Using Splunk Enterprise Security to ensure PCI compliance
Laws and policies that cover the protection of customer data can apply to businesses of all kinds, from local businesses to multi-million-dollar corporations. Protecting customer information, especially financial information, should not only be a top priority but is also a legal expectation due to the emergence of standards designed to ensure privacy and data protection.
This is where Splunk Enterprise Security and its extensive use case flexibility enters the picture. Splunk Enterprise Security provides threat management with a granular and centralized view of enterprise security - an essential need for organizations that need to ensure PCI DSS compliance.
This article is part of Splunk's Use Case Explorer for Security, which is designed to help you identify and implement prescriptive use cases that drive incremental business value. In the Security maturity journey described in the Use Case Explorer, this article is part of Compliance.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is the international standard for protecting card owner data from malicious use or theft. It was developed to encourage and improve cardholder data security, as well as facilitate the global adoption of consistent data security measures. PCI DSS applies to any entity involved in payment card processing. This includes merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD).
PCI DSS is made up of a minimum set of requirements for protecting account data and can be enhanced by additional practices, including local, regional, and sector regulations, to further mitigate risks. The Security Controls and Processes for PCI DSS Requirements combine 12 requirements and corresponding testing procedures into a security assessment tool. It is designed for use during PCI DSS compliance assessments as part of an entity’s validation process.
Some questions you might have about using Splunk Enterprise Security for PCI compliance include:
- How do I protect cardholder information and ensure it isn't being exposed in my data?
- How can I determine if my systems are exposed to vulnerabilities and malware?
- How do I know whether my access control measures are really working or are being violated?
- How do I know if my network security controls are being exploited?
Because PCI DSS is a comprehensive regulation, there are many steps you need to take to ensure and maintain compliance. Implementing value-driven use cases in your Splunk Enterprise Security environment benefits your business significantly in meeting the requirements of PCI DSS. Splunk Enterprise Security provides investigative capabilities, threat detection, compliance reports, data management, and alerting of anomalies. Splunk Enterprise Security also helps your business in many other areas of data security, such as data collection, normalization, and storage to automatically demonstrate compliance.
Value-added use case solutions
Let’s look at specific ways that you can use Splunk Enterprise Security to your advantage to keep in line with PCI DSS compliance.
Detecting user account compromise
Splunk Enterprise Security correlation can track user activities to prevent, detect, and minimize the impact of compromised data and user activity. For example, by ingesting authentication and access data, Splunk Enterprise Security can identify abnormal user behavior through correlation. Additionally, with Splunk User Behavior Analytics, Splunk can establish patterns of behavior based on roles and determine what activity looks normal day-to-day versus deviations from that activity. Splunk Enterprise Security use cases can create risk-based alerts to warn SOC teams in case of access to unusual data or systems at suspicious hours.
Detecting privilege escalation attacks
Threat actors need elevated permissions to get to the most valuable data. One of the main targets of PCI compliance should be to detect privileged user account access promptly. Splunk Enterprise Security can immediately identify users that increase authorization on critical systems to perform privileged activities.
Detecting network beaconing (command and control communications)
After a user account has been compromised, threat actors look to maintain presence in the network. Using command and control to install additional malware and to persist in the network challenges SOC teams in a game of hide and seek. These teams must be able to discover external attackers and the activity that attackers use to stay embedded. Splunk Enterprise Security can associate network traffic with the threat intelligence feed, Intelligence Management, to locate malware that communicates with external attackers.
Detecting APT behaviors (lateral movement)
Lateral movement is a technique that cyber attackers use to progressively move through a network as they search for key data and assets to target in their attack campaigns. This activity can often be difficult to detect and monitor as it is done through low and slow methods. Splunk Enterprise Security and risk-based rules in use cases can be implemented to detect and alert on activity that aligns with threats and tactics in the MITRE ATT&CK framework.
Detecting data exfiltration and data leakage
Splunk Enterprise Security and its use case catalog, plus Splunk Security Essentials, have a variety of use case searches that can be implemented easily to detect when data is possibly being exfiltrated or has been leaked onto the internet. It does this by utilizing a combination of use case search correlation and Intelligence Management feeds to analyze incidents that may seem unrelated.
Examples of some types of data that may be at risk are:
- Sensitive email contents from misconfigured email services
- Proprietary company data kept in cloud storage services
- Transmitting consumer credit card data in clear text through a local network
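As an added illustration (not code from the original article or from Splunk), here is a small Python check for clear-text primary account numbers in log text, the kind of exposure the last list item describes: digit runs are Luhn-validated to cut false positives from other long numeric values, and each finding carries only a masked PAN so the alert itself does not leak cardholder data. The log lines and host names are constructed.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (timestamp host message); not real traffic.
SAMPLE_LOG = [
    "2024-01-15T10:22:01 web01 POST /checkout card=4111111111111111 amount=19.99",
    "2024-01-15T10:22:05 web01 GET /status session=1234567812345678",
    "2024-01-15T10:22:09 pos-03 AUTH pan=5555 5555 5555 4444 result=APPROVED",
    "2024-01-15T10:22:12 web02 GET /img/logo.png bytes=2048",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(log_lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid PAN seen in clear text; never the full PAN."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        fields = line.split()
        host = fields[1] if len(fields) > 1 else "unknown"
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append({"line": lineno, "host": host, "masked_pan": mask_pan(digits)})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_pans(SAMPLE_LOG):
        print(f"line {f['line']} host={f['host']} clear-text PAN {f['masked_pan']}")
```

Only two of the three 16-digit values are reported: the session identifier fails the Luhn check, which is the filter that keeps this kind of search from paging the SOC on every long numeric ID.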
Overall, Splunk Enterprise Security can be a valuable tool when safeguarding data within your organization. While no SIEM product is an end-all solution for being PCI DSS compliant, such tools can help to address some of the requirements for appropriate technical and security controls under the PCI DSS. To do more with Splunk Enterprise Security, try the use case Detecting non-privileged user accounts conducting privileged actions. For additional use cases associated with monitoring and detections that can aid in PCI DSS compliance in Splunk Security Essentials, read Getting Started with Splunk Security Essentials for Security Use Cases.
Still having trouble? Splunk has many resources available to help get you back on track. We recommend the following:
- Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants on a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.
- Splunk Answers: Ask your question to the Splunk Community, which has provided over 50,000 user solutions to date.
- Splunk Customer Support: Contact Splunk to discuss your environment and receive customer support.