Compliance is difficult and expensive. This is a lesson that enterprise technology leadership has learned through painful years of vendor webcasts promising the moon but delivering buggy products and subpar support. Patch management systems that manage the entire stack, from firmware to operating system to application updates. "Security Information and Event Management" software that guarantees complete visibility of every event on the network (I'm looking at you, RSA Envision). Network intrusion detection systems that don't require a full-time system manager. Right. No individual five- or six-figure tool can meet compliance requirements on its own, despite what the salesperson with dollar signs in his eyes suggests.

Those of us with time in the trenches understand that technology is currently too diverse and non-standard to manage universally. For instance, how can a log management system capture and correlate events from Cisco switches, Oracle databases, Apache web servers and Windows middleware to assemble a meaningful trail of activity? Every source has its own format, timestamp convention and idea of what an "event" is, and normalizing all of them accurately is a larger project than any product's marketing admits. There is no sense in spending tens of thousands of dollars trying to buy that problem away.

Instead, I propose a common sense approach that will satisfy any auditor and won't break the bank. Effective, mature open source tools can save money and provide the same value as the closed solutions. Take advantage of a large community of support without the contract costs that provide little real world value. Use proprietary tools only where they make sense. Let's explore just a few compliance requirements from one common standard, the PCI Data Security Standard, and the open source solutions that address them. The PCI DSS is an easy standard to pick on since the requirements are very clear and concise, but these recommendations apply equally to other regulatory requirements such as HIPAA, SOX, and FISMA.
- Requirement 6.4. Follow change control procedures for all changes to system components. Use an open source ticketing system to track changes and document approval. OTRS is an ITIL-compatible change management system geared towards a customer-facing help desk, but it can easily be adapted to tracking changes for a large internal IT department. For best results, define a process in which every ticket records the testing and back-out procedures, an impact statement, and management approval before the change is made; an auditor will want to see those four items on the ticket for each change sampled, not a ticket that was opened after the fact.
- Requirement 6.5. Develop all web applications (internal and external, and including web administrative access to applications) based on secure coding guidelines such as the Open Web Application Security Project (OWASP). Yep. This requirement even refers to OWASP in the description. OWASP is the industry-acknowledged standard for developing secure applications. All developers should be closely following the OWASP Top Ten, implementing concepts from the OWASP Guide, and using the OWASP security tools. I'll be presenting a web application security model at the Front Range OWASP Conference this June.
- Requirement 6.6. For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected.... Use ModSecurity, an open source Apache module that provides web application firewall services. It has a huge community of support and a large rule base. Developing new rules is straightforward thanks to excellent documentation. Run it in detection-only mode against real traffic first and tune out the false positives before switching rules to blocking, or the first thing it protects you from is your own customers. Note also that 6.6 offers a choice: a web application firewall, or a code review or application vulnerability assessment after changes and at least annually. A WAF in front of code nobody reviews satisfies the letter of the requirement but not the intent. Many proprietary appliances look pretty and come with a guy in a suit but use ModSecurity behind the scenes.
- Requirement 10.2. Implement automated audit trails for all system components to reconstruct the following events: [snip] This is one area where the requirements are a bit vague and, frankly, are ahead of the curve. What "system components" means is subject to some interpretation. However, some open source tools can certainly help out. Snare offers open source agents that collect log data from Windows, Solaris, AIX, ISA Server, IIS, Apache, and more and send it to a syslog server. A commercial server product from the same company helps manage the logs. Whatever collects them, keep the syslog server on a separate, hardened host that the monitored systems can only write to; an audit trail an attacker can edit from the box he just compromised does not reconstruct anything. The Simple Event Correlator (SEC) is a Perl script that matches events with regular expressions, correlates them across time windows, and takes arbitrary actions. This is a great option for a UNIX/Linux-centric environment.
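To make the correlation idea concrete, here is an added example (my own illustration, not SEC's code or configuration) of what a correlator does with a syslog stream: it applies regular expressions to each line, keeps a sliding window of matches per source address, raises an alert when a threshold is crossed within the window, and then watches for a related follow-on event. The two rule behaviours loosely correspond to a threshold rule and a pair rule in SEC, but the rule logic, the thresholds, and the sshd log lines below are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines for the example; these are not real logs.
SAMPLE_LOG = """\
Mar 10 10:00:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar 10 10:00:03 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar 10 10:00:04 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51531 ssh2
Mar 10 10:00:06 web01 sshd[2237]: Failed password for root from 203.0.113.7 port 51533 ssh2
Mar 10 10:00:09 web01 sshd[2239]: Accepted password for root from 203.0.113.7 port 51540 ssh2
Mar 10 10:05:00 db01 sshd[4410]: Failed password for oracle from 198.51.100.4 port 40011 ssh2
Mar 10 10:30:00 db01 sshd[4420]: Failed password for oracle from 198.51.100.4 port 40012 ssh2
"""

# Classic BSD syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w/.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_ts(ts, year=2024):
    """BSD syslog timestamps carry no year; assume one (a hypothetical default)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


class Correlator:
    """Threshold rule: N auth failures from one IP inside the window -> BRUTE_FORCE.
    Pair rule: a later successful login from a flagged IP -> LOGIN_AFTER_BRUTE_FORCE."""

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.flagged = {}                   # ip -> time the brute force was flagged
        self.alerts = []                    # (rule, host, ip, detail) tuples; the "action"

    def feed(self, line):
        m = SYSLOG_RE.match(line)
        if not m:
            return  # unparseable line; a real correlator would count these too
        when, host, msg = parse_ts(m.group("ts")), m.group("host"), m.group("msg")

        f = FAILED_RE.search(msg)
        if f:
            ip = f.group("ip")
            q = self.failures[ip]
            q.append(when)
            while q and when - q[0] > self.window:   # expire events outside the window
                q.popleft()
            if len(q) >= self.threshold and ip not in self.flagged:
                self.flagged[ip] = when
                self.alerts.append(("BRUTE_FORCE", host, ip,
                                    f"{len(q)} failures in {int(self.window.total_seconds())}s"))
            return

        a = ACCEPTED_RE.search(msg)
        if a and a.group("ip") in self.flagged:
            self.alerts.append(("LOGIN_AFTER_BRUTE_FORCE", host, a.group("ip"),
                                f"user {a.group('user')}"))


def correlate(text, threshold=3, window_seconds=60):
    """Run the correlator over a block of log text and return the alerts raised."""
    c = Correlator(threshold, timedelta(seconds=window_seconds))
    for line in text.splitlines():
        c.feed(line)
    return c.alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the sample above the first four failures from 203.0.113.7 trip the threshold at the third one, and the successful root login six seconds later produces the second, more interesting alert. The two failures from 198.51.100.4 are 25 minutes apart, so the window expires the first before the second arrives and nothing fires; that window is the knob an auditor will ask you to justify.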
- Requirement 11.2. Run internal and external network vulnerability scans at least quarterly... The easy answer here used to be Nessus, but it is now a closed source tool with a paid subscription for the latest signatures. It remains one of the least expensive options available. Arguably, the combination of Nmap and Metasploit could meet the internal scanning requirement: Nmap with version detection inventories what is listening, and Metasploit checks whether the versions it finds are actually exploitable. Keep in mind that the quarterly external scans must be performed by a PCI Approved Scanning Vendor, so no in-house tool, open source or otherwise, satisfies that half of the requirement.
- Requirement 11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic... The Snort NIDS has an active community and thousands of rules. Like every NIDS, it requires a lot of administrative attention, especially in large environments, and most of that attention goes into tuning the rule set so analysts are not buried in false positives. I strongly recommend the use of a GUI front end such as Sguil or Aanval.
- Requirement 11.5 Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files... The best open source tool in this space is OSSEC. A central server can manage hundreds of agents, and agent software exists for UNIX/Linux and Windows. It's an excellent alternative to the now expensive commercial Tripwire. Whichever tool you pick, the baseline it compares against has to live somewhere the monitored host cannot rewrite it, and the alerts have to reach a person; a weekly report nobody reads is exactly what this requirement was written to prevent.
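The mechanism behind every file-integrity monitor is the same: record a baseline of hashes and metadata for the files you care about, rescan later, and report anything added, removed or changed. The following is an added example of that loop written for this post, not OSSEC's or Tripwire's code. It builds its baseline over a temporary directory with a few constructed files, simulates the sort of tampering a compromised host would show (a new root account, a removed file, a dropped ld.so.preload), and reports the differences. Paths, file contents and the SHA-256 choice are all assumptions of the example.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Hash plus the metadata an attacker is likely to touch (size, mode, owner)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def build_baseline(root):
    """Walk root and record every regular file (symlinks skipped) keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def save_baseline(baseline, dest):
    # In production the baseline goes to a central server or read-only media,
    # never onto the monitored host where an intruder can regenerate it.
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare(baseline, current):
    """Return (change, path, changed_fields) tuples in path order."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            changes.append(("added", rel, None))
        elif new is None:
            changes.append(("deleted", rel, None))
        else:
            diffs = [k for k in old if old[k] != new[k]]
            if diffs:
                changes.append(("modified", rel, diffs))
    return changes


def demo():
    """Baseline a constructed mini filesystem, tamper with it, and rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        save_baseline(build_baseline(root), root / "baseline.json")
        os.remove(root / "baseline.json") if False else None  # keep file for load below
        baseline = load_baseline(root / "baseline.json")
        baseline.pop("baseline.json", None)  # the baseline file itself is not monitored

        # Simulated tampering: extra uid-0 account, removed file, preload hijack.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")

        current = build_baseline(root)
        current.pop("baseline.json", None)
        return compare(baseline, current)


if __name__ == "__main__":
    for change in demo():
        print(change)
```

The report shows one deleted file, one added file, and one modified file whose hash and size both changed. Real deployments add two things this sketch leaves out: a list of which paths matter (hashing all of /var/log every hour is noise, not monitoring) and a transport that gets the report off the host, which is the part a central OSSEC server handles for you.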
These are just a few of the many open source tools that help with compliance. I also like RANCID for network device configuration management and Nagios for IT infrastructure monitoring. Don't forget about the many IT policy resources, such as the templates available from SANS. It doesn't always make sense to use open source to solve compliance problems, however. For instance, while Clam AntiVirus is an excellent personal AV tool, it doesn't offer the central management and reporting features that many enterprises would consider requirements. No great tool exists for full enterprise patching, but WSUS is an excellent free, closed source tool from Microsoft for managing Windows updates.