top of page
Search
danielpwilson

PCI with Splunk - Wireless

Updated: Feb 7, 2019


So this is the first post in many in solving PCI with Splunk. A couple years ago I was asked to solve the following requirement


Problem

11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

- WLAN cards inserted into system components

- Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.)

Basically you need to be able to PROVE that someone didn't walk up install a wireless NIC on your server and do a quick ad-hoc dump of files.


The Assumption

For the most part Windows and Linux event logs solved the problem for us in previous years. We create alerting/Notables on that and we're set.

- We had to handhold the auditors through the logs

- But it made for poor reporting and wasn't really "aligned" to PCI as much as it was an after thought. The data lacked that PCI metadata.

- We also had the problem of spam from the alert and USB usage was common place. I as was our auditor were more concerned with Network activity.


Response -

In response to this ask I wrote this TA right here. I set out to solve the host wireless problem as fast as possible and as simple as possible.

https://splunkbase.splunk.com/app/3263/


Benefit -

- reduction in log spam

- Cleaner logs and easier to read logs

- Improved reporting and better self service in Splunk for our PCI team and auditors.

- Dedicated sourcetypes and inputs








22 views0 comments

Recent Posts

See All

Comments


Post: Blog2_Post
bottom of page