PCI DSS 3.2 Requirement 11: Regularly Test Security Systems and Processes

Applies to Product:

USM Appliance™

LevelBlue OSSIM^®

Testing Procedure	How USM Appliance Delivers	USM Appliance Instructions	USM Appliance Documentation
11.1.d If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to notify personnel.	USM Appliance can provide alerting for events that are collected and sent to the SIEM.	Verify that policies, especially those in the "Policies for events generated in server" section, are enabled and configured to use an Action that generates an email to the appropriate contact.	Tutorial: Create a Policy to Send Emails Triggered by Events
11.1.1 Examine documented records to verify that an inventory of authorized wireless access points is maintained and a business justification is documented for all authorized wireless access points.	USM Appliance provides asset management features that can assist in collecting this data.	Schedule Asset scans to run regularly in USM Appliance.	Running Asset Scans
		Run the existing Asset Report for an inventory of all assets	How to Run Reports
		If you find any information outdated or missing, you may edit the asset to enter the appropriate information.	Editing the Assets
11.2.1.a Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period.	Configure Vulnerability Scan in USM Appliance to satisfy this requirement.	See Scan results on Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify dates of scans.	Viewing the Scan Results
11.2.1.b Review the scan reports and verify that the scan process includes rescans until all “high-risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved.	Configure Vulnerability Scan in USM Appliance to satisfy this requirement.	See Scan results on Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify dates of scans.	Viewing the Scan Results
11.2.3.b Review scan reports and verify that the scan process includes rescans until: • For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS. • For internal scans, all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.	Configure Vulnerability Scan in USM Appliance to satisfy this requirement. USM Appliance keeps copies of scans results. Use them to show that ongoing internal scanning is being performed	See Scan results on Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify dates of scans.	Viewing the Scan Results
11.4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic: • At the perimeter of the cardholder data environment • At critical points in the cardholder data environment.	USM Appliance provides NIDS/HIDS functionality and NetFlow information to trace data flow.	From Analysis > Security Events, select “AlienVault NIDS” from the Data Source drop-down. Verify that events are being generated from network traffic that is not local to the USM Appliance device.	Security Events Views
11.4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion- prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.	USM Appliance provides NIDS/HIDS functionality and NetFlow information to trace data flow.	From Analysis > Security Events, select “AlienVault NIDS” from the Data Source drop-down. Verify that events are being generated from network traffic that is not local to the USM Appliance device.	Security Events Views
11.5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored: • System executables • Application executables • Configuration and parameter files • Centrally stored, historical or archived, log and audit files • Additional critical files determined by entity (i.e., through risk assessment or other means)	USM Appliance provides registry integrity monitoring and File Integrity Monitoring (FIM) through AlienVault HIDS.	Create a Security Events view with the search on Event Name containing "integrity" and the data source as "AlienVault HIDS". Then export the view as a report module and run the report.	Create Custom Reports from SIEM Events or Raw Logs
		Additionally, create a directive to Alert on occurrences of HIDS integrity change events, which triggers immediate alarms.	Tutorial: Create a New Directive to Detect DoS Attack
		Examine long term logging on Analysis > Raw Logs by performing a search for any events containing "integrity" and data source as "AlienVault HIDS".	Search Raw Logs
11.5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly.	USM Appliance provides File Integrity Monitoring (FIM) through AlienVault HIDS.	Create a Security Events view with the search on Event Name containing "integrity" and the data source as "AlienVault HIDS". Then export the view as a report module and run the report.	Create Custom Reports from SIEM Events or Raw Logs
		Additionally, create a directive to Alert on occurrences of HIDS integrity change events, which triggers immediate alarms.	Tutorial: Create a New Directive to Detect DoS Attack
		Examine long term logging on Analysis > Raw Logs by performing a search for any events containing "integrity" and data source as "AlienVault HIDS".	Search Raw Logs

Feedback

Questions or comments on this page's content? Let us know.

Feedback

Feedback

We have received your feedback. Thank you.