Monitoring critical system files, configuration files, and content files for unusual or unauthorized activity is one of the core requirements of the PCI-DSS, the payment card industry’s security standard. As such, file integrity monitoring (FIM) is a necessary activity for companies that process or store credit card data. Security teams can choose from any number of endpoint security tools to handle FIM for PCI compliance, but some solutions do more than others.
In this article we’ll highlight the basic FIM requirements of PCI, and explain how you can meet multiple PCI compliance standards—including FIM—with one powerful endpoint security tool.
FIM: A PCI Requirement
To protect cardholder data, the PCI-DSS outlines a set of 12 requirements that apply to all businesses which store, process, or transmit payment card data. While some of these requirements have to do with physical processes, two of them—requirements 10 and 11—provide specific guidelines on how to protect the data stored within computer networks:
- Requirement 10.5.5 requires businesses to “use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).”
- Requirement 11.5 requires businesses to “deploy a change detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”
To address these PCI requirements, security teams employ file integrity monitoring software, or other security software with embedded FIM capability. FIM tools monitor all file modifications—including additions (new files being created), changes, and deletions—and alert specified personnel when unauthorized changes to files and directories occur. If FIM is not properly implemented, unauthorized changes can render other security controls ineffective and allow cardholder data to be stolen with no other perceptible impact.
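The two requirements above ask for slightly different things: 11.5 wants a baseline of critical files that is re-compared regularly (added, changed and deleted files all count), while 10.5.5 wants alerts only when existing log data is altered, so ordinary appends must not fire. The following script is an added illustration of both checks and is not code from this article, from Uptycs or from osquery. It builds a constructed miniature file tree in a temporary directory, takes baselines, simulates a configuration edit, a deletion, a dropped file, a normal log append, an in-place log edit and a log truncation, and reports which of those should alert. All file names and contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(root):
    """Hash every regular file under root, keyed by path relative to root.

    This is the critical-file comparison baseline that Requirement 11.5 asks
    to be re-run at least weekly (continuous monitoring is the stronger option).
    """
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(before, after):
    """Return (event, relative_path) pairs for added, deleted or modified files."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            events.append(("deleted", rel))
        elif rel not in before:
            events.append(("added", rel))
        elif before[rel] != after[rel]:
            events.append(("modified", rel))
    return events


def log_snapshot(path):
    """Remember a log's size and the hash of the bytes present at baseline time."""
    data = Path(path).read_bytes()
    return {"size": len(data), "sha256": _sha256(data)}


def check_log(path, snap):
    """Requirement 10.5.5 semantics: appends are normal, anything else alerts.

    Returns 'unchanged' or 'appended' (no alert), or 'truncated' or 'modified'
    (alert: data that already existed in the log was altered).
    """
    data = Path(path).read_bytes()
    if len(data) < snap["size"]:
        return "truncated"
    if _sha256(data[: snap["size"]]) != snap["sha256"]:
        return "modified"
    return "appended" if len(data) > snap["size"] else "unchanged"


def demo():
    """Build a constructed mini file tree, take baselines, tamper, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        log_dir = Path(tmp) / "log"
        etc.mkdir()
        log_dir.mkdir()
        (etc / "app.conf").write_text("tls_min_version = 1.2\n")
        (etc / "old.conf").write_text("legacy = yes\n")
        for name, content in [("audit.log", "login user=alice\n"),
                              ("access.log", "GET /pay 200\n"),
                              ("error.log", "boot ok\nwarn x\n")]:
            (log_dir / name).write_text(content)

        config_baseline = snapshot(etc)
        log_baselines = {name: log_snapshot(log_dir / name)
                         for name in ("audit.log", "access.log", "error.log")}

        # Simulated activity after the baseline (all constructed):
        (etc / "app.conf").write_text("tls_min_version = 1.0\n")  # weakened setting
        (etc / "old.conf").unlink()                                 # file removed
        (etc / "dropped.conf").write_text("debug = true\n")        # new file appears
        with (log_dir / "audit.log").open("a") as f:
            f.write("login user=bob\n")                             # normal append
        (log_dir / "access.log").write_text("GET /pay 404\n")       # in-place edit
        (log_dir / "error.log").write_text("boot ok\n")             # line removed

        config_events = diff_snapshots(config_baseline, snapshot(etc))
        log_results = {name: check_log(log_dir / name, snap)
                       for name, snap in log_baselines.items()}
        return config_events, log_results


if __name__ == "__main__":
    events, statuses = demo()
    for event, rel in events:
        print(f"ALERT {event}: etc/{rel}")
    for name, status in statuses.items():
        flag = "ALERT" if status in ("truncated", "modified") else "ok   "
        print(f"{flag} {status}: log/{name}")
```

The prefix-hash check is what lets the audit log grow without noise while still catching an edited or truncated entry. Note that legitimate log rotation also shows up as "truncated" under this scheme; a production FIM avoids that false positive by tracking the inode or the rename event rather than only the path, which is one reason to prefer an event-driven agent over a periodic hash sweep.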
Using Uptycs As A PCI-Compliant FIM
Finding the right file integrity monitoring software can be a challenge, particularly when you’re managing a hybrid of cloud and on-premises infrastructure across macOS, Linux, and Windows. FIM is a key capability of Uptycs, an osquery-powered security analytics platform. It allows you to manage file integrity across complex networks, so that instead of relying on several platforms to monitor Windows, Mac, and Linux, you can monitor all file activity in one unified environment. The Uptycs FIM module provides full visibility across operating systems with continuous file monitoring, flexible configuration options, file change analysis, and contextual alerts. As a result, security engineers, site reliability engineers, incident response teams and IT professionals are better equipped to secure and monitor endpoint fleets and server workloads.
When using Uptycs as PCI-compliant FIM software, simply identify which files or paths you want to monitor, and Uptycs will look for changes as they occur. If you’ve requested alert notifications, Uptycs will notify you in real time, sending a message via email, Slack, or an incident management platform like PagerDuty. Uptycs also integrates with your SOAR and SIEM solutions.
Our file integrity monitoring solution leverages the versatility of the open source agent osquery. Using over 200 system tables, Uptycs can provide detailed insight into which file was modified, the process name and ID, the date, time, and user that performed the action, and more, allowing security team members to quickly respond to potential breaches and unauthorized modifications. The Uptycs file integrity monitoring solution also provides the ability to analyze historical data, recreating an asset at a given point in time to reveal exactly what happened to critical files, and how the incident occurred.
Using Uptycs For Other PCI-DSS Compliance Requirements
As an endpoint security analytics platform, Uptycs can also be used to meet other endpoint-focused PCI requirements:
Vulnerability detection is a way for security teams to identify potential vulnerabilities in the software running within their environments; it’s also another core requirement of the PCI-DSS. PCI-DSS Requirement 11 calls for organizations to regularly test security systems and processes, while 11.2 requires vulnerability scanning. The Uptycs platform provides out-of-the-box Linux vulnerability detection capabilities that allow organizations to meet this requirement.
Login auditing can help organizations meet Requirement 10.6, which calls for monitoring of security logs. To ensure compliance, there should be a limited set of users logging into the servers that fall under PCI requirements. Uptycs can provide greater visibility into logins, monitoring and alerting when unusual or unexpected users access the servers and infrastructure.
Ready to explore other compliance ideas with osquery? Watch the video “Thou Shalt Query: Compliance Ideas with Osquery.”