Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 400 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
PCI Compliance Every Day – Requirement 5
In this latest post of my PCI compliance blog series, we will explore Requirement 5, which has four distinct requirements that imply they need to be addressed at least daily:
The first requirement (5.1) necessitates that an organization maintain an accurate inventory of their devices and the operating systems on those devices. However, configuration management data base (CMDB) solutions are notorious for not being completely implemented. As a result, it can be quite an exercise to determine if every system that needs anti-virus software has it installed. Regardless, in order to keep things manageable, someone within the organization is going to have to ensure that every system that needs anti-virus has it, which usually is a daily task.
The next hurdle with requirement 5.1 is that while almost everyone understands that any implementation of Microsoft Windows is covered by the statement, “commonly affected by malicious software,” we still run into tremendous push back from Apple Macintosh and Linux users/administrators over their need to run an anti-virus solution. Yet a review of the CVE database clearly debunks those claims. Yes, these systems have fewer vulnerabilities than Windows, but they still would be “commonly affected” given the number of vulnerabilities and the frequency with which those vulnerabilities get published. Many of the enterprise-level anti-virus solutions provide clients for Macintosh and various forms of Linux, so it is not like they cannot comply. In a lot of cases, their existing contract with the anti-virus vendor allows them to use the Macintosh and Linux clients just like the Windows client, so an argument over additional cost is likely moot.
Never mind the push back from server administrators who swear that any anti-virus solution takes too much CPU to run and adversely affects server performance. While getting better, we still regularly encounter people who make this claim but then have no documented proof of it. Not that we do not believe them as I do know that some anti-virus products can adversely affect performance. However, in most cases the person making the case is just parroting back claims made by current and former co-workers and what they have read on the internet regarding anti-virus solutions. The bottom line is that unless they can provide current documented proof of their claim, that claim is not believable.
The last three requirements can be monitored and alerted from whatever enterprise anti-virus solution’s master console your organization has implemented. In fact, it is highly unusual if an organization is not already monitoring these areas. Almost every person we have ever interviewed regarding anti-virus can quickly tell us through the console which systems are not running the current anti-virus signatures, which are not running the current version of the client, which have not run a scan in the last week and which systems are not properly configured.
However, where anti-virus does have a shortcoming is in its ability to detect viruses and malware. Testing of these products confirms time and again that anti-virus solutions are only around 30 to 40 percent effective in detecting viruses and malware. That means there is a high likelihood that an organization could get infected and not immediately recognize it. This is particularly true with today’s attacks where attackers use modified versions of malware to go undetected by anti-virus solutions.
For organizations looking for a higher level of security, we recommend an additional product that uses white/black listing, critical file monitoring or some other method of flagging viruses and malware to enhance the ability of an organization to detect viruses and malware. While still not 100 percent effective, such an approach makes detection of viruses and malware more likely than relying on anti-virus solutions alone.
One place we do encounter an occasional problem is in complying with log data in 5.2.d. While the anti-virus solution usually provides more than adequate logging capabilities, the log data is not retained for at least 90 days with immediate access and for at least a year on back up media. The anti-virus main server(s) could retain this log data to meet the PCI requirement, but a lot of organizations do not configure it for that sort of retention. That means they are not in compliance with requirement 10.7 to retain log data for 90+ days online and at least a year offline. The easiest fix for this is to route the anti-virus solution’s master server(s) log data to your security information and event monitoring (SIEM) solution. This also will allow you to monitor and alert on the anti-virus solution in your operations area as well as with your anti-virus team as a double-check and back-up.
Ultimately, the good news in this section is that almost every enterprise implementation of anti-virus solution we have ever encountered can meet the PCI requirements through their master console and master server(s). All it takes is to properly configure the solution.
September 19, 2017
Optiv works with your organization to optimize its investment in RSA Archer.
Let us know what you need, and we will have an Optiv professional contact you shortly.