PCI-DSS Deployment Guide – Meet the Compliance Requirements


The LogRhythm PCI-DSS 3.2 Compliance Automation Suite bundles pre-created alarms, AIE rules, investigations, layouts, lists, reports, and reporting packages that help demonstrate compliance with the regulation. An auditor checks for specific line-item requirements that LogRhythm is expected to meet. This section details the post-implementation processes necessary to meet specific PCI-DSS 3.2 requirements and to augment others.

Compliance Module Noise Mitigation

The alarms, AIE rules, investigations, layouts, lists, reports, and reporting packages bundled in the PCI-DSS 3.2 Compliance Automation Suite need tuning after deployment so that the rate of false-positive events is reduced. Reducing false positives involves the following steps:

List Updating

Keeping Compliance Module lists up to date is a vital part of decreasing false positives within the PCI-DSS 3.2 Compliance Automation Suite. An organization's applications, IP addresses, and users are dynamic, so the Compliance Module uses lists that can be updated as the environment changes. Many conditions require a list to be updated; the following section highlights a few of them and explains how to update the lists. Refer to the matrices on the home page of this module for the specific AIE Rules, Investigations, and Reports in which each list is used. You can also fold list updates into existing periodic reviews, such as the account access reviews performed by IT management or HR.

Update User Lists

User lists should be updated when privileged accounts and vendor accounts are created or deleted, and when a user account is disabled or terminated. Changes to these types of accounts are visible in the access granted/revoked reports and the account management reports. Follow the instructions below after implementation, and then weekly, to identify accounts that have not yet been added to the user lists.

  1. On the main toolbar, click Report Center.
  2. Place a checkmark in the Action box for the Saved PCI-DSS 3.2: Account Management Activity report, right-click the report name, and then click Run.
  3. Click Next to reach the Configuration screen, set the date range to Past Month, and then click OK.
  4. Click on the name of the report in the Report Viewer.
  5. To identify when an account may have been created, search for User Account Created common events.
  6. Follow instructions 1-7 in Populating Users Lists to add each applicable, enabled account to the list that fits it: the MAS-TRMG: Default & Generic Accounts List, PCI-DSS 3.2: PRD Privileged Accounts List, PCI-DSS 3.2: Business User Accounts List, PCI-DSS 3.2: Shared Accounts List, PCI-DSS 3.2: Terminated Accounts List, PCI-DSS 3.2: TST Privileged Accounts List, PCI-DSS 3.2: IT User Accounts List, or PCI-DSS 3.2: Vendor Accounts List.
  7. Repeat steps 1-6 above, searching for the User Account Deleted or Account Disabled common events, to add applicable deleted or disabled accounts to the PCI-DSS 3.2: Terminated Accounts List. You may also use terminated-account reports from an HR system to update this list manually.
  8. Repeat steps 2-5 for the PCI-DSS 3.2: Account Management Detail investigation, opening it from Investigate on the main toolbar rather than from Report Center.
  9. Follow instructions 1-7 in Populating Users Lists to add applicable enabled accounts to the PCI-DSS 3.2: Default Accounts List, PCI-DSS 3.2: Guest Accounts List, PCI-DSS 3.2: Privileged Accounts List, MAS-TRMG: Shared Accounts List, PCI-DSS 3.2: Authorized VPN Accounts, or PCI-DSS 3.2: Vendor Accounts List, or to add applicable deleted or disabled accounts to the PCI-DSS 3.2: Terminated Accounts List. You may also use terminated-account reports from an HR system to update the MAS-TRMG: Terminated Accounts List manually.
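The weekly review above is a reconciliation: creations that appear in the report but are on no list need a human to place them, while deletions, disables, and HR terminations go onto the Terminated list. The following script is an added example for this guide, not LogRhythm code and not a use of any LogRhythm API; it reads constructed rows shaped like the Account Management Activity report, applies the Past Month date range, and returns the two work lists. The Common Event names and list names are the ones the procedure refers to; the account names, list contents, and HR export are constructed sample data. It goes one step beyond the procedure by also reporting terminated accounts that still sit on an active list.

```python
"""Reconcile user lists against account-management events.

Added example for this guide; it is not LogRhythm code and does not use
the LogRhythm API. Event rows, list contents and the HR export below are
constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed rows shaped like the Account Management Activity report:
# (timestamp, common event, account name).
SAMPLE_EVENTS = [
    ("2024-05-02T09:14:00", "User Account Created", "svc-backup"),
    ("2024-05-03T11:02:00", "User Account Created", "jdoe"),
    ("2024-05-06T16:40:00", "Account Disabled", "asmith"),
    ("2024-05-07T08:05:00", "User Account Deleted", "contractor7"),
    ("2024-05-09T12:00:00", "Password Changed", "jdoe"),        # not a lifecycle event
    ("2024-03-01T10:00:00", "User Account Created", "old-svc"),  # outside the Past Month window
]

# Constructed current contents of the lists the guide maintains.
CURRENT_LISTS = {
    "PCI-DSS 3.2: Privileged Accounts List": {"root", "dbadmin"},
    "PCI-DSS 3.2: Business User Accounts List": {"asmith", "jdoe"},
    "PCI-DSS 3.2: Vendor Accounts List": {"contractor7"},
    "PCI-DSS 3.2: Terminated Accounts List": set(),
}
TERMINATED_LIST = "PCI-DSS 3.2: Terminated Accounts List"

CREATED_EVENTS = {"User Account Created"}
TERMINATED_EVENTS = {"User Account Deleted", "Account Disabled"}


def in_window(timestamp, report_end, days):
    """True when the row falls inside the report's date range."""
    t = datetime.fromisoformat(timestamp)
    return report_end - timedelta(days=days) <= t <= report_end


def reconcile(events, lists, report_end, days=30, hr_terminations=()):
    """Return (accounts created but on no list, accounts to add to Terminated).

    Creations not yet on any list need a person to pick the right list;
    deletions, disables and HR terminations go straight to Terminated.
    """
    end = datetime.fromisoformat(report_end)
    tracked = set().union(*lists.values())
    already_terminated = lists[TERMINATED_LIST]
    unlisted, to_terminate = set(), set()
    for timestamp, common_event, account in events:
        if not in_window(timestamp, end, days):
            continue
        if common_event in CREATED_EVENTS and account not in tracked:
            unlisted.add(account)
        elif common_event in TERMINATED_EVENTS and account not in already_terminated:
            to_terminate.add(account)
    to_terminate.update(a for a in hr_terminations if a not in already_terminated)
    return sorted(unlisted), sorted(to_terminate)


def apply_terminations(lists, accounts):
    """Return a copy of the lists with the accounts added to Terminated."""
    updated = {name: set(members) for name, members in lists.items()}
    updated[TERMINATED_LIST].update(accounts)
    return updated


def still_active_after_termination(lists):
    """Terminated accounts that also remain on an active list.

    Such entries keep matching rules that key on the active lists, so they
    are the next cleanup target once Terminated has been updated.
    """
    active = set().union(*(m for n, m in lists.items() if n != TERMINATED_LIST))
    return sorted(lists[TERMINATED_LIST] & active)


def run_example():
    unlisted, terminated = reconcile(
        SAMPLE_EVENTS, CURRENT_LISTS, "2024-05-10T00:00:00",
        hr_terminations=["bwong"])  # constructed HR termination export
    updated = apply_terminations(CURRENT_LISTS, terminated)
    return unlisted, terminated, still_active_after_termination(updated)


if __name__ == "__main__":
    print(run_example())
```

With the sample data, `svc-backup` is the only creation that is on no list, `asmith`, `bwong`, and `contractor7` are added to Terminated, and `asmith` and `contractor7` are then flagged because they still appear on the Business User and Vendor lists. The row for `old-svc` is ignored because it falls outside the Past Month range, which is why the date range in step 3 matters.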

Filter Usage

Adjusting filter criteria is a vital part of decreasing the number of false positives within the PCI-DSS 3.2 Compliance Automation Suite. Exclude filters remove applications, common events, hosts, IP addresses, and other values from the search criteria, and there are many conditions under which an exclude filter reduces false positives. The following section highlights how to create exclude filters for AIE Rules, investigations, reports, and tails.

Configure AIE Rule Exclude Filter Criteria

All AIE Rules included in the PCI-DSS 3.2 Compliance Automation Suite can be configured with exclude filters.

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Right-click a PCI-DSS 3.2 AIE Rule on which an exclude filter should be configured, and then click Properties.
  4. Right-click the Rule Block, and then click Properties.
  5. Click the Exclude Filters tab.
  6. On the top menu, click the New icon.
  7. Specify the details for the exclude filter criteria.
  8. On the Log Message Filter, click OK.
  9. On the AI Engine Rule Block Wizard, click OK.
  10. On the AI Engine Rule Wizard, click OK.
  11. On the top of the AI Engine Rule Manager, click Restart AIE Engine.

Configure Investigation Exclude Filter Criteria

All Investigations included in the PCI-DSS 3.2 Compliance Automation Suite can be configured with exclude filters.

  1. Open the LogRhythm Console and click Investigate on the main toolbar.
  2. Select one of the saved PCI-DSS 3.2 Investigations on which an Exclude Filter should be configured.
  3. Click Next until you reach the Specify Event Selection screen.
  4. In the Add New Field Filter list, select the criteria.
  5. Click Edit Values and configure the criteria as required.
  6. Under Filter Mode, select Filter Out (Is Not). Without this option the filter includes, rather than excludes, the values you configured.
  7. Click OK.
  8. Click Next until you reach the Save Investigation Configuration screen, and then click Save.
  9. Click Cancel.

Configure Report Exclude Filter Criteria

All Reports included in the PCI-DSS 3.2 Compliance Automation Suite can be configured with exclude filters.

  1. Open the LogRhythm Console and click Report Center on the main toolbar.
  2. Click the Reports tab.
  3. Select the Action check box of the report that needs exclude filters, right-click the selection, and then click Properties.
  4. Click Next until you reach the Specify Additional Report Criteria Screen.
  5. In the Add New Field Filter list, select the criteria.
  6. Click Edit Values and configure the criteria as required.
  7. Under Filter Mode, select Filter Out (Is Not). Without this option the filter includes, rather than excludes, the values you configured.
  8. Click OK.
  9. Click Next to reach the Report Details screen, click Apply, and then click OK.

Suppression Usage

Adjusting suppression values is a vital part of tuning the alarm configuration within the PCI-DSS 3.2 Compliance Automation Suite. Suppression limits the number of alarms generated when the same type of event occurs many times within a specified time window. The following section highlights how to adjust suppression values for AIE Rules.

Configure AIE Rule Suppression

All AIE Rules included in the PCI-DSS 3.2 Compliance Automation Suite can be configured with alarm suppression. Follow the instructions below to configure suppression for AIE Rules.

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Right-click a PCI-DSS 3.2 AIE Rule on which suppression should be configured, and then click Properties.
  4. Click the Settings tab.
  5. Select the Enable Suppression check box, and then type a value for the Suppression Multiple.

    Suppression does not take effect unless Enable Suppression is selected. The Suppression Period is the time during which further identical events are suppressed after the first alarm; once it has elapsed, the next identical event raises a new alarm.

  6. On the AI Engine Rule Wizard, click OK.
  7. On the top of the AI Engine Rule Manager, click Restart AIE Engine.
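The note in step 5 describes a simple state machine: the first matching event alarms, identical events inside the Suppression Period do not, and the first identical event after the period alarms again and starts a new period. The following simulation is an added example for this guide, not LogRhythm code, and it is useful for sizing the period before changing a rule. Two assumptions are built in: "identical" means the same rule, user, and origin host, and the period is given directly in seconds rather than derived from the Suppression Multiple. The events are constructed.

```python
"""Simulate alarm suppression for an AIE-style rule.

Added example for this guide; not LogRhythm code. Assumptions: "identical"
events share rule, user and origin host, and the suppression period is
supplied in seconds. All events below are constructed.
"""


def event(t, rule, user, origin):
    return {"t": t, "rule": rule, "user": user, "origin": origin}


# Constructed matches for one rule: a burst of failed logins for jdoe from
# one host (every 30 s for 5 min), two stragglers 10 min later, and one
# unrelated match for asmith in the middle of the burst.
RULE = "PCI-DSS 3.2: Failed Authentication Attempts"
SAMPLE_EVENTS = sorted(
    [event(t, RULE, "jdoe", "10.1.1.5") for t in range(0, 300, 30)]
    + [event(600, RULE, "jdoe", "10.1.1.5"), event(620, RULE, "jdoe", "10.1.1.5")]
    + [event(45, RULE, "asmith", "10.1.1.9")],
    key=lambda e: e["t"],
)


def suppression_key(e):
    """Fields that must match for two events to count as identical."""
    return (e["rule"], e["user"], e["origin"])


def suppress(events, period_s, enabled=True):
    """Return the events that would raise an alarm.

    events must be sorted by time. With suppression disabled every match
    alarms; otherwise each key alarms once per period, measured from the
    event that raised the last alarm for that key.
    """
    if not enabled or period_s <= 0:
        return list(events)
    last_alarm = {}
    alarms = []
    for e in events:
        k = suppression_key(e)
        if k not in last_alarm or e["t"] - last_alarm[k] >= period_s:
            last_alarm[k] = e["t"]
            alarms.append(e)
    return alarms


def suppressed_counts(events, alarms):
    """Matches per key that raised no alarm; the number each alarm stands for."""
    matched, alarmed = {}, {}
    for e in events:
        matched[suppression_key(e)] = matched.get(suppression_key(e), 0) + 1
    for a in alarms:
        alarmed[suppression_key(a)] = alarmed.get(suppression_key(a), 0) + 1
    return {k: matched[k] - alarmed.get(k, 0) for k in matched}


if __name__ == "__main__":
    alarms = suppress(SAMPLE_EVENTS, period_s=300)
    print([a["t"] for a in alarms])              # times of the alarms raised
    print(suppressed_counts(SAMPLE_EVENTS, alarms))
```

With a 300-second period the 13 matches produce three alarms (at 0 s, 45 s, and 600 s): the burst collapses to one alarm, the asmith match alarms on its own because its key differs, and the straggler at 600 s alarms again because the period measured from the first alarm has elapsed. With a 100-second period the same burst produces alarms at 0, 120, and 240 s. A long period cuts noise but also hides a second burst that starts inside it, so compare the suppressed counts across candidate periods before settling on a value.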