A few weeks ago we proudly announced the release of the Splunk App for PCI Compliance 3.0, which I will call in this post “the App”. The App, developed and supported by Splunk, helps organizations comply with PCI DSS, a global data security standard developed by a consortium of leading payment card companies to protect debit, credit and pre-paid card holder information.
We have many happy customers using this App and also many customers interested in evaluating it. This blog post addresses some of the most commonly asked questions around the App.
How does the Splunk App for PCI Compliance work and what pre-built content is in it?
For the App to work, first you need to index in Splunk Enterprise the machine data/events relevant to your cardholder environment and the PCI DSS requirements that have to do with technical controls. This includes data sources such as anti-virus software, firewalls, authentication systems, vulnerability scan tools, and data loss prevention software. Secondly, you need to enable the App to perform lookups against external content such as asset, identity, and network segment information so the App can understand which specific assets, employees and network segments captured in your machine data are in-scope for PCI.
The App contains many pre-built, real-time correlation searches that then run against this underlying machine data/events from your cardholder environment to identify areas of PCI non-compliance for ten of the twelve requirements of PCI DSS that are technical and can be tracked in machine data.
Specific examples of PCI non-compliance that the App can detect include default credentials being used on systems in the PCI environment, credit card numbers moving unencrypted across the network, network connections going directly from the cardholder environment to an untrusted network segment, or outdated anti-virus software running on critical systems.
When the searches in the App identify PCI non-compliance, the App generates a “Notable Event” which in turn is mapped back to a specific PCI requirement and appears on a main PCI Compliance Posture page which shows overall compliance across all ten requirements and is shown below.
These Notable Events can then be investigated and remediated via an Incident Review page in the App. Lastly, the App contains many pre-built scorecards and reports for the 10 requirements so you can drill into areas of non-compliance or see the compliance history for each requirement.
Want more detail on what data sources the App needs so its scorecards and reports will populate and so all the correlation searches are looking at relevant data? Then see this page here in the documentation for detail and then click on the reports on the page.
Check out the following demo video for more information…
What are the benefits of using the Splunk App for PCI Compliance?
Key benefits include the ability for users to:
- Measure the overall effectiveness and status of PCI compliance technical controls in real-time
- Identify and investigate area of non-compliance
- Meet PCI requirements for audit trail collection and review (requirement #10)
- Perform fast and flexible searches to quickly answer any auditor ad-hoc data request
Plus, with the App monitoring your PCI compliance on a real-time, continuous basis, this means end-of-quarter or audit-time fire drills can be a thing of the past!
I already own the prior version of the App for PCI v2.1. What is new in v3.0?
- Updated for the latest PCI DSS 3.1 standard
- New searches and panels that detect usage of SSL and TLS 1.0/1.1, which PCI DSS 3.1 has deemed to be weak encryption standards
- Better scale and speed
- Accomplished via re-architecture of underlying backend
- New architecture uses more modern Splunk capabilities such as TSIDX stats, data model acceleration, and more efficient searches
- New architecture re-uses many components (frameworks/Supporting add-ons) from Splunk Enterprise Security 4.0
- User interface updated
- More closely matches the look and feel of Splunk Enterprise Security including new Incident Review page
- New user interface uses Simple XML and more time range pickers
How do I purchase or get an evaluation version of the App? I can’t seem to do this via its Splunkbase page?
This App was built and tested by Splunk. It also is officially supported by Splunk and has a full set of documentation. Accordingly, it has a price and is not free. Please contact sales here to inquire about pricing or an evaluation. Once given access to the App, you can download it directly from Splunkbase.
So with that, hopefully you now have a better understanding of how the App works, the value it delivers, and will contact Splunk to learn more.
Sr. Product Marketing Manager, Security and Compliance