StealthWatch Helps Demonstrate PCI Compliance

Lancope’s StealthWatch, a unified platform for flow-based security, network and application performance monitoring, delivers the visibility, accountability and measurability required to maintain Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) compliance across physical and virtual networks. StealthWatch leverages flow data from existing routers and switches to provide continuous monitoring throughout the enterprise. The system fills in the gaps between application logging and traditional, signature-based IDS/IPS to help organizations achieve and demonstrate comprehensive, network-wide compliance for sections of PCI requirements 1, 2, 8, 10, 11 and 12. 

StealthWatch supports PCI DSS compliance efforts by:

  • Supplying real-time visibility and awareness of network- and host-based behaviors down to individual users
  • Increasing user accountability for introducing security risks
  • Tracking, measuring and prioritizing network risks for faster remediation
  • Providing the in-depth data needed to conduct forensic analysis for security incidents
  • Easily extending network and security monitoring to virtual environments

    Increased Network Visibility to Ensure Compliance

    Compliance calls for “visibility into the risk management controls, the business and the assets being protected.1 StealthWatch supplies organizations with the means to:

    • Monitor and investigate individual host and broad network communications across physical and virtual environments
    • Maintain the network availability critical to the function of the payment card application
    • Passively discover and inventory the underlying assets of the payment card application’s network environment

    User Accountability for Security and Network Risks 

    Compliance also calls for increased levels of accountability within the enterprise. This includes identifying users responsible for all malicious, suspicious and accidental actions. StealthWatch supplies organizations with the means to:

    • Tie individual users to payment card performance problems
    • Connect individual users to the introduction of security risks inside the network
    • Support key principles of internal control including “segregation of duties” and “least privilege”

    Risk Measurement, Prioritization and Optional Mitigation 

    Measuring levels of risk and quantifying risk exposure are also key components of compliance. StealthWatch supplies organizations with the means to:

    • Rapidly identify and prioritize the greatest sources of risk to payment card data
    • Quickly respond to security incidents not addressed by traditional perimeter-based defenses
    • Determine and enhance the effectiveness of traditional security controls currently in place

      How StealthWatch Supports PCI DSS Compliance

      StealthWatch’s comprehensive network and security monitoring capabilities help organizations comply with many of the PCI DSS requirements by:

      PCI DSS Requirements 1 and 2 

      1.1.2

      Verifying that real-time network communications match the policies implied in the network diagram

      1.1.5

      Monitoring and profiling all services and ports in use on the network to:

      • Confirm that ports and services are necessary for normal business
      • Highlight those ports and services that may have been overlooked
      • Profile and optionally block unnecessary ports and services

      1.2

      Verifying firewall policy configurations by quickly identifying traffic that is out of compliance

      Optionally mitigating violations to firewall configuration policy

      Facilitating network segmentation planning, simulation and monitoring efforts by providing:

      • Valuable host and network communication patterns useful for network segmentation planning efforts
      • “Zone locking” to simulate network segments without disrupting actual network communications
      • Continuous network monitoring to ensure accidental misconfigurations are identified and remediated

      1.3.2

      Providing a means for restricting inbound Internet traffic to only IPs within the DMZ

      1.3.7 
      (PA-DSS 9.1)

      Employing zone locking technology to ensure that systems storing cardholder data are not connected to the Internet

      2.2.1

      Ensuring that each virtual machine within the network environment is only performing one primary function

      2.2.2

      Ensuring that unnecessary or unsecured protocols or services are not being consumed

      2.3
      (PA-DSS 12.1)

      Continuously monitoring the network for the presence of telnet, rlogin or other network protocols being used to gain administrative access without proper encryption

      PCI DSS Requirements 8 and 10

      8.5.6

      Determining when accounts are active and what they did during periods of activity

      10.1

      Auditing access to everything on the network and tying activity to an individual user, including administrative accounts

      10.1 - 10.3 
      (PA-DSS 4.1-4.3)

      Binding user names to IP addresses found in flows to:

      • Track login/logout activity
      • Link all activities conducted within the payment application to individual users
      • Expedite and streamline incident investigations

      10.5.3 
      (PA-DSS 4.4)

      Providing centralized logging of network flows to:

      • Extend mandatory centralization of application logs with centralized logging of each and every network connection made to/from the payment card application
      • Provide a comprehensive account of everything that happens within the payment environment
      • Ensure that organizations are 100% covered when it comes to the auditing of centralized logging regulations
      PCI DSS Requirements 11 and 12
      11.2 Continuously but passively monitoring host behaviors to look for deviations from normal processes. StealthWatch not only identifies signs of zero-day compromise, but also identifies anomalous network communications resulting from misconfigured files.
      11.4 Detecting compromised hosts based on how they are behaving, regardless of signature availability. When traditional IDS/IPS fails, StealthWatch fills the gap to detect zero-day attacks that bypass perimeter defenses, including walk-in worms and internal misuse and abuse.
      12.9 Supplying both the insight and tools necessary to respond quickly to security incidents with surgical precision

      To learn more or request a demo, contact sales@lancope.com.

      For more information on PCI requirements, visit

      1 Gartner, “The Chief Information Officer’s Guide to Compliance,” 12 January 2006, ID Number: G00136911