For any company that deals with credit cards, PCI DSS Compliance still reigns king. You may be aware of how our Threat Exposure Management solutions, Nexpose and Metasploit, have been designed to directly meet PCI DSS, as well as comply with many other standards. Today, let's look at how our Intruder Analytics solution, UserInsight, joins your security detail to identify threat actors across your ecosystem, whether it be attackers masking as employees, or insider threats.

Here is an excerpt of PCI requirements UserInsight can help with – check out the full list in the Rapid7 PCI DSS Version 3.0 Compliance Guide:

  • Requirement 3.5.1: UserInsight lets you monitor which users access critical systems or restricted network zones that may hold cryptographic keys. This provides you with an access audit trail.
  • Requirements 6.4.1 & 6.4.2: You can define the production environment as a network zone, and receive automatic alerts if an outside group (e.g. developers) authenticates into that closed off area/segment/zone.
  • Requirements 7.1, 7.1.1, 7.1.2:UserInsight lets you flag systems in the cardholder data environment (CDE) as critical, and alerts you to unusual authentications. A common step in the attack chain is to use an exploit to elevate a compromised user's privileges. Any user that has an unexpected privilege escalation, which could be used to access a CDE system will trigger an automatic alert. Further, you have instant visibility into the administrators and privileged users within the organization. With automatic insight into endpoints, you detect local lateral movement and pass-the-hash attacks as well.
  • Requirements 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5: UserInsight helps you monitor user behavior from the endpoint to the cloud. Attackers love to gain a foothold on the network through disabled users, cloud services, and by attacking endpoints. By being designed by a team with a deep knowledge of attacker methodology, UserInsight identifies compromised credentials as well as risky internal behavior, such as shared accounts and unnecessary administrators.
  • Requirement 8.2.4: You'll have instant visibility into accounts with passwords set to never expire, as well as the date the password was last changed.
  • Requirements 10.1, 10.2: UserInsight collects a variety of logs across your network, correlates them by user, and tracks authentication attempts, giving you full visibility. Administrative activity across both on-premise and cloud services (IaaS, SaaS and PaaS) are tracked, helping identify previously unknown administrators as well as intruders using compromised credentials to lurk on your systems. Through an Agentless Endpoint Monitor, we can even identify actions taken on your endpoints, including local lateral movement and log deletion – two behaviors any security administrator wants to know about.
  • Requirement 10.6.1: Security teams are already strained by false-positive alerts, parsing through disparate log data, and writing and maintaining rules. UserInsight sanitizes your logs down to the security-relevant events and stores them in perpetuity. By aggregating and running analytics on your endpoint, on-premise, and cloud services, there is a complete picture of user activity – you receive only the alerts that matter. By helping you store your security data on the UserInsight platform, you have a permanent audit trail that can't be tampered or deleted by the attacker.

Please see a more comprehensive description of how UserInsight helps you comply with PCI DSS 3.0 in the Rapid7 PCI DSS Version 3.0 Compliance Guide.

UserInsight provides benefit to many compliance frameworks outside of PCI DSS, such as the SANS Critical Security Controls. Of course, our vision extends beyond compliance; UserInsight looks to automatically detect attacks, help you quickly investigate security incidents, and monitor user behavior across your entire network ecosystem. Learn more about UserInsight.