Sumo Logic

Lab 13 - Prevent insecure data in transit for firewalls

Learn how to analyze Palo Alto Networks firewall traffic logs to detect allowed traffic on cleartext ports, identify the cardholder host by checking for private (RFC 1918) addresses, parse CSV fields, and format the results with the transpose operator.

Sumo serves as your audit reporting tool for the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA, monitors the Center for Internet Security (CIS) controls and benchmarks, and accelerates your compliance with GDPR, CCPA, and other data privacy regulations. It also monitors security controls such as firewalls and access controls, and masks and encrypts your data for data breach protection. Additionally, Sumo lets you track configuration changes and updates so you are aware of any security concerns that require configuration changes, such as removing default passwords and ensuring proper encryption.

In this lab you will look at one of our out-of-the-box compliance apps, PCI Compliance for Palo Alto Networks, using incoming Palo Alto firewall logs. Palo Alto Networks focuses on secure firewall technology, and tracking PCI DSS requirements on firewall traffic is a critical part of compliance. The PCI Security Standards Council maintains, evolves, and promotes standards for the safety of cardholder data across the globe, touching the lives of hundreds of millions of people; a breach or theft of cardholder data affects the entire payment card ecosystem and causes damage that is hard to repair. To protect your data, you will navigate to a monitoring environment that lets you track whether customer data is passed securely in transit and properly encrypted at each stage of the data pipeline. You will gain insight into firewall data. Depending on the sources available and the data most relevant to your audit requirements, you also have the option to monitor VPC, Linux, Windows, or AWS CloudTrail data. You will parse the raw log with the csv operator and format the aggregate with the transpose operator. Optionally, you may create an alert that fires when results appear or exceed a threshold, and update the dashboard panel.

Lab Activity

Downloading the App  

  1. To install the PCI app, click App Catalog. In the search window, enter pci.

  2. Click PCI Compliance For Palo Alto Networks.

  3. Click Add to Library.

  4. For the App Name, type your initials###  (### is a 3 digit number) to make the name unique for you to find later.


  5. For the Source Category type Labs/PaloAltoNetworks.

  6. Click Add to Library. You have now installed the PCI app for Palo Alto Networks incoming logs.

  7. Click each dashboard to open it. Take a moment to familiarize yourself with what the data looks like on the various dashboards. When you are ready, go to the dashboard called PCI Req 02, 04 - Insecure Data In Transit. This dashboard is designed to address requirements 2 and 4 from the PCI DSS checklist below.


PCI DSS Requirements

All 12 requirements are listed below, and Sumo Logic provides reporting for each of them. They are the standards, published by the PCI Security Standards Council, that cover the technical and operational components of systems that store, process, or transmit cardholder data, or that are connected to those systems. This lab applies requirements 2 and 4.

Goals                                        PCI DSS Requirements
Build and Maintain a Secure Network          1. Install and maintain a firewall configuration to protect cardholder data
                                             2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                      3. Protect stored cardholder data
                                             4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program  5. Use and regularly update anti-virus software or programs
                                             6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures     7. Restrict access to cardholder data by business need-to-know
                                             8. Assign a unique ID to each person with computer access
                                             9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks          10. Track and monitor all access to network resources and cardholder data
                                             11. Regularly test security systems and processes
Maintain an Information Security Policy      12. Maintain a policy that addresses information security for employees and contractors



Examine the query  

  1. On the panel called Insecure Allowed Traffic by Target Port and Involved Host, click Show In Search to open the underlying query.
     
  2. The query opens in a Log Search tab and looks like this:

_sourceCategory = Labs/PaloAltoNetworks TRAFFIC allow (21 or 23 or 80 or 8008 or 8080 or 513) /* scoping in on the data that is allowable traffic on potentially unencrypted ports */
| csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as src_ip, 9 as dest_ip, 10 as NAT_src_ip, 11 as NAT_dest_ip, 12 as ruleName, 13 as src_user, 14 as dest_user, 15 as app, 16 as vsys, 17 as src_zone, 18 as dest_zone, 19 as inbound_interface, 20 as outbound_interface, 21 as LogAction, 22 as f3, 23 as SessonID, 24 as RepeatCount, 25 as src_port, 26 as dest_port, 27 as NAT_src_port, 28 as NAT_dest_port, 29 as flags, 30 as protocol, 31 as action,32 as bytes, 33 as bytes_sent, 34 as bytes_recv, 35 as Packets, 36 as StartTime, 37 as ElapsedTime, 38 as Category, 39 as f4, 40 as seqNum, 41 as ActionFlags, 42 as src_Country, 43 as dest_country, 44 as pkts_sent, 45 as pkts_received, 46 as session_end_reason, 47 as Device_Group_Hierarchy , 48 as vsys_Name, 49 as DeviceName, 50 as action_source, 51 as Source_VM_UUID, 52 as Destination_VM_UUID, 53 as Tunnel_ID_IMSI, 54 as Monitor_Tag_IMEI, 55 as Parent_Session_ID, 56 as parent_start_time, 57 as Tunnel, 58 as SCTP_Association_ID, 59 as SCTP_Chunks, 60 as SCTP_Chunks_Sent, 61 as SCTP_Chunks_Received
| where type = "TRAFFIC" and action="allow" and dest_port in ("21", "23", "80", "8008", "8080", "513")

// Unencrypted traffic default ports (FTP - port 21, telnet - port 23, http - port 80, 8008, 8080, rlogin - port 513)
| if ((compareCIDRPrefix("172.16.0.0", dest_ip, toInt(12)) or compareCIDRPrefix("192.168.0.0", dest_ip, toInt(16)) or compareCIDRPrefix("10.0.0.0", dest_ip, toInt(8))), dest_ip, src_ip) as %"Cardholder Host" /* if dest_ip is inside one of the RFC 1918 private ranges, the destination is the internal cardholder host; otherwise fall back to src_ip */
| dest_port as %"Destination Port" 
| count as Incidents by %"Cardholder Host", %"Destination Port", Protocol 
| transpose row %"Destination Port", Protocol column %"Cardholder Host" 

  1. One of the best ways to learn a query is to run part of it and comment out the rest. Keep the first 2 lines of code (the scoping line and the csv parse) as they are, insert // at the beginning of every other line to comment it out, and run the query for the Last 24 hours.

    _sourceCategory = Labs/PaloAltoNetworks TRAFFIC allow (21 or 23 or 80 or 8008 or 8080 or 513) /* scoping in on the data that is allowable traffic on potentially unencrypted ports */
    | csv _raw extract 1 as f1, 2 as Receive_Time, 3 as serialNum, 4 as type, 5 as subtype, 6 as f2, 7 as LogGenerationTime, 8 as src_ip, 9 as dest_ip, 10 as NAT_src_ip, 11 as NAT_dest_ip, 12 as ruleName, 13 as src_user, 14 as dest_user, 15 as app, 16 as vsys, 17 as src_zone, 18 as dest_zone, 19 as inbound_interface, 20 as outbound_interface, 21 as LogAction, 22 as f3, 23 as SessonID, 24 as RepeatCount, 25 as src_port, 26 as dest_port, 27 as NAT_src_port, 28 as NAT_dest_port, 29 as flags, 30 as protocol, 31 as action,32 as bytes, 33 as bytes_sent, 34 as bytes_recv, 35 as Packets, 36 as StartTime, 37 as ElapsedTime, 38 as Category, 39 as f4, 40 as seqNum, 41 as ActionFlags, 42 as src_Country, 43 as dest_country, 44 as pkts_sent, 45 as pkts_received, 46 as session_end_reason, 47 as Device_Group_Hierarchy , 48 as vsys_Name, 49 as DeviceName, 50 as action_source, 51 as Source_VM_UUID, 52 as Destination_VM_UUID, 53 as Tunnel_ID_IMSI, 54 as Monitor_Tag_IMEI, 55 as Parent_Session_ID, 56 as parent_start_time, 57 as Tunnel, 58 as SCTP_Association_ID, 59 as SCTP_Chunks, 60 as SCTP_Chunks_Sent, 61 as SCTP_Chunks_Received
    //| where type = "TRAFFIC" and action="allow" and dest_port in ("21", "23", "80", "8008", "8080", "513")

    // Unencrypted traffic default ports (FTP - port 21, telnet - port 23, http - port 80, 8008, 8080, rlogin - port 513)
    //| if ((compareCIDRPrefix("172.16.0.0", dest_ip, toInt(12)) or compareCIDRPrefix("192.168.0.0", dest_ip, toInt(16)) or compareCIDRPrefix("10.0.0.0", dest_ip, toInt(8))), dest_ip, src_ip) as %"Cardholder Host" /* if dest_ip is inside one of the RFC 1918 private ranges, the destination is the internal cardholder host; otherwise fall back to src_ip */
    //| dest_port as %"Destination Port" 
    //| count as Incidents by %"Cardholder Host", %"Destination Port", Protocol 
    //| transpose row %"Destination Port", Protocol column %"Cardholder Host" 
  2. To see the incoming log results, click the Messages tab. Scroll to the far right to see the raw log messages and confirm that the keywords in the scoping line returned only messages that contain them. The csv operator parses the comma-separated values of the raw message into the named fields, and you will see their columns listed as you scroll across. Because the extraction is positional, spot-check that the names line up with the values (for example, that dest_port holds a port number and dest_ip an address) before relying on the counts: a log format with a different number of columns shifts every field after the difference.
  3. To see the aggregated data, remove all the // comments and click the Aggregates tab. The third line of code, the where filter, returns only allowed traffic whose destination port is one of the defaults for FTP (21), telnet (23), HTTP (80, 8008, 8080), and rlogin (513). These are common cleartext ports that you want to monitor for unencrypted or insecure data. Treat a match as a signal to investigate rather than proof of cleartext cardholder data: a service can run encrypted on a nonstandard port or cleartext on a port not in this list, so the list is a starting point to tune for your environment.
  4. The if decides which side of the flow to report as the cardholder host. If dest_ip falls inside one of the private (RFC 1918) ranges, the destination is treated as the internal host on our LAN; otherwise src_ip is used, on the assumption that the destination is out on the public WAN. Inside the if, compareCIDRPrefix(network, ip, prefixLength) compares the first prefixLength bits of the two addresses, and toInt simply supplies that length as an integer. The prefix length is the number of leading 1 bits in the subnet mask, and the subnet mask determines the range of IP addresses in my LAN: /8 is 255.0.0.0, /12 is 255.240.0.0, /16 is 255.255.0.0, and /24 is 255.255.255.0 (255 is 11111111 in binary, so every 1 bit masks one bit of the address). One caveat in this logic: only dest_ip is tested, so a flow between two public addresses still reports src_ip as the "Cardholder Host", and a flow between two private addresses always reports the destination. See the private IP address space table below.

    Private IP address space
    From          To                CIDR prefix length   Host bits (addresses in range)
    10.0.0.0      10.255.255.255    8                    2nd, 3rd and 4th octets = 24 bits = 2^24
    172.16.0.0    172.31.255.255    12                   half of 2nd, plus 3rd and 4th octets = 20 bits = 2^20
    192.168.0.0   192.168.255.255   16                   3rd and 4th octets = 16 bits = 2^16
     
    Further understanding:
    1. If my IP address is 10.7.15.23 and my subnet mask is 255.0.0.0 (CIDR prefix /8), then any IP address that starts with 10.x.x.x is local, that is, on my LAN.
    2. If my IP address is 10.7.15.23 and my subnet mask is 255.255.255.0 (CIDR prefix /24), then only addresses that start with 10.7.15.x are on my LAN.
    3. If the destination is not local, my host hands the packet to its default gateway (the router), which forwards it toward the next hop.
       

Formatting

  1. The last 3 lines of code alias a field (dest_port as Destination Port), aggregate by counting the matching messages as Incidents, and format the aggregate with transpose, which defines what appears in the rows (each Destination Port and Protocol pair) and in the columns (each Cardholder Host).
  2. Click the bar chart icon to visualize the aggregate. Each bar shows the Incidents count for one cardholder host on one destination port and protocol.
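To trace each stage of the panel query offline, here is the same logic re-implemented in plain Python. This is an added example, not code from the lab or from Sumo Logic: it parses constructed Palo Alto TRAFFIC lines laid out in the 61-field order the csv extract above uses, applies the where filter, picks the cardholder host with the same RFC 1918 test that the compareCIDRPrefix calls perform, counts incidents, and pivots them the way transpose does. The sample log lines, their field values, and the make_traffic_line helper are assumptions for the demo, not real firewall output.

```python
import csv
import io
import ipaddress
from collections import Counter

# 1-based field positions taken from the lab query's `csv _raw extract ...` line.
FIELD_POS = {"type": 4, "src_ip": 8, "dest_ip": 9, "dest_port": 26,
             "protocol": 30, "action": 31}
NUM_FIELDS = 61

# Default cleartext ports watched by the PCI Req 02, 04 panel (from the query).
CLEARTEXT_PORTS = {"21", "23", "80", "8008", "8080", "513"}

# The three RFC 1918 prefixes the query tests with compareCIDRPrefix().
PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")]


def make_traffic_line(**fields):
    """Build one constructed 61-field Palo Alto TRAFFIC CSV line (sample data,
    not a real firewall export). Only the fields this demo needs are filled."""
    cols = [""] * NUM_FIELDS
    cols[0], cols[1], cols[2] = "1", "2020/08/24 19:30:00", "001234567890"
    for name, value in fields.items():
        cols[FIELD_POS[name] - 1] = str(value)
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(cols)
    return buf.getvalue()


SAMPLE_LOGS = [  # constructed samples: public src -> private dest, and so on
    make_traffic_line(type="TRAFFIC", src_ip="203.0.113.7", dest_ip="10.1.2.3",
                      dest_port="80", protocol="tcp", action="allow"),
    make_traffic_line(type="TRAFFIC", src_ip="203.0.113.7", dest_ip="10.1.2.3",
                      dest_port="80", protocol="tcp", action="allow"),
    make_traffic_line(type="TRAFFIC", src_ip="192.168.5.9", dest_ip="198.51.100.20",
                      dest_port="21", protocol="tcp", action="allow"),
    make_traffic_line(type="TRAFFIC", src_ip="10.1.2.3", dest_ip="10.1.2.4",
                      dest_port="443", protocol="tcp", action="allow"),  # encrypted port, ignored
    make_traffic_line(type="TRAFFIC", src_ip="10.1.2.5", dest_ip="203.0.113.9",
                      dest_port="23", protocol="tcp", action="deny"),  # blocked, ignored
    make_traffic_line(type="THREAT", src_ip="10.1.2.5", dest_ip="203.0.113.9",
                      dest_port="23", protocol="tcp", action="allow"),  # not a TRAFFIC log
]


def is_private(ip):
    """Equivalent of the query's three compareCIDRPrefix() tests on one address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def cardholder_host(src_ip, dest_ip):
    """Mirror the query's if(): dest_ip when it is private, otherwise src_ip.
    Same caveat as the query: with two public addresses, src_ip is still returned."""
    return dest_ip if is_private(dest_ip) else src_ip


def parse_traffic(raw_line):
    """The `csv _raw extract` stage: positional split into the named fields."""
    cols = next(csv.reader([raw_line]))
    if len(cols) < NUM_FIELDS:  # a different log version would shift the fields
        raise ValueError("expected %d fields, got %d" % (NUM_FIELDS, len(cols)))
    return {name: cols[pos - 1] for name, pos in FIELD_POS.items()}


def count_insecure_allowed(raw_lines):
    """The where + if + count stages: Incidents keyed by (host, dest_port, protocol)."""
    incidents = Counter()
    for line in raw_lines:
        rec = parse_traffic(line)
        if rec["type"] != "TRAFFIC" or rec["action"] != "allow":
            continue
        if rec["dest_port"] not in CLEARTEXT_PORTS:
            continue
        host = cardholder_host(rec["src_ip"], rec["dest_ip"])
        incidents[(host, rec["dest_port"], rec["protocol"])] += 1
    return incidents


def transpose(incidents):
    """The transpose stage: one row per (dest_port, protocol), one column per
    cardholder host, each cell the Incidents count (0 where there was none)."""
    hosts = sorted({host for host, _, _ in incidents})
    rows = {}
    for (host, port, proto), n in incidents.items():
        rows.setdefault((port, proto), {h: 0 for h in hosts})[host] = n
    return hosts, rows


if __name__ == "__main__":
    hosts, table = transpose(count_insecure_allowed(SAMPLE_LOGS))
    print("Destination Port  Protocol  " + "  ".join(hosts))
    for (port, proto), cells in sorted(table.items()):
        print("%-17s %-9s " % (port, proto) + "  ".join(str(cells[h]) for h in hosts))
```

Running it prints a two-column matrix: the two allowed HTTP flows to 10.1.2.3 land in one cell, the FTP flow from 192.168.5.9 to a public address lands in another, and the HTTPS, denied, and THREAT lines are dropped by the filters. The length check in parse_traffic is the programmatic form of the spot-check in step 2 of Examine the query: positional parsing silently mislabels every field if the column count is wrong.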

Optional Next Steps  

A next step might be to update the dashboard panel with this new chart. Click Update Dashboard to begin that process; refer to Save Edits to a Panel.

Another step might be to create an alert for this query, which notifies you when allowed cleartext traffic appears or exceeds a threshold you set. To learn how to create an alert, go to the lab Creating an alert.
 

Always check with your auditors that the dashboards meet their expectations.


Quiz (True or False?)

  1. I can download an app using the App Catalog.

  2. I will use the compareCIDRPrefix operator to check whether an IP address is private or public.

Summary

Congratulations! You've completed these tasks:

  1. Used an existing app for PCI compliance on standard requirements 2 and 4.

  2. Parsed CSV log fields.

  3. Identified whether an IP address is private or public.

  4. Optionally created an alert and updated a dashboard panel.