Knock Out 99 PCI DSS Requirements with Atomic Secured OSSEC
There are 270 PCI DSS requirements that must be addressed by any organization that accepts credit card payments. Compliance is required and can be a daunting task for all types of organizations. It often requires the implementation of dozens of software and security controls complemented by over one hundred process controls. Atomicorp has radically simplified PCI compliance by bundling required security features into a robust endpoint protection, detection and response platform (EPP/EDR). We did this to simplify our own PCI compliance efforts and it is now available to everyone.
You can comply with 99 of them by simply implementing Atomic Secured OSSEC (ASO). During ASO configuration, a PCI compliance module can be activated to conform to all these compliance controls. Of course, not all PCI requirements can be addressed by software alone. There are process steps, physical controls and documentation required as well. To further assistant organizations with their compliance efforts, Atomicorp services can be used to satisfy another 80 requirements. That means Atomicorp can help you complete 179 or 66% of all PCI compliance requirements and most of those simply requires a single setting to activate.
An Enhanced HIDS/HIPS for PCI Compliance
Payment Card Industry (PCI) standards exist to ensure safe and secure handling of consumer financial transaction data. PCI requires the implementation of many cyber security products, from firewalls to intrusion detection to vulnerability management. Atomicorp has developed a software-based solution that includes all of these products in one integrated suite.The Atomicorp team built one of the first known host-based intrusion detection systems (HIDS) around 1990 for a leading University. Later efforts were employed at The White House and other U.S. government agencies and over ten years ago Atomicorp CTO Scott Shinn started contributing to the open source HIDS project, OSSEC. The function of a HIDS is to monitor processes on computing endpoints and report anomalous activity. A HIDS is to endpoint security monitoring what a network-based intrusion detection system (NIDS) is to network security.
OSSEC has become the most robust HIDS available with proven scalability and hundreds of device and software integrations. Some of the largest organizations in the world today use OSSEC and it is not uncommon to use it to monitor and protect tens of thousands of endpoints. For example, Atomicorp recently implemented OSSEC for a global media company and that installation monitors 15,000 endpoints today and it is expected to grow to over 20,000.
However, the standard OSSEC package does not include host-based intrusion prevention system (HIPS). While the HIDS identifies anomalous behavior and generates security events that indicate a system has been compromised or an attack is underway, it does not prevent actions by malicious actors. That is why the standard OSSEC package only meets six of PCI’s 270 requirements.
Atomicorp has added HIPS functionality, a secure kernel and other protections to prevent entire classes of attacks. That means Atomic Secured OSSEC inherits all of the scalability and feature benefits of standard OSSEC while enhancing protections and covering over 15 times more PCI requirements. So, it you are looking to implement OSSEC to support your PCI compliance programs, you can get far greater impact for your efforts by using ASO. And, it is a simple setting selected during set-up that automatically implements the PCI DSS compliance package.
Examples of FIM, DLP and other Compliance Features
A full review of how ASO meets key requirements can be found in this comprehensive PCI compliance checklist. Some examples include:
Requirement |
Description |
ASO Feature |
3.4 (milestone 5) |
Render primary account number (PAN) unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography, (hash must be of the entire PAN) • Truncation (hashing cannot be used to replace the truncated segment of PAN) • Index tokens and pads (pads must be securely stored) • Strong cryptography with associated key-management processes and procedures. |
Detects card hold information on system, prevents egress (DLP) of card holder information by automatically redacting it |
3.6.1 (milestone 5) | Generation of strong cryptographic keys | Feature included. |
5.1.1 (milestone 2) | Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. | Atomic Secured OSSEC automatically removes or quarantines malware, and unlike other solutions removes web malware in real time from compromised websites without quarantining compromised code, even modifying code on the disk. |
10.2.4 (milestone 4) | Track and monitor invalid logical access attempts. | Atomic Secured OSSEC addresses this and uses an active response mechanism to prevent additional attempts when they exceed limits or are known to be malicious |
10.5.4 (milestone 4) | Write logs for external-facing technologies onto a secure, centralized, internal log server or media device. | Atomic Secured OSSEC supports sending audit trail files to remote servers, and supports multiple methods (remote system log, JSON, XML, remote database(s), Amazon Glacier and more) |
10.5.5 (milestone 4) | Use File Integrity Monitoring (FIM) or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added cannot should not cause an alert). | Real time FIM is provided in the Atomic Secured OSSEC, and detects and alerts changes to logs plus logs are cryptographically signed. Role Based Access control system can also be used to prevent changes to log files. |
This is just a small sample of what Atomic Secured OSSEC does to ensure PCI DSS compliance. The document referenced above lists 93 additional PCI DSS requirements met by ASO and outlines another 80 that Atomicorp can assist with that are services and documentation oriented.If you would like to learn more about how Atomic Secured OSSEC can simplify and enhance your PCI DSS compliance efforts join us at the 2018 OSSEC Conference in April. Atomicorp will have a featured presentation and workshop at the conference discussing PCI DSS compliance in depth. So register today and get a hands on lesson in tackling PCI compliance. It is only $245 to attend and early bird savings is available now if you register before March 1st. We hope to see you there.