Any organisation, no matter its size, that is required to comply with the Payment Card Industry Data Security Standard (PCI DSS) needs to implement a comprehensive ICT security capability to ensure it passes its annual review. The PCI standard contains auditing and monitoring requirements that ask entities to collect logs and raise alerts when they are under attack from cyber adversaries. Let’s explore this requirement and look at how your managed security service can help your customers achieve PCI DSS compliance without the need to redesign their network architecture or systems infrastructure.
Most security programmes follow the age-old design methodology known as ‘defence in depth’, whereby they implement a combination of security controls covering all aspects of the defensive lifecycle: preventive, detective and corrective controls. The ‘defence in depth’ concept originates from stronghold designs and ancient castles, where a strong perimeter comprising several countermeasures, from the moat to the portcullis, keeps adversaries at bay. ICT architects still think this way, and, indeed, perimeter security remains a requirement, so this approach remains valid. However, we also need to consider that cyber adversaries are smart and patient and are continually scanning for ways to bypass security controls.
This is where you have an opportunity to offer security monitoring systems to customers that directly report on system activity, allowing them to detect attackers either on the outside of the network, or operating within the perimeter.
As an MSSP you can quickly detect these kinds of activities and mobilise an incident response team that minimises the harm that non-compliance (or a cyber-attack) does to customers, given that attackers targeting PCI-bound organisations are usually out to steal customer financial data. The potential damage from a successful cyber-attack can be catastrophic, so you have an instant value proposition that demonstrates better threat detection and response to reduce risk and limit financial exposure.
Every organisation generates security events, since operating systems, network devices and applications all do this by default. In many cases, if an attack occurs, a specialist forensics team is called to identify what happened. The team combs through the evidence stored in a myriad of logs, which are often spread across many systems, piecing together what happened onto a timeline.
Most organisations, whether they realise it or not, already have all the data they need to detect cyber-attacks before the intruder has a chance to complete their attack. Think about it this way: if the investigation team is able to discover all of the information they need to piece together what happened, then the systems were already recording the activities as the attack took place. These activities are what your team can monitor for, and at certain stages of any given chain of events it becomes evident that an attack is underway, so the incident response process can begin.
You should work with your customers to determine how they monitor, analyse and alert on attacks as they are happening, so the incident response team (yours or the customer’s) has a chance of stopping the intruder.
Yet there is one major issue most security teams are left with that needs to be addressed: there is no common language across systems, and logging doesn’t have a standard structure or format, so it’s very hard to dig through those logs and piece everything together. New MSSPs in particular will have a variety of logs from different sources that make correlation across systems very difficult: some logs are in text files; some are only accessible through APIs; while some are stored in databases. Scanning disparate logs by hand quickly becomes an impossible task for MSSPs, so a toolset is required to help you collect and normalise this data.
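To make concrete what “normalise” means in practice, here is an added example (it is not code from the original post or from Huntsman Security’s products). Three constructed records arrive in three different formats: a syslog-style line from sshd, a JSON record as an application API might return it, and a CSV row as exported from a database audit table. Each is mapped into one common event schema, after which a single query (failed logins per source address) answers across all three sources what would otherwise need three hand-written searches. The host names, users, addresses, field names and the assumed year for syslog timestamps are all illustrative assumptions.

```python
"""Normalise heterogeneous log records into one common event schema.

Added example, not code from the original post or any vendor product.
All sample records, hosts, users and addresses below are constructed.
"""
import csv
import io
import json
import re
from datetime import datetime, timezone

# Constructed samples: each source speaks its own "language".
SYSLOG_LINES = [
    "Mar  3 10:15:02 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:15:09 web01 sshd[2210]: Accepted password for deploy from 198.51.100.4 port 50110 ssh2",
]
API_RECORDS = [  # as an application API might return them
    '{"ts": 1709460905, "app": "payments-api", "event": "login", "status": "failure", "user": "admin", "client": "203.0.113.7"}',
    '{"ts": 1709460911, "app": "payments-api", "event": "login", "status": "success", "user": "jsmith", "client": "10.0.4.21"}',
]
DB_AUDIT_CSV = """event_time,db_host,db_user,operation,result,client_addr
2024-03-03 10:15:12,db01,admin,LOGIN,FAILED,203.0.113.7
2024-03-03 10:15:30,db01,app_ro,SELECT,OK,10.0.4.21
"""

SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def _event(ts, source, host, user, action, outcome, src_ip):
    """The common schema every collector maps into (field names are assumptions)."""
    return {"timestamp": ts.astimezone(timezone.utc).isoformat(), "source": source,
            "host": host, "user": user, "action": action, "outcome": outcome, "src_ip": src_ip}


def parse_syslog(line, year=2024):
    """Classic syslog carries no year, so the collector has to supply one (assumed here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unrecognised line: skip rather than guess
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)  # assumption: the host logs in UTC
    outcome = "success" if m["outcome"] == "Accepted" else "failure"
    return _event(ts, "sshd", m["host"], m["user"], "login", outcome, m["ip"])


def parse_api(record):
    """JSON with an epoch timestamp; only the key names differ from the other sources."""
    d = json.loads(record)
    ts = datetime.fromtimestamp(d["ts"], tz=timezone.utc)
    return _event(ts, d["app"], d["app"], d["user"], d["event"], d["status"], d["client"])


def parse_db_csv(text):
    """Database audit export; operation names and result codes are mapped to the schema."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["event_time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        outcome = "success" if row["result"] == "OK" else "failure"
        events.append(_event(ts, "db-audit", row["db_host"], row["db_user"],
                             row["operation"].lower(), outcome, row["client_addr"]))
    return events


def normalise_all():
    """Collect from every source and return one time-ordered stream."""
    events = [e for e in (parse_syslog(l) for l in SYSLOG_LINES) if e]
    events += [parse_api(r) for r in API_RECORDS]
    events += parse_db_csv(DB_AUDIT_CSV)
    return sorted(events, key=lambda e: e["timestamp"])


def failed_logins_by_ip(events):
    """One query that now works across ssh, the API and the database alike."""
    counts = {}
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            counts[e["src_ip"]] = counts.get(e["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in normalise_all():
        print(e)
    print(failed_logins_by_ip(normalise_all()))
```

The point of the exercise is the `_event` function: every collector, however ugly its input, ends in the same seven fields, and from then on analysts write one search instead of three. Real collectors also have to handle time zones and clock skew between hosts, which is why the timestamp is forced to UTC at ingestion rather than left in each source’s local representation.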
The best approach to monitoring customer systems is to move your security analysts into a security operations centre (SOC), dedicated to collecting and analysing logs and responding to cyber-attacks. A SOC doesn’t have to be a special facility with massive screens or glamorous theatrics (as you might have seen on television), rather it’s a place where the security team works together to coordinate monitoring and alerting across the customer base.
Tools are fundamental to the running of a SOC, since this normalisation of logs across hundreds (or thousands) of sources is necessary, along with the ability to detect patterns of attack in real time. The toolset, known as a Security Information and Event Management (SIEM) system, does all the hard work, freeing up your analysts’ time to triage alerts and follow investigative leads, rather than spending time correlating events manually across disparate systems. So let’s look at this in the context of monitoring for customers who need to be PCI compliant.
The Huntsman Security team is often asked what should be monitored to fulfil PCI DSS compliance obligations; should we collect logs from every system, or restrict it to the systems on which we store or process customer or credit card information? We respond to this question with an analogy: when a jewel thief breaks into a bank to steal diamonds, they leave traces of the theft throughout the bank’s facility, not just on the safety deposit box where the jewels were stored. ICT systems are the same. If you can detect the attacker as they come through the door, or slip in through an open window, then you can prevent them getting to their end goal. You can adopt this analogy when talking to PCI customers, since a monitoring solution using SIEM allows them to monitor and correlate information along the entire attack path, thus being able to identify attacks before they get close to the end objective (credit card information).
The earlier you detect cyber-attacks, the more significant the reduction in overall harm to your customers. Together with your customer, you can use threat modelling to determine how attackers would reach their objectives within the context of the customer’s systems, looking at each technology and application through the eyes of the hacker. Using this approach, you can help the PCI customer prioritise the collection of logs and tailor notifications to the risks associated with each of those systems, identifying indicators of compromise along the way.
Next generation SIEM products have specialist collectors developed to interface with hundreds of different kinds of ICT systems, so the hard work in collecting and normalising the data is already done for you.
Once the data is ingested into the SIEM and made available to analysts, the rules pertaining to each event and its relation to other events can be programmed into the platform to alert on patterns of attack. This activity forms the basis of how you would work with PCI customers. There are, however, two specific aspects of detection and response that you can explain to a customer, since both assist in PCI DSS compliance, but more importantly they help detect and prevent security breaches that simple log analysis cannot. The first is based on gaining an understanding of user behaviour: next generation SIEM technology can build a baseline of what regular operations look like, then alert when something unusual happens. The second is reporting: the SIEM can report the PCI customer’s compliance status on a dashboard that immediately shows issues in real time.
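The two ideas in this paragraph, rules that relate events to one another and a behavioural baseline that flags the unusual, are shown together in the following added example (not code from the original post or any vendor product). It operates on events already in a common schema of the kind a SIEM produces after normalisation; the baseline week, the live events, the users, hosts and addresses are constructed, and the five-failure threshold, five-minute window and “hosts and hours” profile are assumptions chosen for illustration. The correlation rule deliberately counts failures by source address across several hosts, which is exactly what per-host log review misses.

```python
"""Two detections a SIEM layers on top of normalised events:
a cross-host correlation rule and a per-user behavioural baseline.

Added example, not code from the original post or any vendor product.
Events use a constructed common schema (timestamp, user, host, src_ip,
action, outcome); all users, hosts and addresses are constructed, and the
thresholds and baseline period are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, user, host, src_ip, action="login", outcome="success"):
    """Build one normalised event (constructed data)."""
    return {"timestamp": datetime.fromisoformat(ts), "user": user, "host": host,
            "src_ip": src_ip, "action": action, "outcome": outcome}


# Constructed week of routine activity used to learn what "normal" looks like:
# jsmith works the till application at 08:00 and 13:00, backup runs on db01 at 22:00.
BASELINE_EVENTS = [
    ev(f"2024-02-{d:02d}T{h:02d}:05:00", "jsmith", "pos-app01", "10.0.4.21")
    for d in range(19, 24) for h in (8, 13)
] + [ev(f"2024-02-{d:02d}T22:10:00", "backup", "db01", "10.0.9.5") for d in range(19, 24)]

# Constructed live events: a password-guessing run spread over three hosts that
# ends in a success, plus a login by a known user at an unusual host and hour.
LIVE_EVENTS = [
    ev("2024-03-03T10:15:02", "admin", "web01", "203.0.113.7", outcome="failure"),
    ev("2024-03-03T10:15:05", "admin", "payments-api", "203.0.113.7", outcome="failure"),
    ev("2024-03-03T10:15:12", "admin", "db01", "203.0.113.7", outcome="failure"),
    ev("2024-03-03T10:15:20", "root", "db01", "203.0.113.7", outcome="failure"),
    ev("2024-03-03T10:15:41", "admin", "db01", "203.0.113.7", outcome="failure"),
    ev("2024-03-03T10:16:03", "admin", "db01", "203.0.113.7"),
    ev("2024-03-03T13:05:00", "jsmith", "pos-app01", "10.0.4.21"),
    ev("2024-03-03T03:40:00", "jsmith", "db01", "10.0.4.80"),
]


def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logins from one source address inside
    `window`, regardless of target host or account, followed by a success from
    the same address. Returns one alert per such sequence."""
    events = sorted(events, key=lambda e: e["timestamp"])
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = []
    for e in events:
        if e["action"] != "login":
            continue
        q = recent[e["src_ip"]]
        while q and e["timestamp"] - q[0] > window:  # slide the window forward
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e["timestamp"])
        elif len(q) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "src_ip": e["src_ip"],
                           "user": e["user"], "host": e["host"], "failures": len(q),
                           "at": e["timestamp"].isoformat()})
            q.clear()  # one alert per sequence, not one per later success
    return alerts


def learn_baseline(events):
    """Per user: the hosts they normally reach and the hours they are active."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        if e["outcome"] == "success":
            profile[e["user"]]["hosts"].add(e["host"])
            profile[e["user"]]["hours"].add(e["timestamp"].hour)
    return profile


def detect_anomalies(events, profile):
    """Flag successful logins outside the learned profile. A user with no
    profile at all is reported rather than silently trusted."""
    alerts = []
    for e in events:
        if e["outcome"] != "success":
            continue
        p = profile.get(e["user"])
        if p is None:
            alerts.append({"rule": "unprofiled_user", "user": e["user"], "host": e["host"],
                           "at": e["timestamp"].isoformat()})
            continue
        reasons = []
        if e["host"] not in p["hosts"]:
            reasons.append("new_host")
        if e["timestamp"].hour not in p["hours"]:
            reasons.append("unusual_hour")
        if reasons:
            alerts.append({"rule": "behaviour_deviation", "user": e["user"], "host": e["host"],
                           "reasons": reasons, "at": e["timestamp"].isoformat()})
    return alerts


def run_all():
    """Learn from the quiet week, then run both detections over the live events."""
    profile = learn_baseline(BASELINE_EVENTS)
    return correlate_bruteforce(LIVE_EVENTS) + detect_anomalies(LIVE_EVENTS, profile)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Three alerts come out: the guessing run is caught because failures against `web01`, `payments-api` and `db01` are counted together by source address; the eventual `admin` success is additionally flagged because no baseline exists for that account; and `jsmith` is flagged for reaching a host and an hour never seen in the training week. The baseline here is a crude set of hosts and hours; a production system would use a longer learning period and tolerate gradual drift, but the structure (learn, then compare each live event against the learned profile) is the same.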
Next generation SIEM technology provides essential aspects of fulfilling PCI DSS compliance obligations – something that you, as an MSSP, can use to show the value of your SOC service.