Splunk App for PCI Compliance

See how the Splunk App for PCI Compliance can help you meet PCI requirements, measure the effectiveness and status of PCI compliance technical controls and more.


Video Transcript

Welcome to this demonstration of the Splunk App for PCI Compliance, which we'll call the app. The app, which is developed and supported by Splunk, is used to meet PCI requirements for audit trail collection and review, to measure the overall effectiveness and status of PCI compliance technical controls in real time, and to identify and investigate areas of non-compliance. Let's get started.

We're starting off here on the PCI Compliance Posture page, which gives us an overview of our overall state of PCI compliance. Driving this page are pre-built Splunk correlation searches that run against underlying machine data in Splunk to identify areas of PCI non-compliance, such as default credentials being used or credit card numbers moving unencrypted across the network. When a correlation search is violated, the app generates what we call a notable event, which in turn is mapped back to a specific PCI requirement.

Up at the top here, the Compliance Status panel shows us our notable events over the last 24 hours by urgency and by owner. And further down here, we have colored circles for each of the 10 requirement areas which are trackable via events and machine data generated by other products in the cardholder environment. Green, orange, and red indicate in compliance, compliance in progress, and non-compliance, respectively.

Further down, we have a notable event history as well as notable event history by requirement. And it's important to point out that basically every graphic and image on this page, as well as on every page in the app, can be clicked on to easily drill down to the underlying detail. So let's continue by moving to the Incident Review page, which has information on all the notable events. We'll do this by starting here on requirement 7, related to access monitoring, which shows 20 new events and a red-colored circle.

Let's click on the number here to move to the Incident Review page which will list these 20 notable events. On this page, we review notable events as well as initiate workflow on them so they're remediated appropriately. At the very top here, we have some filters to narrow down or expand the results. And to the right here, we have a timeline of matching notable events. Below this we have a list of all our notable events in chronological order, and for each, we see the time generated, the title, urgency, status, and owner.

If we expand a notable event, we get more information on it. In this case, we see a machine in our PCI environment is exhibiting behavior related to brute force attacks. By expanding the notable event here, we can better understand the event context and severity. We see more information around the suspicious activity, and below it, more information around the involved assets and identities, which come in via lookups against an external asset or employee directory. These external lookups can be used to enrich raw events for reporting purposes or for correlation searches.

An example could be to only generate a notable event involving an employee not authorized to view PCI-related data, or an IPS attack targeting a server flagged as containing cardholder information. To the right, we see the correlation search that was violated and the specific PCI sub-requirements that were violated. And via a link, we can see all the raw logs of the authentication events that in aggregate violated the search. These logs come from authentication-related data sources such as Active Directory or Windows event logs.

Let's now show you the workflow built into the app. For demo purposes, let's just say we want to perform workflow actions on all these notable events to change their status to closed. We'll click here on Edit All 20 Matching Events. And notice up here the app allows the user to change the status and urgency and the owner, and even add comments here for each notable event. This allows you to assign notable events to the appropriate analysts as part of business processes.

So I'm going to close these all out and save the changes. And now let's go back to the PCI Compliance Posture page. If we scroll down here, we'll see the colored circle under requirement 7 has changed from red to green because we've closed out the events.

Now let's move on to continue to discuss scorecards. For each of the 10 PCI requirements tracked in the app, it has a scorecard with underlying detail on the related notable events. I'm going to select the scorecard here for requirement 1, which has to do with network traffic and other security devices related to PCI data.

Here is the detail behind PCI requirement 1. On this page, we see information on compliance status, notable events by urgency, and notable events by owner. Note at the lower left here is a list of the three reports behind requirement 1. As part of PCI compliance, these reports should be reviewed on a daily basis, and this list tells you whether each one has been viewed today. Let's drill into one of these reports via the top of the UI.

So the app has numerous reports for each major requirement, and I'll show you a couple of them here. These reports, unlike scorecards, include raw event detail and not just notable events. We're now on the report for network traffic activity. Notice at the top, the filters appear again to narrow down the underlying data in the panels on the page. For example, by using the dropdown filters up here, we could isolate traffic flows to just the ones we're interested in. In this case, perhaps we want to see just the traffic flows from the cardholder environment to an untrusted environment, which is a violation of PCI compliance.

And by doing that and clicking Submit, we're now going to see the relevant flows all updated down here on all the other panels on the page. Here we can hone in on the traffic by source and destination domain. Over on the right, we have recent notable events. And then further down, we get the raw traffic detail from all the firewalls and other network security products in the environment.

And we can click on this to get down to the raw detail if need be. So with that, we conclude the demo. Hopefully you've seen how the Splunk App for PCI Compliance uses correlation searches, an incident review framework, dashboards, and reports to enable efficient and continuous PCI compliance. Thanks for your time.