Problem to Solve: How can we use our APM/NPM solution to meet the PCI requirement of “regularly testing security systems and processes”?
Contributing Author – Robert Wright, Network Engineer with 15+ years experience
As we wrap up this blog series I felt it would be important to highlight critical points out of each of the past 5 entries.
- In no way is PCI stating that packet sniffers or sniffer based technology is not permitted in your environment.
- In PCI v3 a new requirement (1.1.3), demands a current diagram that shows all cardholder data flow across systems and networks is required
- Folks, troubleshooting network and application performance problems simply do not need access to cardholder data
- Through our APM/NPM tools we can ensure we maintain compliance with PCI DSS v3
- When deploying an APM/NPM solution, be sure to review the various authentication types which are supported
So let’s get going on our final post of this series! This article will be covering the concept of “Regularly Monitor and Test Networks”. Note we will not be covering requirement 12, as it pertains to information security policies. It should be noted that the number of requirements in these last few sections are limited, and even fewer apply to APM/NPM. So let’s get the show on the road.
Track and monitor all access to network resources and cardholder data
It’s funny how one of the most critical aspects of many people’s lives and IT systems goes unnoticed and taken for granted. Nope, I’m not talking about payday! I am talking about time (or more to the point for this posting), the Network Time Protocol (NTP). Requirement 10.4 requires all critical systems to utilize a time synchronization technology, such as NTP.
Now you may think, how does this apply to APM/NPM and its relationship to PCI? Imagine for a moment if your firm were to be compromised/hacked. One common task is to create a time line of events. In such a scenario many companies turn to their security tools first and then APM/NPM tools second to fill in the gaps. What is important then? Time. How else will you know what came first, second or third from a chronological perspective.
To continue with this scenario, a very common task is to obtain packets related to a suspected attack. These packets can be utilized to expand on an alert that an Intrusion Detection System (IDS) created. With hundreds of thousands or millions of packets flowing across your network, how will you know where to look if you don’t have the accurate time across systems?
So when you configure your next service in your APM/NPM tool set, consider creating your NTP infrastructure. It may just save you hours of anguish later!
Regularly test security systems and processes
Requirement 11.4 requires an institution to implement a IDS or IPS system. We covered this briefly in the previous paragraphs so I won’t rehash that a second time. However, if we look at the present trends, we see aggregation switching has gained in popularity and rightfully so.
So in a PCI world, what is one critical item we must understand? The flow of our data. So if an aggregation switch makes sense to you, consider one with an easy graphical interface and one which provides superb logging of administrative functions. What other features should we consider looking for? Integration of the switch and your tool set to realize even larger savings and ease of use.
A company which understands the need to properly design a solution, will adequately capacity plan their switches at the initial design meeting. Why is this critical? Simple. An aggregation solution which is undersized for traffic rate or overwhelms its connected tools isn’t a solution! It’s a liability! You will spend hours hunting down “THE” flow which explains how your system was compromised, only to never find it. Is it because you lack the skill to do so? No, it was predetermined the day your solution was designed!
Conclusion of this blog series on PCI
Can your APM/NPM solution replace your securities IDS/IPS tool set? No. Can you realize additional value from an existing or potential future investment? Yes! Do solutions exist today which multiple teams including information security can leverage? Yes!
As you venture down this road, find a vendor who has your best interest in mind. Engage the appropriate teams within your organization as you go down this path. Not only will you find additional budget, but the end solution will hopefully fit many different objectives.