
Guidelines for Implementing MF-PCIDSS Compliance

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 9 min read

Summary:

To implement PCI DSS compliance scorecards in a SIEM, the paper focuses on the mainframe SMF (System Management Facilities) record types that carry the most meaning for security event correlation:

  • SMF 15: a dataset opened for output was closed, i.e. data was written to disk. It is used to monitor user activity against the credit card data stores; suspicious writes are logged to a help-desk system for investigation.

  • SMF 80: security events from IBM RACF (Resource Access Control Facility) and CA Top Secret, including event type, user ID, terminal name and so on. It is the primary source for tracking privileged users who have access to the credit card data store.

  • SMF 100, 101 and 102: DB2 statistics, accounting and audit/performance trace records, needed to monitor the DB2 operations that touch cardholder data.

  • SMF 119: TCP/IP activity, including FTP. The paper maps the remote-access record of these transfers to the physical-access controls of PCI DSS Requirement 9.

To streamline collection, the paper recommends the CorreLog SIEM Agent for z/OS, which converts a large volume of SMF record types into formats suitable for IBM QRadar and HP ArcSight through certified integrations.

Implementing PCI DSS compliance through a SIEM system:

  1. Maintaining secure systems and applications: monitor user activity against the credit card data stores with SMF 15 records and log suspicious activity to a help-desk system for investigation. Use SMF 80 records in the SIEM to confirm that only privileged users with a business need-to-know have access to the credit card data store.

  2. Restricting physical access: implement encryption policies and record remote access activity, including the transfers captured in SMF 119 records.

  3. Centralizing log data: keep log data in a single location for easier management and quicker retrieval, which saves time and resources compared with per-platform handling.

  4. Common-sense practices: assign unique IDs to users and keep anti-virus software current. These controls apply regardless of whether a SIEM is in place.

Importance of technology:

Technologies such as the CorreLog SIEM Agent for IBM z/OS convert z/OS security events into syslog format for delivery to a range of SIEM systems. The paper's argument is that a proactive SIEM, fed in real time, shortens the window in which a breach runs unnoticed; it cites the Target breach, which ran for 19 days before it was stopped, as the kind of incident earlier detection would have limited.

CorreLog products:

  • CorreLog Correlation Server™: a correlation engine that handles user and system event logs over Syslog, Syslog-NG and SNMP for log management and event correlation.

  • CorreLog SIEM Agent™ for z/OS: converts mainframe SMF data into distributed syslog format for real-time transmission to SIEM systems.

  • CorreLog Visualizer™ for z/OS: provides live z/OS dashboard data within the CorreLog Server.

  • CorreLog dbDefender™ for DB2: monitors the secure state of IBM DB2 by delivering real-time DB2 data to SIEM systems.

For more information on CorreLog's solutions and their coverage of regulatory standards, visit the CorreLog library linked at the end of this post.

Details:

The article discusses the importance of adhering to PCI DSS (Payment Card Industry Data Security Standard) requirements for mainframe security. Although mainframes are central to global banking and retail networks, their specific role in credit card processing is often overlooked. PCI DSS Requirement 5 states that all systems must be protected against malware and that anti-virus software must be kept current. The article cites mainframe adoption at 25 of the top 25 global banks and 23 of the top 25 U.S. retailers, and notes that these systems hold critical enterprise data, including credit card transactions. Despite this, the number of documented successful external mainframe breaches has been rising. The article questions how the PCI DSS anti-virus requirement should be met on mainframes and argues that vendors need to supply specialized solutions for protecting these systems from malware and demonstrating compliance.

File Integrity Monitoring (FIM) takes a snapshot of the secure state of an operating system and monitors it for changes, including unauthorized access attempts, even by authorized users. FIM is well established in distributed environments, but on mainframes it runs into siloed interactions with SIEM systems, a language barrier between technical teams, and limited real-time data exchange. Mainframes often operate independently of distributed networks, so SIEM systems cannot raise immediate alerts about threats on them. The article describes a divide between mainframe and distributed computing in enterprise environments, where mainframe specialists seldom collaborate with the people who run distributed resources.

Where legacy mainframe log files must be converted for a SIEM, homegrown code may automate the conversion, but it typically runs as part of nightly batch processing. That delays notification of a potential breach or infection by hours to days and undermines security tracking and alerting. The article stresses the role of mainframes at large banks, retailers, healthcare providers, governments and defense contractors, all of which handle sensitive data such as payment card information, medical records and government intellectual property. Despite that strategic importance, these systems are often poorly served by network perimeter defenses that rely on security notifications delayed by days or even weeks. The PCI DSS requirement to maintain secure networks and systems therefore calls for a FIM policy tailored to mainframes, with real-time monitoring.

The article argues that real-time data from a SIEM (Security Information and Event Management) system is what prevents a data breach from scaling up, whether the target is schematics for F16s or surface-to-air missiles, 10,000 credit card numbers, or gigabytes of data. It cites the Target breach of 2013 as a case where real-time alerts and immediate remediation would have greatly reduced the impact. Mainframe monitoring procedures should match those for distributed systems in order to comply with PCI DSS, even though the standard was aimed at distributed systems when it was developed in 2004.

Mainframes are specialized computers used in large enterprise datacenters to handle high-value and sensitive data, including identity, banking and classified government information. Because they run a different operating system, they were often left out of broader IT security programs. With insider misuse becoming a leading cause of data breaches, including mainframe log data in the SIEM has become essential. A Verizon report counts over 12,000 incidents of insider misuse, most commonly privilege abuse: many employees, contractors and partners have access to sensitive information, which is a significant risk if that access is not monitored. To bridge the gap between distributed systems and mainframes, the guidelines recommend monitoring user access to mainframe files closely with tools such as FIM (PCI DSS version 3.0 covers this under its change-detection requirement, 11.5), and feeding mainframe activity logs into the SIEM, where more sophisticated analysis and threat detection can be performed. Monitoring user access to files on the mainframe is a basic control, but few available tools support IBM z/OS file monitoring in a SIEM. The goal is to make the mainframe an integral part of the enterprise SIEM strategy and of the defense perimeter, against breaches that affect both corporate and national security.

The document then describes monitoring mainframe user activity in real time, using RACF (Resource Access Control Facility) together with a SIEM, to detect suspicious behaviour. First, RACF identifies the user and the level of privilege behind every access to a sensitive file on the mainframe, but on its own it provides no real-time alerting: if its SMF records are processed in a nightly batch, notifications arrive at midnight rather than when the access happens. Second, once real-time log data (specifically IBM z/OS SMF records) is collected, it must be converted into a format the SIEM can read and retained according to the applicable compliance standards, so that it can be analyzed and correlated with other sources for signs of malicious behaviour. The emphasis is on the SMF record types that have the most meaning for security event correlation:

  • SMF 15 (a dataset opened for output was closed, i.e. data was written)

  • SMF 18 (a dataset has been renamed)

  • SMF 80 (all IBM RACF and CA Top Secret security data, including event type, user ID, terminal name, etc.)

  • SMF 100, 101 & 102 (DB2 statistics, accounting, and audit/performance trace records, crucial for PCI DSS compliance)

  • SMF 119 (TCP/IP or FTP activity)

To streamline this process, the paper recommends the CorreLog SIEM Agent for z/OS, which converts a large volume of SMF record types into formats suitable for integration with IBM QRadar and HP ArcSight through certified integrations.

The paper then shows how compliance scorecards in a SIEM (Security Information and Event Management) system map to specific PCI DSS (Payment Card Industry Data Security Standard) requirements:

  1. Maintaining secure systems and applications, monitored through user activity against the credit card data stores. Suspicious activity is logged to a help-desk system for investigation.

  2. Ensuring that only privileged users with a business need-to-know have access to the credit card data store, with that access tracked by the SIEM.

  3. Restricting physical access to the data (Requirement 9), including encryption policies and a record of remote access activity.

  4. Centralizing log data in a single location for easier management and quicker retrieval. The paper reports that this saves significant time and resources compared with per-platform handling.

  5. Many PCI DSS requirements are straightforward on paper, such as assigning unique IDs to users and keeping anti-virus software current, yet these common-sense practices are hard to sustain in practice.

In an era of doing more IT work with fewer resources, enterprises may not have fixed the gaps that PCI DSS requires them to close, which leaves them open to breaches and data exposure. A proactive SIEM that logs activity and alerts administrators when a potential issue arises helps prevent such incidents.
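The two steps the paper describes, converting SMF records into a SIEM-readable format and correlating them against the scorecard rows above, can be sketched end to end. The following is an added example written for this post, not code from the paper or from CorreLog: it renders parsed records as LEEF 1.0 lines (the QRadar event format) and applies the paper's SMF-to-scorecard mapping to a handful of constructed events. The key=value field layout, the sample lines, the `PCI.CARD.` dataset naming convention, the need-to-know user list and the vendor/product names in the LEEF header are all assumptions made for the example.

```python
"""Added example, not code from the paper or from CorreLog: a minimal
SMF-to-SIEM pipeline in two steps, (1) render a parsed record as a LEEF
event for QRadar and (2) correlate records against the three scorecard
rows the paper describes. Sample lines, field names, the PCI.CARD. naming
convention and the need-to-know list are all constructed for this example."""
import re
from collections import Counter

# Constructed sample events in a key=value syslog body, roughly as an
# SMF-to-syslog agent might emit them. Field names are assumptions.
SAMPLE_EVENTS = [
    'SMF=80 EVENT=ACCESS RESULT=SUCCESS USER=PAYOP1 DSN=PCI.CARD.TRANS TERM=T100',
    'SMF=15 USER=PAYOP1 DSN=PCI.CARD.TRANS',
    'SMF=15 USER=TEMP42 DSN=PCI.CARD.TRANS',
    'SMF=80 EVENT=ACCESS RESULT=VIOLATION USER=TEMP42 DSN=PCI.CARD.KEYS TERM=T205',
    'SMF=18 USER=SYSADM1 OLDDSN=PCI.CARD.TRANS NEWDSN=TMP.COPY1',
    'SMF=119 EVENT=FTPSERVER USER=SYSADM1 DSN=TMP.COPY1 REMOTE=203.0.113.7',
    'SMF=102 USER=DBADM1 TRACE=AUDIT TABLE=CARD.PAN',
    'SMF=15 USER=BATCH01 DSN=PROD.PAYROLL.DATA',
]

# Dataset prefixes that hold cardholder data, and the users with a documented
# business need-to-know for them (both assumed for the example).
CHD_PREFIXES = ('PCI.CARD.',)
NEED_TO_KNOW = {'PAYOP1', 'DBADM1'}

FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_event(line):
    """Split one key=value body into a dict; the SMF type becomes an int."""
    ev = dict(FIELD_RE.findall(line))
    ev['SMF'] = int(ev['SMF'])
    return ev


def to_leef(ev, vendor='ExampleVendor', product='SMFAgent', version='1.0'):
    """Render a parsed record as a LEEF 1.0 line (header fields separated by
    '|', attributes by tabs), the format QRadar accepts. Vendor and product
    are placeholders; the SMF type is used as the event ID."""
    attrs = '\t'.join(f'{k}={v}' for k, v in ev.items() if k != 'SMF')
    return f"LEEF:1.0|{vendor}|{product}|{version}|SMF{ev['SMF']}|{attrs}"


def is_chd(dsn):
    """True when the dataset name falls under a cardholder-data prefix."""
    return dsn is not None and dsn.startswith(CHD_PREFIXES)


def correlate(lines):
    """Apply the paper's SMF-to-scorecard mapping and return (row, detail)
    findings. The SMF 18 + SMF 119 pair shows why correlation matters: a
    rename hides the cardholder-data name before the FTP transfer."""
    findings = []
    renamed = {}  # new dataset name -> original CHD name, from SMF 18
    for ev in map(parse_event, lines):
        t = ev['SMF']
        if t == 15 and is_chd(ev.get('DSN')) and ev['USER'] not in NEED_TO_KNOW:
            findings.append(('secure systems',
                             f"{ev['USER']} wrote CHD dataset {ev['DSN']} without need-to-know"))
        elif t == 80 and ev.get('RESULT') == 'VIOLATION' and is_chd(ev.get('DSN')):
            findings.append(('need-to-know',
                             f"security violation by {ev['USER']} on {ev['DSN']} from terminal {ev.get('TERM')}"))
        elif t == 18 and is_chd(ev.get('OLDDSN')):
            renamed[ev['NEWDSN']] = ev['OLDDSN']
        elif t == 119 and ev.get('EVENT') == 'FTPSERVER':
            dsn = ev.get('DSN')
            if is_chd(dsn) or dsn in renamed:
                findings.append(('remote access',
                                 f"FTP of {dsn} (originally {renamed.get(dsn, dsn)}) by {ev['USER']} to {ev.get('REMOTE')}"))
    return findings


def scorecard(lines):
    """Count findings per scorecard row; a zero means the row is clean."""
    counts = Counter(row for row, _ in correlate(lines))
    return {row: counts.get(row, 0) for row in ('secure systems', 'need-to-know', 'remote access')}


if __name__ == '__main__':
    for line in SAMPLE_EVENTS[:2]:
        print(to_leef(parse_event(line)))
    for row, detail in correlate(SAMPLE_EVENTS):
        print(f'[{row}] {detail}')
    print(scorecard(SAMPLE_EVENTS))
```

The rename-then-transfer pair is the point of feeding the records to a SIEM rather than reviewing them one type at a time: the SMF 119 line on its own names a harmless-looking `TMP.COPY1`, and only the earlier SMF 18 record ties it back to a cardholder-data dataset. The same logic applied to a nightly batch would still find the chain, but a day late.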
For example, Target suffered a breach affecting 110 million customers that ran for 19 days before it was stopped, which shows the cost of not acting on security concerns promptly. Building PCI DSS monitoring into the SIEM could have mitigated much of the data exposure and the damage to the brand. Retailers and other organizations should ask how easy or difficult it would be for criminals to steal their data, and whether they are prepared to prevent such a breach.

Technologies such as the CorreLog SIEM Agent for IBM z/OS convert z/OS security events into syslog format for delivery to a range of SIEM systems, which strengthens an organization's defenses against these threats. CorreLog dbDefender for DB2 provides database activity monitoring (DAM) of IBM DB2 and is certified for IBM's LEEF (Log Event Extended Format), the QRadar event format, so that DB2 events can be managed and correlated alongside events from distributed platforms.

CorreLog, Inc. is an ISV specializing in security log management and event correlation. Its flagship products are the CorreLog Correlation Server™, CorreLog SIEM Agent™ for z/OS, CorreLog Visualizer™ for z/OS and CorreLog dbDefender™ for DB2. The products cover a wide range of platforms and support the auditing and forensics requirements of standards including PCI DSS, HIPAA, Sarbanes-Oxley, IRS Pub. 1075, GLBA, FISMA and NERC. The CorreLog Correlation Server™ uses a correlation engine that handles user and system event logs over Syslog, Syslog-NG and SNMP. The SIEM Agent for z/OS converts mainframe SMF data into distributed syslog format for real-time transmission to SIEM systems. The Visualizer for z/OS provides live z/OS dashboard data within the CorreLog Server, and dbDefender delivers real-time DB2 data to SIEM systems for visibility into the secure state of DB2. The company sells through both direct and partner channels. For more information on CorreLog's solutions, visit http://www.correlog.com/library.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
