Data Center Security

  • 1.  SDCS:SA 6.5 - Tips on configuring a PCI FIM policy

    Posted Sep 18, 2015 02:53 PM

    Hi,


    I've been tasked with creating a FIM policy for PCI compliance. So far I have Windows and Linux servers to deal with. I'm using the Windows and Unix baseline detection policies and starting to tweak them with the goal of eliminating noise, but still account for everything required to comply with PCI guidelines. I thought I'd start this thread for people to chime in with any ideas or tips that might be of use.

    Regards,



  • 2.  RE: SDCS:SA 6.5 - Tips on configuring a PCI FIM policy
    Best Answer

    Posted Sep 30, 2015 06:54 PM

    I think the best use is to go with an IPS policy that prevents access to any PCI data, things that contain database login info (like application config files). This along with the IDS side will not only get you past PCI audits, but will go further and actually prevent anyone but trusted users/processes from viewing/copying the files.

    The baseline IDS policies are good, but prevention goes a lot farther.

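    The baseline-and-compare logic that an IDS/FIM detection policy performs, with noise exclusions of the kind the thread is tuning, shown as an added example that is not part of this thread and is not DCS:SA code; the monitored directories, noise patterns and the sample server tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch

# Constructed scope (illustrative, not a DCS:SA policy export): watched dirs and noise patterns.
MONITORED_DIRS = ("etc", "app/config")
NOISE_PATTERNS = ("*.log", "*.tmp", "*.swp")

def in_scope(rel_path: str) -> bool:
    """In a monitored directory and not matched by a noise pattern (POSIX-style rel path)."""
    watched = any(rel_path.startswith(d + "/") for d in MONITORED_DIRS)
    return watched and not any(fnmatch(rel_path, pat) for pat in NOISE_PATTERNS)

def build_baseline(root: str) -> dict:
    """Map each in-scope file under root to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if in_scope(rel):
                with open(full, "rb") as f:
                    baseline[rel] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as added / removed / modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def _write(root: str, rel: str, body: str, mode: str = "w") -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(body)

def demo() -> dict:
    """Constructed run: baseline a fake server tree, simulate changes, re-scan and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "app/config/db.ini", "db_password=old\n")
        _write(root, "app/config/app.log", "startup\n")
        before = build_baseline(root)
        _write(root, "app/config/db.ini", "db_password=new\n")  # credential file edited -> modified
        _write(root, "etc/newservice.conf", "enabled=1\n")       # new file in scope -> added
        _write(root, "app/config/app.log", "more\n", mode="a")   # log churn -> suppressed as noise
        return compare(before, build_baseline(root))
```

    The expected report from demo() is one modified path (the config file holding the database credential) and one added path, with the log append producing nothing; a prevention (IPS) rule would additionally block the write to the credential file rather than only report it.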


  • 3.  RE: SDCS:SA 6.5 - Tips on configuring a PCI FIM policy

    Posted Nov 18, 2015 01:33 PM

    Thanks for the suggestion. We'll need to go the IPS route to implement a self-protection mechanism for the DCS agent. Also, SEP does not have an IPS feature currently available in 12.1.x that can be applied to Linux endpoints.

    What policy should be used to harden Linux? I see two options:

    • sym_unix_protection_sbp
    • sym_unix_targeted_prevention_sbp

    I take it that the Unix protection will be similar to a Windows strict prevention policy and will require a lot of time and effort in monitoring mode along with correlation from multiple teams in order to fully test to ensure nothing breaks when prevention is enabled. This is quite a different implementation to signature-based Host-IPS solutions. I certainly have reservations about preventing a superuser from doing their day-to-day activities. What would you suggest in order to roll something out that has a good baseline for Linux servers that can be deployed in a timely fashion?



  • 4.  RE: SDCS:SA 6.5 - Tips on configuring a PCI FIM policy

    Posted Nov 21, 2015 04:32 PM

    Had a chance to do some testing with the above templates. I think the targeted policy that is akin to blacklisting is the one I will choose.


    Thanks