If you’re dealing with any form of payment card data, starting on January 2015, security audits will need to prove PCI 3.0 compliance. Banks, card brands and regulators are stepping up action in the face of recent significant breaches in name brand companies. If you are running the unsupported open source agent for event logging, you will most likely fail your audit as they do not address several key aspects of the PCI DSS V3.0 audit requirements:
1. There is no technical, product, vendor or customer support – i.e. you are on an unsupported security tool/platform.
2. More than half of the critical event log data is in the custom event logs which are not processed by the open source agents, allowing forensic evidence to be lost.**
3. Best Practices, such as event data encryption, TCP protocols and caching in case of network outages or spikes, are not available.
To take a crucial step towards compliance, we encourage you to try the Snare Enterprise Agents, which are used by the world’s leading organizations and enterprises in finance, defense, e-commerce and retail.
Snare Enterprise Agents assist with PCI DSS compliance by collecting all applicable event logs out-of-the-Box. To learn how the Snare Enterprise agent is used to address PCI, click on PCI DSS Best Practices with Snare Enterprise Agents.
For Snare Server, sample PCI objectives may be loaded. To do this go to SYSTEM\Administrative Tools\Snare Server Configuration Wizard\ and navigate to the section on additional objectives near the bottom of the list. Select the last option which will import from the local system. Once loaded you will now have the extra objectives in the Reports Menu under Compliance Pack, in there are: NISPOM, SOX and PCI. From there you can copy/clone these objectives and customise to suit your needs.
** Warning about Open Source logging: You risk missing more than half of your critical logs
The Open Source agents will not stand up to compliance or auditing standards (e.g. PCI), with more than half of the critical logs not being captured, including privileged user activity, system and Group Policy changes, dhcp logs, system time changes, host firewall policy changes and access logs, terminal service access, and print logs, just to name a few. Therefore, using open source versions will risk failing audits and will not be able to detect all serious malicious attacks or unauthorized changes on your systems. This can lead to loss of customer data, major brand damage and significant financial penalties depending upon which standard has been failed and the degree of damage caused. There are approximately 70 system event logs which you will not collect details from.