to analyze your environment and implement our Sagan solution directly
into your environment, configured to meet your exact needs. By placing our Sagan appliance, or
multiple appliances, in your environment we remove the need for sensitive information to ever leave
your control and we have the expertise to bring audit information directly from your core systems and
integrate it into the Sagan engine, where it is dynamically evaluated. Our Security Operations Center
(SOC) monitors this process 24/7/365 and alerts for anomalies and threats are generated automatically
and manually. Alerts can be tailored according to pre-defined levels. Some alerts may only be listed in
a daily report, others in an email to on-call personnel, others may generate a phone call from our SOC
to on-call and/or management to ensure immediate notification and response.
From a PCI requirement perspective, Quadrant helps your company address each of the sub-requirements
of Requirement 10.
10.1 Inventory – We help you inventory your systems and ensure that all systems are generating the
appropriate logs.
10.2 Event Reconstruction – We can help you “tune” the audit trails from each system to ensure that
the information captured will allow the reconstruction of required security events.
10.3 Auditable Events – It’s easy to miss recording certain events and Quadrant can help you ensure
and validate that each system is recording each of the events required by the PCI DSS.
10.4 Time Sync – Time synchronization is critical to the Quadrant solution, and we help ensure that
time synchronization is active and accurate.
10.5 Secure Log Environment – Our Quadrant appliance provides a secure environment for all
systems capable of writing syslog, event log, SNMP trap, or Cisco Netflow events.
10.6 Review and Monitoring – Our Security Operations Center provides around the clock real-time
monitoring of the auditable events that are configurable according to your priorities.
10.7 Audit Retention – Our systems are configured to retain your log data for a minimum of 53 weeks,
well within what the PCI DSS requires.
10.8 Policy & Process – While your company retains responsibility for the policy component of this
sub-requirement, our processes for monitoring your network resources and cardholder data are
documented and available in compliance with this area.
We are flexible in our ability to manage events from a diverse population of assets. Some of the
systems we can manage include:
* Routers (Cisco, etc.)
* Managed network switches
* Firewalls (Sonicwall, Fortigate, etc.)
* IDS/IPS systems (Cisco, Fortigate, etc.)
* Linux and Unix systems (services, kernel messages, etc.)
* Windows based networks (Event logs, etc.)
* Specified Application events (Webservers, Point of Sale)
* Wireless access points (Cisco, D-Link, etc.)
* Host based IDS systems (HIDS) (AIDE, OSSEC, etc.)
* Detection of rogue devices on networks (via Arpalert, etc.)
Our Sagan Technology SIEM, combined with our Managed Security Services solution, provides real-time
monitoring of your most valuable assets. Each event from an asset is written in real time to the
Sagan appliance and these entries are evaluated as they come in on the wire. Combined with its clean
and easy to use security console, available to authorized users in your company, it is a proven solution.
We use the solution in house to manage our 24/7 Managed IDS / IPS services for customers.
Sagan Technology gives us a broad range of devices, services, and applications that we can monitor. For
example, if your organization is a “Cisco shop” and you don’t want to deploy Snort based IDS/IPS
sensors, it really doesn’t matter to our staff. We can monitor the Cisco devices just as we would a
Snort based IDS/IPS solution.
With our security console our users can take advantage of a number of unique features to strengthen
their company’s security posture and remain within PCI DSS compliance. More specifically, we can
provide robust reporting tools to report uniquely on PCI as well as overall network activity. The Sagan
console also provides log search functionality, our reputation database and threat intelligence.