Identifying automation opportunities: Configuration management
Sprinkled heavily throughout PCI DSS 1.1, within requirements two, seven and eight, are obligatory controls over baseline builds and the variances those builds are subject to over time. Controls related to password management, unencrypted non-console administrative access, and entitlements are just a few areas that require granular control and oversight of low-level system settings. As enterprises grow, systems age, and new administrators gain access to critical systems, it becomes more difficult to ensure the compliance of system settings without a set of automated tools that can query systems and proactively alert system administrators and security staff to security deficiencies.
Benefit: Full population view versus small sample sizes
Rather than sampling, a total population snapshot can take place at regular and frequent intervals. When sampling, it may take months and even years before deficiencies in all system builds are discovered. For PCI purposes, even one deficiency can lead to a failing grade, and may result in a lack of safe harbor status following a breach.
Benefit: Auditors and security staff save time with assessments
With proactive monitoring and alerting, system administrators and security staff can more efficiently spend their time on remediation items instead of assessment drills. Many tools offer the ability to prioritize alerts based upon system classification or severity of security settings. This allows security staff and administrators to focus on those critical systems that may impact an organization more significantly.
Additional benefits include:
- Automated checks are less time consuming and prone to fewer errors
- Automated checks usually scale well in very large organizations
- New checks can be performed in relatively quick fashion
- Automated checks offer the ability to identify variances in corporate security policies
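As an added illustration (not code from the original article), the following Python script evaluates a constructed full-population snapshot of host settings against a small baseline and ranks the findings by severity and system classification, the prioritization described above. Host names, the `classification` tag and the snapshot values are constructed; the 7-character and 90-day thresholds reflect the DSS 1.x password rules and should be adjusted to the version in force.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Rule:
    name: str          # setting being checked
    requirement: str   # PCI DSS requirement area the rule maps to
    severity: int      # 1 (low) .. 3 (high)
    compliant: Callable[[Dict], bool]  # True when the host passes

# Baseline rules; thresholds follow DSS 1.x password requirements (assumed here).
RULES: List[Rule] = [
    Rule("encrypted_admin_access", "2", 3, lambda c: not c["telnet_enabled"]),
    Rule("vendor_defaults_removed", "2", 3, lambda c: not c["default_accounts_enabled"]),
    Rule("password_min_length", "8", 2, lambda c: c["password_min_length"] >= 7),
    Rule("password_max_age", "8", 2, lambda c: 0 < c["password_max_age_days"] <= 90),
]

# In-scope hosts (store/process/transmit cardholder data) outrank others
# when two findings share a severity.
CLASS_WEIGHT = {"cardholder": 2, "other": 1}

# Constructed snapshot standing in for the output of a config-collection tool.
SNAPSHOT: Dict[str, Dict] = {
    "db01": {"classification": "cardholder", "telnet_enabled": True,
             "default_accounts_enabled": False, "password_min_length": 8,
             "password_max_age_days": 90},
    "web02": {"classification": "cardholder", "telnet_enabled": False,
              "default_accounts_enabled": False, "password_min_length": 6,
              "password_max_age_days": 0},
    "print01": {"classification": "other", "telnet_enabled": True,
                "default_accounts_enabled": True, "password_min_length": 8,
                "password_max_age_days": 60},
}

def evaluate(snapshot: Dict[str, Dict], rules: List[Rule] = RULES) -> List[Tuple[int, str, str, str]]:
    """Check every host against every rule; return (priority, host, rule, req), highest first."""
    findings = []
    for host, cfg in snapshot.items():
        weight = CLASS_WEIGHT.get(cfg.get("classification", "other"), 1)
        for rule in rules:
            if not rule.compliant(cfg):
                findings.append((rule.severity * weight, host, rule.name, rule.requirement))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))

if __name__ == "__main__":
    for priority, host, rule, req in evaluate(SNAPSHOT):
        print(f"P{priority} {host:8} {rule:24} (PCI DSS req {req})")
```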
Identifying automation opportunities: Log management
Requirement 10 of the PCI DSS has traditionally been one of the more time consuming and tedious requirements to fulfill, as each system that stores, processes, or transmits cardholder data (or an in-scope system) must log a minimum set of attributes to comply with PCI.
Securing the application- and system-level local logs of each in-scope system can be challenging in large financial organizations with a diverse variety of systems. Granular, need-to-know access controls must be enforced to ensure that non-privileged users are not able to modify, access, and/or delete logs or log settings.
The amount of time that it takes to manually review logs can be egregious and boring. Monotonous tasks lead to mistakes, omissions, and a false sense of security.
Manual sorting of the most critical alerts can lead to unnecessarily long security exposures for vulnerable or compromised systems. Alternatively, automated checks allow for predefined prioritization of alerts based upon a variety of different attributes inclusive of log type, source, system type, and other correlated vulnerability data. This enables quick reaction times for the most critical security alerts on the most relevant systems.
Additional benefits of automated log management:
- Ability to detect misconfigurations of applications and systems in near real time
- Improved SLAs to external and internal customers
- Improved incident response capabilities during compromises
- Better forensic data through the comparison of correlated information between multiple security devices along with application and system logs
Erecting automated processes that focus on configuration management and audit log management responsibilities can benefit general security best practices, and operational dividends while freeing up cycle time of your IT compliance and security teams to tackle more strategic and thought provoking work.
About the author:
Spyro Malaspinas, CISSP, CISM, CISA, GCIH, CCNA, CSPFA, CCSE+, NSA, Six Sigma, is a principal at ThreeFactor Security and can be reached at firstname.lastname@example.org. Spyro formerly served as the PCI practice leader at Symantec Corp., a senior security consultant at VeriSign Inc., and a security architect at IBM. He has performed compliance assessments, remediation, and risk and compliance program management functions for some of the largest merchants and service providers globally.
This was first published in June 2008