The situation
The client, a fintech provider, needed to comply with various aspects of PCI DSS in order to continue providing payment solutions to their customers.
The client had been using a third-party managed security service provider (MSSP) to manage their infrastructure and monitor their environment. When they moved everything to AWS, they kept the monitoring outsourced to the same MSSP to keep things simple.
However, the relationship between the client and the MSSP quickly started to deteriorate. The MSSP began to lose interest in the client, which led to the client getting increasingly frustrated with the poor level of service they were receiving.
As a result, the client decided to give notice to their MSSP and find a different vendor that could monitor their environment 24/7, help them comply with PCI DSS and give them the high standard of service they wanted.
It was important for the client to resolve their situation before the contract with their old provider ended to prevent any loss of service. This left a total of four weeks to find and onboard with a new Managed SIEM vendor.
Client technology stack highlights
- AWS environment hosting:
  - 2x Windows Server 2019 VMs
  - 2x Linux Debian VMs
  - Active Directory VM
- AWS CloudTrail
- ClamAV
- pfSense firewall
- Microsoft Defender
The solution
Defense.com is a Level 1 PCI DSS Service Provider and also has a PCI Compliant Managed SOC, which was a factor in the client’s decision to trust us to provide a 24/7 monitoring service.
The Defense.com team firstly had an onboarding call with the client to talk through their service requirements and to complete their customer profile, which included information such as:
- Typical operating hours, maintenance schedule and patching times
- Out of hours contacts
- Known admin users
- Users who can log in out of hours
- Countries to expect connections from
- High-value stakeholders, including other third party service providers
- Asset and software list, network diagram and other technology stack information
This information helped our SOC team build a detailed profile of what ‘normal’ looked like for the client, so that the Defense.com analysts could flag anything that deviated from that baseline and keep the number of false-positive alerts to a minimum.
Once the necessary log collection agents and API integrations had been deployed and configured in the client’s environment, a handover call was scheduled with the Defense.com SOC team to:
- Confirm that all log sources were sending data correctly into the SIEM
- Discuss the client’s business profile so that any alerts could be tailored to their specific requirements
- Agree processes for managing P1 events in and out of hours
- Schedule regular follow up calls to review the service, optimise the SIEM deployment and anticipate any changes to the client’s environment
After this handover call, the Defense.com SOC analysts started to map the baseline level of activity within the client’s environment before starting the live service. This included making any adjustments to the SIEM alerts and runbooks based on the client’s business profile.
Complying with PCI DSS
In addition to ensuring they were detecting and responding to cyber threats 24/7, the client needed to comply with specific areas of PCI DSS. We worked closely with the client to help them to address the individual requirements and put measures in place to stay compliant.
Requirement 10
Requirement 10 of PCI DSS requires organisations to track and monitor all access to network resources and cardholder data. The client was able to achieve this with the SIEM features in their Defense.com account, including the collection, searching and archiving of security logs.
In particular, sub-requirement 10.7 mandates businesses to retain an audit trail for at least one year, and have at least three months of history immediately available for analysis. Since Defense.com offers 90 days of ‘hot data’ searching and one year of archived data as standard, the client was able to easily meet this requirement.
Requirement 11
Requirement 11 of PCI DSS requires businesses to regularly test the security of their systems and software. The client had already scheduled quarterly vulnerability scans to stay compliant with PCI DSS Requirement 11.2, which requires internal and external network vulnerability scans at least quarterly and after any significant change to the network.
These scans generate a lot of activity on a network, which could initially be mistaken for malicious activity, so it was important for our SOC team to know when the scans were scheduled so that they could anticipate the resulting spike in activity rather than raise it as an incident.
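The baselining described in the onboarding section (operating hours, approved out-of-hours users, expected countries, scheduled scans) is what lets an analyst separate the client’s normal activity from something worth a ticket. The following is an added example of that triage logic, not Defense.com’s detection content: the profile fields mirror the customer-profile checklist above, and the users, hosts, IPs, times and events are constructed sample data. The weekday rule (weekends count as out of hours) is an assumption for the example.

```python
"""Baseline-driven triage of login and scan events against a customer profile.

Added example; not Defense.com code. All names, IPs and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Tuple


@dataclass
class Profile:
    operating_hours: Tuple[time, time]             # local business hours
    admin_users: Set[str]                          # known admin accounts
    out_of_hours_users: Set[str]                   # allowed to log in out of hours
    expected_countries: Set[str]                   # ISO codes connections normally come from
    scan_windows: List[Tuple[datetime, datetime]]  # agreed vulnerability-scan windows
    scanner_ips: Set[str]                          # the client's scanner hosts


@dataclass
class Event:
    ts: datetime
    kind: str                # "login" or "portscan"
    user: Optional[str]
    src_ip: str
    country: str
    success: bool = True


def in_hours(ts: datetime, profile: Profile) -> bool:
    # Assumption for the example: weekends are treated as out of hours.
    start, end = profile.operating_hours
    return ts.weekday() < 5 and start <= ts.time() <= end


def in_scan_window(ts: datetime, profile: Profile) -> bool:
    return any(start <= ts <= end for start, end in profile.scan_windows)


def triage(event: Event, profile: Profile) -> Tuple[str, str]:
    """Return (disposition, reason); disposition is 'alert' or 'expected'."""
    if event.kind == "portscan":
        if event.src_ip in profile.scanner_ips and in_scan_window(event.ts, profile):
            return "expected", "scheduled vulnerability scan from the agreed scanner"
        return "alert", "port scan outside the agreed window or from an unknown source"
    if event.kind == "login":
        if event.country not in profile.expected_countries:
            return "alert", f"login from unexpected country {event.country}"
        if not in_hours(event.ts, profile) and event.user not in profile.out_of_hours_users:
            return "alert", f"out-of-hours login by {event.user}, not approved for it"
        if event.user in profile.admin_users and not event.success:
            return "alert", f"failed login for admin account {event.user}"
        return "expected", "matches the customer baseline"
    return "alert", f"unknown event kind {event.kind}"


# Constructed profile and events (not client data).
PROFILE = Profile(
    operating_hours=(time(8, 0), time(18, 0)),
    admin_users={"alice"},
    out_of_hours_users={"alice", "backup-svc"},
    expected_countries={"GB", "IE"},
    scan_windows=[(datetime(2023, 3, 4, 2, 0), datetime(2023, 3, 4, 6, 0))],  # Saturday 02:00-06:00
    scanner_ips={"10.0.9.9"},
)

SAMPLE_EVENTS = [
    Event(datetime(2023, 3, 6, 9, 15), "login", "alice", "10.0.0.5", "GB"),          # Monday, in hours
    Event(datetime(2023, 3, 6, 23, 40), "login", "bob", "10.0.0.6", "GB"),           # out of hours, not approved
    Event(datetime(2023, 3, 6, 10, 0), "login", "alice", "198.51.100.7", "RU"),      # unexpected country
    Event(datetime(2023, 3, 4, 3, 0), "portscan", None, "10.0.9.9", "GB"),           # inside scan window
    Event(datetime(2023, 3, 6, 14, 0), "portscan", None, "10.0.0.77", "GB"),         # unscheduled scan
    Event(datetime(2023, 3, 6, 11, 0), "login", "alice", "10.0.0.5", "GB", False),   # failed admin login
]


def run_sample() -> List[str]:
    """Triage the constructed events and return their dispositions in order."""
    return [triage(e, PROFILE)[0] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.ts, e.kind, e.user, *triage(e, PROFILE))
```

The scan-window check is the point of the paragraph above: the same burst of port-scan traffic is closed as expected when it comes from the agreed scanner inside the agreed window, and raised otherwise, so the client’s quarterly scans do not turn into a P1 at 03:00.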
To comply with PCI DSS Requirement 11.5, the client also needed a change-detection mechanism that alerts personnel when critical system files, configuration files or content files are created, modified or deleted, with file comparisons performed at least weekly. To fulfil this requirement, the Defense.com team helped the client set up File Integrity Monitoring (FIM) as part of their SIEM deployment. Alerts from the FIM tool could then be raised, investigated and actioned as appropriate with the assistance of the Defense.com SOC analysts.
The outcome
The client had their SIEM solution deployed well within their required timeframe, which meant they could confidently cut ties with their old MSSP at the end of their contract. This was a big win for the client, as they wanted to get away from their old provider as soon as possible while avoiding any loss of service or additional charges.
Within the first month of the Managed SIEM service, Defense.com processed over 25 million logs for the client. During the baselining phase, the Defense.com SOC team investigated two SSH login events; both were closed as false positives.
The Defense.com team also observed four instances of a cmp command being run daily to compare sensitive Linux files with their corresponding .bak files. This was expected activity for this client as part of their efforts to comply with Requirement 11.5 of PCI DSS, so the events were closed as false positives.
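Both the FIM deployment under Requirement 11.5 and the client’s daily cmp-against-.bak checks come down to the same mechanism: a stored baseline of critical files and a periodic comparison that reports creations, modifications and deletions. The following is an added example of that mechanism, not the Defense.com FIM tool or the client’s cmp script. It works in a temporary directory with constructed file contents; the watched paths are made up for the example.

```python
"""Minimal file integrity monitor: hash critical files, store a baseline,
report created/modified/deleted files on the next run.

Added example; not Defense.com or client code. Paths and contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, watched: List[str]) -> Dict[str, Dict[str, str]]:
    """Record hash and permission bits for each watched file under root.
    Files that do not exist are simply absent from the snapshot."""
    snap = {}
    for rel in watched:
        p = root / rel
        if p.is_file():
            snap[rel] = {
                "sha256": sha256_file(p),
                "mode": oct(p.stat().st_mode & 0o7777),  # permission changes count too
            }
    return snap


def diff(baseline: Dict[str, Dict[str, str]],
         current: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Classify every watched path as created, modified or deleted relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "created": sorted(cur_keys - base_keys),
        "deleted": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


# Constructed list of critical files a Linux FIM policy would typically watch.
WATCHED = ["etc/passwd", "etc/ssh/sshd_config", "etc/sudoers.d/ops"]


def demo() -> Dict[str, List[str]]:
    """Build a baseline, simulate one change of each kind, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in [
            ("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n"),
            ("etc/ssh/sshd_config", "PermitRootLogin no\n"),
        ]:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)

        # The baseline is serialised so it can be kept off the monitored host.
        baseline_json = json.dumps(snapshot(root, WATCHED), sort_keys=True)

        # Simulated changes: a hardening setting flipped, a file removed, a new sudoers drop-in.
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc/passwd").unlink()
        (root / "etc/sudoers.d").mkdir(parents=True, exist_ok=True)
        (root / "etc/sudoers.d/ops").write_text("ops ALL=(ALL) NOPASSWD:ALL\n")

        return diff(json.loads(baseline_json), snapshot(root, WATCHED))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points follow from this. First, the baseline must live somewhere the monitored host cannot rewrite (a signed file shipped off-host, or the SIEM itself); a .bak copy sitting next to the live file on the same server can be updated by the same attacker who changed the original, which is why cmp-style checks are a useful supplement but not a substitute for FIM that reports into the SIEM. Second, Requirement 11.5 asks for comparisons at least weekly, so the check needs a scheduler (cron, a systemd timer) and the resulting alerts need an owner, which is the part the SOC runbook covers.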
In addition to the ongoing monitoring service provided by the SOC team, the client received threat intelligence in their Defense.com account tailored to the types of assets in their environment. This informed the client about 20 vulnerabilities and over 30 ransomware variants that could potentially affect their business. Each threat came with actionable advice from the Defense.com SOC team to help the client harden their networks and remediate any issues.
Client feedback
The client was pleased that their Managed SIEM service now enabled them to meet many of the requirements for PCI DSS compliance and monitor their environment 24/7 for cyber threats.
The client mentioned that they had access to much more information in the Defense.com SaaS platform in comparison to their previous provider. They also stated that they were really happy with how the service had been onboarded and delivered, especially with the excellent level of support they had received from the Defense.com team.
The client also noted that they are looking to become compliant with PCI DSS v4 in the near future and recognise that their partnership with Defense.com will enable them to achieve this when they are ready to take this next step.
Learn more about Defense.com™
Detect and respond to cyber threats and protect your business with Defense.com. Try for free to see our platform in action and find out how you can increase your cyber resilience.