Those who are having ongoing or annual audits may know the pain. The auditors want before and after 'pictures' of resolutions to rules that they feel are out of compliance. Of course, some are and some are not. As evidence, many insist on screenshots of the rules they flagged. And a new twist: this year they want the before evidence documented too.
Question: Has anyone found, or is anyone using, a database application that can tie an incident or finding to a resolution using screenshots? One that is organized and cross-references?
Glad you posted this, as I had a customer bring this up last year... let's see what others say.
Apparently it is a mythical creature. Sigh.
Have you ever opened an official TAC case to see what they say?
Andy
Perhaps the following options might help:
1) Open the relevant Revision in Read Only - before and after the change.
2) Run the Changes report between the two relevant Revisions
Just go to - SmartConsole > Manage & Settings > Sessions > Revisions
Select the relevant Revision and either apply View to open in Read Only or select - Actions > Changes > Compare selected with previous in list to just see the differences between Revisions.
@Tal_Paz-Fridman ...I think this is how most folks would do it, but I feel like there has to be a better way of doing this.
Andy
Hi @the_rock - I think using the Changes report between Revisions is an excellent option, as it shows the exact change and as an image (picture).
@Tal_Paz-Fridman ...well, one can argue it's an excellent option, as it appears to be the ONLY option lol
As I wrote, there is also the option to open the Revision in Read Only mode.
I think the Changes option is excellent because it actually shows the change made and does it visually (unlike using Audit Logs).
Well, we will agree to disagree, as they say 🙂
Part of my process is to work a compliance list from Skybox (or Tufin, or AlgoSec). I investigate the rule and mark it for remediation. When I have done the first pass, I create a Firewall Change Request in Skybox per fw by lines marked for remediation. At this time, I can snapshot the rule. Then the change request is fulfilled. I then go back and validate the rule changes. Here, I clean up the tag for remediation (I don't use tags, but write "Remediate" in the rule name). At this point, I can snapshot the result. All because auditors want pictures as 'proof'. It is much easier to run web_api_show_package before and after and show the comparison, but they won't accept that. You would swear they get a royalty from one of the screen capture companies (I use ScreenPresso (purchased), so they are not getting anything there.)
Edit - this syntax works in R81.10:

```bash
$MDS_FWDIR/scripts/web_api_show_package.sh -o /var/log/output -k <Policy_Name> -c -d <domain ip or name> --show-membership false
```

where /var/log/output is an existing directory.
Edit # 3 - In the second pass, I also use logs to verify the traffic (start with the Rule UID). With the information I get from the log analysis, I see if there can be a rule optimization that might 'fix' it by combination or tweak.
While this is an alternate method to get the information about the change, it does not solve the real problem: what to store this change information in so that an audit team could find it. Auditors tend to be IROCs (Individuals Right Out of College). You have to spoon feed them. And a year (or years) later, you need to point them back to previous evidence. I could have a thousand screenshots, but if they cannot be organized, it is a huge PITA. So it needs to be something that has a marriage of a photograph organizer with an audit database.
It is looking like there is a market niche available without any players.
PS - if you are thinking something like ServiceNow, while it supports attachments, replying to a finding to attach 500+ pieces of evidence is a futile exercise.
Agree 100%
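To show how before/after package exports like the ones discussed in this thread could be tied to auditor findings by Rule UID rather than by screenshot, here is an added illustration (not Check Point code and not the poster's tooling). It assumes each export has already been reduced to a dict of rule UID to rule fields; the rules, UIDs and finding IDs below are constructed sample data.

```python
"""Build an audit-evidence index from before/after policy snapshots.

Assumed input shape (added illustration): {rule_uid: {field: value}}, as one
might get by parsing the JSON that web_api_show_package writes (a hypothetical
preprocessing step, not shown here).
"""
import json

# Constructed sample: rule state before and after remediation.
BEFORE = {
    "a1b2": {"name": "Remediate - web to dmz", "source": ["Any"], "destination": ["dmz-web"],
             "service": ["Any"], "action": "Accept", "enabled": True},
    "c3d4": {"name": "db access", "source": ["app-net"], "destination": ["db-srv"],
             "service": ["Any"], "action": "Accept", "enabled": True},
    "e5f6": {"name": "Remediate - legacy telnet", "source": ["Any"], "destination": ["Any"],
             "service": ["telnet"], "action": "Accept", "enabled": True},
}
AFTER = {
    "a1b2": {"name": "web to dmz", "source": ["corp-net"], "destination": ["dmz-web"],
             "service": ["https"], "action": "Accept", "enabled": True},
    "c3d4": {"name": "db access", "source": ["app-net"], "destination": ["db-srv"],
             "service": ["tcp-1433"], "action": "Accept", "enabled": True},
    # "e5f6" was deleted during remediation.
}
# Constructed auditor findings: finding ID -> rule UIDs flagged in that finding.
FINDINGS = {"FND-2024-017": ["a1b2"], "FND-2024-018": ["e5f6"]}


def diff_rule(before, after):
    """Return {field: (old, new)} for every field whose value differs."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in sorted(keys) if before.get(k) != after.get(k)}


def build_evidence(before_pkg, after_pkg, findings):
    """Map each finding ID to per-rule records: status plus the exact field changes."""
    evidence = {}
    for finding_id, uids in findings.items():
        records = []
        for uid in uids:
            changes = diff_rule(before_pkg.get(uid, {}), after_pkg.get(uid, {}))
            status = "deleted" if uid not in after_pkg else ("remediated" if changes else "no change")
            records.append({"rule_uid": uid, "status": status, "changes": changes})
        evidence[finding_id] = records
    return evidence


def untracked_changes(before_pkg, after_pkg, findings):
    """UIDs that changed between snapshots but belong to no finding (need separate justification)."""
    tracked = {u for uids in findings.values() for u in uids}
    return sorted(uid for uid in set(before_pkg) | set(after_pkg)
                  if uid not in tracked and diff_rule(before_pkg.get(uid, {}), after_pkg.get(uid, {})))


if __name__ == "__main__":
    print(json.dumps(build_evidence(BEFORE, AFTER, FINDINGS), indent=2))
    print("changed outside any finding:", untracked_changes(BEFORE, AFTER, FINDINGS))
```

The JSON output is the cross-reference the thread asks for: one record per finding, keyed by Rule UID, which can be stored alongside (or instead of) the screenshots.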