PCI Demo Script Version 1.1
Pavan Raja
Apr 9, 2025
12 min read
Summary:
The provided information is comprehensive and illustrates the role of ArcSight in managing and demonstrating compliance with the Payment Card Industry Data Security Standard (PCI DSS). Here's a summary of the key points discussed:
1. **Purpose of ArcSight in PCI Compliance**: ArcSight, as a SIEM system, helps organizations manage compliance with PCI DSS by creating a closed-loop workflow for cases related to PCI compliance. This includes tracking cases through various stages until closure.
2. **Closed-Loop Workflow**: The workflow involves accessing vulnerability reports, understanding the reporting process, and checking scanner reports to identify vulnerabilities in critical systems. It also covers data collection, generating PCI compliance metrics, and reviewing AV signature levels.
3. **Customization of Reports**: ArcSight allows users to customize reports by adding specific conditions like "Category Outcome=Failure" for tailored content according to individual needs. This flexibility helps in preparing for audits and demonstrates compliance during the audit process.
4. **Reporting on Vulnerabilities and Compliance**: ArcSight can report on vulnerabilities present on assets, which is crucial for demonstrating compliance with PCI DSS requirements. The system uses its own vulnerability scanner collectors to gather data for this purpose.
5. **Real-Time Event Monitoring and Forensic Analysis**: By leveraging real-time event monitoring capabilities, ArcSight supports PCI compliance by automating workflows that track vulnerabilities and compliance status through predefined stages until resolved. This includes generating historical reports for forensic analysis.
6. **Role in Maintaining Security Standards**: The system's ability to maintain security standards for regulated systems under PCI requirements is highlighted, ensuring that all processes are aligned with the necessary protocols and standards set forth by PCI DSS.
In conclusion, ArcSight provides a robust framework for managing PCI compliance through its SIEM capabilities, enabling organizations not only to efficiently prepare for audits but also to demonstrate their adherence to PCI DSS requirements effectively. The system's flexibility in customizing reports and leveraging real-time monitoring features are key aspects that support these goals.
Details:
The provided script outlines a demonstration setup for introducing PCI Compliance Insight Pack (PCI) in an environment. Here's a summary of the steps involved in setting up and demonstrating the PCI compliance features:
**Initial Setup:**
1. **Editing Rule Actions:**
Modify rule action to create a case each time it triggers, naming it "PCI 1.6.6 Violation - Disallowed Ports - DMZ to Cardholder Data." Include instructions in the case description to call the firewall manager, justify port usage, and log findings.
Rename another rule to reflect restricted building access by contractors, changing its name to "PCI – Restricted Building Access by Contractor," and updating the description to include investigation of unauthorized access and reporting findings. Set the owner to an existing demo user like Demo or SOC1.
2. **Adding Users:**
Ensure a list of allowed users is populated in "ArcSight Solutions/PCI/Allowed Users."
3. **Copying Dashboards and Channels:**
Copy selected dashboards (PCI Compliance Status, Req 1: Firewall passed traffic, Req 7: Business need-to-know, Req 8: Unique User ID) and active channels to personal folders for easy access during demonstrations.
4. **Configuring Events File:**
Start the pciDemo.events file from around EPM 100; it contains a few hundred events but ensures continuous data flow on dashboards throughout the demo.
5. **Opening Channels and Dashboards:**
Open Demo Live channel, All Events Related to PCI Systems channel, and the previously mentioned dashboards for visualizing compliance status and related events.
**Demonstration Methodology:**
1. **Introduction to PCI Compliance Insight Pack:**
Present the rules tree in the Navigator pane as a starting point to discuss the content and methodology of PCI compliance according to industry standards.
2. **Showcasing Compliance Insights:**
Demonstrate how the provided dashboards, reports, and rules correlate with PCI requirements, illustrating real-time or simulated threat detection and reporting capabilities aligned with the PCI DSS.
3. **Interactive Discussion:**
Engage in a discussion around the importance of compliance with PCI standards, discuss potential vulnerabilities that are monitored by these tools, and how they contribute to overall security posture against data theft from cardholder information.
4. **Live Demo Setup:**
Follow the script step-by-step during the live demo session, explaining each configuration change or dashboard presentation as outlined in the script.
This setup is designed to provide a comprehensive demonstration of how PCI compliance tools can be implemented within an organization's security infrastructure and used for real-time monitoring and reporting.
The provided text discusses the ArcSight Compliance Insight Package for PCI, which is designed to help organizations efficiently manage PCI compliance requirements and prepare for audits. It includes automated checks, historical reporting, Active Lists, rules, reports, dashboards, and active channels.
The graph view of the rules and reports available in the package demonstrates its depth and utility. Unlike other products that offer fewer than 25 reports for PCI without any rules or active lists (like Network Intelligence), ArcSight's Compliance Insight Package provides comprehensive coverage to compare new information against old, making it a valuable tool for ongoing compliance management.
The scenario discussed is about the Disallowed Port Access to Cardholder Systems under the Ongoing Management of PCI Requirements section. The dashboard provided allows users to get an overall view of their PCI compliance status across the organization and drill down into specific requirements when necessary. This functionality helps in reducing daily compliance tasks while maintaining a strong compliance program, as claimed by ArcSight.
In summary, ArcSight's Compliance Insight Package for PCI is a robust tool that simplifies and enhances ongoing management of PCI requirements through automated checks, historical reporting, detailed rules, extensive reports, comprehensive dashboards, and active channels. This approach helps organizations streamline their compliance efforts without compromising the strength or depth of their compliance program.
The text provided outlines an exercise involving ArcSight, a security information and event management (SIEM) tool. It involves setting up rules for detecting unauthorized access to cardholder data via disallowed ports, using correlation rules to automatically identify violations. Here's the summary of the key points and actions described in the scenario:
1. **Real-Time Policy Violation Detection**: The system is set up to alert in real time when there's an attempt to access a cardholder data system on an unauthorized port. This functionality is demonstrated by ArcSight indicating policy violations as they occur.
2. **Custom Grid Display and Configuration**: Instructions are given to add the target port as a column in the grid for visual clarity, and it explains how various fields from the schema can be displayed within this grid interface. The user is shown how to manipulate and save these display configurations as field sets, allowing flexibility in data presentation.
3. **Correlation Rules**: These rules are explained as mechanisms that automatically identify violations without manual search or reporting. Efficiency here lies in their capability to detect issues on the fly. A specific rule setup for this scenario involves looking for an attacker categorized as DMZ and a target categorized as PCI/Cardholder Data, using conditions related to these categories.
4. **Rule Inspection**: One of the rules is double-clicked to open it in the inspector view. The user notes details such as a Check Point firewall accept event on port 139, which informs that this rule setup and its action are based on specific network activity.
5. **Correlation Trigger and Conditions**: Right-clicking on the rule leads to setting up a correlation trigger where users can specify conditions under which the rule should be activated. For instance, it checks if the target port of an event is listed in the 'Allowed Ports' for DMZ to Cardholder Data, as specified by PCI standards.
6. **Active List Management**: In the Navigator window, the user interacts with a pre-defined active list (ArcSight Solutions/PCI/Allowed Ports DMZ -> Cardholder Data) and manipulates it by adding or removing entries based on current operational needs. This flexibility in managing lists is crucial for adapting to changing security requirements.
7. **Automated Case Creation**: The scenario explains how the system automatically creates a case when a correlation event occurs, which is useful for tracking immediate issues rather than reviewing them post-event. The demonstration then moves to show how cases can be prioritized through actions set up in ArcSight.
In summary, this exercise demonstrates the setup and use of real-time rules with automation capabilities in ArcSight, emphasizing efficiency through automatic case creation based on predefined conditions and standards.
The text discusses utilizing ArcSight, a case management system, for PCI compliance investigations. It begins by explaining how to explore the various actions initiated when a rule fires in ArcSight. The author notes that while compliance is crucial, demonstrating capability through a case management system like ArcSight is equally important. This involves navigating to cases related to PCI 1.6.6 violations and examining events within these cases for detailed investigation.
The process includes selecting specific events from the case and using features such as creating channel investigations and visualizing event graphs to analyze data more effectively. The text highlights that in a production environment, additional data might include firewall configuration changes, time/date of configurations, and user information, which would be relevant for compliance audits.
ArcSight's PCI Compliance Insight Pack includes a dashboard displaying firewall traffic from the DMZ to cardholder systems, providing visual insights into network activities. The author encourages discussing how dashboards function in detail if there is sufficient time during the presentation.
In conclusion, ArcSight simplifies the process of managing and reporting on compliance-related data. It allows for easy modification of default content and provides comprehensive reports on configuration changes that align with PCI standards.
The scenario involves working with a system related to PCI (Payment Card Industry) compliance for unauthorized access of cardholder data. Here's a step-by-step summary of the actions taken:
1. **Opening the Report**:
Navigated to the ArcSight Navigator window, expanded the tree structure to locate "ArcSight Solutions/PCI/Requirement 1…/PCI – Disallowed Ports – DMZ to Cardholder Data".
Double-clicked the report to display it in the Report Editor. The report options were shown under tabs; upon right-clicking and selecting "Run|Report", different formats like PDF, HTML, etc., were displayed for selection.
Ran the report as per the requirements.
2. **Scheduling Options**:
Navigated to "Schedule for Archiving" within the software settings.
Selected the option to schedule a report for PCI compliance checks. This automated process ensured that all necessary reports are sent to designated owners for review, aligning with the statement: "The report scheduling option is a very automated way to ensure that all the appropriate reports are sent out for review by the assigned owner."
3. **PCI Compliance Dashboard**:
Displayed the PCI Compliance Status dashboard and noted that Requirement 7 indicated a status of Non-Compliance, indicating potential security risks in accessing cardholder data.
4. **Data Monitor Exploration**:
Double-clicked the data monitor associated with the PCI compliance check to explore the underlying events. Mentioned that most data monitors could be drilled into to show detailed events.
Filtered on "Very High" as a specific event priority in the active channel, allowing focus on high-priority security alerts.
5. **Inspect/Edit Correlation Event**:
Double-clicked the last correlation event named "Unauthorized Access of Cardholder Data System", which opened within Inspect/Edit mode.
Clicked on the base event "Successful Network Logon" and noted an unauthorized user attempt in the Target User Name field.
Within Inspect/Edit, right-clicked on the rule and selected "correlation trigger". Explained that this rule fired based on two conditions: the presence of cardholder data in the event target and a denied access attempt by a user not on the Allowed Users active list.
6. **Active Lists Exploration**:
Expanded to view "ArcSight Solutions/PCI/Active Lists" within Navigator, noting which users were allowed based on the entries shown after right-clicking and selecting "Show Entries". The event user was found not to be in this active list, highlighting a compliance issue.
The text provides an overview of how ArcSight identifies and categorizes sensitive assets, particularly those related to PCI Cardholder Data. It explains that by right-clicking on a correlation rule in the ArcSight interface and selecting "Show Targeted Asset," one can view assigned categories for specific assets. These categories help match logon events with the relevant asset, driving compliance content like rules, dashboards, and reports.
The text also discusses how to automate categorization within ArcSight by finding an existing asset range named PCI-Cardholder Data Systems, which has inherited the Cardholder Data category. Assets within this range automatically inherit categories based on IP address, simplifying the categorization process.
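The two correlation rules described above (the disallowed-port rule under "Disallowed Port Access to Cardholder Systems" and the "Unauthorized Access of Cardholder Data System" rule from the Allowed Users scenario) share the same shape: categorize the attacker and target assets, test a field against an active list, and open a case when the rule fires. The following is an added example, not ArcSight code or part of the demo script, that reproduces that logic in plain Python, including the asset-range categorization just described (assets inside a range inherit its categories by IP address). The IP ranges, active-list entries, field names and sample events are all constructed for the example; the rule titles, the Check Point accept on port 139 and the user ronaldj come from the page.

```python
"""Added example (not ArcSight's own code): a minimal correlation engine
mirroring two PCI rules from the demo script.

Rule A - "Disallowed Ports - DMZ to Cardholder Data": attacker asset is
categorised DMZ, target asset is categorised PCI/Cardholder Data, and the
target port is NOT in the "Allowed Ports DMZ -> Cardholder Data" active list.

Rule B - "Unauthorized Access of Cardholder Data System": a Successful
Network Logon to a PCI/Cardholder Data asset by a user NOT in "Allowed Users".

Asset categories are inherited from IP ranges (the page's PCI-Cardholder
Data Systems asset range); ranges, lists and events are constructed here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed asset ranges: every asset inside a range inherits its categories.
ASSET_RANGES = {
    ip_network("10.10.20.0/24"): {"PCI/Cardholder Data"},   # hypothetical cardholder range
    ip_network("192.0.2.0/24"): {"DMZ"},                    # hypothetical DMZ range
}

# Constructed active lists, named after the ArcSight Solutions/PCI lists on the page.
ACTIVE_LISTS = {
    "Allowed Ports DMZ -> Cardholder Data": {443, 8443},
    "Allowed Users": {"alice", "bob"},
}


def asset_categories(ip: str) -> set:
    """Union of the categories of every asset range containing this IP."""
    addr = ip_address(ip)
    cats: set = set()
    for net, c in ASSET_RANGES.items():
        if addr in net:
            cats |= c
    return cats


@dataclass
class Case:
    name: str
    description: str
    stage: str = "Queued"          # new cases start in the Queued stage
    events: List[dict] = field(default_factory=list)


def rule_disallowed_port(ev: dict) -> Optional[str]:
    """Rule A: returns the case title when it fires, else None."""
    if "DMZ" not in asset_categories(ev["attacker_address"]):
        return None
    if "PCI/Cardholder Data" not in asset_categories(ev["target_address"]):
        return None
    if ev.get("target_port") in ACTIVE_LISTS["Allowed Ports DMZ -> Cardholder Data"]:
        return None
    return "PCI 1.6.6 Violation - Disallowed Ports - DMZ to Cardholder Data"


def rule_unauthorized_logon(ev: dict) -> Optional[str]:
    """Rule B: logon to a cardholder asset by a user outside Allowed Users."""
    if ev.get("name") != "Successful Network Logon":
        return None
    if "PCI/Cardholder Data" not in asset_categories(ev["target_address"]):
        return None
    if ev.get("target_user") in ACTIVE_LISTS["Allowed Users"]:
        return None
    return "Unauthorized Access of Cardholder Data System"


RULES = [rule_disallowed_port, rule_unauthorized_logon]


def correlate(events: List[dict]) -> Dict[str, Case]:
    """Run every rule over every event. The first firing of a rule opens a
    case; later firings attach their base event to the existing case."""
    cases: Dict[str, Case] = {}
    for ev in events:
        for rule in RULES:
            title = rule(ev)
            if title is None:
                continue
            case = cases.setdefault(
                title, Case(title, "Investigate, justify or remediate, and log findings"))
            case.events.append(ev)
    return cases


# Constructed sample events (field names are this example's, not the ArcSight schema).
SAMPLE_EVENTS = [
    {"name": "Accept", "device": "Check Point", "attacker_address": "192.0.2.15",
     "target_address": "10.10.20.7", "target_port": 139},          # DMZ -> CHD on 139: fires
    {"name": "Accept", "device": "Check Point", "attacker_address": "192.0.2.15",
     "target_address": "10.10.20.7", "target_port": 443},          # allowed port: silent
    {"name": "Accept", "device": "Check Point", "attacker_address": "203.0.113.9",
     "target_address": "10.10.20.7", "target_port": 139},          # source not DMZ: silent
    {"name": "Successful Network Logon", "attacker_address": "10.10.30.5",
     "target_address": "10.10.20.7", "target_user": "ronaldj"},    # not in Allowed Users: fires
    {"name": "Successful Network Logon", "attacker_address": "10.10.30.5",
     "target_address": "10.10.20.7", "target_user": "alice"},      # allowed user: silent
]

if __name__ == "__main__":
    for title, case in correlate(SAMPLE_EVENTS).items():
        print(f"[{case.stage}] {title}: {len(case.events)} event(s)")
```

Running the block opens exactly two cases, one per rule, each holding the single base event that triggered it; adding 139 to the allowed-ports list or ronaldj to Allowed Users silences the corresponding rule, which is the list-driven flexibility the demo script points out.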
Finally, the scenario of an inactive user ID involves displaying a dashboard that shows users accessing PCI cardholder data systems. The dashboard tracks compliance status based on recent events, with all compliant data monitors showing "Compliant" except for one user, ronaldj. Clicking into this non-compliant monitor reveals a correlation event linked to a rule about successful network logons.
This document outlines how ArcSight uses active lists to monitor user access to cardholder data systems, utilizing rules and correlations to track user activity over time. The process involves creating an "Active List" where users logging onto cardholder data systems are automatically added. ArcSight utilizes various active lists for tracking purposes, which can be easily found within the software interface by navigating through the Edit menu. Each active list is assigned a TTL (Time To Live) value of 90 days, and elements in these lists can have their TTL adjusted as needed.
The document then moves on to explain how ArcSight applies PCI requirement 8.5.5, which specifies tracking of inactive users for at least 90 days after their last activity. It demonstrates this by showing a correlation rule used to detect an inactive user account and discusses the automatic case creation triggered by the aging out of an active list entry. The document concludes with instructions on how to view the events within the case, emphasizing ArcSight's compliance features and efficiency in managing security requirements.
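The active-list mechanism described above, as an added example that is not ArcSight code or part of the demo script: each successful logon to a cardholder data system adds or refreshes the user in an active list with a 90-day TTL, and an entry that ages out without being refreshed opens a case for the inactive account. The list name, the case title format, the usernames and the timestamps are constructed; the 90-day TTL and the requirement number come from the page.

```python
"""Added example (not ArcSight's own code): an active list with per-entry TTL
used for PCI requirement 8.5.5 as the page describes. A logon refreshes the
user's entry (resetting the 90-day clock); an entry that ages out produces a
case for the inactive user ID. Names and timestamps are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List

DEFAULT_TTL = timedelta(days=90)   # the 90-day TTL from the page


class ActiveList:
    """Keyed entries that expire; expiry is tracked per entry so TTL can be
    adjusted for individual elements, as the page notes."""

    def __init__(self, name: str, ttl: timedelta = DEFAULT_TTL):
        self.name = name
        self.ttl = ttl
        self.entries: Dict[str, datetime] = {}   # key -> expiry time

    def add(self, key: str, now: datetime, ttl: timedelta = None) -> None:
        """Insert or refresh an entry; a fresh logon restarts its clock."""
        self.entries[key] = now + (ttl or self.ttl)

    def expire(self, now: datetime) -> List[str]:
        """Drop entries whose TTL has passed and return them (the aged-out users)."""
        aged = [k for k, exp in self.entries.items() if exp <= now]
        for k in aged:
            del self.entries[k]
        return aged


def track_inactive_users(events: List[dict], check_time: datetime) -> List[dict]:
    """Replay logon events in time order, aging the list as time advances,
    then age it once more at check_time. Returns one case per aged-out user.
    A user who logs on again after aging out gets a new entry, so a single
    account can legitimately produce a case and then reappear in the list."""
    users = ActiveList("Users Accessing Cardholder Data Systems")   # constructed list name
    aged_out: List[str] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        aged_out += users.expire(ev["time"])
        if ev["name"] == "Successful Network Logon":
            # ArcSight's rule also requires the target asset to be categorised
            # PCI/Cardholder Data; the constructed events are all on such an asset.
            users.add(ev["target_user"], ev["time"])
    aged_out += users.expire(check_time)
    return [{"case": f"PCI 8.5.5 - Inactive User ID: {u}", "stage": "Queued"} for u in aged_out]


# Constructed sample logons.
T0 = datetime(2025, 1, 1)
SAMPLE_LOGONS = [
    {"name": "Successful Network Logon", "target_user": "alice", "time": T0},
    {"name": "Successful Network Logon", "target_user": "ronaldj", "time": T0 + timedelta(days=3)},
    {"name": "Successful Network Logon", "target_user": "alice", "time": T0 + timedelta(days=60)},
]

if __name__ == "__main__":
    # 95 days in: alice was refreshed on day 60, ronaldj last seen on day 3.
    for case in track_inactive_users(SAMPLE_LOGONS, T0 + timedelta(days=95)):
        print(case)
```

Aging the list as events are replayed, rather than only at the end, is what lets a returning user be re-added after a case has already been opened; that matters for historical reports, which would otherwise never show an account that was flagged and later revived.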
The article discusses PCI (Payment Card Industry) compliance related to restricted building access by contractors. It mentions that according to PCI requirement 9, physical access to regulated systems must be monitored and reported upon. If a non-compliance is detected in the PCI compliance dashboard for this requirement, double-clicking on the monitor will show underlying events indicating unauthorized contractor access to restricted areas.
ArcSight, a security information and event management tool, plays a crucial role in this scenario by providing real-time correlation of events such as badge numbers and accessed areas (e.g., data center). A specific rule within ArcSight identifies these instances and triggers an automated response, opening a case to track the incident further. The rule uses active lists to manage contractor badges assigned to different contractors, ensuring that only authorized individuals have access to restricted areas.
ArcSight's case management functionality allows users to follow up on incidents by changing their stage from "Queued" and unlocking the case for review or editing. Additionally, historical reports can be generated within ArcSight to track these events efficiently under PCI requirements. The article concludes with a demonstration of how ArcSight supports PCI compliance through its real-time event monitoring capabilities and automated workflows, highlighting its role in maintaining security standards for regulated systems.
This summary outlines how ArcSight, a security information and event management (SIEM) system, helps organizations manage compliance with Payment Card Industry Data Security Standard (PCI DSS). The process involves creating a closed-loop workflow for cases related to PCI compliance, tracking them through various stages until closure. This not only aids in demonstrating compliance during audits but also facilitates forensic analysis and reporting.
ArcSight allows users to customize reports by adding specific conditions like /Category Outcome=Failure to tailor the content to meet individual needs. After creating a report on case metrics related to PCI, one can review the report archive to assess the status of cases. In this scenario, an executive summary showing unresolved issues and average time to resolution helps in preparing for an audit. Additionally, users can manipulate views in the ArcSight Navigator to add columns like "Owner" for more detailed case management.
In conclusion, ArcSight provides a comprehensive framework for managing PCI compliance through its SIEM capabilities, enabling organizations to efficiently prepare for audits and demonstrate their adherence to PCI DSS requirements.
To summarize the provided steps for using ArcSight to report on vulnerabilities and compliance with PCI standards, follow these simplified instructions:
1. **Accessing Vulnerability Report**:
Navigate to "Reports" -> "Archives" -> "ArcNet Archived Reports" -> "OWASP Vulnerability Report".
This will display a report of vulnerabilities on OWASP systems.
2. **Understanding Vulnerability Reporting**:
ArcSight can easily report on vulnerabilities in critical systems, but it relies on data from its own vulnerability scanner collectors.
To see these vulnerabilities, open the "Asset tree" and right-click on "ArcNet Assets", then select "Grid View". Look at the "Asset Details" tab to find details about each asset's vulnerabilities.
3. **Accessing Scanner Reports**:
Right-click on any top asset and choose "Scanner Reports". Select a vulnerability from the list to view its detailed information in the lower pane.
4. **Data Collection and Reporting**:
ArcSight’s Vulnerability Scanner collectors record all vulnerabilities present on assets, which can be used for compliance reports as well as prioritizing events based on threat models.
5. **PCI Compliance Metrics**:
For PCI compliance reporting, especially concerning the Antivirus currency of cardholder data systems, use the "ePO Compliance" report from ArcNet Archived Reports.
This report shows compliance according to DAT signature levels, which are automatically recorded by ArcSight Antivirus collectors (Trend and McAfee AV currently).
6. **Checking AV Signature Levels**:
Go to the "Reports, Definitions" tab in Navigator and open Asset Details to see how AV signature levels of assets are monitored.
This summary captures the main points for using ArcSight to check vulnerabilities and maintain PCI compliance by leveraging its reporting tools and data collection features.
The provided information is about a process within ArcSight Solutions related to PCI compliance, specifically concerning the AntiVirus/PCI - ePO Out of Compliance – Signature Level Report. Here's a summary:
1. **Process Description**: This involves checking the ArcSight system for compliance issues regarding antivirus software on assets that are running Trend or McAfee AntiVirus. The compliance is evaluated through signature levels, which should be recorded in specific categories attached to these assets within ArcSight.
2. **Purpose**: The primary purpose of this process is to demonstrate compliance with auditors during PCI audits. By mapping the rules, reports, dashboards, and cases related to compliance standards, it helps in providing evidence that meets the requirements set by auditors.
3. **Functionality and Flexibility**: ArcSight provides a comprehensive suite of content for leveraging compliance but also allows customization based on specific needs and creation of new content if required. This flexibility is useful as it caters to different audit scenarios while ensuring alignment with relevant standards.
4. **Implementation**: The implementation involves navigating through the Navigator window, expanding trees such as rules, reports, and dashboards to inspect or edit details related to compliance in relation to PCI standards.
In summary, this process ensures that systems are compliant with PCI requirements by providing detailed reporting on antivirus software signature levels, facilitating a clear demonstration of compliance during audits, and offering flexibility for customization and expansion if necessary.
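The signature-level check behind the report described above, as an added example that is not ArcSight code or part of the demo script: each asset carries the AV vendor and signature level recorded by the AV collectors, and an asset is out of compliance when its level is below the required one for its vendor. The required levels, asset names and signature values are constructed; the example also shows why signature levels must be compared numerically rather than as strings.

```python
"""Added example (not ArcSight's own report): compute antivirus signature-level
compliance per asset and as a summary, the way the ePO Out of Compliance -
Signature Level report presents it. Vendors follow the page (Trend, McAfee);
required levels, asset names and recorded levels are constructed."""
from typing import Dict, List, Tuple

# Constructed minimum acceptable signature levels per vendor.
REQUIRED: Dict[str, str] = {"McAfee": "10500.0", "Trend": "18.200"}


def level_key(level: str) -> Tuple[int, ...]:
    """Numeric comparison key for dotted signature levels.
    As strings, '9999.0' > '10500.0'; as numbers, 9999 < 10500."""
    return tuple(int(p) for p in level.split("."))


def signature_compliance(assets: List[dict], required: Dict[str, str] = REQUIRED) -> List[dict]:
    """Annotate each asset with Compliant / Non-Compliant / Unknown.
    Unknown means no collector data for a supported AV product, so the
    asset is neither counted as compliant nor silently dropped."""
    rows = []
    for a in assets:
        vendor = a.get("av_vendor")
        if vendor not in required or not a.get("av_signature"):
            rows.append({**a, "status": "Unknown"})
            continue
        ok = level_key(a["av_signature"]) >= level_key(required[vendor])
        rows.append({**a, "status": "Compliant" if ok else "Non-Compliant"})
    return rows


def summary(rows: List[dict]) -> dict:
    """Dashboard-style totals: assets checked, compliant count, unknowns, percent."""
    checked = [r for r in rows if r["status"] != "Unknown"]
    compliant = sum(r["status"] == "Compliant" for r in checked)
    return {
        "checked": len(checked),
        "compliant": compliant,
        "unknown": len(rows) - len(checked),
        "percent": round(100 * compliant / len(checked), 1) if checked else 0.0,
    }


# Constructed asset inventory as the AV collectors would have categorised it.
SAMPLE_ASSETS = [
    {"asset": "pos-01", "av_vendor": "McAfee", "av_signature": "10512.0"},
    {"asset": "pos-02", "av_vendor": "McAfee", "av_signature": "9999.0"},   # stale DAT
    {"asset": "db-01", "av_vendor": "Trend", "av_signature": "18.195"},     # below required
    {"asset": "db-02", "av_vendor": "Trend", "av_signature": "18.210"},
    {"asset": "web-01"},                                                     # no AV data collected
]

if __name__ == "__main__":
    rows = signature_compliance(SAMPLE_ASSETS)
    for r in rows:
        print(f"{r['asset']:8} {r.get('av_vendor', '-'):7} {r.get('av_signature', '-'):9} {r['status']}")
    print(summary(rows))
```

Keeping the Unknown bucket separate is the practitioner's safeguard: an asset the collectors never reported on cannot be shown to an auditor as compliant, and folding it into the compliant total would overstate the metric.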