WHITE PAPER

PCI and PA DSS Compliance with LogRhythm

April 2011
WHITE PAPER
Complying with PCI

PCI and PA DSS Compliance Assurance with LogRhythm

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder
data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS applies
to all organizations that store, process or transmit cardholder data, and every such organization must be PCI compliant.
The Payment Application Data Security Standard (PA DSS) is derived from PCI DSS, and its individual requirements
align with PCI DSS requirements.
PCI DSS is enforced by the founding members of the PCI Security Standards Council: American Express, Discover
Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The first PCI DSS standard consolidated
the results of several independent card-brand data protection programs. The Council is an open global forum for the
ongoing development, enhancement, storage, dissemination and implementation of security standards for account data
protection. The first PCI DSS standard was released on December 15, 2004 and its latest revision (version 2.0) was
released on October 28, 2010. LogRhythm is a participating organization in the PCI Security Standards Council and,
as such, works with the Council to evolve the PCI Data Security Standard (DSS) and other payment card data
protection standards.
The collection, management, and analysis of log data are integral to meeting PCI audit requirements. IT environments
include many heterogeneous devices, systems, and applications that all report log data. Millions of individual log
entries can be generated daily, if not hourly. The task of simply assembling this information can be overwhelming in
itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown
remedies inadequate and costly.
LogRhythm has extensive experience in helping organizations improve their overall security and compliance posture
while reducing costs. Log collection, archive, and recovery are fully automated across the entire IT infrastructure.
LogRhythm automatically performs log data categorization, identification, and normalization to facilitate easy analysis
and reporting. LogRhythm's best-of-breed log management capabilities enable automatic identification of the most
critical events and notification of relevant personnel through its Alarming capabilities.

[Figure: The Six Domains of PCI DSS Requirement. Network Security Devices; Protecting Cardholder Data Systems;
Vulnerability Management; Access Control Systems; Monitor and Test Networks; Information Security Policy.]

LogRhythm provides out-of-the-box PCI compliance support. As part of the PCI Compliance Package, enterprise
assets are categorized according to Network Security, Cardholder Data, Vulnerability Management, Access Control,
Network Monitoring and Testing, and Information Security Policy. LogRhythm's PCI DSS Compliance Package can be
used to help meet PA DSS standards as well. LogRhythm's extensive support for both commercial and custom payment
applications enables comprehensive and efficient collection, processing, review and reporting of all log sources
specified in both the PCI and PA data security standards.
To ensure compliance with PCI requirements, information systems and payment applications are monitored in real
time. Investigations, Reports and Alarm Rules are provided, allowing for immediate notification and analysis of
conditions that affect the integrity of the organization's cardholder data. Areas of non-compliance can be identified
in real time. Additional Investigations, Reports and Alarm Rules are provided as part of LogRhythm's standard
Knowledge Base to further augment the usefulness of the log data. Reports can be generated as needed by the PCI
Qualified Security Assessor (QSA) and scheduled to run at pre-determined intervals.


The table below explains how LogRhythm and the PCI Compliance Package address the six sections of the standard:

PCI Section and Purpose | LogRhythm Compliance Support

Build and Maintain a Secure Network: LogRhythm supports most popular firewall products and associated network
protection systems such as intrusion prevention systems, unified threat managers, and content inspection systems.
This section also requires the removal of default passwords and the secure deployment of equipment in the
organization. LogRhythm monitors for insecure configuration such as use of default passwords, and alarms when it
is detected.

Protect Cardholder Data: LogRhythm monitors for proper operation and for configuration changes that may jeopardize
the security of cardholder data. Alarms identify suspicious network activity in real time.

Maintain a Vulnerability Management Program: Anti-virus software can be monitored for proper signature updates.
Malicious software is centrally reported. Investigations can be launched to identify activities related to malware
infections in order to assess exposure and support incident handling and response. Vulnerabilities detected by
scanning systems are collected in real time, allowing faster awareness than spot-check vulnerability assessments.

Implement Strong Access Control Measures: Access to cardholder systems and data, changes in permissions and access
rights, and suspicious behavior are all collected in real time by LogRhythm. Investigations can be rapidly performed
for any suspected abuse or compromise of PCI DSS protected data. Shared account usage can be easily spotted, as can
after-hours access or unusual account access frequency. Access successes and failures for systems, applications, and
objects are collected and processed by LogRhythm.

Regularly Monitor and Test Networks: LogRhythm establishes the automated audit trail for all system components as
mandated by PCI DSS Requirements 10.2-10.7, covering one of the most difficult-to-attain requirements. By converting
this information into useful data, LogRhythm meets both the letter and the spirit of these requirements.

Maintain an Information Security Policy: Most organizations need a security policy that extends into all areas of
the business, and these environments may mirror the PCI standards or use broader frameworks such as COBIT or ISO
27001/27002. LogRhythm supports enterprise-class systems that can be far more diverse than just the organization's
PCI environment and helps demonstrate compliance with other security frameworks and regulations.

The tables on the subsequent pages outline how LogRhythm directly meets requirements of the PCI sections. The
requirements listed come directly from the PCI compliance documents located at the PCI Security Standards Council
web site (http://www.pcisecuritystandards.org). The "How LogRhythm Supports Compliance" column describes the
capabilities LogRhythm provides that will meet, support or augment PCI compliance.


1. Install and maintain a firewall configuration to protect data


LogRhythm collects logs from firewall devices to ensure and validate compliance.

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 1.1.5: Documentation and business justification for use of all services, protocols, and ports allowed,
including documentation of security features implemented for those protocols considered to be insecure.
LogRhythm support: LogRhythm provides monitoring and investigations to perform testing procedures 1.1.5a and 1.1.5b
by showing which protocols are actually in use in the network environment. Testing requires verification that every
service, protocol and port in use has a business need.
Example Investigations:
Network Service Summary
Network Connection Summary

Requirement 1.1.6: Review firewall and router rule sets at least every six months.
LogRhythm support: LogRhythm supports intrusion detection and prevention systems, including Sourcefire, Cisco,
TippingPoint, ISS, McAfee, and others. Events collected from these systems can be analyzed at all boundary points
and correlated against other log sources to provide deep investigations of boundary traffic. Long-term trending and
analysis is achieved with the LogMart database, which can be used to quickly view trended information for days,
weeks and months. The collected events show how the rule sets behave in practice; the six-monthly review of the
rule sets themselves remains a task the organization performs, using this evidence.
Example Reports:
Attacks Detected
Compromises Detected
Top Attackers
Top Targeted Applications
Top Targeted Hosts

Requirement 1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data
environment.
LogRhythm support: Verification that inbound and outbound traffic is properly controlled (limited and/or denied) for
the cardholder data environment. LogRhythm detects and alerts on inbound Internet activity within the cardholder
data environment, providing verification of proper network activity and evidence of improper network activity.

Requirement 1.2.2: Verify that router configuration files are secure and synchronized.
LogRhythm support: LogRhythm identifies synchronization events and can be used to verify the proper functioning of
routers, firewalls, or other cooperating network devices. Reports provide a consolidated review of internal/external
activity and threats.
Example Reports:
Firewall And Router Policy Synchronization

Requirement 1.3.2: Limit inbound Internet traffic to IP addresses within the DMZ.
LogRhythm support: LogRhythm detects and alerts on inbound and outbound Internet activity not restricted to the DMZ,
identifying non-compliant network traffic or attempts to access services inside the DMZ that are not approved for
Internet accessibility.
Example Investigations:
Network Service Summary
Network Connection Summary

Requirement 1.3.3: Do not allow any direct routes inbound or outbound for traffic between the Internet and the
cardholder data environment.
LogRhythm support: LogRhythm can detect and alert on activity where internal addresses are passed from the Internet
into the DMZ, which indicates a direct path between the Internet and the internal network.
Example Investigations:
Network Service Summary
Network Connection Summary

Requirement 1.3.5: Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
LogRhythm support: LogRhythm detects and alerts on any outbound activity not necessary for the payment card
environment. Any access to IP addresses in unauthorized networks can be quickly identified.
Example Investigations:
Network Service Summary
Network Connection Summary


2. Do not use vendor-supplied defaults for system passwords and other security parameters
LogRhythm monitors the network for indications of improper behavior and signs of weak security configuration.

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 2.1: Always change vendor-supplied defaults before installing a system on the network. This includes,
for example, passwords, simple network management protocol (SNMP) community strings, and elimination of
unnecessary accounts.
LogRhythm support: LogRhythm can alarm on detected use of default passwords or known default accounts that should
not be used in a secure deployment. In practice this detection keys on the account names, protocols and community
strings that appear in authentication and SNMP logs; the passwords themselves should never be written to a log.
Example Alarms:
Alarm On Default Account Usage
Alarm On Anonymous Or Guest Account Usage

Requirement 2.3: Encrypt all non-console administrative access using strong cryptography. Use technologies such as
SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
LogRhythm support: LogRhythm provides a record of all services used and can alarm on the use of non-encrypted
protocols (telnet or plain HTTP for administrative access, for example).
Example Investigations:
Network Service Summary
Network Connection Summary
Use Of Non-Encrypted Protocols

3. Protect stored cardholder data


LogRhythm provides monitoring of changes in the cardholder environment and can alarm on changes to security-critical
resources.

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 3.6.7: Prevention of unauthorized substitution of cryptographic keys.
LogRhythm support: LogRhythm can alarm on actions that affect specific files or objects, including cryptographic key
files. The details of who altered a key, and when and where, are available in real time to the key custodian(s).
Example Reports:
File Integrity Monitoring Activity

4. Encrypt transmission of cardholder data across open, public networks


LogRhythm monitors network use to ensure that only the proper protocols are being used in the cardholder data environment.

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 4.1: Use strong cryptography and security protocols such as SSL/TLS or IPsec to safeguard sensitive
cardholder data during transmission over open, public networks.
LogRhythm support: LogRhythm records which protocols are being used in the cardholder data environment, showing
when any unauthorized protocols or unencrypted services are used. In addition, LogRhythm can alarm on conditions
where a system observes unencrypted information passed when only encrypted traffic is expected.
Example Investigations:
Network Service Summary
Network Connection Summary

Requirement 4.1.1: Ensure wireless networks transmitting cardholder data or connected to the cardholder data
environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for
authentication and transmission. Note: the use of WEP as a security control was prohibited as of 30 June 2010.
LogRhythm support: LogRhythm can observe and report on detected wireless networks, identifying wireless access
points that communicate with the cardholder data environment.
Example Reports:
Wireless Access Points


5. Use and regularly update anti-virus software or programs


LogRhythm collects and can alarm on detected malware and compromises in the cardholder data environment.

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 5.2: Ensure that all anti-virus mechanisms are current, actively running, and capable of generating
audit logs.
LogRhythm support: LogRhythm detects and alerts on error conditions originating from anti-virus applications and on
the starting and stopping of their services, and identifies when new signatures are installed. Alarming can be
configured to inform the custodian(s) whenever malware is detected inside the cardholder data environment.
Example Reports:
Malware Detected
Anti-Virus Signature Update Report
Example Alarms:
Alarm On Malware

6. Develop and maintain secure systems and applications

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 6.1: Ensure that all system components and software have the latest vendor-supplied security patches
installed. Install critical security patches within one month of release.
LogRhythm support: LogRhythm can track and report on when patches are installed on devices, showing which systems
have been patched within the past month, or within any other time frame dictated by organizational policy.
Example Reports:
Patches Applied

Requirement 6.3: Develop software applications in accordance with PCI DSS (for example, secure authentication and
logging) and based on industry best practices, and incorporate information security throughout the software
development life cycle.
LogRhythm support: LogRhythm provides log intelligence for custom software. Once a custom application sends its
logs to LogRhythm, rules can be created to alarm and report on that application's activity, extending the
monitoring of any custom application used in the cardholder data environment.

Requirement 6.4.2: Separation of duties between development/test and production environments.
LogRhythm support: LogRhythm can report on communications between production and development environments to
verify separation.

Requirement 6.5: Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in
software development processes.
LogRhythm support: Vulnerabilities outlined in section 6.5 can be detected by real-time examination tools or by
compatible vulnerability scanning systems. Attempts to attack web applications, such as exploitation of a
cross-site scripting (XSS) vulnerability, can be alarmed on in real time by LogRhythm.
Example Reports:
Vulnerabilities Detected

Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis
and ensure these applications are protected against known attacks by either of the following methods: reviewing
public-facing web applications via manual or automated application vulnerability security assessment tools or
methods, at least annually and after any changes; or installing a web-application firewall in front of
public-facing web applications.
LogRhythm support: LogRhythm can support either option by working in conjunction with systems that detect web
exploits, such as intrusion detection systems, web-application firewalls, stateful inspection firewalls, web
servers, and other log sources, to analyze detected potential abuses and provide a way to investigate suspected
breaches.
Example Reports:
Suspicious Activity by User
Suspicious Activity by Host
Top Suspicious Users
Top Targeted Hosts
Top Targeted Applications
Vulnerabilities Detected


7. Restrict access to cardholder data by business need to know


LogRhythm monitors access privilege assignments and suspicious data accesses.

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 7.1: Limit access to system components and cardholder data to only those individuals whose job
requires such access.
LogRhythm support: Access to cardholder data can be monitored by the custodian(s) of the data in real time by
collecting access control system data. Account creation, privilege assignment and revocation, and object access can
be validated using LogRhythm.
Example Reports:
Host Authentication Summary
Applications Accessed by User
Disabled Accounts Summary
Removed Account Summary

8. Assign a unique ID to each person with computer access


LogRhythm helps identify shared account usage in the network, including accounts whose use by more than one person
is not obvious.

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 8.1: Assign all users a unique ID before allowing them to access system components or cardholder data.
LogRhythm support: Account creation can be monitored through reporting and investigations of logs pertaining to the
creation and modification of accounts. Accounts that have more than one user may be identified through
investigations of frequent and/or suspicious login activity, for example one account authenticating from several
source hosts within a short interval.
Example Reports:
Account Creation Activity
Account Modification Activity

10. Track and monitor all access to network resources and cardholder data
LogRhythm automates collection, centralization and monitoring of logs from servers, applications, security and
other devices, significantly reducing the cost of compliance.

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 10.2: Implement automated audit trails for all system components to reconstruct the events specified
by the PCI Standard.
LogRhythm support: LogRhythm's core capabilities are centralization and proper management of audit log data.
Reports can be produced to show all audit activity from account creation, through account activity, to account
removal. Reporting on log data from custom applications that contain portions of the audit trail is easily
achieved using LogRhythm's built-in rule building tools.
Example Reports:
Account Creation Activity
User Authentication Summary
User Access Summary
Account Modification

Requirement 10.2.2: Implement automated audit trails for all system components to reconstruct all actions taken by
any individual with root or administrative privileges.
LogRhythm support: LogRhythm collects all account management activity. LogRhythm reports support policy adherence
by providing an easy-to-review record of all account management activity.
Example Reports:
Account Creation Activity
Account Modification Activity
User Access Summary
Host Access Granted & Revoked


Requirement 10.2.4: Implement automated audit trails for all system components to reconstruct all invalid logical
access attempts.
LogRhythm support: LogRhythm identifies failed access and authentication attempts for enterprise networked devices.
LogRhythm automates the identification of high-risk activity and prioritizes it based on asset risk. High-risk
activity can be monitored in real time or alerted on. LogRhythm reports provide an easy-to-review record of
inappropriate, unusual and suspicious activity.
Example Reports:
Disabled Accounts Summary
Removed Account Summary
Audit Exceptions Event Summary
User Object Access Summary
Failed Host Access By User
Failed Application Access By User

Requirement 10.3: Record user identification, type of event, date and time for each audit trail entry.
LogRhythm support: LogRhythm timestamps and classifies each event received to match this requirement, and extracts
useful information such as user identification, IP addresses and host names, objects accessed, vendor message IDs,
amounts affected (bytes, monetary values, quantities, durations), affected applications and other details useful
for forensic investigation of the audit logs.

Requirement 10.4: Synchronize all critical system clocks and times.
LogRhythm support: Many environments cannot synchronize system clocks to a single time standard, so LogRhythm
independently normalizes the timestamps of all collected log entries, ensuring that all log data is time-stamped
to a standard time regardless of the time zone and clock settings of the logging hosts. Normalization corrects for
time zone and offset differences; it does not detect a host whose clock is simply wrong, so host clocks should
still be synchronized (for example with NTP) and the logged time compared against the time of collection.
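The timestamp normalization described for requirement 10.4 and the shared-account detection described for requirement 8.1, as one added example that is not LogRhythm code. The script parses a handful of constructed syslog-style authentication lines from hosts in three different time zones, converts every timestamp to UTC, orders them on a single timeline, and then flags any user ID that authenticates successfully from several source addresses inside a short window. The line layout, the host names and addresses, the ten-minute window and the two-source threshold are all assumptions made for the example.

```python
"""Added example (not LogRhythm code): normalize log timestamps to UTC
(requirement 10.4) and look for one user ID used from several places at once
(requirement 8.1)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records in an assumed syslog-like layout. The first field
# is the sending host's local time with its UTC offset; the three hosts sit in
# three different zones (UTC-6, UTC+1 and UTC).
SAMPLE_LOGS = [
    "2011-04-05T09:00:12-06:00 pos-db01 sshd: Accepted password for oracle from 10.1.1.20",
    "2011-04-05T16:02:40+01:00 pos-web02 sshd: Accepted password for oracle from 10.1.2.31",
    "2011-04-05T15:04:05Z pos-app03 sshd: Accepted password for oracle from 10.1.3.44",
    "2011-04-05T10:30:00-06:00 pos-db01 sshd: Accepted password for jsmith from 10.1.1.20",
    "2011-04-05T22:45:10-06:00 pos-db01 sshd: Accepted password for jsmith from 10.1.1.20",
    "2011-04-05T08:59:59-06:00 pos-db01 sshd: Failed password for admin from 192.0.2.9",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp that carries an offset and return it in UTC."""
    # datetime.fromisoformat() accepts a trailing "Z" only from Python 3.11 on.
    dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        # Without an offset the time cannot be placed on a common timeline.
        raise ValueError(f"timestamp lacks a UTC offset: {stamp}")
    return dt.astimezone(timezone.utc)


def parse_line(line: str) -> dict:
    """Split one log line into fields and attach its normalized UTC time."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["ts_utc"] = to_utc(rec.pop("ts"))
    return rec


def utc_timeline(lines):
    """Return (utc_iso_time, host, user, result) in true chronological order.
    Sorting on the raw local timestamps would interleave the hosts wrongly."""
    recs = sorted((parse_line(l) for l in lines), key=lambda r: r["ts_utc"])
    return [(r["ts_utc"].isoformat(), r["host"], r["user"], r["result"]) for r in recs]


def shared_account_candidates(lines, window=timedelta(minutes=10), min_sources=2):
    """Map user -> evidence for every user ID that logged in successfully from
    at least `min_sources` distinct source addresses inside any `window`."""
    by_user = defaultdict(list)
    for rec in (parse_line(l) for l in lines):
        if rec["result"] == "Accepted":          # only successful logins count as use
            by_user[rec["user"]].append((rec["ts_utc"], rec["src"], rec["host"]))

    findings = {}
    for user, events in by_user.items():
        events.sort()                            # chronological on normalized UTC time
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            sources = sorted({src for _, src, _ in in_window})
            if len(sources) >= min_sources:
                findings[user] = {
                    "window_start_utc": start.isoformat(),
                    "sources": sources,
                    "targets": sorted({host for _, _, host in in_window}),
                }
                break
    return findings


if __name__ == "__main__":
    for row in utc_timeline(SAMPLE_LOGS):
        print(*row)
    for user, evidence in shared_account_candidates(SAMPLE_LOGS).items():
        print(f"possible shared account {user!r}: {evidence}")
```

Read in local time, the three oracle logins look hours apart (09:00, 16:02 and 15:04); normalized to UTC they fall within four minutes of each other from three different addresses, which is the pattern a unique-ID policy should never produce. The jsmith logins come from one address and are not flagged, and the admin failure is ignored because only successful logins establish use of an account.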

Requirement 10.5.1: Limit viewing of audit trails to those with a job-related need.
LogRhythm support: LogRhythm includes discretionary access controls that restrict the viewing of audit logs to
individuals based on their role and need to know.

Requirement 10.5.2: Protect audit trail files from unauthorized modifications.
LogRhythm support: Using LogRhythm helps ensure audit trails are protected from unauthorized modification. LogRhythm
collects logs immediately after they are generated and stores them in a secure repository. LogRhythm servers use
access controls at the operating system and application level to ensure that log data cannot be modified or deleted.

Requirement 10.5.3: Promptly back up audit trail files to a centralized log server or media that is difficult to
alter.
LogRhythm support: LogRhythm automatically collects audit trails and stores them in a central and secure repository.
When a log is collected, it is stored in a database for analysis and reporting, and a copy is written to an archive
file. The archive copy of the log also serves as a backup. Archive files can be written to SAN, NAS, or another
central location for additional redundancy. The log server can be segregated by allowing only log traffic to reach
LogRhythm, whether through a firewall, a filter on a router, or by configuring the LogRhythm appliance's own
firewall to reject unanticipated connections.

Requirement 10.5.4: Write logs for external-facing technologies onto a log server on the internal LAN.
LogRhythm support: LogRhythm can securely collect logs from the entire IT infrastructure, including external-facing
technologies, for storage on the internal LAN where a LogRhythm appliance resides.


Requirement 10.5.5: Use file-integrity monitoring or change-detection software on logs to ensure that existing log
data cannot be changed without generating alerts (although new data being added should not cause an alert).
LogRhythm support: LogRhythm includes an integrated file integrity monitoring capability that ensures the collection
infrastructure is not tampered with. Additionally, LogRhythm servers use access controls at the operating system
and application level to ensure log data cannot be modified or deleted. Alerts are customizable to suppress or
allow alarms on a case-by-case basis, including not raising an alert when new data is appended to a log.

Requirement 10.6: Review logs for all system components at least daily. Log reviews must include those servers that
perform security functions like intrusion-detection systems (IDS) and authentication, authorization, and
accounting protocol servers.
LogRhythm support: LogRhythm supplies a single repository from which to review log data from across the entire IT
infrastructure. Reports can be generated and distributed automatically on a daily basis. LogRhythm provides an
audit trail of who did what within LogRhythm and a report which can be provided to show proof of log data review.
Example Reports:
LogRhythm Usage Auditing

Requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately
available for analysis (for example, online, archived, or restorable from backup).
LogRhythm support: LogRhythm automates the retention of the audit trail. LogRhythm creates archive files of all
collected log entries. These files are organized in a directory structure by day, making it easy to store, back
up, and destroy log archives according to your retention policy.
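The day-by-day archive layout described for requirement 10.7, as an added example that is not LogRhythm code: given the directory names under an archive root and today's date, the function sorts each day into the set that must stay online (three months, taken here as 90 days), the set that may move to slower offline storage but must still be kept (one year, 365 days), and the set whose retention has expired. The YYYY/MM/DD naming, the day counts and the sample listing are assumptions; anything that does not parse, and anything future-dated, is set aside for review rather than touched.

```python
"""Added example (not LogRhythm code): turn the one-year / three-month
retention rule of requirement 10.7 into a plan over day-named archive
directories. The layout YYYY/MM/DD and the day counts are assumptions."""
import re
from datetime import date

ONLINE_DAYS = 90    # "a minimum of three months immediately available" (assumed as 90 days)
RETAIN_DAYS = 365   # "retain audit trail history for at least one year"

DAY_DIR_RE = re.compile(r"^(\d{4})/(\d{2})/(\d{2})$")


def archive_day(name: str):
    """Return the date a directory name encodes, or None if it is not a valid day directory."""
    m = DAY_DIR_RE.match(name)
    if m is None:
        return None
    try:
        return date(*(int(part) for part in m.groups()))
    except ValueError:          # e.g. 2011/02/30
        return None


def plan_retention(dir_names, today: date,
                   online_days: int = ONLINE_DAYS, retain_days: int = RETAIN_DAYS) -> dict:
    """Classify archive directories into online / offline / destroy / review.

    Boundaries are inclusive in favour of retention: a day exactly
    `online_days` old stays online and a day exactly `retain_days` old is
    still kept. Unparseable or future-dated names go to 'review' so that a
    clock fault or a stray directory never causes data to be destroyed."""
    plan = {"online": [], "offline": [], "destroy": [], "review": []}
    for name in sorted(dir_names):
        day = archive_day(name)
        if day is None or day > today:
            plan["review"].append(name)
            continue
        age = (today - day).days
        if age <= online_days:
            plan["online"].append(name)
        elif age <= retain_days:
            plan["offline"].append(name)
        else:
            plan["destroy"].append(name)
    return plan


# Constructed directory listing for an archive root, evaluated on 2011-04-30.
SAMPLE_DIRS = [
    "2011/04/29",   # 1 day old
    "2011/01/30",   # exactly 90 days old: last day that must stay online
    "2011/01/29",   # 91 days old: may move offline
    "2010/04/30",   # exactly 365 days old: still within retention
    "2010/04/29",   # 366 days old: retention expired
    "2011/05/01",   # future-dated: a clock is wrong somewhere
    "2011/02/30",   # not a real date
    "lost+found",   # not an archive directory at all
]


def sample_plan() -> dict:
    """The plan for SAMPLE_DIRS as seen on 2011-04-30."""
    return plan_retention(SAMPLE_DIRS, date(2011, 4, 30))


if __name__ == "__main__":
    for bucket, names in sample_plan().items():
        print(f"{bucket:8s} {names}")
```

The plan is only a plan: the step that actually deletes the "destroy" set should run separately, after the offline copies have been verified, and should refuse to act on anything in "review".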

11. Regularly test security systems and processes


LogRhythm can collect logs from intrusion detection/prevention systems and has integrated file integrity monitoring
capabilities. The collection of IDS/IPS logs helps to ensure and validate compliance. LogRhythm's file integrity
monitoring capabilities can be used to directly meet requirement 11.5.

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 11.4: Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic at the
perimeter of the cardholder data environment as well as at critical points inside the cardholder data environment,
and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and
signatures up to date.
LogRhythm support: LogRhythm collects logs from network- and host-based IDS/IPS systems. Its risk-based
prioritization and alerting reduce the time and cost associated with monitoring and responding to IDS/IPS alerts.
The Personal Dashboard feature can be used to monitor intrusion-related activity in real time. The Investigator
tool makes forensic search efficient. Combined with IDS/IPS, LogRhythm helps identify and respond to
intrusion-related activity efficiently and accurately.
Example Reports:
Successful/Failed Host Access by User
Successful/Failed Application Access by User
Successful/Failed File Access by User
Top Attackers
Multiple Authentication Failures
Suspicious Activity By User and Host


Requirement 11.5: Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical
system files, configuration files, or content files; and configure the software to perform critical file
comparisons at least weekly.
LogRhythm support: LogRhythm agents include an integrated file integrity monitoring capability which can be used to
detect and alert on the following for any file or directory: reads, modifications, deletions and permission
changes. This capability is completely automated. How often files are scanned is configurable; files can be
scanned at user-defined frequencies such as every 5 minutes or once a night, well within the weekly comparison
the requirement calls for.
Example Reports:
File Integrity Monitoring Activity
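The two uses of file integrity monitoring described above, on log files for requirement 10.5.5 (existing bytes must not change, appended lines must not alarm) and on configuration and system files for requirement 11.5 (any change, deletion or permission change alarms), as one added example that is not LogRhythm's agent code. It records a baseline of size, mode and a SHA-256 digest for each file and later re-checks it; for an append-only file it hashes only the first baseline-size bytes, so growth is tolerated while rewriting or truncation is not. The file names, contents and the six scenarios in run_scenarios() are constructed for the example.

```python
"""Added example (not LogRhythm code): baseline-and-compare file integrity
monitoring that treats log files as append-only (requirement 10.5.5) and
configuration files as immutable (requirement 11.5)."""
import hashlib
import os
import stat
import tempfile


def _sha256_prefix(path: str, length: int) -> str:
    """SHA-256 over the first `length` bytes of the file (the whole file when
    `length` is its current size)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def baseline(path: str) -> dict:
    """Record what a file looks like now; later checks compare against this."""
    st = os.stat(path)
    return {"size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "sha256": _sha256_prefix(path, st.st_size)}


def check(path: str, base: dict, append_only: bool = False) -> list:
    """Compare a file against its baseline and return a list of alert strings
    (empty when nothing alarming happened). With append_only=True, growth
    with the original bytes intact is accepted; anything else still alerts."""
    if not os.path.exists(path):
        return [f"{path}: deleted"]
    alerts = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != base["mode"]:
        alerts.append(f"{path}: permissions changed {base['mode']:o} -> {mode:o}")
    if st.st_size < base["size"]:
        alerts.append(f"{path}: truncated {base['size']} -> {st.st_size} bytes")
    elif _sha256_prefix(path, base["size"]) != base["sha256"]:
        alerts.append(f"{path}: existing content modified")
    elif st.st_size > base["size"] and not append_only:
        alerts.append(f"{path}: grew by {st.st_size - base['size']} bytes")
    return alerts


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def run_scenarios() -> dict:
    """Exercise the monitor on constructed files; returns the alerts per scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "auth.log")
        cfg = os.path.join(tmp, "payment.conf")
        _write(log, b"Apr  5 09:00:12 sshd: Accepted password for jsmith\n")
        _write(cfg, b"require_tls = yes\n")
        os.chmod(cfg, 0o644)
        base_log, base_cfg = baseline(log), baseline(cfg)

        # 1. A line is appended to the log: permitted, no alert.
        with open(log, "ab") as f:
            f.write(b"Apr  5 09:01:00 sshd: Failed password for admin\n")
        results["log_append"] = check(log, base_log, append_only=True)

        # 2. An existing log line is rewritten in place (same size): alert.
        with open(log, "rb") as f:
            data = f.read()
        _write(log, data.replace(b"jsmith", b"oracle"))
        results["log_rewrite"] = check(log, base_log, append_only=True)

        # 3. The log is truncated: alert.
        _write(log, b"")
        results["log_truncate"] = check(log, base_log, append_only=True)

        # 4. A config value is changed without changing the file size: alert.
        _write(cfg, b"require_tls = off\n")
        results["cfg_modify"] = check(cfg, base_cfg)

        # 5. Content restored but permissions loosened: alert (POSIX modes).
        _write(cfg, b"require_tls = yes\n")
        os.chmod(cfg, 0o666)
        results["cfg_chmod"] = check(cfg, base_cfg)

        # 6. The config file is removed: alert.
        os.remove(cfg)
        results["cfg_delete"] = check(cfg, base_cfg)
    return results


if __name__ == "__main__":
    for scenario, alerts in run_scenarios().items():
        print(f"{scenario:13s} {alerts or 'ok'}")
```

Scenario 2 is the case a whole-file hash gets wrong in the other direction: because the log has legitimately grown, only a digest over the original prefix can tell an appended line from a rewritten one. The baseline store itself must live somewhere the monitored host cannot write, otherwise an attacker who edits the log simply re-baselines it.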

12. Maintain a policy that addresses information security for employees and contractors
LogRhythm provides centralized intelligence that can support the organizational security policy, including incident
handling and response. Because policies are flexible, LogRhythm is ready to expand beyond the cardholder data
environment to provide support to other areas of the organization that need its critical services.

Compliance Requirements | How LogRhythm Supports Compliance

Requirement 12.9: Implement an incident response plan. Be prepared to respond immediately to a system breach.
LogRhythm support: LogRhythm provides a centralized management system capable of alarming on, reporting on and
investigating security breaches of the network. LogRhythm supports an incident response plan by providing the
real-time, enterprise-wide detection intelligence needed to address issues quickly and prevent damage and exposure.
Example Alarms:
Alarm On Attack
Alarm On Compromise
Alarm On Malware

LogRhythm Headquarters: 3195 Sterling Circle, Boulder, CO 80301, 303-413-8745
LogRhythm EMEA: Siena Court, The Broadway, Maidenhead, Berkshire SL6 1NJ, United Kingdom, +44 (0) 1628 509 070
LogRhythm Asia Pacific Ltd.: 8/F Exchange Square II, 8 Connaught Place, Central, Hong Kong, +852 2297 2812

LogRhythm Inc. | www.logrhythm.com | PCIWP_1104
