PCI DSS Compliance Internal Vulnerability Scan

Industry data indicates that PCI DSS Requirement 11, “Regularly test security systems and processes”, is the most commonly failed requirement. Vulnerability scanning (Requirement 11.2) is a key component of Requirement 11. AlienVault Unified Security Management (USM) combines PCI internal vulnerability scanning with all the essential security capabilities you need to demonstrate compliance, in a single, easy-to-use solution.

The Easiest Way to Pass the Most Commonly Failed PCI DSS Requirement

Are you trying to sort out what’s needed with respect to vulnerability assessment?

Let’s start at the beginning. There are six subsections in requirement 11 – only one subsection outlines vulnerability scanning requirements, while the other five subsections require entirely different security system tests or processes. AlienVault USM covers every part of requirement 11 that can be addressed through technology, rather than process.

Requirement 11.2 reads:

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

It then painstakingly breaks the subsection into nine sub-subsections describing what must be done, in language that will make your head hurt. So here’s the short version of what you need to know.

First, there’s a big difference between internal and external vulnerability scans. For external scans, you must enlist the services of an approved scanning vendor (ASV). The PCI council has approved over 100 companies to scan your internet-facing environment. So you do have options as far as which vendor you choose, but there is no other way to meet the external scanning requirement.

For internal vulnerability scans, here's some advice. Save yourself some heartburn by choosing a technology that was built with the PCI DSS requirements in mind. For example, section 11.2.1b states that you can only pass your audit if all vulnerabilities ranked “High-risk” (as defined in requirement 6.1) are resolved. Assigning a risk ranking to newly discovered vulnerabilities is therefore a prerequisite to meeting requirement 11.2.1b. Make sure your PCI vulnerability assessment technology can do this. Another key tip is to use multi-functional technology that combines automated asset discovery with vulnerability scanning, so you're not manually trying to document all of the systems on your network and how they're configured, and then cross-correlating the vulnerabilities that exist on them. Automating the asset discovery and vulnerability scanning process will make validation and remediation a whole lot easier.

PCI DSS Vulnerability Assessments with AlienVault™

AlienVault USM not only covers requirements 11.2.1b and 6.1, it is the easiest and most cost-effective solution to help you comply with the other sections of requirement 11, as well as the other nine technology-related requirements. USM comes with out-of-the-box PCI dashboards and reports to quickly monitor compliance, and costs a fraction of competitive solutions.

Use Passive, Active, and Continuous Vulnerability Scanning

One of the biggest concerns IT teams have with regular internal vulnerability scanning is the fear that it will impact network or system performance. That's why it's essential to have a range of assessment options for PCI compliance. Remember that the PCI DSS standard does not specify which scanning method you need to use, so you are free to deploy the right combination of scanning technologies to meet your unique requirements. Each scanning technology has its strengths and weaknesses, and thankfully AlienVault USM supports all three methods, with an integrated workflow and ticketing system:

  • In general, the more access your scanning technology has to an asset, the more accurate the results will be. Active and authenticated scans will deliver the most accurate findings, but they do require more processing power and will likely have a more significant impact on the systems and the network.
  • An alternative to active or authenticated scanning is to implement passive scans on assets that are in-scope for PCI DSS compliance, to reduce the effect of scans on your network.
  • Continuous vulnerability monitoring is another option to explore. AlienVault USM continually correlates the data in its dynamic asset inventory database with the data in our vulnerability database, to provide you with the most up-to-date information you need on the vulnerabilities in your network, in between your periodic scans.

Reduce False Positives for Faster Audits

When it comes time to remediate vulnerabilities, the less time spent removing false positives the better. With so many ways to meet the PCI DSS requirement for vulnerability assessment, AlienVault USM significantly reduces false positives, maximizing your time, and making those vulnerability reports look good for your PCI DSS assessor. Additionally, because USM combines asset inventory with vulnerability assessment in a single web-based console, remediation can be done quickly, easily and more accurately. Verification scans can be easily scheduled as soon as you've implemented the necessary patch or deployed a new configuration. What's more, each scan preserves a time-stamped historical record, so you can easily show your assessor that you're actively rescanning to achieve and maintain a compliant posture.
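To make the 11.2.1b pass criterion and the verification-rescan history concrete, here is an added example (not AlienVault code) that evaluates a time-stamped scan history: it applies an organisation-defined 6.1 risk ranking (the CVSS thresholds are an assumption, not PCI-mandated), treats "at least quarterly" as a maximum 90-day gap between scans (also an assumption), and fails the latest scan if any High-risk finding remains. The scan results are constructed sample data.

```python
"""Evaluate a PCI DSS 11.2 internal-scan history against the 11.2.1 pass criterion.

Added example, not AlienVault code. Assumptions: the risk_rank thresholds
are an organisation-defined 6.1 ranking, and "quarterly" is read as no
gap longer than QUARTER_DAYS between consecutive scans.
"""
from dataclasses import dataclass
from datetime import date

QUARTER_DAYS = 90  # assumption: "at least quarterly" read as a 90-day maximum gap


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str
    cvss: float


@dataclass(frozen=True)
class Scan:
    run_on: date           # time-stamp kept so the rescan history is auditable
    findings: tuple        # tuple[Finding, ...]


def risk_rank(cvss: float) -> str:
    """Organisation-defined 6.1 ranking (assumed thresholds)."""
    if cvss >= 7.0:
        return "High"
    return "Medium" if cvss >= 4.0 else "Low"


def evaluate(history):
    """Return (passes, reasons): cadence gaps plus unresolved High-risk findings."""
    history = sorted(history, key=lambda s: s.run_on)
    reasons = []
    for prev, cur in zip(history, history[1:]):
        gap = (cur.run_on - prev.run_on).days
        if gap > QUARTER_DAYS:
            reasons.append(f"{gap}-day gap between {prev.run_on} and {cur.run_on} exceeds quarterly cadence")
    for f in history[-1].findings:
        if risk_rank(f.cvss) == "High":
            reasons.append(f"unresolved High-risk finding {f.plugin} on {f.host} (CVSS {f.cvss})")
    return (not reasons, reasons)


# Constructed sample history: an initial scan with one High-risk finding,
# a verification rescan after the patch, then the next quarterly scan.
HISTORY = (
    Scan(date(2015, 1, 12), (Finding("db01", "openssl-outdated", 7.5), Finding("web02", "weak-cipher", 5.3))),
    Scan(date(2015, 1, 26), (Finding("web02", "weak-cipher", 5.3),)),   # verification scan
    Scan(date(2015, 4, 20), (Finding("web02", "weak-cipher", 5.3),)),
)

if __name__ == "__main__":
    ok, why = evaluate(HISTORY)
    print("PASS" if ok else "FAIL", *why, sep="\n")
```

Dropping the verification scan from the history both opens a 98-day gap and shows how the record proves remediation happened before the next quarterly scan.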

Fuel PCI Vulnerability Assessment with Integrated Threat Intelligence

Security and compliance are often positioned as divergent goals. It's true that improving your security posture doesn't guarantee you'll have an easier audit, and just because you've passed your audit doesn't mean you're secure.

Our advice is to use each to enhance the other. With integrated Threat Intelligence from AlienVault Labs powering your USM platform, you'll know exactly which vulnerabilities are being targeted, and by whom, and whether any of your systems are communicating with known malicious hosts. This will help you prioritize remediation and improve security, and it will also help you meet the PCI incident response requirements included in requirement 12. All of which are good.