3 Replies Latest reply on Jul 28, 2017 8:02 AM by marcusmm8

    FIM Alerts for PCI compliance

    ezguine

      I am having difficulty finding information on what alerts need to be given from LEM to satisfy our auditors.  I am aware of what needs to be monitored and have my LEM setup for monitoring.  

      It is the alerting I am having issues with.  What alerts need to be given, specifically?  I know any monitored file change, or read or write, or permission change, but that would be several thousand alerts a day.

      As an example, I have a file server.  I have the FIM connector setup with the PCI template (C:\, Windows, System32 for ini, exe, dll, bat and such) C:\Program files and 2 directories which hold PCI data.  

      Directory 1.) Holds credit card data.  Auditors say must monitor for all file reads, creates, writes and deletes and permission changes.     Hundreds of FIM events per day just for this directory

      Directory 2.) Holds voice recording files. Auditors also say must monitor for all file reads, creates, writes and deletes and permission changes.   There is an automated process that downloads, extracts then copies fresh voice files into the monitored directory.  We are a call center; thousands of calls per day generate thousands of voice files.   These files generate logs that the files are created first as .tmp files, then new permissions are assigned to them (inherited from directory permissions).

      To make a long story short, the auditors only repeat like parrots all file reads, creates, writes and deletes must generate an alert and I have no idea what I can exclude and still keep them happy.  

      I appreciate any direction on this; we are really stuck.

       

      EZguine

        • Re: FIM Alerts for PCI compliance
          jrouviere

          Unfortunately this is a conversation few are going to be able to contribute to significantly.  Here's what my suggestion would be:

           

          Clarify what they mean when they say "alert".  To Support, an Alert is an e-mail notification.  If you need to get an e-mail or other active notification any time one of these file actions is taken you're going to be hard pressed to find a tool (or an exchange server) that will keep up with that volume.

           

          However, if all they need is that an event is generated, logged, and monitored in some form then there are easier ways to accomplish this.  Firstly, if you have FIM set up and you're watching that directory, you already have the generation and logging in hand.  At that point you will likely want to demonstrate that you're reporting on it or monitoring it in some fashion on an ongoing basis, but the auditor tends to have the final say on what they are looking for and what is good enough.

            • Re: FIM Alerts for PCI compliance
              mesverrum

              jrouviere is right, you have to pick apart what they want from you. 

               

              In some environments where I have worked with clients on LEM their auditors were looking for periodic reports highlighting anomalies, along with some kind of indication that these reports were being reviewed and investigated within a specified time frame. 

               

              One elegant method I came across for organizing the mess of reports that people can end up with was that for every line item they were addressing from their standards they would name the report to match it.  So if the report was intended to satisfy the third requirement of their standard they were saving them to a file share and naming the folder Requirement 3, put all the relevant reports into that folder, established their policy regarding the reports and how they were to be investigated/acknowledged and included it as a document in the folder.  That way when they sat down with the auditor it was extremely simple to roll through the list with them and have all the necessary information at hand.

            • Re: FIM Alerts for PCI compliance
              marcusmm8

              What I usually do is create a group of false positives (which is updated constantly in order to decrease false positives in reporting and also provides evidence of review). In addition, I schedule a daily search report which is emailed, so there is evidence of the daily summary report being received in the morning. Once the report is received, I look to see if there are any anomalies.

               

              For live monitoring, I use a filter which has the same query as the scheduled reporting.

               

              NOTE: the false positives usually occur on workstations. However, servers should not have many false positives if your FIM configuration is looking for the correct extensions (the exception being patching cycles).
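The workflow marcusmm8 describes (a maintained false-positive group, the same query feeding a daily report and a live filter, and evidence that the group itself is reviewed) can be sketched in code. The block below is an added example written for this thread; it is not LEM's own filter or group syntax, which is configured in the product UI. The event fields, the rule format, and every host, account, path and rule name are constructed for illustration. It suppresses the noise the original post describes (the ingest service's .tmp creates and inherited-ACL changes, and the patching window), leaves everything else, including the same actions performed by a human account, in the review list, and flags exclusion rules that nobody has looked at recently.

```python
"""Triage FIM events against a maintained false-positive group.

Hypothetical example: the event schema and rule format are assumptions,
not LEM's native representation.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FimEvent:
    time: str
    host: str
    path: str
    action: str          # create | read | write | delete | permission_change
    user: str
    process: str


@dataclass(frozen=True)
class ExclusionRule:
    """One entry of the false-positive group, with its justification and review date."""
    name: str
    path_glob: str                      # matched case-insensitively against the full path
    actions: frozenset
    user: Optional[str] = None          # None matches any account
    process: Optional[str] = None       # None matches any process
    justification: str = ""
    last_reviewed: str = "1970-01-01"   # ISO date: evidence the rule is still reviewed

    def matches(self, ev: FimEvent) -> bool:
        if ev.action not in self.actions:
            return False
        if not fnmatchcase(ev.path.lower(), self.path_glob.lower()):
            return False
        if self.user is not None and ev.user.lower() != self.user.lower():
            return False
        if self.process is not None and ev.process.lower() != self.process.lower():
            return False
        return True


def triage(events, rules) -> Tuple[List[FimEvent], Counter]:
    """Split events into anomalies (to review) and suppressed (counted per rule).
    The same rule list drives both the daily report and a live filter."""
    anomalies, suppressed = [], Counter()
    for ev in events:
        rule = next((r for r in rules if r.matches(ev)), None)
        if rule is None:
            anomalies.append(ev)
        else:
            suppressed[rule.name] += 1
    return anomalies, suppressed


def stale_rules(rules, today: str, max_age_days: int = 90) -> List[str]:
    """Names of rules not reviewed within max_age_days (an unreviewed
    exclusion list is exactly what an auditor will challenge)."""
    ref = date.fromisoformat(today)
    return [r.name for r in rules
            if (ref - date.fromisoformat(r.last_reviewed)).days > max_age_days]


def daily_report(events, rules, today: str) -> str:
    """Plain-text summary suitable for the scheduled morning e-mail."""
    anomalies, suppressed = triage(events, rules)
    lines = [f"FIM daily summary for {today}",
             f"events received: {len(events)}, suppressed: {sum(suppressed.values())}, "
             f"to review: {len(anomalies)}",
             "suppressed by rule:"]
    for r in rules:
        lines.append(f"  {r.name}: {suppressed[r.name]} ({r.justification})")
    lines.append("events requiring review:")
    for ev in anomalies:
        lines.append(f"  {ev.time} {ev.host} {ev.action:17} {ev.user} via {ev.process} -> {ev.path}")
    overdue = stale_rules(rules, today)
    if overdue:
        lines.append("exclusion rules overdue for review: " + ", ".join(overdue))
    return "\n".join(lines)


# Constructed sample data: hosts, accounts, paths and rule names are made up.
RULES = [
    ExclusionRule("voice_ingest_tmp", r"D:\VoiceRecordings\*.tmp",
                  frozenset({"create", "write", "delete"}), user=r"CORP\svc_voice_ingest",
                  justification="ingest job writes .tmp then renames to .wav",
                  last_reviewed="2017-07-01"),
    ExclusionRule("voice_ingest_acl", r"D:\VoiceRecordings\*",
                  frozenset({"permission_change"}), user=r"CORP\svc_voice_ingest",
                  justification="inherited folder ACL applied to each new file",
                  last_reviewed="2017-07-01"),
    ExclusionRule("windows_patching", r"C:\Windows\*",
                  frozenset({"create", "write", "delete"}), user=r"NT AUTHORITY\SYSTEM",
                  process="TiWorker.exe",
                  justification="Windows servicing stack during the patch window",
                  last_reviewed="2017-03-01"),
]

EVENTS = [
    FimEvent("08:00:01", "FS01", r"D:\VoiceRecordings\0728\call001.tmp", "create", r"CORP\svc_voice_ingest", "ingest.exe"),
    FimEvent("08:00:01", "FS01", r"D:\VoiceRecordings\0728\call001.tmp", "write", r"CORP\svc_voice_ingest", "ingest.exe"),
    FimEvent("08:00:02", "FS01", r"D:\VoiceRecordings\0728\call001.wav", "permission_change", r"CORP\svc_voice_ingest", "ingest.exe"),
    FimEvent("09:14:37", "FS01", r"D:\CardData\settlement_0727.csv", "read", r"CORP\jdoe", "excel.exe"),
    FimEvent("11:02:10", "FS01", r"D:\VoiceRecordings\0728\call001.wav", "permission_change", r"CORP\jdoe", "explorer.exe"),
    FimEvent("03:10:00", "FS01", r"C:\Windows\System32\drivers\x.sys", "write", r"NT AUTHORITY\SYSTEM", "TiWorker.exe"),
    FimEvent("14:45:12", "FS01", r"C:\Windows\System32\x.dll", "write", r"NT AUTHORITY\SYSTEM", "cmd.exe"),
]

if __name__ == "__main__":
    print(daily_report(EVENTS, RULES, "2017-07-28"))
```

Two design points matter for the audit conversation. Rules are scoped to the account and process that legitimately cause the noise, so an interactive user changing an ACL in the voice directory, or something other than the servicing stack writing under C:\Windows, still lands in the review list. And every rule carries a justification and a review date, so the exclusion group is itself reviewable evidence rather than a silent blind spot.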