PCI DSS 4.0 FIM Requirements Simplified with Qualys File Integrity Monitoring

Meeting PCI 4.0 FIM Requirements: Qualys FIM Has You Covered
Qualys FIM The Noise Cancellation Solution
Advanced Noise Cancellation in FIM with Threat Intelligence to Detect Malicious or Suspicious Hashes
Learn More about Qualys FIM
Additional Contributor

File Integrity Monitoring (FIM) is one of the essential requirements under PCI DSS 4.0. It helps organizations detect and respond to unauthorized changes in critical system files, configuration files, or content files, which is crucial for maintaining the security of cardholder data.

Organizations that handle credit card transactions are required to implement FIM as part of their compliance with PCI DSS 4.0 standards.

Meeting PCI 4.0 FIM Requirements: Qualys FIM Has You Covered

Here is a comprehensive list of PCI DSS 4.0 FIM-specific key requirements and information about what’s new.

10.2.1 Audit logs are enabled and active for all system components and cardholder data.

10.2.1.1 Audit logs capture all individual user access to cardholder data.
10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
10.2.1.3 Audit logs capture all access to audit logs.
10.2.1.7 Audit logs capture all creation and deletion of system-level objects.

Qualys FIM meets the above requirements by storing audit logs as FIM events on the Qualys Cloud platform. This approach ensures comprehensive compliance with each facet of Requirement 10.2.1, providing a secure and centralized method for monitoring, capturing, and managing critical audit information.

10.2.2 Audit logs record the following details for each auditable event:

User Identification
Type of Event
Date and Time
Success and Failure Indication
Origination of Event
Identity or name of affected data, system component, resource, or service (for example, name and protocol)

Qualys FIM ensures adherence to these requirements by capturing critical details within its FIM events. Check the accompanying screenshot to see how Qualys FIM provides a thorough and detailed record of auditable events.

10.3.4 File integrity monitoring or change-detection mechanisms are used on audit logs to ensure that existing log data cannot be changed without generating alerts.

Qualys FIM offers a robust solution to safeguard the integrity of audit logs. The FIM rules and specially crafted dashboard widgets are designed to meet this demand.

10.4.1.1 New Requirement: Automated mechanisms are used to perform audit log reviews.

Qualys FIM solution offers auto-correlation of events using Qualys Query Language (QQL), allowing you to match specific events based on specific criteria. This functionality enables the automatic creation of incidents and immediate notifications to designated SOC teams for further review.

Moreover, these incidents can be accessed through Public APIs and seamlessly integrated with any SIEM solution, facilitating additional correlations for comprehensive analysis.

Qualys FIM offers native integration with prominent SIEM solutions such as Splunk, IBM QRADAR, and Service Now. This compatibility streamlines your security infrastructure, ensuring smooth data flow and real-time insights.

10.5.1 Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.

Qualys FIM meets this requirement through its 13-month data retention policy, guaranteeing immediate accessibility to all events for comprehensive forensic analysis in the event of an incident.

10.7.2 New Requirement: Failures of critical security control systems, such as change-detection mechanisms, are detected, alerted, and addressed promptly.

The automated reporting capabilities are specifically tailored for non-compliant FIM assets. These reports, indicating where the FIM solution is not operational on hosts, are generated automatically and can be scheduled for timely delivery to designated recipients. This proactive approach gives security teams complete visibility, eliminating surprises during PCI audits and ensuring readiness for PCI 4.0 compliance.

11.5.2 A change-detection mechanism (file integrity monitoring tools) is deployed.

By activating Qualys FIM on your PCI-scoped assets, you gain comprehensive coverage for this requirement.

12.10.5 The security incident response plan includes monitoring and responding to alerts from Change-detection mechanisms for critical files.

A3.5.1 A methodology is implemented to promptly identify attack patterns and undesirable behavior across systems.

Qualys FIM offers an Incident Management Workflow that allows manual and automated incident creation. This feature is highly configurable, enabling the automatic incident generation based on specific criteria such as:

Deletion of activities by non-privileged users,
Detection of changes in ownership or permission by non-privileged users,
Detection of malicious or suspicious files on the host,
Unauthorized modification of initialization files, and more.

This functionality streamlines incident response, helping organizations identify and address security concerns promptly.

7.2.4 Ensure user accounts and access remain appropriate based on job function.

Qualys FIM supports Role Based Access Control, which ensures that the FIM users have access only to the tasks they are authorized for. These roles give an additional level of security to accomplish required tasks and prevent users from accessing anything that’s beyond their assigned roles.

Qualys FIM – The Noise Cancellation Solution

FIM solutions often get a bad rap for creating unnecessary noise. But Qualys FIM is here to challenge that misconception head-on. We understand PCI DSS 4.0 and have designed our solution accordingly, with one primary focus: Noise Cancellation.

As per Requirement 10.3.4, the FIM solution should monitor files that do not regularly change, and new log data being added to an audit log should not generate an alert.

As per Requirement 11.5.2, the change-detection mechanisms, such as file integrity monitoring products, usually come pre-configured with critical files for the related operating system.

The idea here is to reduce noise because if your FIM solution is applied to files that undergo frequent changes, such as log files, configuration files, or temporary files, it may generate many alerts, leading to noise or excessive notifications.

It gets difficult for administrators or security teams to distinguish between legitimate and potentially malicious changes. Additionally, studies show that most teams ignore 30% of alerts due to difficulties creating IT support tickets and analyzing alert data, which leads to audit failures and security breaches.

So, here’s our promise: we’ll reduce the noise, and we’ll do it efficiently.

The Qualys FIM solution stands out with its expertly crafted library of essential file paths, meticulously chosen to minimize noise. These paths aren’t arbitrary; they are the most critical ones, carefully curated to meet PCI standards.

This library offers a simplified setup, eliminating the need for complex manual configurations. By leveraging this finely tuned library, administrators benefit from preconfigured settings that cover everything—from critical system files to configuration files, application files, directories, and registry objects—each selected for their vulnerability to unauthorized changes.

Focusing more on monitoring efforts on these critical files and directories ensures administrators receive only the most pertinent alerts. With Qualys FIM, you can enhance efficiency and clarity in your security operations.

Advanced Noise Cancellation in FIM with Threat Intelligence to Detect Malicious or Suspicious Hashes

Qualys FIM goes beyond traditional event monitoring. Integrating threat intelligence, specifically File Reputation context, helps users swiftly distinguish if a system change is suspicious or malicious.

Utilizing simple queries like the one below, Qualys FIM simplifies the process of finding unauthorized changes and potential threats:

not (actor.userName:’NT AUTHORITY’ or actor.userName:’root’) and (reputation Status:MALICIOUS or reputation Status: SUSPICIOUS)

This streamlined approach ensures rapid identification of security risks, making your security decisions smarter and more effective. By cutting through the noise, Qualys FIM helps you focus on what matters, promptly detecting malicious changes.

Learn More about Qualys FIM

Additional Contributor

Mukesh Choudhary, Senior SME, Qualys