PCI DSS 3.2 Requirement 11: Regularly Test Security Systems and Processes

Applies to Product: USM Appliance™ AlienVault OSSIM®

Each requirement below is listed as: Testing Procedure, How USM Appliance Delivers, USM Appliance Instructions, and USM Appliance Documentation (the documentation topic to consult for the instruction).

Testing Procedure: 11.1.d If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to notify personnel.

How USM Appliance Delivers: USM Appliance can raise alerts for events that are collected and sent to the SIEM.

USM Appliance Instructions: Verify that policies, especially those in the "Policies for events generated in server" section, are enabled and configured with an Action that sends an email to the appropriate contact. Confirm the path end to end by generating an event that matches the policy and checking that the email actually arrives; an enabled policy whose mail relay is unreachable notifies nobody.

USM Appliance Documentation: Tutorial: Create a Policy to Send Emails Triggered by Events

Testing Procedure: 11.1.1 Examine documented records to verify that an inventory of authorized wireless access points is maintained and a business justification is documented for all authorized wireless access points.

How USM Appliance Delivers: USM Appliance provides asset management features that can assist in collecting this data. Asset scans discover devices reachable on the scanned networks; the business justification for each access point is information you record on the asset yourself.

USM Appliance Instructions:
• Schedule asset scans to run regularly in USM Appliance. (Documentation: Running Asset Scans)
• Run the existing Asset Report for an inventory of all assets. (Documentation: How to Run Reports)
• If you find any information outdated or missing, edit the asset to enter the appropriate information. (Documentation: Editing the Assets)

Testing Procedure: 11.2.1.a Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period.

How USM Appliance Delivers: Configure vulnerability scans in USM Appliance, scheduled so that at least one internal scan runs every quarter, to satisfy this requirement.

USM Appliance Instructions: See scan results under Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify the dates of the scans. Keep the scan jobs, or exported copies of their reports, for the full 12 months, since the assessor needs evidence of all four.

USM Appliance Documentation: Viewing the Scan Results

Testing Procedure: 11.2.1.b Review the scan reports and verify that the scan process includes rescans until all “high-risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved.

How USM Appliance Delivers: Configure vulnerability scans in USM Appliance to satisfy this requirement. The scanner reports the findings; the rescan loop is a process you run: remediate, rescan the same targets, and repeat until no high-risk vulnerability remains.

USM Appliance Instructions: See scan results under Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify the dates of the initial scan and of each rescan. The most recent scan of each target should show no remaining high-risk findings.

USM Appliance Documentation: Viewing the Scan Results

Testing Procedure: 11.2.3.b Review scan reports and verify that the scan process includes rescans until:
• For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
• For internal scans, all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.

How USM Appliance Delivers: Configure vulnerability scans in USM Appliance to satisfy this requirement. USM Appliance keeps copies of scan results; use them to show that ongoing internal scanning, including rescans after remediation, is being performed.

USM Appliance Instructions: See scan results under Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify the dates of scans. Check each finding's CVSS score against the 4.0 threshold for external scans, and against your Requirement 6.1 risk ranking for internal scans.

USM Appliance Documentation: Viewing the Scan Results
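The checks in the 11.2.1 and 11.2.3 rows above (quarterly cadence, rescan until resolved, the CVSS 4.0 floor for external scans) can be written down as a small script run over a transcribed scan-job list. This is an added example, not USM Appliance code; the page describes no API for this, so it assumes you copy each scan job's Launch Time, scope and findings into the ScanJob records below. The field names, the 91-day quarter convention and the sample scans are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical records transcribed from Environment > Vulnerabilities > Scan Jobs. The field
# names are this example's own, not a USM Appliance schema.


@dataclass
class Finding:
    name: str
    cvss: float
    high_risk: bool = False   # ranked "high" by the entity's Requirement 6.1 process


@dataclass
class ScanJob:
    launch_time: date
    scope: str                # "internal" or "external"
    findings: list = field(default_factory=list)


QUARTER_DAYS = 91             # 4 x 91 days covers the year; a bucketing convention, not PCI text
EXTERNAL_CVSS_FLOOR = 4.0     # 11.2.3.b: external scans must show nothing scored 4.0 or higher


def missing_quarters(scans, as_of):
    """Return the (start, end] 91-day windows in the year before as_of that contain no scan."""
    gaps = []
    for i in range(4):
        end = as_of - timedelta(days=i * QUARTER_DAYS)
        start = end - timedelta(days=QUARTER_DAYS)
        if not any(start < s.launch_time <= end for s in scans):
            gaps.append((start, end))
    return gaps


def breaches(scan):
    """Findings that stop this scan from passing under its scope's threshold."""
    if scan.scope == "external":
        return [f for f in scan.findings if f.cvss >= EXTERNAL_CVSS_FLOOR]
    return [f for f in scan.findings if f.high_risk]


def outstanding(scans, scope):
    """Breaching findings on the latest scan in scope: [] means the rescan loop has closed,
    None means no scan of that scope exists at all."""
    in_scope = [s for s in scans if s.scope == scope]
    if not in_scope:
        return None
    latest = max(in_scope, key=lambda s: s.launch_time)
    return breaches(latest)


def review(scans, as_of):
    """Summarise 11.2.1.a (cadence) and 11.2.1.b / 11.2.3.b (rescan until clean) in one dict."""
    internal = [s for s in scans if s.scope == "internal"]
    return {
        "missing_internal_quarters": missing_quarters(internal, as_of),
        "open_internal": [f.name for f in (outstanding(scans, "internal") or [])],
        "open_external": [f.name for f in (outstanding(scans, "external") or [])],
    }


# Constructed sample: a high-risk finding in February closed by a rescan, three clean internal
# scans later in the year, and an external scan still carrying a CVSS 5.0 finding.
SAMPLE_SCANS = [
    ScanJob(date(2017, 2, 1), "internal", [Finding("HIGH-1", 7.5, high_risk=True)]),
    ScanJob(date(2017, 2, 20), "internal", []),
    ScanJob(date(2017, 5, 3), "internal", [Finding("LOW-1", 3.1)]),
    ScanJob(date(2017, 8, 10), "internal", []),
    ScanJob(date(2017, 11, 5), "internal", []),
    ScanJob(date(2017, 11, 6), "external", [Finding("MED-1", 5.0)]),
]
AS_OF = date(2017, 12, 31)

if __name__ == "__main__":
    print(review(SAMPLE_SCANS, AS_OF))
```

For the sample above the review reports no missing internal quarters and no open internal findings, but one open external finding (MED-1 at CVSS 5.0), which is exactly the case where the assessor will ask for the follow-up scan. The 91-day buckets are deliberately strict: a scan in January and the next in May leaves a gap the script flags even though both fall in "the last 12 months".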

Testing Procedure: 11.4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic:
• At the perimeter of the cardholder data environment
• At critical points in the cardholder data environment.

How USM Appliance Delivers: USM Appliance provides NIDS/HIDS functionality and NetFlow information to trace data flow.

USM Appliance Instructions: From Analysis > Security Events, select “AlienVault NIDS” from the Data Source drop-down. Verify that events are being generated from network traffic that is not local to the USM Appliance device, which shows that the sensor is actually receiving the mirrored or tapped traffic from the perimeter and critical points rather than only its own.

USM Appliance Documentation: Security Events Views

Testing Procedure: 11.4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.

How USM Appliance Delivers: USM Appliance provides NIDS/HIDS functionality and NetFlow information to trace data flow.

USM Appliance Instructions: From Analysis > Security Events, select “AlienVault NIDS” from the Data Source drop-down. Verify that events are being generated from network traffic that is not local to the USM Appliance device. For the "maintained and updated" part of the procedure, also confirm that the NIDS signatures are current: they are delivered through the appliance's threat intelligence updates, so check that those updates are being applied on schedule.

USM Appliance Documentation: Security Events Views

Testing Procedure: 11.5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities.
Examples of files that should be monitored:
• System executables
• Application executables
• Configuration and parameter files
• Centrally stored, historical or archived, log and audit files
• Additional critical files determined by entity (i.e., through risk assessment or other means)

How USM Appliance Delivers: USM Appliance provides registry integrity monitoring and File Integrity Monitoring (FIM) through AlienVault HIDS. Confirm that the HIDS agents' monitored paths actually cover the file classes listed in the testing procedure on each in-scope system; the mechanism only detects changes to what it watches.

USM Appliance Instructions:
• Create a Security Events view that searches for an Event Name containing "integrity" with the Data Source set to "AlienVault HIDS". Then export the view as a report module and run the report. (Documentation: Create Custom Reports from SIEM Events or Raw Logs)
• Additionally, create a directive that raises an alarm on HIDS integrity change events, so that a modification triggers an immediate alarm rather than waiting for the report. (Documentation: Tutorial: Create a New Directive to Detect DoS Attack; the tutorial's subject differs, but the steps for building a directive are the same)
• Examine long-term logging under Analysis > Raw Logs by searching for events containing "integrity" with the data source "AlienVault HIDS". (Documentation: Search Raw Logs)

Testing Procedure: 11.5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly.

How USM Appliance Delivers: USM Appliance provides File Integrity Monitoring (FIM) through AlienVault HIDS. Check that the agents' integrity check interval is weekly or shorter, and verify the alerting end to end by making a controlled change to a monitored file on a test system and confirming that the HIDS event, the alarm and the notification all appear.

USM Appliance Instructions:
• Create a Security Events view that searches for an Event Name containing "integrity" with the Data Source set to "AlienVault HIDS". Then export the view as a report module and run the report. (Documentation: Create Custom Reports from SIEM Events or Raw Logs)
• Additionally, create a directive that raises an alarm on HIDS integrity change events, so that a modification triggers an immediate alarm rather than waiting for the report. (Documentation: Tutorial: Create a New Directive to Detect DoS Attack; the tutorial's subject differs, but the steps for building a directive are the same)
• Examine long-term logging under Analysis > Raw Logs by searching for events containing "integrity" with the data source "AlienVault HIDS". (Documentation: Search Raw Logs)
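As an added illustration of what the change-detection mechanism in the 11.5 rows above has to do (this is not code from USM Appliance or the AlienVault HIDS agent), the following script baselines a directory tree by content hash, permission bits and size, then reports additions, deletions and modifications against that baseline, which is the comparison 11.5.b asks to be run at least weekly. The paths and file contents in run_demo are constructed for the example.

```python
import hashlib
import os
import tempfile

HASH_BLOCK = 65536


def file_digest(path):
    """SHA-256 of a file's contents, read in blocks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(HASH_BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (path relative to root) to (sha256, mode bits, size).

    Symlinks are skipped so that a link repointed elsewhere cannot pass as an unchanged file.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (file_digest(full), st.st_mode & 0o7777, st.st_size)
    return baseline


def compare(old, new):
    """Return the three classes of modification 11.5.b names: additions, deletions and changes."""
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "deleted": deleted, "changed": changed}


def _write(root, rel, data):
    """Helper for the constructed scenario: create rel (with parent dirs) under root."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed scenario: baseline a tree, then add, edit and delete files, and compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", b"debug=0\n")
        _write(root, "etc/keys.pem", b"-----CONSTRUCTED KEY-----\n")
        _write(root, "bin/run", b"#!/bin/sh\necho ok\n")
        baseline = snapshot(root)

        _write(root, "etc/app.conf", b"debug=1\n")   # same size, different content
        os.remove(os.path.join(root, "etc", "keys.pem"))
        _write(root, "bin/dropper", b"#!/bin/sh\n")    # unexpected new executable
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

The edited configuration file keeps its size, so a size-only check would miss it; hashing the content is what catches it. Running a script like this on a test system and then checking that the same paths surface as HIDS integrity events in Analysis > Security Events is a direct way to confirm the agent's monitored paths and alerting before an assessment.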