Introduction
Audience
This guide is intended to introduce customers and partners to the features provided by the Solution Pack for PCI DSS and related Sentinel features.
The PCI-DSS Solution Pack provides control-level support for the key event-based controls of the Payment Card Industry - Data Security Standard v3.0.
Feedback
We want to hear your comments and suggestions about this plug-in and its documentation. Please use the Community system at:
Documentation Updates
For the most recent version of this Sentinel Collector Guide, visit the Sentinel Plug-ins website at:
https://marketplace.microfocus.com/arcsight/category/sentinel
Additional Documentation
For additional documentation about Sentinel, please view the Sentinel Product Documentation:
Solution Overview
NetIQ Sentinel Solution Packs extend Sentinel by providing control-based and policy-based content sets that can implement enforcement of enterprise policies. Each control in a Solution Pack consists of a coordinated set of rules, reports, workflows, roles, and/or actions that are designed to demonstrate compliance with the stated control or policy. Dependencies between the control components are tracked and managed, with seamless versioning between successive Pack updates.
Solution Packs are also self-documenting and self-monitoring – control descriptions, implementation steps, and testing steps are built right into the Pack and can be viewed in Solution Manager or exported to a PDF. Each step in rolling out a control is audited and can be reported on, and the status of each control is tracked and can be shown in a dashboard report (see the Solution Pack Controls section within the Pack).
For more information about Solution Packs and how to create them, modify them, and deploy them, see the Sentinel product documentation.
The Solution Pack for PCI DSS
The PCI DSS Solution Pack provides base-level operational controls and additional Sentinel add-ons to enable additional functionality.
The Solution Pack provides high-level, business-focused controls that can help solve PCI DSS management and security problems within even the largest enterprises. This Solution integrates data from NetIQ and third-party applications to give unprecedented visibility into user activities and enterprise security.
Standards
The PCI DSS 2011.1r2 Solution Pack conforms to version 3.0 of the PCI-DSS standard. For more information on this revision, see: https://www.pcisecuritystandards.org
PCI-DSS Requirements
The PCI DSS 2011.1r2 Solution Pack addresses the following PCI-DSS requirements:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 3: Protect stored cardholder data.
- Requirement 7: Restrict access to cardholder data by business need to know.
- Requirement 8: Identify and authenticate access to system components.
- Requirement 10: Track and monitor all access to network resources and cardholder data.
NetIQ selected these requirements based on feedback from customers and partners, plus additional technical and design requirements. One guiding principle was to cover as wide a variety of requirements as possible; as such, these controls could in many cases be cloned and easily modified to cover many additional PCI requirements.
Solution Summary Details
Control Summary
- Solution Pack Controls - These controls provide dashboards and management for the Solution Pack as a whole. The Global Setup control should be implemented before anything else in the Solution Pack. Other controls can be implemented in any order. Run the Dashboard Status report at any time to show the overall status of implementation. Note that many controls leverage the same infrastructure components, such as maps. When implementing a control you may find that some steps have already been performed; you may be able to skip those implementation steps in the later control.
- Global Setup - The content and implementation steps in this control are prerequisites for the entire Solution Pack. You need to implement and test this control prior to all other controls in this Solution Pack. This control provides the "Sentinel Core White Label Template" report, on which all other reports in this Solution Pack depend.
- Dashboard Status - This control provides a dashboard view of the current status of the Solution Pack. The dashboard helps you determine how close you are to compliance overall and within each control category.
- Implementation Audit Trail - This control monitors and manages the deployment of the Solution Pack within Sentinel.
- Requirement 1: Maintain Firewall Configuration - Requirement 1: Install and maintain a firewall configuration to protect cardholder data. "Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity’s trusted network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/
- Control 1.1.1: Firewall Configuration Changes - "Establish and implement firewall and router configuration standards that include the following: A formal process for approving and testing all network connections and changes to the firewall and router configurations." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control monitors all firewall and router configuration change events and generates a report. You can compare the report data with the list of approved configuration changes to verify compliance. To enable the Multi Tenancy feature in the 1.1.1.a Firewall Configuration Management Documentation report, see the Overview -> Configuration -> Configuring Multi Tenancy section of the Solution Pack documentation.
- Control 1.1.5: Detect Unauthorized Firewall Administration - "Establish firewall and router configuration standards that include the following: Description of groups, roles, and responsibilities for management of network components." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control monitors role membership and sends alerts if non-members attempt to modify firewalls. This control also detects policy violations. To enable the Multi Tenancy feature in the 1.1.5 Firewall Administration Roles Documentation report, see the Overview -> Configuration -> Configuring Multi Tenancy section of the Solution Pack documentation.
- Control 1.3.5: Restrict Access from PCI Systems to the Internet - PCI DSS 1.3 requirement: Prohibit direct public access between the Internet and any system component in the cardholder data environment. PCI DSS 1.3.5 requirement: Restrict outbound traffic from the cardholder data environment to the Internet. -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control ensures that there is no direct access from PCI servers to the Internet. This control is enforced using firewall rule sets, and detects any misconfiguration or deliberate modification that might allow invalid traffic to flow.
- Requirement 3: Protect Cardholder Data - Requirement 3: Protect stored cardholder data. "Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/.
- Control 3.5: Protect Cardholder Data Cryptographic Keys - "Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control monitors access to cryptographic key storage locations and sends alerts if unauthorized users attempt to access the cryptographic keys. Cryptographic Key Role: Reserved for users for user-specific data. (String)
- Requirement 7: Restrict Cardholder Data Access - Requirement 7: Restrict access to cardholder data by business need-to-know. "To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/
- Control 7.1: Restrict Access to Cardholder Data - "Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following: - Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities. - Assignment of privileges is based on individual personnel's job classification and function. - Requirement for a documented approval by authorized parties specifying required privileges. - Implementation of an automated access control system." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. In most enterprises, access to cardholder data is mediated by job function and therefore by system roles or groups. This control ensures that only members of delegated roles access cardholder data. To enable the Multi Tenancy feature in the 7.1.4 Cardholder Data Role Documentation report, see the Overview -> Configuration -> Configuring Multi Tenancy section of the Solution Pack documentation.
- Requirement 8: Identity Management - Requirement 8: Assign a unique ID to each person with computer access. "Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users." -- From PCI-DSS v3, https://www.pcisecuritystandards.org/
- Control 8.5.1: Control Creation, Deletion, and Modification of User Accounts - Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control provides reports that display addition, deletion, and modification of user objects. Note: NetIQ recommends that you use an Identity Management system to enforce enterprise-wide identity and role management policies around user management.
- Control 8.2.6: Change Passwords after First Use - Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use. -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control detects violations of this password policy even in cases where the event source cannot enforce the control by using native tools or when those tools are circumvented by administrators.
- Control 8.1.3: Revoke Access for Terminated Users - Immediately revoke access for any terminated users. -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control provides a report that displays user account disable and delete events. You can compare this list with the list of terminated employees. If your organization uses an identity management system, this report can provide even stronger evidence of proper user termination and access revocation.
- Control 8.1.4: Remove Inactive User Accounts - Remove/disable inactive user accounts at least every 90 days. -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control provides a report that displays users who have not been authenticated for over 90 days. If no system access event exists in the event store for the given user, or if the event has been moved to network storage, the user does not appear in this report. This reduces the number of false positives from old accounts.
- Control 8.5: Prevent Shared Account Usage - Do not use group, shared, or generic accounts and passwords, or other authentication methods. -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control uses rules to detect event-based indications that shared or generic accounts might be in use.
- Control 8.2.4: Enforce Periodic Password Changes - Change user passwords at least every 90 days. -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control provides the report that displays users who have not changed their password for more than 90 days. If no password change event exists in the event store for the given user or if the event has been moved to the network storage, the user information does not appear in this report. This reduces the number of false positives from old accounts.
- Control 8.1.6: Lock Accounts on Repeated Failed Logins - "Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows: Limit repeated access attempts by locking out the user ID after not more than six attempts." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control sends alerts when multiple failed or denied logins are detected, both on a single system and across multiple systems, to catch attackers attempting to access several systems at once. One rule in this control detects six failed logins against a single account, as specified in the requirement. Another rule detects cross-system activity and uses a threshold of six failed attempts to reduce false positives; this threshold can be adjusted.
- Requirement 10: Monitor Resource Access - Requirement 10: Track and monitor all access to network resources and cardholder data. "Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/
- Control 10.2.1: Audit User Access to Cardholder Data - "Implement automated audit trails for all system components to reconstruct the following events: All individual accesses to cardholder data." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control monitors all attempts by users to access cardholder data, and its report helps you identify accounts that might have been compromised or misused.
- Control 10.2.2: Audit Administrative Actions - "Implement automated audit trails for all system components to reconstruct the following events: All actions taken by any individual with root or administrative privileges." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control monitors administrative activity on PCI systems. This report helps you trace any issue resulting from an administrative mistake or misuse of privilege back to the specific action and the individual.
- Control 10.2.3: Audit Access to Audit Trails - "Implement automated audit trails for all system components to reconstruct the following events: Access to all audit trails." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control monitors all access to audit trails on monitored systems including Sentinel. For the Sentinel database, access by the service account, which is constantly writing event data, is not audited. This report helps you trace any inconsistencies or potential tampering of the logs and the individual account.
- Control 10.2.4: Audit Invalid Logical Access Attempts - "Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control identifies all invalid logical access events on all monitored systems. This report helps you identify malicious attempts, such as brute-force or password-guessing attacks.
- Control 10.2.5: Audit User Authentication - "Implement automated audit trails for all system components to reconstruct the following events: Use of identification and authentication mechanisms." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control provides a report that displays all use of user authentication mechanisms. This report helps you identify manipulation of authentication mechanisms by malicious users, such as bypassing authentication, impersonating a valid account, escalating privileges, and changing access permissions.
- Control 10.2.6: Audit Initialization of Audit System - "Implement automated audit trails for all system components to reconstruct the following events: Initialization of the audit logs." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control detects attempts by malicious users to avoid detection by reinitializing audit logs, and provides a report that displays audit trail initialization events for all monitored systems.
- Control 10.5.1: Limit Audit Trail Access by Business Need - "Limit viewing of audit trails to those with a job-related need." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control detects attempts by unauthorized users to access audit trail data. This report helps you restrict access for the users it displays.
- Control 10.5.2: Protect Audit Trail from Unauthorized Changes - "Protect audit trail files from unauthorized modifications." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control monitors permission changes on the audit trail, creates incident response workflows when permissions are modified, and provides a report that displays these incidents and the associated user activities.
- Control 10.5.5: Alert on Audit Trail Changes - "Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)." -- From PCI-DSS v3.0, https://www.pcisecuritystandards.org/. This control provides additional enforcement of audit trail protection by monitoring the audit data for modification. It monitors any modifications to the audit trail, creates incident response workflows when modifications are detected, and provides a report that displays these incidents and the associated event details. This report helps you determine whether malicious individuals may have tampered with the log files.
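As an added illustration (not the Solution Pack's own correlation rules or report SQL, and not Sentinel's event schema), the Python below models the event-based logic described for Controls 8.1.6, 8.1.4 and 8.2.4 over constructed sample events: the six-failure single-system and cross-system rules evaluated over a sliding window, and the 90-day inactivity and password-age reports that omit accounts with no matching event in the store. The field names, the 30-minute window and the reading of "cross-system" as one account failing on more than one host are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed reference time and helper; none of this is Sentinel's own schema.
NOW = datetime(2024, 6, 1, 12, 0, 0)
D = datetime.fromisoformat

# Constructed sample events: (timestamp, user, host, event_type), where
# event_type is one of login_fail, login_ok, pwd_change.
EVENTS = [
    # alice: six failures against one host in a few seconds (single-system rule)
    *[(D(f"2024-06-01T11:00:{i:02d}"), "alice", "db01", "login_fail") for i in range(6)],
    # bob: two failures on each of three hosts (cross-system rule only)
    *[(D(f"2024-06-01T11:10:{i:02d}"), "bob", f"app0{i % 3 + 1}", "login_fail") for i in range(6)],
    # carol: five failures then success, below the threshold (no alert)
    *[(D(f"2024-06-01T11:20:{i:02d}"), "carol", "web01", "login_fail") for i in range(5)],
    (D("2024-06-01T11:20:30"), "carol", "web01", "login_ok"),
    # dave: last successful login 120 days ago, password changed 200 days ago
    (NOW - timedelta(days=120), "dave", "web01", "login_ok"),
    (NOW - timedelta(days=200), "dave", "web01", "pwd_change"),
    # erin: active, with a recent password change
    (NOW - timedelta(days=3), "erin", "web01", "login_ok"),
    (NOW - timedelta(days=30), "erin", "web01", "pwd_change"),
]


def failed_login_alerts(events, threshold=6, window=timedelta(minutes=30)):
    """Control 8.1.6 style rules evaluated over a sliding time window.

    single_system: `threshold` failures for one account on one host.
    cross_system:  `threshold` failures for one account spread over more than
                   one host (our reading of the pack's cross-system rule; the
                   threshold is tunable, as the guide notes).
    Returns a sorted list of (rule, user, detail) tuples, one per account.
    """
    alerts = set()
    per_host = defaultdict(deque)  # (user, host) -> failure timestamps in window
    per_user = defaultdict(deque)  # user -> (timestamp, host) failures in window
    for ts, user, host, etype in sorted(events):
        if etype != "login_fail":
            continue
        q = per_host[(user, host)]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(("single_system", user, host))
        u = per_user[user]
        u.append((ts, host))
        while ts - u[0][0] > window:
            u.popleft()
        hosts = {h for _, h in u}
        if len(u) >= threshold and len(hosts) > 1:
            alerts.add(("cross_system", user, len(hosts)))
    return sorted(alerts, key=str)


def stale_users(events, now, etype, days=90):
    """Users whose most recent `etype` event is older than `days`.

    Accounts with no such event in the store are deliberately not reported,
    mirroring the guide's note that this reduces false positives from old
    accounts. The flip side is that an account which never authenticated
    through a monitored source is invisible to this report.
    """
    last = {}
    for ts, user, _host, t in events:
        if t == etype and (user not in last or ts > last[user]):
            last[user] = ts
    cutoff = now - timedelta(days=days)
    return sorted(user for user, ts in last.items() if ts < cutoff)


def inactive_users(events, now=NOW):  # Control 8.1.4
    return stale_users(events, now, "login_ok")


def password_change_violations(events, now=NOW):  # Control 8.2.4
    return stale_users(events, now, "pwd_change")


if __name__ == "__main__":
    for alert in failed_login_alerts(EVENTS):
        print("8.1.6 alert:", alert)
    print("8.1.4 inactive users:", inactive_users(EVENTS))
    print("8.2.4 password change violations:", password_change_violations(EVENTS))
```

Note that alice and bob never authenticate successfully in the sample, so they are absent from the inactivity report exactly as the guide describes for accounts with no system access event.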
Configuration
Configuring data synchronization to show past events in the reports
Some reports in this Solution Pack use the Sentinel 7.x data synchronization technology, which copies filtered event data from the local event store into a database to improve report efficiency. Each Report Data Definition (RDD) included in this Solution Pack enables data synchronization for its associated report. The default installation triggers data synchronization only for future events, to avoid an undesirable initialization load if the system were to attempt to synchronize events from the past. To enable your RDD-based reports to show events from the past (for example, the previous day, previous week, previous month, last 90 days, and so on) relative to the date you installed them from the Solution Pack, the following options are available:
- During installation of solution pack, adjust the "Synchronization Start Time" for each RDD in the Solution Pack installation wizard.
- After the installation of the solution pack or to change the range of past events at any time, perform the following steps:
- Log in to the Sentinel Web interface with a user account that is part of the administrator role.
- Click Storage > Data Synchronization.
- Click Resynchronize action for the RDD on which your report depends.
- Click the Synchronize data from field.
- Select the date and time from which you want the data to sync into the RDD table or view.
- Click Synchronize to start the synchronization process.
Installation and Upgrade Procedure Notes
This Solution Pack should be deployed using the standard procedures outlined in the core product documentation about Solution Packs and the Solution Manager. Additional notes are included for specific platforms.
Sentinel 7.x
To upgrade from an earlier version of this Solution Pack on Sentinel versions prior to 7.2.1:
- Import the latest Solution Pack into Sentinel from the Plug-ins website using Solution Manager.
- Select the Solution Pack and click the 'Open with Solution Manager' button/icon to open it in Solution Manager.
You may update any existing content by selecting that control and pressing the "Update" button in Solution Manager. This will overwrite any existing content related to that control with the newer content included in the Solution Pack.
You may install any new content by selecting the control and pressing the "Install" button on Solution Manager.
To get all of the content of the solution pack:
- Select the top node in the Solution Pack and press "Install". This will install all new controls on your system.
- Select the top node in the Solution Pack and press "Update". This will update all existing controls on your system.
Instructions To Upgrade RDD:
NOTE: You can still continue to schedule reports for ALL tenants without updating and re-synchronizing RDDs.
If you are using Sentinel versions prior to 7.2.1 and run an RDD-based report for a specific tenant without updating and re-synchronizing the RDDs, an error such as the following is thrown in the web UI:
Caused by: org.postgresql.util.PSQLException: ERROR: column "rv39" does not exist Position:
Following RDDs are modified to add 'rv39'(Tenant Name) field to support Multi tenancy feature:
- Failed Logins
- Inactive Users
- Password Change Violations
- Shared Account Usage
If you are using Sentinel versions prior to 7.2.1 and want to use the multi tenancy feature in the reports listed above, update the RDDs by following the procedure below.
To upgrade RDDs, follow these steps:
- Sentinel does not support automatic update of RDDs. They must be uninstalled and installed again.
- Uninstall the specific control under which the RDD is present from the controls list by clicking the “Uninstall” button. For example, to redeploy the RDD for Event Source reports, first uninstall the Event Source control from the Event Management control list by selecting the Event Source control and clicking “Uninstall”.
- To verify deletion of the RDDs, go to the Sentinel Web UI and click Data Synchronization under Storage.
- Re-install the control that you uninstalled in step 2 by clicking “Install”.
- The RDDs should be re-installed. To confirm, go to the Sentinel Web UI and click Data Synchronization under Storage.
- Re-synchronize the RDDs to populate them with data.
NOTE: Uninstalling a Solution Pack control removes all the content under that control in Sentinel. NetIQ recommends that you save any reports generated in the past for compliance or other purposes before uninstalling a control.
See section 16.5 Installing and Managing Solution Packs in the NetIQ Sentinel 7.x Administration Guide for more information about how to install and uninstall a control using Solution Pack Manager, and section 5.6 Configuring Data Synchronization in the NetIQ Sentinel 7.x Administration Guide for more information about how to resynchronize data in an RDD.
Configuring Multi Tenancy
Perform the following steps to enable multi tenancy in the 1.1.1.a Firewall Configuration Management Documentation, 1.1.5 Firewall Administration Roles Documentation, and 7.1.4 Cardholder Data Role Documentation reports.
- Go to the Incidents tab in Sentinel Control Center.
- Create a new incident.
- Provide a title for the incident.
- Provide a category according to the scenario.
- Open iTRAC and select the appropriate workflow.
- Open the Notes tab.
- Click on Add button and provide the tenant name.
Quickstart
- Download the latest version from the Novell Sentinel Plug-in website: https://www.netiq.com/support/sentinel/plugins/
NOTE: In some cases, the Solution Pack is an add-on that requires an additional license to be purchased before you will be entitled to download the Plug-in.
- Start the Sentinel Control Center and log in as a user with rights to manage Solution Packs (Permissions > Solution Pack > Solution Manager must be selected).
- Start the Solution Pack Manager via the menu Tools > Solution Packs.
- Select the green Add button to start the import wizard.
- Browse to select the Plug-in file you just downloaded, then select Next.
- Review the Plug-in details and select Next to import the Plug-in. The new Plug-in should appear in the Solution Packs Manager list.
- Select the new Solution Pack from the list, then open it in Solution Manager by selecting the Open button.
- Select the Create PDF button to generate complete, detailed PDF documentation for this Solution Pack, including implementation and testing steps for each control. Note that you have two additional options:
- Show Status Information – This adds current status information to the generated PDF, equivalent to what you see in the State column of the Solution Manager interface.
- Include Content Nodes – Includes additional details about the individual content elements included within each control. Note that this can add many pages to the produced document.
Revision History
Known Issues
- The White label template report in the solution pack is built separately unlike the previous version and is bundled as an external plugin. If you uninstall this report from the solution pack, the report will be uninstalled in other solution packs as well. Therefore, when uninstalling the solution pack, ensure that you do not uninstall the Global Setup control. Otherwise, the reports in other solution packs might not be functional.
- If you are using Sentinel versions prior to 7.2.1, you must upgrade the Report Data Definitions manually. See the Installation and Upgrade Procedure Notes section for instructions on upgrading the Report Data Definitions.
- For documentation-based reports, you must manually enable multi tenancy. See Configuring Multi Tenancy for instructions on enabling multi tenancy.
- The following SQL-based reports do not support additional filtering:
- 1.1.1.a Firewall Configuration Management Documentation
- 1.1.5 Firewall Administration Roles Documentation
- 1.1.5 Unapproved Firewall Administration
- 7.1.2 Unapproved Access to Cardholder Data
- 7.1.4 Cardholder Data Role Documentation
- 8.1.4 Inactive Users
- 8.1.6 Failed Logins
- 8.2.4 Periodic Password Change Violations
- 8.5 Shared Account Usage
- 10.5.2 Audit Trail Permission Changes
- 10.5.5 Audit Trail Changes
Release Notes
2011.1r4
- The correlation rules in this solution pack are now mapped to MITRE Technique IDs. Support for MITRE Attack Techniques is introduced in Sentinel 8.5.0.0
2011.1r3
- All the reports now show appropriate message when there is no data to display.
- Bug Fixes:
- Issue: The 8.5 Shared Account Usage report was not showing data. (Bug 910825) Fix: The mismatch in the correlation rule names used to query the 8.5 Shared Account Usage report is fixed.
- Issue: In reports, dates were not formatted correctly. (Bug 917118) Fix: The locale file in the SDK is modified to support different date formats.
2011.1r2
- This Solution Pack conforms to version 3.0 of the PCI-DSS standard. For more information on this revision, see: https://www.pcisecuritystandards.org
- The following features are introduced in this release:
- Multi Tenancy
- Time Zone
- Additional Report Filtering
- Dynamic Grouping
- This version includes improvements to visualization and summarization
- The Solution Pack Audit Trail report is no longer shipped with this Solution Pack as of this release. Please use the enhanced version of the Audit Trail report shipped with Sentinel Core Solution Pack 2011.1r7 or higher. The Sentinel Core Solution Pack Audit Trail report is enhanced to track changes made to all controls in all Solution Packs installed on a system.
2011.1r1
- This solution pack supports PCI DSS version 2.0 regulations. For information about supported requirements, see the "PCI-DSS Requirements" section in the solution pack document.
- This solution pack works on Sentinel 7.0.1 and later. For Sentinel 6.1 or Sentinel 6.1 Rapid Deployment, use version 6.1r3.
- This solution pack provides an enhanced version of the Sentinel Core White Label Template report that supports both portrait and landscape modes and NetIQ color standards. If your Sentinel system has an older version of this report, the solution pack upgrades the report automatically.
Legal Notice
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.