AlienVault For Regulatory Compliance


AlienVault for Regulatory Compliance
Industry Whitepaper: Compliance

Overview of Regulatory Compliance in Information Security

As computers and networks have become more important in society, they and the information they contain have come under increasing legal and industry regulation. However these regulations evolve, they will always imply the need for diligence on the part of network owners and operators. Diligence is most easily demonstrated by proving that you have exercised all reasonable efforts at monitoring your information system and ensuring that it has the requisite technologies deployed and policies enforced on it. Monitoring your network is what Security Information and Event Management (SIEM) solutions like the AlienVault Professional SIEM are all about.

The AlienVault Professional SIEM includes hundreds of automated compliance reports and a Report Wizard that allows for unlimited customization to fit your unique needs. Raw logs and other data are stored forensically in the AlienVault Logger with full chain of custody and digital signatures to ensure validity. As we will discuss below, AlienVault provides built-in functionality for many controls under PCI and other regulatory regimes.

But first let us take a look at how we got here. It is the best way to determine where you are and to see the road ahead.

History of Regulatory Compliance in Information Security

Gramm-Leach-Bliley Act of 1999 - While not chronologically the first piece of regulation to in some way address the policies and practices of information security, the evolution of regulatory regimes impacting information security in the United States can nonetheless be effectively seen as beginning with the Gramm-Leach-Bliley Act of 1999, commonly referred to as GLBA or "Glibba". While designed to establish processes and address information stored on paper more so than electronically networked information, GLBA established a precedent for how we think about responsibility and liability regarding information security.

GLBA was most notable for replacing portions of the 1933 Glass-Steagall Act, allowing financial institutions to combine functions previously reserved for separate institutions. Because of this sharing of functions within the financial community, GLBA also included enforceable legal mandates impacting the management and security of customer information. These were broken down into three major areas:

1. The Financial Privacy Rule
This rule required financial organizations to tell customers what data they collected, who it was shared with, what is done with the information and how it is being protected.

2. The Safeguards Rule
The Safeguards Rule required organizations to create a written security policy describing how customer data will be protected. Most notably for our purposes here, and for understanding the ongoing thrust of information security regulations, the Safeguards Rule of GLBA also required the regulated organizations to "develop, monitor and test a program to secure" the pertinent information. This intent of "monitoring and testing" your organization's information security solution is found throughout all regulations that follow GLBA, as should not be surprising. Simply implementing an information security solution is in the end pointless if that solution is not subject to constant monitoring and testing to ensure that it is achieving the goal of protecting the subject information.

3. Pretexting Protection
Pretexting is another word for "social engineering", or any of the more traditional words for bluffing or impersonating to gain unauthorized access to personal information. This requirement in GLBA and other regulatory structures has helped promote authentication systems in IT and led to significant testing and auditing of processes.

The intent noted under GLBA's Safeguards Rule - that any acceptable solution deployed by an organization subject to the law must include aspects of monitoring and testing - is the first clear indication that SIEM would become central to any regulatory compliance effort. Without the ability to know what you have and to see what it is doing, for the present and for the past, there is no real reason to believe that your information system has been secure or that you could consistently demonstrate its security to others.

The Sarbanes-Oxley Act of 2002, commonly referred to as "SOX", is a United States federal law regarding accounting practices which was in part brought about by the notorious events at Enron, WorldCom and other companies of the preceding period. SOX created requirements for publicly traded companies to increase transparency into their operations, and the controls they have built into them, through a regime of reporting. The sections of SOX which most directly or implicitly impact Information Technology are 302, 404 and 409.

SOX Section 302
"Corporate Responsibility for Financial Reports" - places responsibility on the company's officers to certify the accuracy of quarterly and annual financial statements.

SOX Section 404
"Management Assessment of Internal Controls" - requires submission of an annual report to the Securities and Exchange Commission detailing the effectiveness of internal controls over financial reporting. Control over the IT systems on which these accounting practices are performed is implicit in SOX 404 compliance.

SOX Section 409
"Real-Time Issuer Disclosures" - requires regulated organizations to be diligent about maintaining awareness of the controls on their operations and of the financial condition of their organization, and to disclose "material changes" to them on a rapid and current basis, which the SEC has implemented as Form 8-K disclosure within four business days. Security breaches of the information systems that hold the financial information are well within the definition of "material changes" to these controls and can dramatically impact a company's financial condition.

SOX was one of the first regulatory regimes to drive significant adoption of SIEM technologies as companies sought to secure their ability to demonstrate adequate controls over their accounting data. AlienVault Professional SIEM contains built-in SOX reporting capabilities.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was intended to protect the health insurance coverage of workers when they changed employers (HIPAA Title I) and additionally created the requirement to provide a structure for managing the security of patient records and other medical data (HIPAA Title II).

The "Privacy Rule" provision of HIPAA Title II came into effect in the spring of 2003, regulating the disclosure and handling of patient records, including medical records themselves as well as patient financial records. The companion "Security Rule", with a compliance date of April 2005, sets the administrative, physical and technical safeguards required for electronic Protected Health Information (PHI). PHI must be secured and organizations must be able to demonstrate to auditors that they are capable of managing the security of their systems.

As Health Information Technology (HIT) efforts increase and automation at last spreads throughout healthcare providers in the United States, HIPAA compliance will become a much more common concern. Healthcare providers are today digitizing patient medical records at a historic and increasing pace, and industry-wide communications are emerging. The need for management and monitoring of the transmission and handling of data as sensitive as individual medical and genetic information will without doubt drive increased demand for robust and sophisticated SIEM deployments throughout the medical community.

AlienVault Professional SIEM contains built-in HIPAA/HIT reporting capabilities.

Copyright AlienVault, LLC, 2010 – info@alienvault.com – USA, Spain, Germany, Mexico 1 408 465-9989

The Cybersecurity Act of 2009 (S.773) has, as of this writing, not yet passed into law. Whether or not it ultimately does become law, it provides strong indications of future directions for the evolution of regulatory compliance in the information security world:

"Purpose: To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes."

Section 6 of S.773 specifically dwells on information security regulation, stating that the National Institute of Standards and Technology shall "establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks".

Of significant note as well in the Cybersecurity Act is subsection 6(d)(2):

"shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section."

In other words: "critical infrastructure" comes to mean what the President says it means, and there are strong indications throughout the Act that this will include networks critical to the functioning of the United States other than the traditional power and water control system networks. We leave it as an exercise for the reader to interpret that statement, but it is certainly an implication that economic, educational, health and many other systems may well fall under this or other future regulatory regimes.

Regulatory Compliance Detailed Example: AlienVault and PCI

The Payment Card Industry Data Security Standard (PCI DSS) - PCI emerged from Visa's earlier standards and is now maintained by the PCI Security Standards Council, an organization created by the major credit card brands in reaction to various highly publicized breaches of credit card information. The PCI DSS has prompted significant adoption of SIEM and other information security technologies and best practices for the simple reason that it has the type of teeth that strongly motivate business executives: financial. Failure to maintain PCI compliance can cost an organization ongoing fines until compliance is reached and could result in an organization losing the ability to accept credit cards (which for most merchants is tantamount to a death sentence). If cardholders' information is compromised, the merchant organization could be held financially liable for the total losses and replacement costs for all parties involved, adding up potentially to many millions of dollars. PCI audits require the signature of a C-level executive, who bears personal responsibility for the accuracy of the compliance reports.

The DSS imposes a variety of requirements on "Merchant" organizations (organizations which handle credit card transactions) based on the number of transactions they handle each year. The exact thresholds vary slightly between card brands; the Visa levels are the ones most often quoted:

Level 1 PCI Merchants are companies handling more than six million credit card transactions per year.
Level 2 PCI Merchants are companies handling between one million and six million transactions per year.
Level 3 PCI Merchants handle between twenty thousand and one million e-commerce transactions per year.
Level 4 PCI Merchants handle fewer than twenty thousand e-commerce transactions per year, or up to one million transactions of any kind.

Level 4 merchants quite often outsource all of their credit card handling needs and can avoid incurring significant overhead due to PCI compliance. Level 1 merchants will almost always need to perform significant diligence to comply with the PCI DSS.

The PCI DSS - While SIEM is not specifically mentioned in the PCI standard documentation, all twelve requirements implicitly call for functionality provided by AlienVault Professional SIEM.

Section 1: "Install and maintain a firewall configuration to protect cardholder data."
AlienVault Professional SIEM allows you to determine what traffic is using your network at layers 1-7 to assist with the creation and enforcement of firewall configurations.

Section 2: "Do not use vendor-supplied defaults for system passwords and other security parameters."
AlienVault Professional SIEM provides visibility into user login activity and detects the use of cleartext (unencrypted) login protocols.

Section 3: "Protect stored cardholder data."
AlienVault Professional SIEM detects out-of-policy access to cardholder data and provides the reporting and response platform for such incidents.

Section 4: "Encrypt transmission of cardholder data across open, public networks."
AlienVault Professional SIEM is able to detect unencrypted traffic leaving areas of the network containing cardholder data.

Section 5: "Use and regularly update anti-virus software or programs."
AlienVault Professional SIEM deployed on PCI networks can enable prioritization of antivirus alerts, can confirm that updates are propagating regularly and can integrate antivirus alerts into network monitoring and correlation. AlienVault's NAC capability can integrate with network infrastructure to enforce antivirus update levels on laptops, hosts and workstations.

Section 6: "Develop and maintain secure systems and applications."
SIEM is a virtual requirement for maintaining secure systems, providing the monitoring and reporting platforms to verify consistently applied security. Every aspect of the AlienVault Professional SIEM is specifically designed to ensure the maintenance of secure systems and applications.

Section 7: "Restrict access to cardholder data by business need to know."
Confirmation that access policy is being applied is provided by the AlienVault Professional SIEM, which detects and records configuration changes to systems holding cardholder data and detects and records suspicious login attempts to these systems.

Section 8: "Assign a unique ID to each person with computer access."
AlienVault Professional SIEM monitors user logins to all systems in the PCI domain, detecting non-standard login attempts and relating user IDs to originating IP and, in some cases, MAC addresses.

Section 9: "Restrict physical access to cardholder data."
Areas that are controlled by card or biometric access can have these systems integrate with AlienVault Professional SIEM, providing confirmation of access by physical identification and correlation with events which occur on the information system before and after an individual physically accesses a controlled area.

Section 10: "Track and monitor all access to network resources and cardholder data."
AlienVault Professional SIEM is designed specifically to track and monitor activities such as access to network resources and data stores. AlienVault Professional SIEM will by nature retain a complete audit trail of access to all components in the PCI domain and provide the capability to alert on out-of-policy access violations.

Section 11: "Regularly test security systems and processes."
AlienVault Professional SIEM deployed in a PCI environment is an active and ongoing test of the security of that information system. Constantly monitoring all aspects of the PCI domain and providing a central console to oversee and investigate the results of testing exercises, AlienVault Professional SIEM is the active testing center for PCI compliance.

Section 12: "Maintain a policy that addresses information security for employees and contractors."
AlienVault Professional SIEM in a PCI environment provides an active representation of existing policies, a platform for detecting policy violations as well as a platform for determining necessary policy changes.
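The two claims a practitioner will want to test for themselves are the Logger's "chain of custody and digital signatures" on stored logs and the Section 7, 8 and 10 items above: recording every access to a cardholder host and alerting on out-of-policy logins. The Python below is an added illustration of both, not AlienVault code. The event fields, the access policy, the key and the sample events are all assumptions constructed for the example, and HMAC-SHA256 stands in for the asymmetric digital signature the paper refers to.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed sample access events for a cardholder-data host. These are not
# AlienVault Logger records; the field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2010-03-01T09:00:01Z", "user": "jdoe",       "src": "10.10.5.21",   "host": "pos-db-01", "action": "login"},
    {"ts": "2010-03-01T09:05:44Z", "user": "svc_backup", "src": "10.10.5.8",    "host": "pos-db-01", "action": "read"},
    {"ts": "2010-03-01T09:07:12Z", "user": "mallory",    "src": "10.10.5.30",   "host": "pos-db-01", "action": "login"},
    {"ts": "2010-03-01T09:09:03Z", "user": "jdoe",       "src": "203.0.113.9",  "host": "pos-db-01", "action": "login"},
    {"ts": "2010-03-01T09:11:27Z", "user": "guest",      "src": "198.51.100.7", "host": "pos-db-01", "action": "read"},
]

# Assumed access policy in the spirit of PCI DSS Requirements 7 and 8:
# who may touch the cardholder host, and from which network.
AUTHORIZED_USERS = {"jdoe", "svc_backup"}
ALLOWED_SUBNET = ipaddress.ip_network("10.10.5.0/24")

# Demo key only. A real logger keeps the key away from the collector (or uses
# an asymmetric signature); HMAC stands in for that signature here.
DEMO_KEY = b"demo-signing-key-not-for-production"
GENESIS = "0" * 64


def _canonical(event):
    """Serialize an event deterministically so digests are reproducible."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain, event, key=DEMO_KEY):
    """Append one event, hash-linking it to the previous record and MACing the digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    digest = hashlib.sha256(prev.encode() + _canonical(event)).hexdigest()
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    # Store a copy so later edits to the caller's dict cannot silently alter the record.
    record = {"event": dict(event), "prev": prev, "digest": digest, "sig": sig}
    chain.append(record)
    return record


def build_chain(events, key=DEMO_KEY):
    chain = []
    for e in events:
        append_event(chain, e, key)
    return chain


def verify_chain(chain, key=DEMO_KEY):
    """Return -1 if the chain is intact, otherwise the index of the first bad record.

    Catches edited events (digest mismatch), deleted or reordered records
    (prev-link mismatch) and records produced without the key (MAC mismatch).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = hashlib.sha256(prev.encode() + _canonical(rec["event"])).hexdigest()
        expected_sig = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or rec["digest"] != expected:
            return i
        if not hmac.compare_digest(expected_sig, rec["sig"]):
            return i
        prev = rec["digest"]
    return -1


def find_violations(chain):
    """Out-of-policy access: unknown user, or source outside the allowed subnet."""
    hits = []
    for rec in chain:
        e = rec["event"]
        reasons = []
        if e["user"] not in AUTHORIZED_USERS:
            reasons.append("unauthorized-user")
        if ipaddress.ip_address(e["src"]) not in ALLOWED_SUBNET:
            reasons.append("source-outside-policy")
        if reasons:
            hits.append((e["ts"], e["user"], e["src"], tuple(reasons)))
    return hits


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chain) == -1)
    for hit in find_violations(chain):
        print("ALERT", hit)
    # Edit a stored record after the fact: verification now points at it.
    chain[2]["event"]["user"] = "jdoe"
    print("first bad record after tampering:", verify_chain(chain))
```

Two caveats worth keeping in mind when comparing this with a product claim. A hash chain plus MAC only proves integrity relative to whoever holds the key; an administrator with the key can rewrite history by re-signing every record from the edit onward, so real chain of custody also needs the head digest anchored somewhere the collector cannot touch (a periodically exported, timestamped head, a write-once store, or a signature key held by a separate party). And the policy check above is deliberately narrow; in practice the allowed users and subnets come from the same access-control records that Requirement 7 asks you to maintain, which is why the audit trail and the policy should be reviewed together.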

For all aspects of PCI compliance, AlienVault Professional SIEM provides the reporting and forensics platform necessary both to demonstrate a given aspect of compliance and to investigate any incident that occurs on the network.

Conclusions

Regulatory compliance is only going to increase in coming years. The criticality of information systems to the safety of the individual, the organization and the state will drive a continuous "raising of the bar" in terms of the diligence that those managing information systems will be mandated to demonstrate. Performing and demonstrating the diligence required by regulatory regimes calls for the visibility embodied in SIEM technologies.

The AlienVault Professional SIEM is well suited for the task of regulatory compliance for organizations of all sizes.
