LogRhythm
Technical Assessment
White Paper
Prepared for:
Page 2 Copyright 2011, Coalfire Systems Inc.
Table of Contents
Executive Summary
  Methodology
  Summary of Validation Findings
Log and Event Management Background
  Log Management Challenges & Risks
  Applicable Environment Considerations
Technical Assessment
  Environment Diagram
  Environment Detail
    LogRhythm EM
    LogRhythm LM
    LogRhythm Windows Agent Server
    LogRhythm Console
    Switches
    Firewalls
    IPS/IDS/WAF
    Domain Servers
    Domain Controllers
    DMZ Web Servers
Validation Findings for LogRhythm
  Validated Capabilities for Compliance
  Validated Capabilities for Security Practices
Appendix A: Compliance Control Objectives and Validation for LogRhythm
TECHNICAL ASSESSMENT: LogRhythm

Executive Summary
LogRhythm (the Company) engaged Coalfire Systems Inc. (Coalfire), a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA) company, to provide an independent compliance validation of LogRhythm's log and event management system. The Company's technology encompasses key control areas for PCI compliance.

The scope of the assessment is focused on validating the product's ability to meet specific PCI controls and to augment others. The set of PCI DSS controls selected for validation was derived through collaboration between LogRhythm solution architects and Coalfire test engineers. This review produced two classes of controls. The first is a class where the LogRhythm solution can directly fulfil the requirement when properly deployed as a control. The second is a class where the solution can partially fulfil the control requirement, or augment other control procedures, to assist a customer in meeting the requirement.

The audience for this validation report is merchants or service providers evaluating technical solutions for log and event management to meet their PCI compliance and IT security requirements. Additionally, QSAs or other auditors reviewing a deployed LogRhythm solution in a PCI environment can use this report to support their verification efforts.
Methodology

Coalfire conducted this validation through rigorous technical testing in our compliance validation labs using common PCI environmental scenarios. The outcome of this testing provides verification that customers implementing the LogRhythm solution will be able to meet these specific PCI control requirements in their real-world environments. Each PCI requirement was assessed by validating the output or state of the LogRhythm solution as deployed in our lab scenario. A broad spectrum of network, system and application scenarios was used in our validation testing. Test results and lab configurations are summarized in the technical section of the white paper. Any additional detail of test procedures, test results or lab configuration is available upon request.
Summary of Validation Findings

Coalfire has completed our validation testing of the LogRhythm log and event management solution and can confirm the following summary findings:

I. The LogRhythm log and event management solution's architecture and implementation requirements allow it to be deployed in a PCI environment in a way that lets a customer adhere to all PCI requirements applicable to the solution.
II. Implementation and operational documentation provide customers with appropriate guidance for operating the solution in a PCI-compliant manner.
III. When properly deployed and configured, the LogRhythm solution either fully meets or augments the following PCI DSS requirements:
PCI Requirement (Directly Meets Requirement / Augments Control Process)
1.1.5 & 1.1.6
1.2.1 & 1.2.2
1.3.2, 1.3.3 & 1.3.5
2.1
2.3
3.6.7
4.1
5.2
6.1
6.3
6.4.2
6.5
6.6
7.1
8.1
8.5.1, 8.5.4, 8.5.5, 8.5.6, 8.5.8 & 8.5.9
10.2, 10.2.2 & 10.2.4
10.3
10.4
10.5.1, 10.5.2, 10.5.3, 10.5.4 & 10.5.5
10.6
10.7
11.4
11.5
12.9
Log and Event Management Background

Clear visibility into all aspects of an organization's IT systems, employees and customers is imperative in today's networked environments. IT administrators and security professionals are tasked with monitoring and protecting an overwhelming number of transactions and events that traverse their systems every day. Having a log and event management solution to better understand the overall health of a networked environment is not only a valued asset for IT professionals; it has become a requirement for regulatory compliance. When deploying a log and event management solution for compliance, organizations should ensure that the information provided by event logging systems is meaningful and relevant. This requires logging specific types of data that can construct effective audit trails. In this assessment we review and validate LogRhythm's log and event management solution as it pertains to compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Log Management Challenges and Risks

Who did what, when and where? Event or log capturing systems must be able to identify the user account information and type of event associated with each logged action. Each event's origin must be recorded, along with whether it was a success or failure. Timekeeping and recording are also essential for auditable events. Event logs must be protected from unauthorized access and modification. This requires implementing the logging solution with preventive and detective controls that enforce logical access to log files and event-generating services, and that detect log file access and modification.

Developing roles for the users and administrators of the log management system is a key area for security. Roles should ensure that the personnel responsible for monitoring critical event logs function independently from IT Operations, so that those performing actions on systems cannot modify the event audit trails.

When monitoring operations for compliance, log files must be reviewed frequently in order to sustain an effective monitoring program. Management must ensure that manual or automated review of log files occurs on a daily basis, and that the log information captured is retained in line with corporate data retention requirements. Alerting IT Operations when processing failures occur is also essential for a log manager: gaps in the logs can impede a successful audit. Organizations must also have sufficient storage capacity to meet log retention requirements.
Applicable Environment Considerations

When implemented within a regulated environment, the installation of event logging products leaves a footprint of infrastructure that must itself be capable of conforming to control requirements. Validating these control objectives provides assurance that a secure, compliant installation of the product is possible without costly custom development or service disruptions.

Technical Assessment

Coalfire installed and configured LogRhythm's LM and EM appliances in a test environment in its Seattle lab. The scope of the assessment was defined by the following tasks:
1. Understand product functionality, architecture, delivery, implementation and operation
2. Review configuration guidance and security documentation
3. Test the product for required controls in the lab environment
4. Review and verify LogRhythm log management hardware and software hardening best practices
5. Review agent configuration requirements and capabilities
6. Verify event log traffic for security and compliance
7. Review and monitor the product's network traffic for regulatory controls in the lab environment
8. Review and validate how the LogRhythm event logging solution provides compliance for organizations:
   a. Review available and custom reports
   b. Review available and custom investigations
   c. Review alarming and correlation of events for compliance
   d. Review audit capabilities

This assessment was focused on the product's ability to directly satisfy certain PCI controls and to support or augment others; it was not a complete review of the product. Examples of areas that were out of scope for this assessment include the product's ability to receive and normalize logs from a wide variety of sources, and any scalability or performance issues.
Environment Diagram

Environment Detail

The following describes how the systems in our lab environment have been configured to send their log information and how the log data has been classified.

LogRhythm's PCI DSS Compliance Package comes with predefined classification types so the log management server can properly digest different log source types and correlate logged events. For this assessment we leverage the PCI DSS classification template from the LogRhythm knowledge base.
LogRhythm EM
The LogRhythm Event Manager in this lab environment runs Microsoft Windows Server 2003 with SQL Server 2005. The EM hosts the Alarming and Response Manager (ARM) service. The following databases are available on this server: EMDB, Alarms, Events and Log Mart.

LogRhythm LM
The LogRhythm Log Manager in this lab environment runs Microsoft Windows Server 2003 with SQL Server 2005. The LM server hosts the Mediator and the Message Processing Engine (MPE). The following databases are available: LMDB and RADB. In typical deployments the LM is also configured with a LogRhythm Agent.

LogRhythm Windows Agent Server
For our lab configuration the agent has been configured to collect and digest all events within our LAN or protected subnet. Events are captured from file servers, databases, switches, firewalls, intranet web servers, and IPS/IDS/WAF systems. The agent receives log data over port 514 (UDP and TCP) and delivers the data encrypted to the Log Manager over port 443 (TCP).

LogRhythm Console
For this assessment the console has been installed locally on a separate workstation. Console traffic is carried over port 1433, and console users have the option to encrypt communications to the EM and LM appliances. Because the console connects over the network (non-console administrative access in PCI DSS terms) and port 1433 carries SQL Server traffic, that encryption option should be enabled in a PCI environment to meet requirement 2.3.

Switches
Switches in the lab environment have been configured to send log data to the LogRhythm Agent Server on port 514 (UDP). The log data has been classified on the console as Network Security Devices.

Firewalls
Firewalls have been configured to send log information to the LogRhythm Agent over port 514 (UDP). The firewall delivers all firewall information via its LAN interface. The log data has been classified on the LogRhythm console as Network Monitoring and Testing.
IPS/IDS/WAF
Intrusion detection and web content inspection systems have been configured to deliver log information to the LogRhythm Agent over port 514 (TCP). The log data has been classified on the console as Network Monitoring and Testing.

Domain Servers
Standard domain servers have been configured to deliver log information to the LogRhythm Windows Agent Server over port 514. The log data has been classified on the console as Cardholder Data Storage Systems.

Domain Controllers
Domain controllers have been configured to deliver log information to the LogRhythm Windows Agent Server over port 514. The log data has been classified on the console as Access Control Systems.

DMZ Web Servers
For secure communications from the DMZ subnet to the LAN or internal subnet, LogRhythm agents were installed on each web server. The agent captures the data locally under a local system account and delivers the logs encrypted to the Log Manager for processing over port 443. The log data has been classified on the console as Cardholder Data Storage Systems.
Validation Findings for LogRhythm

The LogRhythm log management solution demonstrated strong alerting capabilities and provided comprehensive audit trails for forensics after an incident. The LogRhythm Management Console provided investigation, analysis, reporting and monitoring tools that simplified management of security and compliance event logging. Out of the box, LogRhythm supports many log source device types and provided templates that assisted with deployment. The LogRhythm solution demonstrated a high level of flexibility for customization of log source types, policies, alerts, notifications, reporting, monitoring, data classification, and event correlation. This flexibility makes the LogRhythm solution very adaptable to different environments and capable of addressing compliance logging requirements.

Validated Capabilities for Compliance

The ability to establish audit trails
The LogRhythm console interface is a centralized log management tool for establishing and monitoring audit trails. Comprehensive audit trails can be created to manage all types of compliance and security objectives.

Record access to systems by users and programs
The LogRhythm appliance demonstrated the ability to record access to systems by users and programs.
Record access to sensitive data by users and programs
The LogRhythm appliance demonstrated the ability to record sensitive data accessed by users and programs.

Record actions performed under administrator accounts
The LogRhythm appliance demonstrated the ability to record actions performed under administrative accounts.

Record actions performed within authentication systems
The LogRhythm appliance demonstrated the ability to record actions performed within authentication systems.

Record access to event logs and audit trails
The LogRhythm appliance demonstrated the ability to record access to event logs and audit trails.

Record initialization and termination of event logging services
The LogRhythm appliance demonstrated the ability to record and monitor initialization and termination of event logging services.

Creation and deletion of system objects
The LogRhythm appliance demonstrated the ability to record creation and deletion of system objects.

File integrity monitoring and alerting of sensitive data
The LogRhythm appliance demonstrated the ability to record, monitor and alert on access to sensitive data.

Record user identity for each logged action
The LogRhythm appliance demonstrated the ability to record the user identity for each logged action.

Record type of event for each logged action
The LogRhythm appliance demonstrated the ability to record the type of event for each logged action.

Record date and time for each logged action
The LogRhythm appliance demonstrated the ability to record the date and time for each logged action.

Record the success or failure for each logged action
The LogRhythm appliance demonstrated the ability to record success or failure for each logged action.

Record the event origination for each logged action
The LogRhythm appliance demonstrated the ability to record the event origin of each logged action.

Record the event target identity for each logged action
The LogRhythm appliance demonstrated the ability to record the event target identity for each logged action.

Protect event logs from unauthorized modification and alert
The LogRhythm appliance demonstrated the ability to record and alert on unauthorized modification of event logs.

File integrity monitoring of event logs
The LogRhythm appliances demonstrated the ability to record and monitor the integrity of event log files.

Daily review of log files (assisted by automated report scheduling, delivery and notification)
The LogRhythm appliance demonstrated the ability to present reports and logged events using automated report scheduling.

Large storage and archive capabilities
The LogRhythm appliance demonstrated the ability to store large amounts of data locally, as well as offline archiving and encryption of older logs.

Provided centralized event log analysis
The LogRhythm appliance console provides centralized event log analysis.

Incident response capability with alerting and notifications
The LogRhythm appliance demonstrated the ability to record, alert and notify on incidents that occur in the cardholder data environment.

Validated Capabilities for Security Best Practices

Record remote access attempts
The LogRhythm appliance demonstrated the ability to record remote access attempts to the appliances and the cardholder data environment.

Record application security events
The LogRhythm appliance demonstrated the ability to record application security events.

Recording and alerting for data modification
The LogRhythm appliance demonstrated the ability to record and alert when data is modified within the appliances and the cardholder environment.

Appliance hardening and security practices
LogRhythm has available documentation that covers hardening and security best practices for its appliances.

Separation of user and administration roles
The LogRhythm appliance demonstrated the ability to separate user roles.
Appendix A: Compliance Control Objectives and Validation for LogRhythm

The table below outlines how LogRhythm addresses the requirements of the PCI sections. The "How LogRhythm Supports Compliance" column describes the capabilities LogRhythm provides that will meet, support or augment PCI compliance. The "Test Procedure" and "Notes / Keys for Compliance" columns are Coalfire's findings from its assessment of the product. Each entry below gives the PCI requirement followed by those three columns.
1.1.5 Documentation and business justification for use of all services, protocols and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
  How LogRhythm supports compliance: LogRhythm provides monitoring and investigations to perform testing procedures 1.1.5.a and 1.1.5.b by showing the use of protocols in the network environment. Testing requires verification that all services, protocols and ports in use have a business need. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: Run investigations for Network Service Summary and Network Connection Summary.
  Notes / keys for compliance: When run as investigations over short time frames we were able to successfully capture protocols, ports and IPs.

1.1.6 Periodic review of firewall/router rule sets.
  How LogRhythm supports compliance: Reporting facilitates easy and independent review of firewall and router operation. Reports can be generated that show the actual traffic allowed and denied by firewall and router rule sets. PCI requires verification at least every six months. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: Run investigations for Network Service Summary and Network Connection Summary.
  Notes / keys for compliance: When run as investigations over short time frames we were able to successfully capture allowed and denied network traffic.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
  How LogRhythm supports compliance: Verification that inbound and outbound traffic is properly controlled (limited and/or denied) for the cardholder data environment. LogRhythm detects and alerts on inbound Internet activity within the cardholder data environment, providing verification of proper network activity and of the presence of improper network activity.
  Test procedure: Run investigations for the Network Connection Summary report.
  Notes / keys for compliance: The LR appliance can alert and notify on inbound and outbound traffic.

1.2.2 Verify router configurations are secure and synchronized.
  How LogRhythm supports compliance: LogRhythm identifies synchronization events and can be used to verify the proper functioning of routers, firewalls, or other collaborating network devices. Reports provide a consolidated review of internal/external activity and threats. Example reports: Firewall and Router Policy Synchronization.
  Test procedure: Unable to perform this test; firewall synchronization was not configured in this lab environment. Observation of vendor reports and demonstration was used for validation.
  Notes / keys for compliance: Unable to test this feature in the lab environment. Vendor observation was used for validation.
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
  How LogRhythm supports compliance: LogRhythm detects and alerts on inbound and outbound Internet activity not restricted to the DMZ, identifying non-compliant network traffic or attempts to access services inside the DMZ that are not approved for Internet accessibility. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: Run investigations for Network Service Summary and Network Connection Summary.
  Notes / keys for compliance: The LogRhythm appliance can alert and notify on Internet traffic anomalies to IP addresses in the DMZ.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
  How LogRhythm supports compliance: LogRhythm can detect and alert on activity in which internal addresses are passed from the Internet into the DMZ. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: Run investigations for Network Service Summary and Network Connection Summary.
  Notes / keys for compliance: The LogRhythm appliance can alert and notify on Internet traffic to the cardholder data environment.

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
  How LogRhythm supports compliance: LogRhythm detects and alerts on any outbound activity not necessary for the payment card environment. Any access to IP addresses in unauthorized networks can be quickly identified. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: Run investigations for Network Service Summary and Network Connection Summary.
  Notes / keys for compliance: The LogRhythm appliance can alert and notify on outbound traffic from the cardholder data environment to the Internet.

2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, Simple Network Management Protocol (SNMP) community strings, and elimination of unnecessary accounts.
  How LogRhythm supports compliance: LogRhythm can alarm on detected use of default passwords or known default accounts that should not be used in a secure deployment. Example alarms: Alarm On Default Account Usage; Alarm On Anonymous Or Guest Account Usage.
  Test procedure: Created alarms for Anonymous account usage, sa account usage, Administrator account usage, Guest account usage, and Public account usage.
  Notes / keys for compliance: In the lab environment we were able to successfully alert and notify on all default account usage (Admin, Administrator, Guest and sa accounts). We were also able to alarm on regular account usage. Notifications were obtained via email and through the LogRhythm console.

2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
  How LogRhythm supports compliance: LogRhythm provides a record of all services used and can alarm on the use of non-encrypted protocols. Example investigations: Network Service Summary; Network Connection Summary; Use Of Non-Encrypted Protocols.
  Test procedure: Performed investigations for Network Service Summary and Network Connection Summary. Created alerts for use of non-encrypted connections to cardholder systems.
  Notes / keys for compliance: We were able to successfully capture summary information over short time frames when running investigations for Network Service Summary and Network Connection Summary.

3.6.7 Prevention of unauthorized substitution of cryptographic keys.
  How LogRhythm supports compliance: LogRhythm can alarm on actions that affect specific files or objects, including cryptographic keys. The details of who altered a key, when and where are available in real time to the custodian(s). Example reports: File Integrity Monitoring Activity.
  Test procedure: Unable to test this feature in the lab environment. Observation of vendor demonstration was used for validation.
  Notes / keys for compliance: The appliance can, however, alarm on substituted keys.
4.1 Use of strong cryptography and security protocols such as SSL/TLS or IPsec to safeguard sensitive cardholder data during transmission over open, public networks.
  How LogRhythm supports compliance: LogRhythm records which protocols are being used in the cardholder data environment, showing when any unauthorized protocols or unencrypted services are used. In addition, LogRhythm is capable of alarming on conditions where a system observes unencrypted information being passed when only encrypted traffic is expected. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: This feature has not been tested.
  Notes / keys for compliance: Observation of vendor demonstration was used for validation.

5.2 Ensure that all anti-virus mechanisms are current, actively running and capable of generating audit logs.
  How LogRhythm supports compliance: LogRhythm detects and alerts on any error conditions originating from anti-virus applications and on the services being started and stopped, and identifies when new signatures are installed. Alarming can be configured to inform the custodian(s) whenever malware is detected inside the cardholder data environment. Example reports: Malware Detected; Anti-Virus Signature Update Report. Example alarms: Alarm On Malware.
  Test procedure: Created a custom Virus Signature Update report.
  Notes / keys for compliance: The LR appliance was able to alert on whether an AV client was running and to determine whether a client or server had successfully downloaded the latest virus signature database updates.

6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
  How LogRhythm supports compliance: LogRhythm can track and report on when patches are installed on devices, showing which systems have been patched within the past month, or any other time frame dictated by organizational policy. Example reports: Patches Applied.
  Test procedure: Created server patching reports, workstation patching reports, and an LR appliance patching report.
  Notes / keys for compliance: We were able to successfully capture patch update information on Windows operating systems.

6.3 Develop software applications (internal and external, and including web-based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices. Incorporate information security throughout the software development life cycle.
  How LogRhythm supports compliance: LogRhythm provides the logging intelligence that custom-written software needs to be effective. By providing an intelligent system for logs to be sent to, rules can be created that give proper alarming and reporting for, and enhance the capabilities of, any custom application used in the cardholder data environment.
  Test procedure: Captured existing IIS logs via flat file. The LR appliance is capable of capturing custom logs.
  Notes / keys for compliance: Successfully connected existing web server/application logs to the LR appliance.

6.4.2 Separation of duties between development/test and production environments.
  How LogRhythm supports compliance: LogRhythm can report on communications between production and development environments to ensure separation.
  Test procedure: Created alarms for connections traversing test/development and production subnets (IP-based alarm).
  Notes / keys for compliance: Successfully alerted on users/connections attempting to connect from test subnets to production subnets.
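The Network Service Summary and Network Connection Summary investigations used above for 1.1.5, 1.1.6 and the 1.3.x requirements, and the IP-based alarm used for 6.4.2, reduce to one operation on firewall logs: parse each connection record, aggregate by protocol and destination port together with the firewall's allow/deny decision, and test source and destination against subnet definitions. The following Python is an added example of that operation over constructed log lines. It is not LogRhythm code; its key=value record format is invented for the example (real firewalls differ), and the production and development/test subnets are assumptions made for the lab.

```python
"""Network service/connection summary and dev/test-to-production alarm.

Added example, not LogRhythm code. Parses constructed firewall log lines
(generic key=value form, not a real vendor syntax), summarises allowed and
denied traffic per service for the 1.1.5/1.1.6/1.3.x reviews, and raises the
6.4.2 alarm for any connection from a dev/test subnet into production.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample firewall log (not captured from a real device).
SAMPLE_FIREWALL_LOG = """\
2011-03-01T10:00:01Z fw1 action=ALLOW proto=TCP src=203.0.113.7 spt=51000 dst=192.0.2.10 dpt=443
2011-03-01T10:00:02Z fw1 action=ALLOW proto=TCP src=203.0.113.7 spt=51001 dst=192.0.2.10 dpt=80
2011-03-01T10:00:03Z fw1 action=DENY proto=TCP src=203.0.113.9 spt=40000 dst=10.20.0.15 dpt=1433
2011-03-01T10:00:04Z fw1 action=ALLOW proto=UDP src=10.20.0.15 spt=514 dst=10.20.0.50 dpt=514
2011-03-01T10:00:05Z fw1 action=ALLOW proto=TCP src=10.30.5.21 spt=45000 dst=10.20.0.15 dpt=1433
2011-03-01T10:00:06Z fw1 action=DENY proto=TCP src=10.30.5.22 spt=45001 dst=10.20.0.15 dpt=3389
2011-03-01T10:00:07Z fw1 action=ALLOW proto=TCP src=10.20.0.15 spt=52000 dst=198.51.100.4 dpt=443
not a firewall record
"""

# Assumed lab addressing (hypothetical): production/CDE and dev/test subnets.
PRODUCTION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
DEVTEST_NETS = [ipaddress.ip_network("10.30.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Connection:
    timestamp: str
    reporter: str   # device that logged the connection
    action: str     # ALLOW or DENY
    proto: str
    src: str
    spt: int
    dst: str
    dpt: int


def parse_line(line):
    """Parse one record; return None for a malformed line so a single bad
    line cannot silently drop the rest of the file."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    timestamp, reporter, rest = parts
    fields = dict(KV_RE.findall(rest))
    try:
        return Connection(timestamp, reporter, fields["action"].upper(),
                          fields["proto"].upper(), fields["src"], int(fields["spt"]),
                          fields["dst"], int(fields["dpt"]))
    except (KeyError, ValueError):
        return None


def parse_log(text):
    return [c for c in (parse_line(line) for line in text.splitlines()) if c is not None]


def service_summary(conns):
    """Count connections per (proto, destination port, action).

    This is the 1.1.6 review input: what the rule set actually allowed and
    denied, rather than what the rule set says."""
    counts = Counter()
    for c in conns:
        counts[(c.proto, c.dpt, c.action)] += 1
    return counts


def permitted_services(conns):
    """Every (proto, port) seen with ALLOW; each needs a documented business
    justification under 1.1.5."""
    return sorted({(c.proto, c.dpt) for c in conns if c.action == "ALLOW"})


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def devtest_to_production(conns):
    """6.4.2 alarm: a dev/test source talking to a production destination.

    Denied attempts are returned too: a blocked attempt still shows someone
    in dev/test reaching for production and is worth an alarm."""
    return [c for c in conns
            if _in_any(c.src, DEVTEST_NETS) and _in_any(c.dst, PRODUCTION_NETS)]


if __name__ == "__main__":
    conns = parse_log(SAMPLE_FIREWALL_LOG)
    for key, n in sorted(service_summary(conns).items()):
        print("%s/%d %s: %d" % (key[0], key[1], key[2], n))
    for c in devtest_to_production(conns):
        print("ALARM 6.4.2: %s %s %s:%d -> %s:%d" % (c.timestamp, c.action, c.src, c.spt, c.dst, c.dpt))
```

Run over the constructed lines, the summary lists TCP/80, TCP/443, TCP/1433 and UDP/514 as permitted services, and the 6.4.2 rule returns the two dev/test-to-production records (one allowed, one denied). The short-time-frame caveat noted in the rows above applies here as well: a summary is only as complete as the window of logs it was run over.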
6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes.
  How LogRhythm supports compliance: Vulnerabilities outlined in section 6.5 can be detected by real-time examination tools or by using compatible vulnerability scanning systems. Attempts to attack web applications, such as through a cross-site scripting (XSS) vulnerability, can be alarmed on in real time by LogRhythm. Example reports: Vulnerabilities Detected.
  Test procedure: Scanner integration with LogRhythm was not tested in the lab.
  Notes / keys for compliance: This feature was validated through observation of vendor demonstration.

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; or installing a web-application firewall in front of public-facing web applications.
  How LogRhythm supports compliance: LogRhythm can support either method by working in conjunction with web exploit detection systems such as intrusion detection systems, web application firewalls, stateful inspection firewalls, web servers and other log sources, to analyze detected potential abuses as well as provide a way to investigate suspected breaches. Example reports: Suspicious Activity by User; Top Targeted Hosts; Suspicious Activity by Host; Top Targeted Applications; Top Suspicious Users; Vulnerabilities Detected.
  Test procedure: Scanner integration with LogRhythm was not tested in the lab.
  Notes / keys for compliance: This feature was validated through observation of vendor demonstration.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
  How LogRhythm supports compliance: Access to cardholder data can be monitored in real time by the custodian(s) of the data by collecting access control system data. Account creation, privilege assignment and revocation, and object access can be validated using LogRhythm. Example reports: Host Authentication Summary; Disabled Accounts Summary; Applications Accessed by User; Removed Account Summary.
  Test procedure: Test performed with alerts, reports, and investigations.
  Notes / keys for compliance: The LR appliance was able to successfully track accounts and components that access the cardholder environment.

8.1 Assign all users a unique ID before allowing them access to system components or cardholder data.
  How LogRhythm supports compliance: Account creation can be monitored through reporting and investigation of logs pertaining to the creation and modification of accounts. Accounts that have more than one user may be identified through investigations of frequent and/or suspicious login activity. Example reports: Account Creation Activity; Account Modification Activity.
  Test procedure: Set up reports and investigations to review the creation of unique IDs.
  Notes / keys for compliance: LR can report on and monitor the creation of unique IDs.
8.5.1 Control addition, deletion and modification of user IDs, credentials and other identifier objects.
  How LogRhythm supports compliance: Account modification can be monitored through reporting and investigation of logs pertaining to the creation and modification of accounts. Example reports: Account Creation Activity; Account Modification Activity.
  Test procedure: Created custom alarms for account modification, creation and deletion.
  Notes / keys for compliance: The LR appliance was able to successfully alert and notify on all of these activities. It also provided an accurate audit trail for these events.

8.5.4 Immediately revoke access for any terminated users.
  How LogRhythm supports compliance: Account modification can be monitored through reporting and investigation of logs pertaining to the creation and modification of accounts. Example reports: Disabled Accounts Summary (report/alarm); Removed Account Summary (alarm/report).
  Test procedure: Created custom alarm notifications for terminated accounts.
  Notes / keys for compliance: We were able to report on and investigate the termination of users via the console.

8.5.5 Remove or disable inactive user accounts at least every 90 days.
  How LogRhythm supports compliance: Account modification can be monitored through reporting and investigation of logs pertaining to the creation and modification of accounts. Example reports: Disabled Accounts Summary (report/alarm); Removed Account Summary (alarm/report).
  Test procedure: Terminated user report; inactive user report.
  Notes / keys for compliance: The LR appliance could report on terminated user accounts and disabled user accounts.

8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed.
  How LogRhythm supports compliance: Account modification can be monitored through reporting and investigation of logs pertaining to the creation and modification of accounts. Example reports: Disabled Accounts Summary (report/alarm); Removed Account Summary (alarm/report); Inactive Users (report/alarm). The LR appliance can also alarm on account usage.
  Test procedure: User account summary report; disabled user account summary report.
  Notes / keys for compliance: LR appliances were able to track and monitor vendor accounts via tail, investigations and reports.

8.5.8 Do not use group, shared or generic accounts and passwords.
  How LogRhythm supports compliance: Alarm on generic user IDs. Alarm on default or shared administration activities. Alarm to verify that shared or generic user IDs are not used to administer any system components.
  Test procedure: Created alarms on default user accounts: Administrator, Admin, Guest, sa and network administrator accounts.
  Notes / keys for compliance: The LR appliance can successfully track, monitor and report on any type of account usage via investigations or reports.
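The alarms created above for 2.1 and 8.5.8 (use of Administrator, Admin, Guest, sa and similar accounts) and the 8.1 note that a shared account shows up as frequent or suspicious login activity are both simple rules over logon events. The Python below is an added example of those two rules and is not LogRhythm code. It runs over constructed Windows and SQL Server logon records written in a one-line form invented for the example (event IDs 4624/4625 and 18454/18456 are the real Windows and SQL Server logon success/failure IDs; every host, account and address is made up), flags every use of a default account, and flags an account that logs on successfully from three or more different workstations within ten minutes as a suspected shared account.

```python
"""Default-account and shared-account alarms (PCI DSS 2.1, 8.1, 8.5.8).

Added example, not LogRhythm code. Input is a constructed, one-line-per-event
rendering of Windows Security and SQL Server logon events (the line format is
invented; only the event IDs are real).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Accounts that ship with Windows / SQL Server / databases and should not be
# used interactively in a PCI environment (2.1, 8.5.8).
DEFAULT_ACCOUNTS = {"administrator", "admin", "guest", "sa", "public", "anonymous"}

SUCCESS_IDS = {4624, 18454}   # Windows logon success, SQL Server login succeeded
FAILURE_IDS = {4625, 18456}   # Windows logon failure, SQL Server login failed

# Constructed sample events (not from a real domain).
SAMPLE_LOGONS = """\
2011-03-01T09:00:00Z DC1 EventID=4624 Account=LAB\\jsmith LogonType=2 Workstation=WS-101 SourceIP=10.20.0.101
2011-03-01T09:05:10Z DC1 EventID=4624 Account=LAB\\Administrator LogonType=10 Workstation=WS-102 SourceIP=10.20.0.102
2011-03-01T09:06:00Z SQL1 EventID=18454 Account=sa LogonType=8 Workstation=WS-102 SourceIP=10.20.0.102
2011-03-01T09:07:00Z DC1 EventID=4624 Account=LAB\\opsuser LogonType=10 Workstation=WS-103 SourceIP=10.20.0.103
2011-03-01T09:08:30Z DC1 EventID=4624 Account=LAB\\opsuser LogonType=10 Workstation=WS-104 SourceIP=10.20.0.104
2011-03-01T09:09:00Z DC1 EventID=4624 Account=LAB\\opsuser LogonType=10 Workstation=WS-105 SourceIP=10.20.0.105
2011-03-01T12:00:00Z DC1 EventID=4625 Account=LAB\\Guest LogonType=2 Workstation=WS-106 SourceIP=10.20.0.106
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_logons(text):
    """Return a list of event dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        fields = dict(KV_RE.findall(parts[2]))
        try:
            event_id = int(fields["EventID"])
            account = fields["Account"].rsplit("\\", 1)[-1]   # drop the DOMAIN\ prefix
        except (KeyError, ValueError):
            continue
        events.append({
            "time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "host": parts[1],
            "event_id": event_id,
            "account": account.lower(),
            "workstation": fields.get("Workstation", "?"),
            "source_ip": fields.get("SourceIP", "?"),
        })
    return sorted(events, key=lambda e: e["time"])


def outcome(event_id):
    if event_id in SUCCESS_IDS:
        return "success"
    if event_id in FAILURE_IDS:
        return "failure"
    return "other"


def default_account_alarms(events):
    """2.1 / 8.5.8: every use, successful or not, of a default account.

    Failed attempts are kept on purpose: a failed Administrator logon from a
    workstation is exactly what a default-credential guess looks like."""
    return [
        {"time": e["time"].strftime("%Y-%m-%dT%H:%M:%SZ"), "account": e["account"],
         "host": e["host"], "workstation": e["workstation"],
         "outcome": outcome(e["event_id"])}
        for e in events if e["account"] in DEFAULT_ACCOUNTS
    ]


def suspected_shared_accounts(events, window=timedelta(minutes=10), min_workstations=3):
    """8.1 / 8.5.8: one account logging on successfully from several
    workstations inside a short window is more likely shared than roaming."""
    by_account = defaultdict(list)
    for e in events:
        if outcome(e["event_id"]) == "success":
            by_account[e["account"]].append(e)
    flagged = {}
    for account, logons in by_account.items():   # logons are already time-ordered
        for i, first in enumerate(logons):
            seen = {first["workstation"]}
            for later in logons[i + 1:]:
                if later["time"] - first["time"] > window:
                    break
                seen.add(later["workstation"])
            if len(seen) >= min_workstations:
                flagged[account] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_logons(SAMPLE_LOGONS)
    for a in default_account_alarms(evts):
        print("ALARM default account: %(time)s %(account)s on %(host)s from %(workstation)s (%(outcome)s)" % a)
    for acct, ws in suspected_shared_accounts(evts).items():
        print("ALARM suspected shared account: %s used from %s" % (acct, ", ".join(ws)))
```

On the constructed input the first rule fires three times (Administrator and sa successes, a Guest failure) and the second flags opsuser, seen on WS-103, WS-104 and WS-105 within two minutes. The window and workstation threshold are the tuning knobs; a roaming administrator on a large site will trip a loose threshold, so the rule is a lead for the 8.1 investigation rather than proof of sharing.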
8.5.9 Change user passwords at least every 90 days.
  How LogRhythm supports compliance: Report on user account modification. Report on password change (every 90 days).
  Test procedure: Report on password change (account modification) by user.
  Notes / keys for compliance: LR was able to successfully report on and monitor password changes for any type of user.
Page 16Copyright 2011, Coalfire Systems Inc.
TECHNICAL ASSESSMENT: LogRhythm
Pci RequiRemenT hoW LogRhyThm suPPoRTs comPLiance TesT PRoceduRe
10.2ImplementautomatedaudittrailsforallsystemcomponentstoreconstructPCIstandardspecifiedevents.
noTes / keys foR comPLiance
LogRhythm’scorecapabilitiesarecentralizationandpropermanagementoflogdatathatcomprisesthemajorityoftheaudittrail.Reportscanbeproducedtoshowallauditactivityfromaccountcreation,throughaccountactivity,toaccountremoval.SupportforreportingonlogdatafromcustomapplicationscontainingportionsoftheaudittrailiseasilyachievedusingLogRhythm’sbuiltinrulebuildingtools.Example Reports:•AccountCreationActivity•UserAuthenticationSummary•UserAccessSummary•AccountModification
Setupcorrelatedeventsacrossmultipledevicetypes.
Constructedafewauditscenariosforthistest.
LRapplianceisablesuccessfullytoreconstructaudittrailsacrossmultipletypesofdevicetypes.WewereabletotrackthepathofanincomingtransactionfromfirewalltoswitchestoDMZtoServerevents.
10.2.4Implementautomatedaudittrailsforallsystemcomponentstoreconstructallinvalidlogicalaccessattempts.
LogRhythmidentifiesfailedaccessandauthenticationattemptsforenterprisenetworkeddevices.LogRhythmautomatestheprocessofidentifyinghigh-riskactivityandprioritizesbasedonassetrisk.High-riskactivitycanbemonitoredinreal-timeoralertedon.LogRhythmreportsprovideeasyandstandardreviewofinappropriate,unusual,andsuspiciousactivity.Example Reports:•DisabledAccountsSummary•RemovedAccountSummary•AuditExceptionsEventSummary•UserObjectAccessSummary•FailedHostAccessByUser•FailedApplicationAccessByUser
Createdreports/tail/investigationsfor:
DisabledAccountsSummary(Report)•RemovedAccountSummary.•AuditExceptionsEventSummary.
•UserobjectsAccessSummary.
•FailedHostAccessbyUser.•FailedApplicationAccessbyUser.
LRwasabletotrack,monitorandreportviaautomatedaudittrailsforallsystemcomponentstoreconstructallinvalidlogicalaccessattempts.
10.3 Record user identification, type of event, date and time, success or failure, origination and identity of affected data or system for each audit trail entry.
How LogRhythm Supports Compliance: LogRhythm timestamps and classifies each event received to match this requirement, and also extracts useful information such as user identification, IP addresses and host names, objects accessed, vendor message IDs, amounts affected (bytes, monetary values, quantities, durations), affected applications and other details useful for forensic investigation of the audit logs.
Test Procedure: Throughout the auditing of the LR appliance, timestamps and user information were constantly checked.
Notes / Keys for Compliance: The LR appliance was able to successfully capture timestamp and user account information for each audit trail entry.
10.4 Synchronize all critical system clocks and times.
How LogRhythm Supports Compliance: Many environments cannot synchronize system clocks to a single time standard, so LogRhythm independently synchronizes the timestamps of all collected log entries, ensuring that all log data is time-stamped to a standard time regardless of the time zone and clock settings of the logging hosts.
Test Procedure: Verified system timestamp of all logs.
Notes / Keys for Compliance: LogRhythm automatically synchronizes all timestamps throughout the logging environment.
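The 10.4 row states the problem (hosts write local times in different zones, some with drifting clocks) without showing what normalizing them looks like. The example below is added for this page and is not LogRhythm code or part of the Coalfire report; the per-source zone and skew table, the timestamp formats and the events are all constructed. It normalizes each event to UTC from the source's configured zone and corrects a known clock skew so that events from different devices can be ordered on one timeline.

```python
from datetime import datetime, timedelta, timezone

# Per-source clock configuration (hypothetical): the zone the host writes local
# times in and, if known, how many seconds its clock runs fast (+) or slow (-).
SOURCE_CLOCK = {
    "fw1":  {"tz": timezone(timedelta(hours=-7)), "skew": 0},
    "sw1":  {"tz": timezone.utc,                  "skew": 90},  # switch clock 90 s fast
    "web1": {"tz": timezone(timedelta(hours=1)),  "skew": 0},
}

# Constructed events as (source, raw timestamp, message); not from the report.
SAMPLE_EVENTS = [
    ("fw1",  "Mar  1 09:00:00",           "deny tcp 203.0.113.5 -> 10.0.0.5:443"),
    ("sw1",  "2011-03-01T16:01:32+00:00", "port 12 link up"),
    ("web1", "2011-03-01T17:00:05+01:00", "GET /checkout 200"),
]


def parse_raw(raw_ts, default_year):
    """Parse ISO 8601 (with or without a zone) or BSD-syslog style ('Mar  1 09:00:00')."""
    try:
        return datetime.fromisoformat(raw_ts)
    except ValueError:
        # Syslog timestamps carry neither year nor zone; the year is supplied by the collector.
        dt = datetime.strptime(raw_ts, "%b %d %H:%M:%S")
        return dt.replace(year=default_year)


def normalize_timestamp(source, raw_ts, default_year=2011):
    """Return the event time in UTC, applying the source's zone and skew correction."""
    cfg = SOURCE_CLOCK.get(source, {"tz": timezone.utc, "skew": 0})
    dt = parse_raw(raw_ts, default_year)
    if dt.tzinfo is None:
        # Naive time: trust the configured zone for this source, not the collector's zone.
        dt = dt.replace(tzinfo=cfg["tz"])
    return dt.astimezone(timezone.utc) - timedelta(seconds=cfg["skew"])


def normalize_events(events, default_year=2011):
    """Normalize and sort events so devices in different zones share one timeline."""
    out = [(normalize_timestamp(s, ts, default_year), s, msg) for s, ts, msg in events]
    out.sort(key=lambda e: e[0])
    return out


if __name__ == "__main__":
    for when, source, msg in normalize_events(SAMPLE_EVENTS):
        print(when.isoformat(), source, msg)
```

A collector that does this still needs its own clock synchronized (the skew values are only as good as the reference they were measured against), which is why the requirement asks for synchronized clocks rather than only normalized timestamps.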
10.5.1 Limit viewing of all audit trails to those with a job-related need.
How LogRhythm Supports Compliance: LogRhythm includes discretionary access controls allowing you to restrict the viewing of audit logs to individuals based on their role and need-to-know.
Test Procedure: Created user roles and tested for the ability to view/manipulate log information and features.
Notes / Keys for Compliance: The LR appliance console was able to successfully limit which users can see which data. The role-based permissions also limited the ability to change configuration settings on the LR appliances.
10.5.2 Protect audit trail files from unauthorized modifications.
How LogRhythm Supports Compliance: Using LogRhythm helps ensure audit trails are protected from unauthorized modification. LogRhythm collects logs immediately after they are generated and stores them in a secure repository. LogRhythm servers utilize access controls at the operating system and application level to ensure that log data cannot be modified or deleted.
Test Procedure: LR appliances can alert and notify on any user looking to manipulate logs, log sources and LR appliances. Administrators with access will alert and notify
Notes / Keys for Compliance: LR appliances were able to successfully back up (does this function in real time?). The appliance is also very capable of offline encrypted storage of logs.
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
How LogRhythm Supports Compliance: LogRhythm automatically collects audit trails and stores them in a central and secure repository. When a log is collected, it is stored in a database for analysis and reporting, and a copy is written to an archive file. The archive copy of the log also serves as a backup. Archive files can be written to SAN, NAS, or another central location, providing additional redundancy. Segregation can be performed by allowing only log traffic to pass through to LogRhythm via a firewall or filter control on a router, or by configuring the LogRhythm appliance’s firewall to reject unanticipated connections.
Test Procedure: This function is performed automatically. There are two copies of the event data stored on the LM and EM appliances. Further archiving to a SAN or NAS must be configured and an encryption key must be established.
Notes / Keys for Compliance: LR appliances create a backup copy of logs once presented to the LR appliance storage. Verify that all audit data is promptly backed up to a centralized log server or protected storage media.
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
How LogRhythm Supports Compliance: LogRhythm includes an integrated file integrity monitoring capability that ensures our collection infrastructure is not tampered with. Additionally, LogRhythm servers utilize access controls at the operating system and application level to ensure log data cannot be modified or deleted. Alerts are customizable to prevent or allow alarms on a case-by-case basis, including not causing an alert when new data is added.
Test Procedure: Configured file integrity monitoring on the source log host and the LR LM and EM appliances.
Notes / Keys for Compliance: The LR appliance was able to detect manipulation or access of logs on the LM, EM and source host logs using file integrity monitoring. From the console, administrators can exclude the activity of the service account capturing the event information.
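The distinguishing feature of 10.5.5 is that appends to a log must not alert while any change to data already written must. A whole-file hash cannot express that, because every append changes the hash. The following added example (written for this page; not LogRhythm's implementation and not part of the Coalfire report) records the length and SHA-256 of the content at baseline time and then checks only that the old prefix is intact, so growth is accepted and edits or truncation raise an alert. The log file and its contents are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

ALERT_VERDICTS = {"modified", "truncated"}


def baseline_of(data):
    """Record the length and SHA-256 of the log content seen at baseline time."""
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def classify(baseline, data):
    """Compare current content with the baseline prefix.

    An append leaves the first `length` bytes untouched; anything else
    (shorter file, or a prefix whose hash no longer matches) is tampering.
    """
    n = baseline["length"]
    if len(data) < n:
        return "truncated"
    if hashlib.sha256(data[:n]).hexdigest() != baseline["sha256"]:
        return "modified"
    return "unchanged" if len(data) == n else "appended"


def check_log(path, baseline):
    """Return (verdict, alert, new_baseline).

    The baseline advances only on a clean append, so a tampered file keeps
    alerting on every scan until an operator deliberately re-baselines it.
    """
    with open(path, "rb") as f:
        data = f.read()
    verdict = classify(baseline, data)
    new_baseline = baseline_of(data) if verdict == "appended" else baseline
    return verdict, verdict in ALERT_VERDICTS, new_baseline


def demo():
    """Walk a constructed log through no change, append, in-place edit and truncation."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "wb") as f:
            f.write(b"10:00:01 user=alice result=FAIL\n")
        with open(path, "rb") as f:
            baseline = baseline_of(f.read())

        verdict, alert, baseline = check_log(path, baseline)  # nothing changed
        results.append((verdict, alert))

        with open(path, "ab") as f:                          # normal growth: no alert
            f.write(b"10:00:03 user=alice result=SUCCESS\n")
        verdict, alert, baseline = check_log(path, baseline)
        results.append((verdict, alert))

        with open(path, "r+b") as f:                         # rewrite an existing line in place
            f.seek(0)
            f.write(b"10:00:01 user=mallory")
        verdict, alert, baseline = check_log(path, baseline)
        results.append((verdict, alert))

        with open(path, "wb") as f:                          # wipe the file
            f.write(b"")
        verdict, alert, baseline = check_log(path, baseline)
        results.append((verdict, alert))
    return results


if __name__ == "__main__":
    print(demo())
```

One caveat for deployment: log rotation replaces the file with a new, shorter one and will look like truncation to this check, so a monitor built this way has to be told about rotation (for example by tracking the inode, or by re-baselining when the rotated file is archived), otherwise every rotation becomes a false alarm and the real ones get ignored.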
10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN.
How LogRhythm Supports Compliance: LogRhythm can securely collect logs from the entire IT infrastructure, including external-facing technologies, for storage on an internal LAN where a LogRhythm appliance resides.
Test Procedure: Archive log storage from the EM to a storage location on the LAN.
Notes / Keys for Compliance: The LR appliance was able to successfully store logs to a share on the LAN subnet. The LR appliance was also able to encrypt the data.
10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security log functions like intrusion-detection systems (IDS) and authentication, authorization and accounting protocol.
How LogRhythm Supports Compliance: LogRhythm supplies a one-stop repository from which to review log data from across the entire IT infrastructure. Reports can be generated and distributed automatically on a daily basis. LogRhythm provides an audit trail of who did what within LogRhythm and a report which can be provided to show proof of log data review.
Example Reports:
• LogRhythm Usage Auditing
Test Procedure: Created custom reports and leveraged existing reports for a summary of events that require frequent review. Reports can be emailed and/or stored at a configured location on the network.
Notes / Keys for Compliance: The LR appliances are capable of capturing and presenting relevant data that must be reviewed by administrators on a frequent basis.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
How LogRhythm Supports Compliance: LogRhythm completely automates the process of retaining your audit trail. LogRhythm creates archive files of all collected log entries. These files are organized in a directory structure by day, making it easy to store, back up, and destroy log archives based on your policy.
Test Procedure: With the existing storage space on the EM and its archiving capabilities, the LR appliance is very capable of data retention for many needs. The framework is very flexible for increased storage and offline storage.
Notes / Keys for Compliance: The LR appliances are capable of handling large amounts of data locally and have the ability to archive encrypted backups of log data for long-term storage.
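The 10.7 row describes archives organized in one directory per day and a policy of keeping three months online and one year in total. The added example below (written for this page, not LogRhythm code and not part of the Coalfire report) turns that into a retention plan over a directory listing and, more usefully, checks the listing for missing days, since a day with no archive is a gap in the audit trail that a retention report should surface. The YYYY-MM-DD directory naming, the 90/365-day figures standing in for "three months" and "one year", and the directory listing are assumptions constructed for the example.

```python
from datetime import date, timedelta

# Assumed archive layout: one directory per day named YYYY-MM-DD (the report says
# "organized by day"; the exact naming is an assumption made for this example).
ONLINE_DAYS = 90    # "three months immediately available for analysis"
RETAIN_DAYS = 365   # "at least one year" of history

# Constructed directory listing: every day from 2010-06-01 through 2011-06-30,
# with 2011-06-15 deliberately missing so the gap check has something to find.
CONSTRUCTED_DAY_DIRS = [
    (date(2010, 6, 1) + timedelta(days=i)).isoformat() for i in range(395)
]
CONSTRUCTED_DAY_DIRS.remove("2011-06-15")


def classify_day(day, today, online_days=ONLINE_DAYS, retain_days=RETAIN_DAYS):
    """Decide what the retention policy says about one day's archive."""
    age = (today - day).days
    if age < 0:
        return "future"    # archive dated after today: a clock problem worth alerting on
    if age <= online_days:
        return "online"    # must stay immediately searchable
    if age <= retain_days:
        return "archive"   # may move to SAN/NAS/offline media, but must be kept
    return "destroy"       # past policy; eligible for secure deletion


def retention_plan(day_dirs, today, online_days=ONLINE_DAYS, retain_days=RETAIN_DAYS):
    """Group day directories by the action the policy requires for each."""
    plan = {"online": [], "archive": [], "destroy": [], "future": []}
    for name in sorted(day_dirs):
        day = date.fromisoformat(name)
        plan[classify_day(day, today, online_days, retain_days)].append(name)
    return plan


def missing_days(day_dirs, today, retain_days=RETAIN_DAYS):
    """Days inside the retention window with no archive directory: gaps in the audit trail."""
    have = {date.fromisoformat(n) for n in day_dirs}
    window = [today - timedelta(days=k) for k in range(retain_days, -1, -1)]
    return [d.isoformat() for d in window if d not in have]


if __name__ == "__main__":
    today = date(2011, 6, 30)
    plan = retention_plan(CONSTRUCTED_DAY_DIRS, today)
    for action, days in plan.items():
        print(action, len(days), days[:1], days[-1:])
    print("gaps:", missing_days(CONSTRUCTED_DAY_DIRS, today))
```

Running the gap check before the destroy step is the safer order: if the window already has holes, deleting the oldest archives should wait until someone has confirmed why the holes exist.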
11.4 Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
How LogRhythm Supports Compliance: LogRhythm collects logs from network and host based IDS/IPS systems. Its risk-based prioritization and alerting reduce the time and cost associated with monitoring and responding to IDS/IPS alerts. The Personal Dashboard feature can be used to monitor intrusion-related activity in real time. A powerful Investigator tool makes forensic search easy and efficient. LogRhythm combined with IDS/IPS is an extremely powerful tool in identifying and responding to intrusion-related activity efficiently and accurately.
Example Reports:
• Successful/Failed Host Access by User
• Successful/Failed Application Access by User
• Successful/Failed File Access by User
• Top Attackers
• Multiple Authentication Failures
• Suspicious Activity By User and Host
Test Procedure: The LR appliances were configured to capture IPS/IDS logs from another appliance.
• Successful/Failed Host Access by User (Alarm/Report)
• Successful/Failed Application Access by User (Alarm/Report)
• Successful/Failed File Access by User (Report/Alarm)
• Top Attackers
• Multiple Authentication Failures
• Suspicious Activity by User and Host (Report/Alarm)
Notes / Keys for Compliance: Using reports, investigations and alerts, the LR appliance was able to capture and notify on network intrusions. The audit trail was very helpful in determining the path an intruder had taken and the actions performed.
11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
How LogRhythm Supports Compliance: LogRhythm agents include an integrated file integrity monitoring capability which can be used to detect and alert on the following for any file or directory: reads; modifications; deletions; permission changes. This capability is completely automated. How often files are scanned is configurable. Files can be scanned at user-defined frequencies such as every 5 minutes or once a night.
Example Reports:
• File Integrity Monitoring Activity
Test Procedure: Configured File Integrity Monitoring of source host logs and local logs. Created an alert and alarm for any usage. Ran the file integrity monitoring activity report.
Notes / Keys for Compliance: Ran the file integrity monitoring activity report and found the LR appliance was able to successfully detect access or attempted manipulation of logs.
12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
How LogRhythm Supports Compliance: LogRhythm provides a centralized management system capable of alarming, reporting and investigating security breaches to the network. LogRhythm supports an incident response plan by providing the real-time enterprise detection intelligence to address issues quickly to prevent damage and exposure.
Example Alarms:
• Alarm On Attack
• Alarm On Compromise
• Alarm On Malware
Test Procedure: LR does not provide an incident response plan, but the appliance does assist with creating a framework for capturing audit trails and notifications.
Notes / Keys for Compliance: LR does not provide an incident response plan, but the appliance does assist with creating a framework for capturing audit trails and notifications. Tested throughout the entire assessment.