PCI-DSS User Guide – Network Monitor and TLS/SSL Auditing



LogRhythm Network Monitor is capable of translating TLS and SSL traffic for review and analysis. Because GDPR imposes control requirements for security by design and by default, there are AIE rules, Investigations, and reports designed to support those Articles. Network Monitor sends its data to LogRhythm via syslog; that syslog data is what is reviewed and what the automation suite's evaluation objects operate on.

The AIE activity-threshold rules capture "bundles" of general TLS/SSL activity logs within the drill-down of their AIE events. These "activity" rules are intended to be paired with dashboards so that TLS/SSL Case Management evidence is easier to collect. Since GDPR no longer allows new implementations of TLS/SSL under most circumstances (as of October 31, 2016), the "Potential New TLS/SSL Implementation" rule is designed to flag activity on systems that have not previously been running TLS/SSL (the default evaluation period is two weeks, since systems already running TLS/SSL will otherwise show that level of activity on a regular basis). A separate alarm is structured to flag early TLS or SSL versions if they show up in the environment.

| AIE Rules | Notification Area | Corresponding Investigation |
| --- | --- | --- |
| PCI-DSS: TLS Activity | Security: Activity | PCI-DSS: TLS/SSL Activity |
| PCI-DSS: SSL Activity | Security: Activity | PCI-DSS: TLS/SSL Activity |
| PCI-DSS: Potential New TLS/SSL Implementation | Security: Activity | PCI-DSS: TLS/SSL Activity |
| PCI-DSS: Early TLS/SSL Alert | Security: Activity | PCI-DSS: TLS/SSL Activity |

Summary and detail reports are available for reviewing TLS/SSL activity, alongside reports specifically tailored to look for early versions of TLS and SSL. Versions of TLS prior to 1.2 appear in the "Early TLS/SSL Version" reports. The table below shows which reports are built for evaluating this data.

| Reports | Report Type | Corresponding Investigation |
| --- | --- | --- |
| PCI-DSS: TLS/SSL Summary | Summary | PCI-DSS: TLS/SSL Activity |
| PCI-DSS: Early TLS/SSL Version Summary | Summary | PCI-DSS: TLS/SSL Activity |
| PCI-DSS: TLS/SSL Detail | Detail | PCI-DSS: TLS/SSL Activity |
| PCI-DSS: Early TLS/SSL Version Detail | Detail | PCI-DSS: TLS/SSL Activity |

The Investigation is configured to generate an overview of all TLS/SSL activity. Because the AIE rules can be used like Investigations for drill-downs, granular searches are more easily done through AIE drill-downs than through the Investigation itself.

Since these rules require LogRhythm's Network Monitor to send TLS and SSL activity to the SIEM, a paid Network Monitor license is needed, with syslog configured so that it is received by a LogRhythm System Monitor Agent. Professional Services and Support Services can assist with advanced configurations; otherwise, see the Network Monitor configuration guides.

The SIEM reflects TLS- and SSL-relevant data under the "Version" metadata field. On the Network Monitor side, the "ProtocolVersion" metadata field is where you can determine whether TLS or SSL activity is showing up directly on LogRhythm's Network Monitor. The following graphic shows what to expect when verifying that TLS or SSL data is arriving on the SIEM.

When looking over an entire packet, this activity shows up as seen in the following graphic.

Direct Network Monitor searches can be performed under “ProtocolVersion” as well.

As noted earlier, after this data is sent to the LogRhythm SIEM via syslog, TLS and SSL activity is reflected under the "Version" metadata field. This is the data used by the TLS- and SSL-specific objects within the PCI-DSS 3.2 Compliance Automation Suite. For more information on using LogRhythm Network Monitor, various guides are available for reference, including documents and videos on its capabilities, uses, and features. This information can be found on the LogRhythm Community.
