Monitoring is the most reliable way to identify and track who is accessing data on company systems. Whether you’re on the lookout for an unauthorized employee viewing confidential patient data or a malicious outsider trying to steal cardholder data, monitoring is indispensable to a strong security posture.
Monitoring is also a requirement of just about every major compliance framework and regulation, from PCI DSS to HIPAA and beyond. For the sake of this post, we’ll focus on the security monitoring requirements of PCI DSS and HIPAA, two of the most widely applicable regulations today.
Monitoring: A Dedicated PCI DSS Rule
U.S. e-commerce sales for the second quarter of 2016 are estimated at $97.3 billion, an increase of 4.5 percent from the first quarter. As online sales keep growing quarter over quarter, more transaction and credit card data needs to be protected from theft and fraud, so PCI DSS understandably requires monitoring for suspicious activity to keep merchants and their customers protected. Specifically, PCI DSS Requirement 10 requires that merchants:
Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
It goes on to require (Requirement 10.1) that merchants implement audit trails linking all access to system components to an individual user, which is exactly what monitoring provides. The intent of such a specific rule is to ensure that every merchant has visibility into who accessed which system, when they did it, and what they did there, so that a breach can be detected and resolved quickly. Without this information, companies can’t connect the dots between systems and users and are often unable to notice unauthorized access until long after the fact, leaving the gates wide open to cardholder data theft and major financial and reputational consequences. As Acer found out the hard way, security monitoring is critical to data protection, and a lapse there can have a big impact on compliance posture.
Monitoring: An Integral Part of HIPAA Requirements
It’s not news that healthcare companies have been hit hard by attacks lately. Fortunately, the body that enforces HIPAA (the HHS Office for Civil Rights, or OCR) is starting to take a more proactive stance on auditing and education, to ensure that covered entities and business associates alike understand and implement the right controls, especially when it comes to monitoring that detects breaches early.
The OCR has historically been fairly lax about HIPAA enforcement, so covered entities and business associates could get away with doing the bare minimum to check the boxes: buy the necessary tools, outline some processes, never actually implement them, and still claim to have met the requirements. That’s certainly not a good way to do business, but until very recently you could get by this way. With attacks on the rise, the OCR is cracking down, and businesses are getting more serious about doing due diligence before working with others.
So it’s in the best interest of your business, your customers, your partners, and, of course, your HIPAA compliance that you get each piece right. If you’ve looked through the HIPAA Security Rule, you’ve probably seen monitoring listed in many places: audit controls, log-in monitoring, information system activity review, and even facility access controls, covering everything from logins to files to physical access to computers.
Just as monitoring provides evidence in the event of a breach for PCI DSS-compliant companies, it also offers solid proof for healthcare data. For example, if you see that Jane keeps opening a certain patient record, or that Jake logged on to your EHR system at 2 a.m. when no one was in the office, that’s grounds for an investigation, with the audit trail as your evidence.
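The two requirements above (PCI DSS 10.1’s per-user audit trail and the HIPAA scenarios of Jane’s repeated record access and Jake’s 2 a.m. login) come down to the same thing: parse the activity log, attribute each event to a user, and flag patterns that warrant a look. The following is an added example written for this post, not Threat Stack’s own code or any product’s detection logic. It assumes a simple constructed log format of "timestamp user action target" and uses made-up users, records and times; the business-hours window and the repeat threshold are illustrative parameters, not values taken from either standard.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit log (not real data). Format assumed for this
# example: ISO-8601 timestamp, user, action, target, space-separated.
SAMPLE_LOG = """\
2016-08-01T09:12:03 jane LOGIN ehr
2016-08-01T09:15:41 jane VIEW patient/48213
2016-08-01T11:02:10 jane VIEW patient/48213
2016-08-01T14:30:55 jane VIEW patient/48213
2016-08-01T14:31:20 jane VIEW patient/10007
2016-08-02T02:04:17 jake LOGIN ehr
2016-08-02T02:05:02 jake VIEW patient/77120
2016-08-02T08:59:44 maria LOGIN ehr
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, target = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "action": action,
            "target": target,
        })
    return events


def build_audit_trail(events, user):
    """Chronological 'who did what, when' for one user: the audit trail that
    PCI DSS 10.1 and HIPAA's audit-controls standard ask you to be able to produce."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return [(e["ts"].isoformat(), e["action"], e["target"])
            for e in ordered if e["user"] == user]


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Logins outside an assumed business-hours window (the 'Jake at 2 a.m.' case)."""
    return [e for e in events
            if e["action"] == "LOGIN" and not (start_hour <= e["ts"].hour < end_hour)]


def repeated_record_access(events, threshold=3):
    """(user, record) pairs viewed at least `threshold` times (the 'Jane keeps
    opening the same record' case). Returns a dict of pair -> count."""
    counts = Counter((e["user"], e["target"])
                     for e in events if e["action"] == "VIEW")
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in off_hours_logins(evs):
        print("off-hours login:", e["user"], e["ts"].isoformat())
    for (user, record), n in repeated_record_access(evs).items():
        print("repeated access:", user, record, n, "views")
    print("audit trail for jake:", build_audit_trail(evs, "jake"))
```

Both detections are deliberately simple so the logic is visible: a real deployment would baseline each user’s normal hours and access volume rather than use fixed cutoffs, and would read from a tamper-resistant log store rather than an in-memory string. What does not change is the shape of the evidence: every alert resolves to a named user, a timestamp, and the resource touched.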
Continuous Security Monitoring for Continuous Compliance
So, maybe you’re wondering whether this whole compliance hassle is actually worth it. Maybe you’re a small business, or don’t think you have data worth stealing. But it’s not just the big-name companies that are targets anymore; attackers are increasingly going after small businesses, whether to steal data or simply to hijack server and network resources for an attack aimed at someone else. That means just about any business can be a target, which is why everyone should have monitoring in place to catch suspicious activity before it spins out of control.
In contrast to the way monitoring worked in an on-premises world (clunky and disjointed), the consistent nature of the cloud lets monitoring like Threat Stack’s deploy all at once across an organization’s entire cloud environment and continuously check for anomalous activity, so that you’re continuously upholding your compliance requirements with a solution that’s always on.
Built for teams that are running fast in the cloud, the Threat Stack agent deploys quickly across your cloud infrastructure and continuously monitors for anomalous activity, alerting on what’s abnormal for your specific environment so that when we flag something, you know it’s a real alert. That’s a big time saver, and every efficiency you can gain is a win.
Even better, Threat Stack is a comprehensive cloud security platform that provides other mandated compliance and security features such as threat intelligence, vulnerability management, and, of course, compliance reporting, so you can do the bulk of your compliance prep all in one place rather than race around to find dozens of point solutions and deal with the inconvenience of implementing and managing them — which often just doesn’t happen.
Work Smarter, Not Harder
To meet compliance needs in the cloud today, you want to speed up the discovery work that’s required and minimize the number of places you have to look for information in the event of a breach. Whether it’s cardholder or patient data at risk, it’s your responsibility to your customers, your partners, and the law to protect it. Effective security monitoring with Threat Stack lets you record and reconstruct activity so you can pinpoint the source and identity of malicious users and actions, and keep doing business with little or no impact on your users.
To learn more about how to meet compliance requirements today, follow along with our weekly compliance series by subscribing here: http://get.threatstack.com/compliance-blog-series. As a bonus, we’ll make sure you’re the first to receive the Compliance eBook we’re releasing in September.
If you have questions, tweet us @ThreatStack, or send an email to [email protected]