Using DLP to prevent credit card breaches

I think that Data Loss Prevention is a great way to detect and prevent payment card and PII data breaches.

Certainly, all the DLP vendors think so. The only problem is that the PCI DSS Council doesn’t even mention DLP in its standard, which pretty much guarantees zero regulatory tailwind for DLP sales to payment card industry players.

I’m actually impressed that Symantec didn’t manage to influence the PCI DSS council to include DLP in the standard. An impressive display of professional integrity and technology blindness.

A while back, we did a software security assessment for a player in the online transaction space.

When I asked the client and auditor what kind of real-time data loss monitoring they have in place, just in case they have a bug in their application and/or one of their business partners or trusted insiders steals data, the answers were like “umm, sounds like a good idea but it is not required by PCI DSS 2.0”.

And indeed the client is correct.

PCI DSS 2.0 does not require outbound, real-time, or any other kind of data loss monitoring.

The phrases “real time” and “data loss” don’t appear in the standard. The authors of the standard like file-integrity monitoring but in an informal conversation with a PCI DSS official in the region, he confessed to not being familiar with DLP.

Here are a few PCI monitoring requirements.

None of these controls directly protect the payment card data from being breached. They are all indirect controls, and very focused on external attackers – not on trusted insiders or business partners.

  1. Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
  2. If automated monitoring of wireless networks is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to personnel.
  3. Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
  4. Monitor and analyze security alerts and information, and distribute to appropriate personnel.
  5. Verify through observation and review of policies, that designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.

Oh man.


2 thoughts on “Using DLP to prevent credit card breaches”

  1. I LOLed when I read your comment on PCI: “An impressive display of professional integrity and technology blindness.” Ditto on Middleware technology. If it’s not an application or a database they don’t want to know b/c they can’t secure it with perimeter security. 3 words: Virtualization, Telemetry and Social Engineering. It’s great that they are “trying” to make a difference. It would be better if they listened to those of us in the trenches.

  2. The fixation on perimeter security in PCI is true to the point of absurdity. Recently, a PCI auditor for one of our clients stubbornly insisted that all the traffic from the database cluster to the application servers must be routed through a firewall. I pointed out that this could significantly impact availability and performance (and just like Cassandra – it did….) and also increased (not decreased) the threat surface. I suggested instead, that the cluster be placed on a separate segment and that the Linux db servers be configured with iptables limiting traffic to the application server cluster only. So – the answer from the PCI auditor was that “you can’t install additional applications on the database server according to section 2.4…..” At this point – I calmly pointed out that PCI is a data security standard and that inasmuch as security encompasses confidentiality, integrity and availability – he was in fact reducing the security profile of the client – which seemed to me, counter to the intent of PCI. Needless to say – that really ticked him off and he said “you can’t lecture me on security” – and I said a) “Of course I can lecture you on security” and b) this conversation is over since you’re obviously using the golden rule – i.e. he who has the gold rules.
