
LogRhythm

Technical Assessment

White Paper

Prepared for:


Copyright 2011, Coalfire Systems Inc.

Table of Contents

Executive Summary
  Methodology
  Summary of Validation Findings
Log and Event Management Background
  Log Management Challenges & Risks
  Applicable Environment Considerations
Technical Assessment
  Environment Diagram
  Environment Detail
    LogRhythm EM
    LogRhythm LM
    LogRhythm Windows Agent Server
    LogRhythm Console
    Switches
    Firewalls
    IPS/IDS/WAF
    Domain Servers
    Domain Controllers
    DMZ Web Servers
Validation Findings for LogRhythm
  Validated Capabilities for Compliance
  Validated Capabilities for Security Practices
Appendix A: Compliance Control Objectives and Validation, LogRhythm


TECHNICAL ASSESSMENT: LogRhythm

Executive Summary

LogRhythm (The Company) engaged Coalfire Systems Inc. (Coalfire), as a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA) company, to provide an independent compliance validation of LogRhythm's log and event management system. The Company's technology encompasses key control areas for PCI compliance.

The scope of the assessment is focused on validating the product's ability to meet specific PCI controls and to augment others. The scope of the PCI DSS controls selected for validation was derived through collaboration with LogRhythm solution architects and Coalfire test engineers. This review generated two types of control classes. The first is a class where the LogRhythm solution can directly fulfill the requirement when properly deployed as a control. The second class is where the control can partially fulfill the control requirement or augment other control procedures to assist a customer in meeting the requirement.

The audience for this validation report is merchants or service providers evaluating technical solutions for log and event management to meet their PCI compliance and IT security requirements. Additionally, QSAs or other auditors reviewing a deployed LogRhythm solution in a PCI environment can use this report to support their verification efforts.

Methodology

Coalfire conducted this validation through rigorous technical testing in our compliance validation labs using common PCI environmental scenarios. The outcome of this testing provides verification that customers implementing the LogRhythm solution will be able to meet these specific PCI control requirements in their real-world environments. Each PCI requirement was assessed by validating the output or state of the LogRhythm solution as deployed in our lab scenario. A broad spectrum of network, system and application scenarios was used in our validation testing. Test results and lab configurations are summarized in the technical section of the white paper. Any additional detail of test procedures, test results or lab configuration is available upon request.

Summary of Validation Findings

Coalfire has completed our validation testing of the LogRhythm log and event management solution and can confirm the following summary findings:

I. The LogRhythm log and event management solution's architecture and implementation requirements can be deployed in a PCI environment, allowing a customer to adhere to all PCI requirements for the solution.

II. Implementation and operational documentation provide customers with appropriate guidance for operating the solution in a PCI-compliant manner.

III. When properly deployed and configured, the LogRhythm solution either fully meets or augments the following PCI DSS requirements:


PCI Requirement (Directly Meets Requirement / Augments Control Process)

1.1.5 & 1.1.6
1.2.1 & 1.2.2
1.3.2, 1.3.3 & 1.3.5
2.1
2.3
3.6.7
4.1
5.2
6.1
6.3
6.4.2
6.5
6.6
7.1
8.1
8.5.1, 8.5.4, 8.5.5, 8.5.6, 8.5.8 & 8.5.9
10.2, 10.2.2 & 10.2.4
10.3
10.4
10.5.1, 10.5.2, 10.5.3, 10.5.4 & 10.5.5
10.6
10.7
11.4
11.5
12.9


Log and Event Management Background

Clear visibility into all aspects of an organization's IT systems, employees and customers is imperative in today's networked environments. IT administrators and security professionals are tasked with monitoring and protecting an overwhelming number of transactions and events that traverse their systems every day. Having a log and event management solution to better understand the overall health of a networked environment is not only a valued asset for IT professionals; it has become a requirement for regulatory compliance. When deploying a log and event management solution for compliance, organizations should ensure that the information provided by event logging systems is meaningful and relevant. This requires logging specific types of data that can construct effective audit trails. In this assessment we will be reviewing and validating LogRhythm's log and event management solution as it pertains to Payment Card Industry Data Security Standard (PCI DSS) regulatory compliance.

Log Management Challenges and Risks

Who did what, when and where? Event or log capturing systems must be able to identify the user account information and the type of event associated with each logged action. Each event's origin must be recorded, and whether it was a success or failure. Timekeeping and recording is also essential for auditable events. Event logs must be protected from unauthorized access and modification. This requires implementing the logging solution with preventative and detective controls that can enforce logical access to log files and event-generating services, and that record log file access and modification.

Developing roles for the users and administrators of the log management system is a key area for security. Roles should ensure that personnel responsible for monitoring critical event logs function independently from IT Operations, so that those performing events on systems cannot modify the event audit trails.

Monitoring operations for compliance: log files must be reviewed frequently in order to sustain an effective monitoring program. Management must ensure that the manual or automated review of log files occurs on a daily basis, and that the log information captured is retained according to corporate data retention requirements. Alerting IT operations when processing failures occur is also essential for a log manager. Having gaps within the logs can impede a successful audit. Organizations must also have sufficient storage capacity to meet log retention requirements.

Applicable Environment Considerations

When implemented within a regulated environment, the installation of event logging products leaves a footprint of infrastructure that must be capable of conforming to control requirements. Validating these control objectives provides assurance that a secure, compliant installation of the product is possible, without costly custom development or service disruptions.

Technical Assessment

Coalfire installed and configured LogRhythm's LM and EM appliances in a test environment in its Seattle lab. The scope of the assessment was defined with the following tasks:


1. Understand product functionality, architecture, delivery, implementation and operation
2. Review configuration guidance and security documentation
3. Test the product for required controls in the lab environment
4. Review and verify LogRhythm log management hardware and software hardening best practices
5. Review agent configuration requirements and capabilities
6. Verify event log traffic for security and compliance
7. Review and monitor the product's network traffic for regulatory controls in the lab environment
8. Review and validate how the LogRhythm event logging solution provides compliance for organizations
   a. Review available and custom reports
   b. Review available and custom investigations
   c. Review alarming and correlation of events for compliance
   d. Review audit capabilities

This assessment was focused on the product's ability to directly satisfy certain PCI controls and to support or augment the support of others; it was not a complete review of the product. Examples of areas that were out of scope for this assessment include the product's ability to receive and normalize logs from a wide variety of sources and any scalability or performance issues.

Environment Diagram


Environment Detail

The following describes how the systems in our lab environment have been configured to send their log information and how the log data has been classified.

LogRhythm's PCI DSS Compliance Package comes with predefined classification types so the log management server can properly digest different log source types and correlate logged events properly. For this assessment we will be leveraging the LogRhythm knowledge base PCI DSS classification template from LogRhythm.

LogRhythm EM

The LogRhythm Event Manager in this lab environment is configured with Microsoft Server 2003 with SQL Server 2005. The EM houses the Alarming and Response Manager (ARM) service. The following databases are available from this server: EMDB, Alarms, Events and Log Mart.

LogRhythm LM

The LogRhythm Log Manager in this lab environment is running Microsoft Server 2003 with SQL Server 2005. The LM server houses the Mediator and the Message Processing Engine (MPE). The following databases are available: LMDB and RADB. In typical deployments the LM is configured with a LogRhythm Agent.

LogRhythm Windows Agent Server

For our lab configuration the agent has been configured to collect and digest all events within our LAN or protected subnet. Events are captured from file servers, databases, switches, firewalls, intranet web servers, and IPS/IDS/WAF systems. The agent captures log data over port 514 (UDP and TCP) and delivers the data encrypted to the Log Manager via port 443 (TCP). Note that syslog over UDP port 514 is neither authenticated nor delivery-guaranteed; only the agent-to-Log Manager hop on port 443 is encrypted, so the network between log sources and the agent server should be treated as a trusted segment.

LogRhythm Console

For this assessment the console has been installed locally on a separate workstation. Traffic from the console is delivered on port 1433, and console users have the option to encrypt communications to the EM and LM appliances.

Switches

Switches in the lab environment have been configured to send log data to the LogRhythm Agent Server on port 514 (UDP). The log data has been classified on the console as Network Security Devices.

Firewalls

Firewalls have been configured to send log information to the LogRhythm Agent over port 514 (UDP). The firewall delivers all firewall information via the LAN interface on the firewall. The log data has been classified on the LogRhythm console as Network Monitoring and Testing.


IPS/IDS/WAF

Intrusion detection and web content inspection systems have been configured to deliver log information to the LogRhythm Agent over port 514 (TCP). The log data has been classified on the console as Network Monitoring and Testing.

Domain Servers

Standard domain servers have been configured to deliver log information to the LogRhythm Agent over port 514. Domain servers are configured to send log data to the LogRhythm Windows Agent Server. The log data has been classified on the console as Cardholder Data Storage Systems.

Domain Controllers

Domain controllers have been configured to deliver log information to the LogRhythm Agent over port 514. Domain controllers are configured to send log data to the LogRhythm Windows Agent Server. The log data has been classified on the console as Access Control Systems.

DMZ Web Servers

For secure communications from the DMZ subnet to the LAN or internal subnet, LogRhythm agents were installed on each web server. The agent captures the data locally with a local system account and delivers the logs encrypted to the Log Manager for processing over port 443. The log data has been classified on the console as Cardholder Data Storage Systems.

Validation Findings for LogRhythm

The LogRhythm log management solution demonstrated strong alerting capabilities and provided comprehensive audit trails for forensics after an incident. The LogRhythm Management Console provided investigation analysis, reporting and monitoring tools that simplified management of security and compliance event logging. Out of the box, LogRhythm supports many log source device types and provided templates that assisted with deployment. The LogRhythm solution demonstrated a high level of flexibility for customization of log source types, policies, alerts, notifications, reporting, monitoring, data classification, and event correlation. This flexibility makes the LogRhythm solution very adaptable to different environments and capable of addressing compliance logging requirements.

Validated Capabilities for Compliance

The ability to establish audit trails
The LogRhythm console interface is a centralized log management tool to establish and monitor audit trails. Comprehensive audit trails can be created to manage all types of compliance and security objectives.

Record access to systems by users and programs
The LogRhythm appliance demonstrated the ability to record access to systems by users and programs.


Record access to sensitive data by users and programs
The LogRhythm appliance demonstrated the ability to record sensitive data accessed by users and programs.

Record actions performed under administrator accounts
The LogRhythm appliance demonstrated the ability to record actions performed under administrative accounts.

Record actions performed within authentication systems
The LogRhythm appliance demonstrated the ability to record actions performed within authentication systems.

Record access to event logs and audit trails
The LogRhythm appliance demonstrated the ability to record access to event logs and audit trails.

Record initialization and termination of event logging services
The LogRhythm appliance demonstrated the ability to record and monitor initialization and termination of event logging services.

Creation and deletion of system objects
The LogRhythm appliance demonstrated the ability to record creation and deletion of system objects.

File integrity monitoring and alerting of sensitive data
The LogRhythm appliance demonstrated the ability to record, monitor and alert on access to sensitive data.

Record user identity for each logged action
The LogRhythm appliance demonstrated the ability to record user identities and each logged action for that user.

Record type of event for each logged action
The LogRhythm appliance demonstrated the ability to record the type of event for each logged action.

Record date and time for each logged action
The LogRhythm appliance demonstrated the ability to record date and time for each logged action.

Record the success or failure for each logged action
The LogRhythm appliance demonstrated the ability to record success or failure for each logged action.

Record the event origination for each logged action
The LogRhythm appliance demonstrated the ability to record the event origin of each logged action.

Record the event target identity for each logged action
The LogRhythm appliance demonstrated the ability to record the event target identity for each logged action.

Protect event logs from unauthorized modification and alert
The LogRhythm appliance demonstrated the ability to record and alert on unauthorized modification of event logs.

File integrity monitoring of event logs
The LogRhythm appliances demonstrated the ability to record and monitor the integrity of event log files.

Daily review of log files (assisted with automated report scheduling, delivery and notification)
The LogRhythm appliance demonstrated the ability to present reports and logging events using the automated report scheduling.

Large storage and archive capabilities
The LogRhythm appliance demonstrated the ability to store large amounts of data locally, as well as offline archiving and encryption of older logs.

Centralized event log analysis
The LogRhythm appliance console provides centralized event log analysis.

Incident response capability with alerting and notifications
The LogRhythm appliance demonstrated the ability to record, alert and notify on incidents that occur in the cardholder data environment.

Validated Capabilities for Security Best Practices

Record remote access attempts
The LogRhythm appliance demonstrated the ability to record remote access attempts to the appliances and the cardholder data environment.

Record application security events
The LogRhythm appliance demonstrated the ability to record application security events.

Recording and alerting for data modification
The LogRhythm appliance demonstrated the ability to record and alert when data is modified within the appliances and the cardholder environment.

Appliance hardening and security practices
LogRhythm has documentation available that covers hardening and security best practices for its appliances.

Separation of user and administration roles
The LogRhythm appliance demonstrated the ability to separate user roles.


Appendix A: Compliance Control Objectives and Validation, LogRhythm

The table below outlines how LogRhythm addresses the requirements of the PCI sections. The "How LogRhythm Supports Compliance" column describes the capabilities LogRhythm provides that will meet, support or augment PCI compliance. The "Test Procedure" and "Notes / Keys for Compliance" columns are Coalfire's findings from its assessment of the product. Each entry below gives the PCI requirement followed by those three columns.

1.1.5 Documentation and business justification for use of all services, protocols and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
  How LogRhythm supports compliance: LogRhythm provides monitoring and investigations to perform testing procedures 1.1.5a and 1.1.5b by showing the use of protocols in the network environment. Testing requires verification that all used services, protocols and ports have a business need. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: Run investigations for Network Service Summary and Network Connection Summary.
  Notes / keys for compliance: When run as investigations for short time frames we were able to successfully capture protocols, ports and IPs.

1.1.6 Periodic review of firewall/router rule sets.
  How LogRhythm supports compliance: Reporting facilitates easy and independent review of firewall and router operation. Reports can be generated that show actual traffic allowed and denied by firewall and router rule sets. PCI requires verification at least every six months. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: Run investigations for Network Service Summary and Network Connection Summary.
  Notes / keys for compliance: When run as investigations for short time frames we were able to successfully capture allowed and denied network traffic.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
  How LogRhythm supports compliance: Verification that inbound and outbound traffic is properly controlled (limited and/or denied) for the cardholder data environment. LogRhythm detects and alerts on inbound internet activity within the cardholder data environment, providing verification of proper network activity and of the presence of improper network activity.
  Test procedure: Run investigations for the Network Connection Summary report.
  Notes / keys for compliance: The LR appliance can alert and notify on inbound and outbound traffic.

1.2.2 Verify router configurations are secure and synchronized.
  How LogRhythm supports compliance: LogRhythm identifies synchronization events and can be used to verify the proper functioning of routers, firewalls, or other collaborative network devices. Reports provide a consolidated review of internal/external activity and threats. Example reports: Firewall And Router Policy Synchronization.
  Test procedure: Unable to perform this test. Firewall synchronization was not configured in this lab environment. Observation of vendor reports and demonstration was used for validation.
  Notes / keys for compliance: Unable to test this feature in the lab environment. Vendor observation was used for validation.

1.3.2 Limit inbound internet traffic to IP addresses within the DMZ.
  How LogRhythm supports compliance: LogRhythm detects and alerts on inbound and outbound internet activity not restricted to the DMZ, identifying non-compliant network traffic or attempts to access services inside the DMZ that are not approved for Internet accessibility. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: Run investigations for Network Service Summary and Network Connection Summary.
  Notes / keys for compliance: The LogRhythm appliance can alert and notify on internet traffic anomalies to IP addresses in the DMZ.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
  How LogRhythm supports compliance: LogRhythm can detect and alert on activity where internal addresses are not passed from the Internet into the DMZ. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: Run investigations for Network Service Summary and Network Connection Summary.
  Notes / keys for compliance: The LogRhythm appliance can alert and notify on Internet traffic to the cardholder data environment.

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
  How LogRhythm supports compliance: LogRhythm detects and alerts on any outbound activity not necessary for the payment card environment. Any accesses to IP addresses on unauthorized networks can be quickly identified. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: Run investigations for Network Service Summary and Network Connection Summary.
  Notes / keys for compliance: The LogRhythm appliance can alert and notify on outbound traffic from the cardholder data environment to the Internet.

2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
  How LogRhythm supports compliance: LogRhythm can alarm on detected use of default passwords or known default accounts that should not be used in a secure deployment. Example alarms: Alarm On Default Account Usage; Alarm On Anonymous Or Guest Account Usage.
  Test procedure: Created alarms for Anonymous account usage, sa account usage, Administrator account usage, Guest account usage and Public account usage.
  Notes / keys for compliance: In the lab environment we were able to successfully alert and notify on all default account usage (Admin, Administrator, Guest, and SA accounts). We were also able to alarm on regular account usage. Notifications were obtained via email and through the LogRhythm console.

2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
  How LogRhythm supports compliance: LogRhythm provides a record of all services used and can alarm on the use of non-encrypted protocols. Example investigations: Network Service Summary; Network Connection Summary; Use Of Non-Encrypted Protocols.
  Test procedure: Performed investigations for Network Service Summary and Network Connection Summary. Created alerts for use of non-encrypted connections to cardholder systems.
  Notes / keys for compliance: We were able to successfully capture summary information over short time frames when running investigations for Network Service Summary and Network Connection Summary.

3.6.7 Prevention of unauthorized substitution of cryptographic keys.
  How LogRhythm supports compliance: LogRhythm may alarm on actions that affect specific files or objects, including cryptographic keys. The details of who, when and where a key was altered will be available in real time to the custodian(s). Example reports: File Integrity Monitoring Activity.
  Test procedure: The appliance can, however, alarm on substituted keys.
  Notes / keys for compliance: Unable to test this feature in the lab environment. Observation of vendor demonstration was used for validation.

4.1 Use of strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
  How LogRhythm supports compliance: LogRhythm records which protocols are being used in the cardholder data environment, showing when any unauthorized protocols or unencrypted services are used. In addition, LogRhythm is capable of alarming on conditions where a system observes unencrypted information passed when expecting only encrypted traffic. Example investigations: Network Service Summary; Network Connection Summary.
  Test procedure: This feature has not been tested.
  Notes / keys for compliance: Observation of vendor demonstration was used for validation.

5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
  How LogRhythm supports compliance: LogRhythm detects and alerts on any error conditions originating from anti-virus applications and on when the services are started and stopped, and identifies when new signatures are installed. Alarming can be configured to inform the custodian(s) when any malware is detected inside the cardholder data environment. Example reports: Malware Detected; Anti-Virus Signature Update Report. Example alarms: Alarm On Malware.
  Test procedure: Created a custom report for virus signature updates.
  Notes / keys for compliance: The LR appliance was successfully able to alert on whether an AV client was running and was able to determine whether a client or server had successfully downloaded the latest virus signature database updates.

6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
  How LogRhythm supports compliance: LogRhythm can track and report on when patches are installed on devices, showing which systems have had patching within the past month, or any other time frame as dictated by organizational policy. Example reports: Patches Applied.
  Test procedure: Created server patching reports, workstation patching reports and an LR appliance patching report.
  Notes / keys for compliance: We were able to successfully capture patch update information on Windows operating systems.

6.3 Develop software applications (internal and external, and including web-based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices. Incorporate information security throughout the software development life cycle.
  How LogRhythm supports compliance: LogRhythm provides the logging intelligence that custom-written software needs to be effective. By providing an intelligence system for logs to be sent to, rules can be created to provide proper alarming, reporting, and enhancement of the abilities of any custom application used in the cardholder data environment.
  Test procedure: Captured existing IIS logs via flat file. The LR appliance is capable of capturing custom logs.
  Notes / keys for compliance: Successfully connected existing web server/application logs to the LR appliance.

6.4.2 Separation of duties between development/test and production environments.
  How LogRhythm supports compliance: LogRhythm can report on communications between production and development environments to ensure separation.
  Test procedure: Created alarms for connections traversing test/development and production subnets (IP-based alarm).
  Notes / keys for compliance: Successfully alerted on users/connections attempting to connect from test subnets to production subnets.

6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes.
  How LogRhythm supports compliance: Vulnerabilities outlined in section 6.5 can be detected by real-time examination tools or by using compatible vulnerability scanning systems. Attempts to attack the web applications, such as through a cross-site scripting (XSS) vulnerability, can be alarmed on in real time by LogRhythm. Example reports: Vulnerabilities Detected.
  Test procedure: Scanner integration with LogRhythm was not tested in the lab.
  Notes / keys for compliance: This feature was validated through observation of vendor demonstration.

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; or installing a web-application firewall in front of public-facing web applications.
  How LogRhythm supports compliance: LogRhythm can address either solution by working in conjunction with web exploit detection systems, such as intrusion detection systems, web-application firewalls, stateful inspection firewalls, web servers, and other log sources, to analyze detected potential abuses as well as provide a way to investigate suspected breaches. Example reports: Suspicious Activity by User; Top Targeted Hosts; Suspicious Activity by Host; Top Targeted Applications; Top Suspicious Users; Vulnerabilities Detected.
  Test procedure: Scanner integration with LogRhythm was not tested in the lab.
  Notes / keys for compliance: This feature was validated through observation of vendor demonstration.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
  How LogRhythm supports compliance: Access to cardholder data can be monitored by the custodian(s) of the data in real time by collecting access control system data. Account creation, privilege assignment and revocation, and object access can be validated using LogRhythm. Example reports: Host Authentication Summary; Disabled Accounts Summary; Applications Accessed by User; Removed Account Summary.
  Test procedure: Test performed with alerts, reports, and investigations.
  Notes / keys for compliance: The LR appliance was able to successfully track accounts and components that access the cardholder environment.

8.1 Assign all users a unique ID before allowing them access to system components or cardholder data.
  How LogRhythm supports compliance: Account creation can be monitored through reporting and investigations of logs pertaining to the creation and modification of accounts. Accounts that have more than one user may be identified through investigations of frequent and/or suspicious login activities. Example reports: Account Creation Activity; Account Modification Activity.
  Test procedure: Set up reports and investigations to review the creation of unique IDs.
  Notes / keys for compliance: LR can report on and monitor the creation of unique IDs.

Page 15: TechnicaL assessmenT - LogRhythm · Security Assessor (QSA) company, to provide an independent compliance validation of LogRhythm’s log and event management system. The Company’s

Page 15Copyright 2011, Coalfire Systems Inc.

TECHNICAL ASSESSMENT: LogRhythm

Pci RequiRemenT hoW LogRhyThm suPPoRTs comPLiance TesT PRoceduRe

8.5.1Controladdition,deletionandmodificationofuserIDs,Credentialsandotheridentifierobjects.

noTes / keys foR comPLiance

Accountmodificationcanbemonitoredthroughreportingandinvestigationsoflogspertainingtothecreationandmodificationofaccounts.Example Reports:•AccountCreationActivity•AccountModificationActivity

Createdcustomalarmsforaccountmodification,creation,anddeletion.

TheLRappliancewasabletosuccessfullyalertandnotifyonallactivities.TheLRappliancealsoprovidedaccurateaudittrailfortheseevents.

8.5.4Immediatelyrevokeaccessforanyterminatedusers.

AccountmodificationcanbemonitoredthroughreportingandinvestigationsoflogspertainingtothecreationandmodificationofaccountsExample Reports:•DisabledAccountsSummary.(Report/Alarm)

•RemovedAccountSummary(Alarm/Report)

Createdcustomeralarmnotificationsforterminatedaccounts.

Wewereabletoreportandinvestigatetheterminationofusersviatheconsole.

8.5.5 Remove or disable inactive user accounts at least every 90 days.

How LogRhythm supports compliance: Account modification can be monitored through reporting and investigations of logs pertaining to the creation and modification of accounts.
Example Reports:
• Disabled Accounts Summary (Report/Alarm)
• Removed Account Summary (Alarm/Report)

Test procedure: Terminated user report. Inactive user report.

Notes / keys for compliance: The LR appliance could report on terminated user accounts and disabled user accounts.

8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed.

How LogRhythm supports compliance: Account modification can be monitored through reporting and investigations of logs pertaining to the creation and modification of accounts.
Example Reports:
• Disabled Accounts Summary (Report/Alarm)
• Removed Account Summary (Alarm/Report)
• Inactive Users (Report/Alarm)

Test procedure: LR appliance alarm on account usage. User account summary report. Disabled user account summary report.

Notes / keys for compliance: LR appliances were able to track and monitor vendor accounts via tail, investigations and reports.

8.5.8 Do not use group, shared or generic accounts and passwords.

How LogRhythm supports compliance:
• Alarm on generic user IDs.
• Alarm on default or shared administration activities.
• Alarm that shared or generic user IDs are not used to administer any system components.

Test procedure: Created alarm on default user accounts:
• Administrator
• Admin
• Guest
• SA
• Network Administrator accounts

Notes / keys for compliance: The LR appliance can successfully track, monitor and report on any type of account usage via investigations or reports.

8.5.9 Change user passwords every 90 days.

How LogRhythm supports compliance:
• Report on user account modification.
• Password change every 90 days.

Test procedure: Report on password change (account modification) via user.

Notes / keys for compliance: LR was able to successfully report and monitor password changes from any type of user.
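The 8.1 and 8.5.x rows above describe the account-hygiene alarms as reports and rules over account and logon events. The following is an added example, not LogRhythm's own code or rules, showing those rules written out explicitly: a logon with a default or shared account name (8.5.8), one account logging on from two different addresses in a short window (the 8.1 "more than one user" heuristic), and accounts with no activity for more than 90 days (8.5.5). The events, host names and addresses are constructed for the example; the Windows event IDs are the standard ones (4720 created, 4624 logon, 4725 disabled).

```python
"""Account-hygiene alarms over constructed account/logon events.

Added example, not LogRhythm's own code: it expresses the alarms and reports
used in the 8.1 and 8.5.x rows (unique IDs, inactive accounts, default and
shared accounts) as plain rules over a list of already-normalized events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows security event IDs used by the rules below.
CREATED, LOGON, DISABLED = 4720, 4624, 4725

# Default/shared account names the assessors alarmed on (8.5.8); matched
# case-insensitively because Windows account names are.
DEFAULT_ACCOUNTS = {"administrator", "admin", "guest", "sa", "networkadministrator"}
INACTIVITY_LIMIT = timedelta(days=90)

# Constructed sample events (not data from the assessment); hosts are hypothetical.
EVENTS = [
    {"ts": "2011-01-03T09:12:00", "id": CREATED, "user": "jsmith",        "host": "DC01",    "src": "10.1.1.5"},
    {"ts": "2011-01-03T09:15:00", "id": LOGON,   "user": "jsmith",        "host": "DC01",    "src": "10.1.1.5"},
    {"ts": "2011-01-10T08:00:00", "id": CREATED, "user": "vendor-svc",    "host": "DC01",    "src": "10.1.1.5"},
    {"ts": "2011-01-10T08:05:00", "id": LOGON,   "user": "vendor-svc",    "host": "DMZWEB1", "src": "203.0.113.7"},
    {"ts": "2011-05-02T14:00:00", "id": LOGON,   "user": "Administrator", "host": "DMZWEB1", "src": "10.1.1.9"},
    {"ts": "2011-05-02T14:03:00", "id": LOGON,   "user": "jsmith",        "host": "DC01",    "src": "10.1.1.5"},
    {"ts": "2011-05-02T14:04:00", "id": LOGON,   "user": "jsmith",        "host": "APP01",   "src": "10.1.1.22"},
    {"ts": "2011-05-02T15:00:00", "id": LOGON,   "user": "sa",            "host": "SQL01",   "src": "10.1.1.9"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def default_account_alarms(events):
    """8.5.8: each successful logon with a default or shared account name."""
    return [(e["ts"], e["user"], e["host"], e["src"])
            for e in events
            if e["id"] == LOGON and e["user"].lower() in DEFAULT_ACCOUNTS]


def shared_account_suspects(events, window_minutes=10):
    """8.1 heuristic: one account logging on from two different source
    addresses inside the window suggests the credential is shared."""
    window = timedelta(minutes=window_minutes)
    logons = defaultdict(list)
    for e in events:
        if e["id"] == LOGON:
            logons[e["user"]].append((parse_ts(e["ts"]), e["src"]))
    suspects = set()
    for user, entries in logons.items():
        entries.sort()
        for i, (t0, src0) in enumerate(entries):
            for t1, src1 in entries[i + 1:]:
                if t1 - t0 > window:
                    break
                if src1 != src0:
                    suspects.add(user)
    return sorted(suspects)


def inactive_accounts(events, as_of):
    """8.5.5: accounts never disabled whose last logon (or creation, if they
    never logged on) is more than 90 days before `as_of`."""
    last_seen, disabled = {}, set()
    for e in events:
        if e["id"] in (CREATED, LOGON):
            t = parse_ts(e["ts"])
            last_seen[e["user"]] = max(last_seen.get(e["user"], t), t)
        elif e["id"] == DISABLED:
            disabled.add(e["user"])
    return sorted(u for u, t in last_seen.items()
                  if u not in disabled and as_of - t > INACTIVITY_LIMIT)


if __name__ == "__main__":
    now = parse_ts("2011-05-02T16:00:00")
    print("default-account logons:", default_account_alarms(EVENTS))
    print("possibly shared:", shared_account_suspects(EVENTS))
    print("inactive > 90 days:", inactive_accounts(EVENTS, now))
```

On the constructed data the default-account rule fires on the Administrator and sa logons, jsmith is flagged as possibly shared (two addresses one minute apart), and vendor-svc is the only account past the 90-day limit. The shared-account heuristic is deliberately conservative: it needs a short window, since the same person legitimately moves between workstations over a day.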

10.2 Implement automated audit trails for all system components to reconstruct PCI standard specified events.

How LogRhythm supports compliance: LogRhythm's core capabilities are centralization and proper management of log data that comprises the majority of the audit trail. Reports can be produced to show all audit activity from account creation, through account activity, to account removal. Support for reporting on log data from custom applications containing portions of the audit trail is easily achieved using LogRhythm's built-in rule building tools.
Example Reports:
• Account Creation Activity
• User Authentication Summary
• User Access Summary
• Account Modification

Test procedure: Set up correlated events across multiple device types. Constructed a few audit scenarios for this test.

Notes / keys for compliance: The LR appliance is able to successfully reconstruct audit trails across multiple device types. We were able to track the path of an incoming transaction from firewall to switches to DMZ to server events.
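The 10.2 test above followed one incoming transaction from the firewall through the switches and the DMZ to an internal server. The block below is an added example, not LogRhythm's own correlation engine, of how such a path is reconstructed from already-normalized events: it pivots on the source address and, at each hop, also accepts events whose source is the destination of a previous hop, so the trail continues past the DMZ web server where the client address disappears. The tier names, hosts and addresses are constructed.

```python
"""Reconstructing one transaction's path across device tiers.

Added example, not LogRhythm's own code: it shows the kind of correlation the
10.2 test exercised (firewall -> switch -> DMZ -> internal server) as a key
pivot over already-normalized events. Tiers, hosts and addresses are
constructed for the example.
"""
from datetime import datetime, timedelta

EXPECTED_TIERS = ("firewall", "switch", "dmz-web", "server")

# Constructed events from four tiers. The DMZ web server (192.0.2.10) talks to
# the internal app server on the client's behalf, so the key changes at that hop.
EVENTS = [
    {"ts": "2011-04-11T10:00:01", "tier": "firewall", "host": "FW1",     "src": "198.51.100.23", "dst": "192.0.2.10", "msg": "accept tcp/443"},
    {"ts": "2011-04-11T10:00:01", "tier": "switch",   "host": "SW-DMZ",  "src": "198.51.100.23", "dst": "192.0.2.10", "msg": "acl permit"},
    {"ts": "2011-04-11T10:00:02", "tier": "dmz-web",  "host": "DMZWEB1", "src": "198.51.100.23", "dst": "192.0.2.10", "msg": "POST /checkout 200"},
    {"ts": "2011-04-11T10:00:02", "tier": "server",   "host": "APP01",   "src": "192.0.2.10",    "dst": "10.1.1.40",  "msg": "order created user=jsmith"},
    {"ts": "2011-04-11T10:00:03", "tier": "firewall", "host": "FW1",     "src": "203.0.113.7",   "dst": "192.0.2.10", "msg": "deny tcp/22"},
    {"ts": "2011-04-11T10:20:00", "tier": "server",   "host": "APP01",   "src": "192.0.2.10",    "dst": "10.1.1.40",  "msg": "health check"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def reconstruct_path(events, client_ip, window_seconds=30):
    """Follow a client's transaction through the tiers.

    Starting from the client address, every event whose source is a known key
    is attached to the path and its destination becomes a new key, so the path
    continues through hops where the source address changes (DMZ -> internal).
    The window is anchored at the first matching event so that unrelated later
    traffic from the same internal hosts (e.g. health checks) stays out.
    """
    window = timedelta(seconds=window_seconds)
    keys = {client_ip}
    path, start = [], None
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):  # stable: same-second order kept
        t = parse_ts(e["ts"])
        if start is not None and t - start > window:
            break
        if e["src"] in keys:
            if start is None:
                start = t
            path.append(e)
            keys.add(e["dst"])
    return path


def missing_tiers(path, expected=EXPECTED_TIERS):
    """Tiers with no event in the reconstructed path: a gap in the audit trail."""
    seen = {e["tier"] for e in path}
    return [tier for tier in expected if tier not in seen]


if __name__ == "__main__":
    for ip in ("198.51.100.23", "203.0.113.7"):
        path = reconstruct_path(EVENTS, ip)
        print(ip, "->", [e["host"] for e in path], "missing:", missing_tiers(path))
```

The accepted checkout is traced through all four tiers, while the denied SSH attempt from the second address yields only the firewall event and three missing tiers, which is exactly what an assessor expects to see for blocked traffic. Pivoting on addresses alone is coarse (any event from the web server inside the window would be attached), so in practice the pivot key should also include a session or request identifier where the application logs one.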

10.2.4 Implement automated audit trails for all system components to reconstruct all invalid logical access attempts.

How LogRhythm supports compliance: LogRhythm identifies failed access and authentication attempts for enterprise networked devices. LogRhythm automates the process of identifying high-risk activity and prioritizes based on asset risk. High-risk activity can be monitored in real time or alerted on. LogRhythm reports provide easy and standard review of inappropriate, unusual, and suspicious activity.
Example Reports:
• Disabled Accounts Summary
• Removed Account Summary
• Audit Exceptions Event Summary
• User Object Access Summary
• Failed Host Access By User
• Failed Application Access By User

Test procedure: Created reports/tail/investigations for:
• Disabled Accounts Summary (Report)
• Removed Account Summary
• Audit Exceptions Event Summary
• User Object Access Summary
• Failed Host Access by User
• Failed Application Access by User

Notes / keys for compliance: LR was able to track, monitor and report via automated audit trails for all system components to reconstruct all invalid logical access attempts.

10.3 Record user identification, type of event, date and time, success or failure, origination and identity of affected data or system for each audit trail entry.

How LogRhythm supports compliance: LogRhythm timestamps and classifies each event received to match this requirement, as well as extracting useful information such as user identification, IP addresses and host names, objects accessed, vendor message IDs, amounts affected (bytes, monetary values, quantities, durations), affected applications and other details useful for forensic investigation of the audit logs.

Test procedure: Throughout the auditing of the LR appliance, constant checking of timestamps and user information was carried out.

Notes / keys for compliance: The LR appliance was able to successfully capture timestamp and user account information for each audit trail entry.

10.4 Synchronize all critical system clocks and times.

How LogRhythm supports compliance: Many environments cannot synchronize system clocks to a single time standard, so LogRhythm independently synchronizes the timestamps of all collected log entries, ensuring that all log data is time-stamped to a standard time regardless of the time zone and clock settings of the logging hosts.

Test procedure: Verified system timestamp of all logs.

Notes / keys for compliance: LogRhythm automatically synchronizes all timestamps throughout the logging environment.
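Rows 10.3 and 10.4 describe two things a collector has to do to every raw line: extract the required audit fields (user, event type, time, outcome, origin, affected system) and put the timestamp on one standard clock regardless of the source host's zone. The following is an added example, not LogRhythm's own parser, that does both for two constructed line formats: an sshd syslog line that carries its own UTC offset, and a Windows-style CSV export whose clock is in a per-host configured zone. The host names, offsets and lines are constructed; the regular expressions are specific to these sample formats.

```python
"""Normalizing raw log lines into audit-trail entries on a standard clock.

Added example, not LogRhythm's own parser: it turns two constructed line
formats into records carrying the PCI DSS 10.3 fields, with every timestamp
converted to UTC as the 10.4 row describes. Hosts, offsets and lines are
constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Clock offsets (hours from UTC) for sources whose lines carry no zone.
# Constructed; in a collector this comes from per-host configuration.
HOST_UTC_OFFSET_HOURS = {"DC01": -6, "SQL01": -6}

# Constructed sample lines.
RAW_LINES = [
    "2011-04-11T10:00:02-06:00 DMZWEB1 sshd[1234]: Failed password for jsmith from 203.0.113.7 port 5222 ssh2",
    "04/11/2011 10:00:05 AM,DC01,4624,Success,jsmith,10.1.1.5",
    "04/11/2011 10:00:09 AM,SQL01,4625,Failure,sa,10.1.1.9",
    "this line matches no known format",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WINDOWS_OUTCOME = {"4624": "success", "4625": "failure"}


@dataclass
class AuditRecord:
    """The per-entry fields 10.3 asks for, plus the raw line for forensics."""
    user: str
    event_type: str
    timestamp_utc: datetime
    outcome: str
    origin: str      # source address of the activity
    target: str      # host/system affected
    raw: str


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    s = SSHD_RE.match(m["msg"])
    if not s:
        return None
    # fromisoformat honours the "-06:00" suffix, so the zone travels with the line.
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    outcome = "failure" if s["result"] == "Failed" else "success"
    return AuditRecord(s["user"], "auth." + outcome, ts, outcome, s["src"], m["host"], line)


def parse_windows_csv(line):
    parts = line.split(",")
    if len(parts) != 6 or parts[2] not in WINDOWS_OUTCOME:
        return None
    stamp, host, event_id, _, user, src = parts
    if host not in HOST_UTC_OFFSET_HOURS:
        return None  # unknown clock: refuse to guess a zone
    local = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
    zone = timezone(timedelta(hours=HOST_UTC_OFFSET_HOURS[host]))
    ts = local.replace(tzinfo=zone).astimezone(timezone.utc)
    outcome = WINDOWS_OUTCOME[event_id]
    return AuditRecord(user, "auth." + outcome, ts, outcome, src, host, line)


def normalize(lines):
    """Returns (records, unparsed). Unparsed lines are kept, never dropped silently."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_syslog(line) or parse_windows_csv(line)
        if rec:
            records.append(rec)
        else:
            unparsed.append(line)
    return records, unparsed


def missing_fields(rec):
    """10.3 completeness check: names of required fields that are empty."""
    return [f for f in ("user", "event_type", "timestamp_utc", "outcome", "origin", "target")
            if not getattr(rec, f)]


if __name__ == "__main__":
    records, unparsed = normalize(RAW_LINES)
    for r in records:
        print(r.timestamp_utc.isoformat(), r.event_type, r.user, r.origin, "->", r.target)
    print("unparsed:", unparsed)
```

Both 10:00 local events land at 16:00 UTC, so a failed SSH logon on the DMZ host and a logon on the domain controller three seconds later sort correctly even though the hosts log in different formats. Two design points matter for an audit trail: a source whose zone is unknown is rejected rather than assumed, and unparsed lines are returned to the caller so a gap in coverage is visible instead of silently lost.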

10.5.1 Limit viewing of all audit trails to those with a job-related need.

How LogRhythm supports compliance: LogRhythm includes discretionary access controls allowing you to restrict the viewing of audit logs to individuals based on their role and need-to-know.

Test procedure: Created user roles and tested for the ability to view/manipulate log information and features.

Notes / keys for compliance: The LR appliance console was able to successfully limit which users can see which data. The role-based permissions also limited the ability to change configuration settings on the LR appliances.

10.5.2 Protect audit trail files from unauthorized modifications.

How LogRhythm supports compliance: Using LogRhythm helps ensure audit trails are protected from unauthorized modification. LogRhythm collects logs immediately after they are generated and stores them in a secure repository. LogRhythm servers utilize access controls at the operating system and application level to ensure that log data cannot be modified or deleted.

Test procedure: LR appliances can alert and notify on any user looking to manipulate logs, log sources and LR appliances. Administrators with access will alert and notify

Notes / keys for compliance: LR appliances were able to successfully back up (does this function in real time?). The appliance is also very capable of offline encrypted storage of logs.

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

How LogRhythm supports compliance: LogRhythm automatically collects audit trails and stores them in a central and secure repository. When a log is collected, it is stored in a database for analysis and reporting, and a copy is written to an archive file. The archive copy of the log also serves as a backup. Archive files can be written to SAN, NAS, or another central location, providing for additional redundancy. Segregation can be performed by allowing only log traffic to pass through LogRhythm via a firewall, filter control on a router, or configuring the LogRhythm appliance's firewall to reject unanticipated connections.

Test procedure: This function is performed automatically. There are two copies of the event data stored on the LM and EM appliances. Further archiving to a SAN or NAS must be configured and an encryption key must be established.

Notes / keys for compliance: LR appliances create a backup copy of logs once presented to the LR appliance storage. Verify that all audit data is promptly backed up to a centralized log server or protected storage media.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

How LogRhythm supports compliance: LogRhythm includes an integrated file integrity monitoring capability that ensures our collection infrastructure is not tampered with. Additionally, LogRhythm servers utilize access controls at the operating system and application level to ensure log data cannot be modified or deleted. Alerts are customizable to prevent or allow alarms on a case-by-case basis, including not causing an alert when new data is added.

Test procedure: Configured file integrity monitoring on the source log host and on the LR LM and EM appliances.

Notes / keys for compliance: The LR appliance was able to detect manipulation or access of logs on the LM, EM and source host logs using file integrity monitoring. From the console, administrators can exclude the activity from the service account capturing the event information.
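The edge case in 10.5.5 is that a log file grows legitimately all day, so ordinary whole-file hashing would alarm on every append. The block below is an added example, not LogRhythm's FIM agent, of an append-aware check: the baseline records the file size and the digest of the bytes present at that moment, and each check re-hashes only that prefix, so new data at the end is reported as growth (no alert) while any change to bytes that already existed, truncation, or deletion raises an alert. File names in the demo are constructed temporary files.

```python
"""Append-aware file integrity monitoring for log files.

Added example, not LogRhythm's FIM agent: it implements the 10.5.5 distinction
between legitimate growth of a log (no alert) and alteration of bytes that
were already present (alert). A baseline records the file size and the digest
of the bytes present at baseline time; a check re-hashes only that prefix.
"""
import hashlib
import os
import tempfile

ALERTING = {"deleted", "truncated", "modified"}


def fingerprint(data, length=None):
    """SHA-256 of the whole buffer, or of its first `length` bytes."""
    return hashlib.sha256(data if length is None else data[:length]).hexdigest()


def baseline_bytes(data):
    return {"size": len(data), "digest": fingerprint(data)}


def check_bytes(data, base):
    """Classify current contents against a baseline. `None` means the file is gone."""
    if data is None:
        return "deleted"
    if len(data) < base["size"]:
        return "truncated"
    if fingerprint(data, base["size"]) != base["digest"]:
        return "modified"
    return "appended" if len(data) > base["size"] else "unchanged"


def read_or_none(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None


def baseline_file(path):
    return baseline_bytes(read_or_none(path) or b"")


def check_file(path, base):
    """Returns (status, alert, next_baseline). After a clean append the baseline
    rolls forward so the new tail is protected from the next check onward."""
    data = read_or_none(path)
    status = check_bytes(data, base)
    next_base = baseline_bytes(data) if status == "appended" else base
    return status, status in ALERTING, next_base


def demo():
    """Walk a temporary log through no change, append, in-place edit and deletion."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "audit.log")
    statuses = []
    try:
        with open(path, "wb") as f:
            f.write(b"10:00:01 user=jsmith action=login result=success\n")
        base = baseline_file(path)
        for change in ("none", "append", "rewrite", "delete"):
            if change == "append":
                with open(path, "ab") as f:
                    f.write(b"10:00:05 user=jsmith action=view result=success\n")
            elif change == "rewrite":  # tamper with an entry that already existed
                data = read_or_none(path).replace(b"result=success\n", b"result=failure\n", 1)
                with open(path, "wb") as f:
                    f.write(data)
            elif change == "delete":
                os.remove(path)
            status, alert, base = check_file(path, base)
            statuses.append(status)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(workdir)
    return statuses


if __name__ == "__main__":
    print(demo())
```

The rewrite step swaps one existing entry for another of the same length, so a size-only check would miss it; the prefix digest catches it. Rolling the baseline forward only after a clean append is what keeps the window of unprotected bytes to the interval between two checks, which is why the scan frequency discussed under 11.5 matters for log files too.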

10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN.

How LogRhythm supports compliance: LogRhythm can securely collect logs from the entire IT infrastructure, including external-facing technologies, for storage on an internal LAN network where a LogRhythm appliance resides.

Test procedure: Archive log storage from the EM to a storage location on the LAN.

Notes / keys for compliance: The LR appliance was able to successfully store logs to a share on the LAN subnet. The LR appliance was also able to encrypt the data.

10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security log functions like intrusion-detection system (IDS) and authentication, authorization and accounting protocol.

How LogRhythm supports compliance: LogRhythm supplies a one-stop repository from which to review log data from across the entire IT infrastructure. Reports can be generated and distributed automatically on a daily basis. LogRhythm provides an audit trail of who did what within LogRhythm and a report which can be provided to show proof of log data review.
Example Reports:
• LogRhythm Usage Auditing

Test procedure: Created custom and leveraged existing reports for summary of events that require frequent review. Reports can be emailed and/or stored at a configured location on the network.

Notes / keys for compliance: The LR appliances are capable of capturing and presenting relevant data that must be reviewed by administrators on a frequent basis.

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.

How LogRhythm supports compliance: LogRhythm completely automates the process of retaining your audit trail. LogRhythm creates archive files of all collected log entries. These files are organized in a directory structure by day, making it easy to store, back up, and destroy log archives based on your policy.

Test procedure: With existing storage space on the EM and archiving capabilities, the LR appliance is very capable of data retention for many needs. The framework is very flexible for increased storage and offline storage.

Notes / keys for compliance: The LR appliances are capable of handling large amounts of data locally and have the ability to archive encrypted backups of log data for long-term storage.

11.4 Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

How LogRhythm supports compliance: LogRhythm collects logs from network and host based IDS/IPS systems. Its risk-based prioritization and alerting reduce the time and cost associated with monitoring and responding to IDS/IPS alerts. The Personal Dashboard feature can be used to monitor intrusion related activity in real time. A powerful Investigator tool makes forensic search easy and efficient. LogRhythm combined with IDS/IPS is an extremely powerful tool in identifying and responding to intrusion related activity efficiently and accurately.
Example Reports:
• Successful/Failed Host Access by User
• Successful/Failed Application Access by User
• Successful/Failed File Access by User
• Top Attackers
• Multiple Authentication Failures
• Suspicious Activity By User and Host

Test procedure: The LR appliances were configured to capture IPS/IDS logs from another appliance.
• Successful/Failed Host Access by User (Alarm/Report)
• Successful/Failed Application Access by User (Alarm/Report)
• Successful/Failed File Access by User (Report/Alarm)
• Top Attackers
• Multiple Authentication Failures
• Suspicious Activity by User and Host (Report/Alarm)

Notes / keys for compliance: Using reports, investigations and alerts, the LR appliance was able to capture and notify on network intrusions. The audit trail was very helpful to determine the path an intruder had taken and the actions performed.
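Two of the 11.4 items, the Top Attackers report and the Multiple Authentication Failures alarm, are simple enough to write out in full. The block below is an added example, not LogRhythm's own rules: the report is a count of failed authentications per source address, and the alarm is a sliding window per source that fires once when the threshold is reached and then resets, so a burst of failures produces one alarm instead of one per extra failure. The events and addresses are constructed.

```python
"""Multiple-authentication-failure alarm and Top Attackers report.

Added example, not LogRhythm's own rules: it implements two of the 11.4 report
and alarm types over constructed, already-normalized authentication events.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: one external source failing in a tight burst, one spread
# out slowly, and an internal host with a couple of mistyped passwords.
EVENTS = (
    [{"ts": f"2011-04-11T10:00:{s:02d}", "src": "203.0.113.7", "user": u, "outcome": "failure"}
     for s, u in zip(range(0, 60, 10), ["root", "admin", "sa", "jsmith", "guest", "test"])]
    + [{"ts": f"2011-04-11T09:{m:02d}:00", "src": "198.51.100.23", "user": "admin", "outcome": "failure"}
       for m in (0, 8, 16, 24, 32)]
    + [{"ts": "2011-04-11T10:05:00", "src": "10.1.1.9", "user": "jsmith", "outcome": "failure"},
       {"ts": "2011-04-11T10:30:00", "src": "10.1.1.9", "user": "jsmith", "outcome": "failure"},
       {"ts": "2011-04-11T10:31:00", "src": "10.1.1.9", "user": "jsmith", "outcome": "success"}]
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def top_attackers(events, n=10):
    """Source addresses ranked by number of failed authentications."""
    counts = Counter(e["src"] for e in events if e["outcome"] == "failure")
    return counts.most_common(n)


def multiple_failure_alarms(events, threshold=5, window_minutes=5):
    """Fire once when a source accumulates `threshold` failures inside the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # per source: (time, user) of failures still in the window
    alarms = []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["outcome"] != "failure":
            continue
        t, q = parse_ts(e["ts"]), recent[e["src"]]
        q.append((t, e["user"]))
        while q and t - q[0][0] > window:
            q.popleft()               # slide the window forward
        if len(q) >= threshold:
            alarms.append({"src": e["src"], "first": q[0][0], "last": t,
                           "count": len(q), "users": sorted({u for _, u in q})})
            q.clear()                 # reset so one burst yields one alarm
    return alarms


if __name__ == "__main__":
    print("top attackers:", top_attackers(EVENTS))
    for a in multiple_failure_alarms(EVENTS):
        print(f"ALARM {a['src']}: {a['count']} failures {a['first']} .. {a['last']} users={a['users']}")
```

The burst source triggers one alarm naming the five accounts tried, while the slow source, with five failures spread over half an hour, never has five inside one five-minute window and only appears in the report ranking. That gap is the usual trade-off with threshold alarms: the report catches what the alarm's window misses, which is why 11.4 lists both.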

11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

How LogRhythm supports compliance: LogRhythm agents include an integrated file integrity monitoring capability which can be used to detect and alert on the following for any file or directory: reads, modifications, deletions, and permission changes. This capability is completely automated. How often files are scanned is configurable; files can be scanned at user-defined frequencies such as every 5 minutes or once a night.
Example Reports:
• File Integrity Monitoring Activity

Test procedure: Configured File Integrity Monitoring of source host logs and local logs. Created alert and alarm for any usage. Ran file integrity monitoring activity report.

Notes / keys for compliance: Ran file integrity monitoring activity report and found the LR appliance was able to successfully detect access or attempted manipulation of logs.

12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.

How LogRhythm supports compliance: LogRhythm provides a centralized management system capable of alarming, reporting and investigating security breaches to the network. LogRhythm supports an incident response plan by providing the real-time enterprise detection intelligence to address issues quickly to prevent damage and exposure.
Example Alarms:
• Alarm On Attack
• Alarm On Compromise
• Alarm On Malware

Test procedure: LR does not provide an incident response plan but the appliance does assist with creating a framework for capturing audit trails and notifications.

Notes / keys for compliance: LR does not provide an incident response plan but the appliance does assist with creating a framework for capturing audit trails and notifications. Tested throughout the entire assessment.