How Reveal(x) Supports PCI DSS Compliance
July 9, 2021
Since its launch in 2004, the Payment Card Industry Data Security Standard (PCI DSS) framework has mandated the use of intrusion detection and prevention systems to detect threats in the network. PCI specifically defines intrusion detection systems (IDS) as those that "compare the traffic coming into the network with known 'signatures' and/or behaviors."
The catch is that, for all their good intentions, IDS are for the most part regarded as a beacon of false alarms—required for security compliance, but ineffective in practice. Because PCI specifically calls out signature-based IDS, the lack of clarity around next-generation solutions creates a risk for adoption: if you trade in your traditional IDS for more effective next-generation tools, could you be sacrificing compliance?
ExtraHop Reveal(x) network detection and response (NDR) is a next-generation IDS solution that includes machine learning to offer higher-fidelity alerts across a broad spectrum of attacks. For organizations frustrated with the limitations of traditional IDS, we worked with cybersecurity advisor Coalfire to audit the capabilities of Reveal(x) against PCI DSS 3.2.1 to see how an organization using our solution might fare in a PCI audit.
Coalfire scrutinized how Reveal(x) performed as a full-spectrum intrusion detection solution, including behavior-based and anomaly-based detections, in support of PCI DSS 11.4, the requirement IDS is typically used to satisfy. In addition, Coalfire evaluated how Reveal(x) supports other PCI DSS compliance use cases, assigning a score for each requirement. They concluded that Reveal(x) helps organizations achieve compliance far beyond the capabilities of traditional IDS by extending coverage across requirements 2, 4, 8, 10, 11, and 12.
How Reveal(x) Helps Organizations Achieve Compliance
Device Inventory
Coalfire notes how the Reveal(x) device inventory functions fully support an organization's ability to assess connected hardware and software components, both as a standalone feature, and through integration with other products. They determined that this fully supports requirement 2.4.a.
Detections for Weak Ciphers and Passwords
While Coalfire maintains that configuration of systems is a customer's responsibility, they acknowledge that Reveal(x) supports controls 2.3 and 8.2.1 by monitoring for cleartext usernames and passwords.
Coalfire also credits "Reveal(x)'s ability to provide real time detection of weak cipher suites in that Reveal(x) performs real time monitoring and alerting for insecure ciphers in use." This feature helps organizations maintain coverage for requirements 4.1, 4.1.c, and 8.2.1.
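To make the two detection capabilities above concrete, here is an added example (not Reveal(x) code, and not part of the Coalfire assessment) of the kind of logic a network monitor applies: it inspects observed TLS sessions for deprecated protocol versions and weak cipher suites (requirement 4.1) and inspects authentication events for credentials sent over unencrypted protocols (requirements 8.2.1 and 2.3). The session and event records, the field names, and the weak-cipher marker list are all constructed for this example; the version policy of treating SSL and TLS 1.0/1.1 as not strong cryptography is this example's assumption, not a quotation from the standard.

```python
"""Flag TLS sessions with weak versions or cipher suites, and cleartext credential
exchanges, mapped to the PCI DSS requirements named in the post. All records below
are constructed sample data, not output from any real product."""
from collections import Counter
from dataclasses import dataclass

# Assumed policy for this example: SSL and early TLS are not strong cryptography.
WEAK_TLS_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings of IANA cipher-suite names that indicate broken or export-grade primitives.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")
# Protocols that carry credentials in cleartext unless wrapped in TLS.
CLEARTEXT_AUTH_PROTOCOLS = {"HTTP", "FTP", "TELNET", "POP3", "IMAP", "SMTP", "LDAP"}


@dataclass(frozen=True)
class Finding:
    host: str         # server whose configuration caused the finding
    requirement: str  # PCI DSS 3.2.1 requirement the finding maps to
    detail: str


def check_tls_session(rec):
    """Return 4.1 findings for a negotiated TLS session record."""
    findings = []
    if rec["version"] in WEAK_TLS_VERSIONS:
        findings.append(Finding(rec["server"], "4.1", f"negotiated {rec['version']}"))
    suite = rec["cipher"].upper()
    weak = [m for m in WEAK_CIPHER_MARKERS if m in suite]
    if weak:
        findings.append(Finding(rec["server"], "4.1",
                                f"weak cipher suite {rec['cipher']} ({', '.join(weak)})"))
    return findings


def check_credential_event(rec):
    """Return 8.2.1 (and, for admin sessions, 2.3) findings for an auth event."""
    findings = []
    cleartext = rec["protocol"] in CLEARTEXT_AUTH_PROTOCOLS and not rec.get("tls", False)
    if cleartext and rec.get("credential_seen"):
        findings.append(Finding(rec["server"], "8.2.1",
                                f"cleartext credential over {rec['protocol']} from {rec['client']}"))
        if rec.get("admin_access"):
            findings.append(Finding(rec["server"], "2.3",
                                    f"non-console admin access over cleartext {rec['protocol']}"))
    return findings


def audit(tls_sessions, credential_events):
    findings = []
    for session in tls_sessions:
        findings.extend(check_tls_session(session))
    for event in credential_events:
        findings.extend(check_credential_event(event))
    return findings


def summarize_by_requirement(findings):
    """Count findings per requirement, e.g. {'4.1': 3, '8.2.1': 2, '2.3': 1}."""
    return dict(Counter(f.requirement for f in findings))


# Constructed sample observations (hosts and suites are illustrative only).
TLS_SESSIONS = [
    {"client": "10.0.5.10", "server": "10.0.1.20", "version": "TLSv1.2",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},          # acceptable
    {"client": "10.0.5.11", "server": "10.0.1.21", "version": "TLSv1.0",
     "cipher": "TLS_RSA_WITH_RC4_128_SHA"},                       # old version + RC4
    {"client": "10.0.5.12", "server": "10.0.1.22", "version": "TLSv1.2",
     "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},                  # 3DES
    {"client": "10.0.5.13", "server": "10.0.1.23", "version": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384"},                         # acceptable
]
CREDENTIAL_EVENTS = [
    {"client": "10.0.5.10", "server": "10.0.2.5", "protocol": "HTTP", "tls": False,
     "credential_seen": True, "admin_access": True},   # admin login over plain HTTP
    {"client": "10.0.5.11", "server": "10.0.2.6", "protocol": "HTTP", "tls": True,
     "credential_seen": True, "admin_access": False},  # HTTPS: fine
    {"client": "10.0.5.12", "server": "10.0.2.7", "protocol": "FTP", "tls": False,
     "credential_seen": True, "admin_access": False},  # FTP USER/PASS in the clear
    {"client": "10.0.5.13", "server": "10.0.2.8", "protocol": "SMTP", "tls": False,
     "credential_seen": False, "admin_access": False}, # no credentials observed
]

if __name__ == "__main__":
    for f in audit(TLS_SESSIONS, CREDENTIAL_EVENTS):
        print(f"[{f.requirement}] {f.host}: {f.detail}")
    print(summarize_by_requirement(audit(TLS_SESSIONS, CREDENTIAL_EVENTS)))
```

In a real deployment the records would come from the sensor's decoded handshake and application-layer metadata rather than a list, and the weak-cipher list would be a maintained policy; the point of the example is that both checks need only negotiated parameters and protocol metadata, never the payload itself.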
Requirement 11.4, Intrusion Detection System
By combining machine learning with both behavior-based detections and pattern-based rules, Reveal(x) offers broad-spectrum, higher-fidelity alerts than traditional IDS technology. This extends coverage beyond known vulnerabilities to unknown techniques used by today's advanced threats, including zero-days, APTs, and supply chain attacks. Unlike traditional IDS, Reveal(x) also provides post-compromise detection should an attacker breach perimeter defenses, giving a comprehensive defense aligned with the twelve tactics of the MITRE ATT&CK Framework.
As Coalfire put it, "the Reveal(x) platform almost fully supports all of requirement 11. Reveal(x), an NG-IDS technology, can be used to meet and exceed the requirements for PCI DSS 11.4, commonly associated with traditional intrusion detection systems (IDS)." According to Coalfire, Reveal(x) uses both rules-based and behavior-based detections to support requirements 11.1, 11.1.1, and 11.4.
Compliance Plus Security in Any Environment
In their assessment, Coalfire looked at how Reveal(x) supports compliance in a range of environments, including on-premises, hybrid, and cloud. Coalfire concludes by saying, "the reviewed Reveal(x) solution can be effective in providing substantial support for PCI DSS payment entities' objectives and requirements. This opinion applies to public cloud, hybrid cloud, and on-premises scenarios."
While no single tool can achieve complete compliance alone, the assessment offers an answer for organizations that feel bound to an outdated technology. For a detailed look at how Reveal(x) supports PCI DSS compliance, download the white paper.