This document provides an overview of a presentation on adapting compliance strategies for PCI DSS 3.0. The presentation covers the key changes in PCI DSS 3.0, including more rigorous penetration testing and log review requirements. It then discusses how a unified security management platform can help address the new requirements through integrated asset discovery, vulnerability assessment, network and host intrusion detection, log management and security intelligence. Specific capabilities that can help meet each requirement are outlined. The presentation concludes with contact information for further discussion.
PCI DSS v3.0: How to Adapt Your Compliance Strategy
1. PCI DSS 3.0: HOW TO ADAPT YOUR COMPLIANCE STRATEGY
2. INTRODUCTIONS
Meet today’s presenters
Carlos Villalba
Director of Security Services
Terra Verde Services
Sandy Hawke
VP, Product Marketing
AlienVault
Patrick Bass
Director of Security Solutions
Terra Verde Services
3. AGENDA
• What’s New in PCI DSS 3.0
• Key considerations for adapting your compliance strategy
• Technology recommendations for addressing new requirements
• How our clients have simplified PCI DSS compliance
• Q&A
4. PCI DSS PRIMER
WHAT’S CHANGED FROM V2 TO V3
Carlos A. Villalba
Director, Security Services
5. IT’S FINALLY HERE!
Nov 7, 2013 • PCI DSS v3 was published
Jan 1, 2014 • PCI DSS v3 becomes effective
Dec 31, 2014 • PCI DSS v2 expires
7. WHAT DID THEY WANT TO FIX
Divergent interpretations of the standard
Weak or default passwords
Slow detection of compromise
Security problems introduced by 3rd parties and various areas
8. HIGHLIGHTS
The twelve domains remain
Some sub-requirements added
Descriptions of tests are more precise
Aligned language of requirement and test
Clarified what to do to verify compliance
More rigor in determining scope of assessment
More guidance on log reviews
More rigorous penetration testing
10. A PENETRATION TEST METHODOLOGY
Based on industry-accepted approaches, e.g. NIST SP800-115
A new clause 11.3
Test entire perimeter of CDE & all critical systems
Validate all scope-reduction controls—segmentation
Test from inside and from outside of the network
Test network-function components and OSs
As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5
11. SECURE SDLC
Programmers of internally-developed and bespoke applications must be trained to avoid known vulnerabilities
List expanded to include new requirements for:
Coding practices to protect against broken authentication and session management
Coding practices to document how PAN and SAD are handled in memory
Combating memory scraping is a good idea for PA-DSS
This was a bit contentious for PCI-DSS
12. AUTHENTICATION
Requirement text recognizes methods other than password/passphrases, e.g. certificates
Minimum password length is still 7 characters
Authentication credentials: “Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.”
A service provider must use a different password for each of its clients.
Educate users
13. CHANGE MANAGEMENT
Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files
Configure the software to perform critical file comparisons at least weekly.
New requirement, 11.5.1, mandates the implementation of a process to respond to any alerts generated by that mechanism.
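An added example (not code from the presentation or from any vendor product) of the change-detection mechanism described above: a baseline of SHA-256 digests, sizes and permission bits is taken for critical, configuration and content files, a later comparison classifies added, removed and modified files so the 11.5.1 response process has something concrete to triage, and a check flags when the stored baseline is older than the weekly minimum. The file tree and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
import time
from pathlib import Path

MAX_AGE_SECONDS = 7 * 24 * 3600  # 11.5: critical file comparisons at least weekly

def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Record digest, size and permission bits of every file under root."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            files[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p), "size": st.st_size, "mode": st.st_mode & 0o777}
    return {"taken_at": time.time(), "files": files}

def compare(baseline, current):
    """Classify each difference so the 11.5.1 response process can triage it."""
    old, new = baseline["files"], current["files"]
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}

def comparison_overdue(baseline, now=None):
    # True when the stored baseline is older than the weekly minimum.
    return (now if now is not None else time.time()) - baseline["taken_at"] > MAX_AGE_SECONDS

def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=pci-db\n")    # configuration file
        (root / "payment.bin").write_bytes(b"\x7fELF-placeholder")     # critical system file
        (root / "index.html").write_text("<h1>Checkout</h1>\n")        # content file
        baseline = snapshot(root)
        (root / "index.html").write_text("<h1>Checkout</h1><p>edited</p>\n")  # modified
        (root / "etc" / "extra.sh").write_text("#!/bin/sh\n")                  # added
        (root / "payment.bin").unlink()                                        # removed
        return compare(baseline, snapshot(root))
```

In a real deployment the baseline would be stored off the monitored host and signed, since an attacker who can rewrite the baseline can hide the change it was meant to catch.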
14. MANAGED SERVICE PROVIDERS
New requirement, 12.8.5, mandates the documentation of which DSS requirements are managed by the 3rd party.
New requirement, 12.9, mandates that 3rd parties must acknowledge in writing that they will comply with the DSS to protect CHD entrusted to them or, if managing some aspect of the CDE, state they will comply with the DSS in performing that management.
15. ADAPTING YOUR COMPLIANCE STRATEGY
Assess gaps between v2 and v3 requirements
What process changes are required?
What technology improvements are required?
How long will these take?
Do you have the necessary expertise and technology in place?
Document migration plans to v3
Consider a unified approach to PCI security monitoring
16. A UNIFIED APPROACH TO PCI DSS COMPLIANCE: USM OVERVIEW
Sandy Hawke
VP, Product Marketing
AlienVault
17. KEY QUESTIONS FOR PCI DSS
Pre-audit checklist:
Where do your PCI-relevant assets live, how are they configured, and how are they segmented from the rest of your network?
Who accesses these resources (and the other W’s… when, where, what can they do, why and how)?
What are the vulnerabilities that are in your PCI-defined network – app, OS, etc? Are there any known attackers targeting these?
What constitutes your network baseline? What is considered “normal/acceptable”?
Ask your team… What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen?
18. WHAT DO WE NEED FOR PCI DSS? UNIFIED SECURITY MANAGEMENT
Asset Discovery – figure out what is valuable
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment – identify ways the target could be compromised
• Network Vulnerability Testing
Threat Detection – start looking for threats
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring – look for strange activity which could indicate a threat
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence – piece it all together
• SIEM Correlation
• Incident Response
BTW… this is just the technologies… Terra Verde can help with process!
19. ALIENVAULT LABS THREAT INTELLIGENCE:
COMPLETE COVERAGE TO STAY AHEAD OF THE
THREAT
Network and host-based IDS signatures – detects the latest threats in your environment
Asset discovery signatures – identifies the latest OS’es, applications, and device types
Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems
Correlation rules – translates raw events into actionable remediation tasks
Reporting modules – provides new ways of viewing data about your environment
Dynamic incident response templates – delivers customized guidance on how to respond to each alert
Newly supported data source plug-ins – expands your monitoring footprint
20. WHY ALIENVAULT FOR PCI DSS COMPLIANCE?
All-in-one functionality
Easy management
Multiple functions without multiple consoles
Automate what and where you can*
“Baked in” guidance when you can’t
Flexible reporting & queries… as detailed as you want it.
Threat intelligence from AlienVault Labs
*Disclaimer: Despite the hype, you can’t automate EVERYTHING nor would you want to. This is cyber security we’re talking about!
22. PCI COMPLIANCE STRUGGLES
You aren’t alone
96% of breach victims were not compliant (Verizon, 2012).
5 common failures
Testing security
Monitoring networks
Maintaining firewalls
Using vendor defaults
Maintaining a security policy
23. TVS CLIENTS
USM components that have helped our clients the most:
Log aggregation, correlation, analysis
Network intrusion detection
Host intrusion detection
Wireless intrusion detection
Vulnerability scanning
File integrity monitoring
Key USM advantages:
• Consolidated features
• Essential security capabilities
• Reduced cost & complexity
• Single pane-of-glass
• Easy to use & deploy
24. REQUIREMENT 1: Install and maintain a firewall configuration to protect data
PCI DSS Requirement: 1.1, 1.2, 1.3
USM Capabilities: NetFlow analysis; System availability monitoring; SIEM; Asset discovery
Benefits:
• Unified and correlated NetFlow analysis and firewall logs deliver “single pane of glass” visibility into access to cardholder-related data and resources.
• Built-in asset discovery provides a dynamic asset inventory and topology diagrams. Cardholder-related resources can be identified and monitored for unusual activity.
• Accurate and automated asset inventory combined with relevant security events accelerates incident response efforts and analysis.
25. REQUIREMENT 2: No use of vendor-supplied parameter defaults
PCI DSS Requirement: 2.1, 2.2, 2.3
USM Capabilities: Network intrusion detection (IDS); Vulnerability assessment; Host-based intrusion detection (HIDS)
Benefits:
• Built-in, automated vulnerability assessment identifies the use of weak and default passwords.
• Built-in host-based intrusion detection and file integrity monitoring will signal when password files and other critical system files have been modified.
26. REQUIREMENT 3: Protect stored cardholder data
PCI DSS Requirement: 3.6.7
USM Capabilities: Log management; Host-based intrusion detection (HIDS); File integrity monitoring; NetFlow analysis; SIEM
Benefits:
• Unified log review and analysis, with triggered alerts for high risk systems (containing credit cardholder data).
• Built-in host-based intrusion detection and file integrity monitoring detect and alarm on changes to cryptographic keys.
• Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.
27. REQUIREMENT 4: Encrypt cardholder data transmission across open public networks
PCI DSS Requirement: 4.1
USM Capabilities: NetFlow analysis; Behavioral monitoring; Wireless IDS; SIEM
Benefits:
• Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.
• Built-in wireless IDS monitors encryption strength and identifies unauthorized access attempts to critical infrastructure.
28. REQUIREMENT 5: Use and update anti-virus software
PCI DSS Requirement: 5.1, 5.2
USM Capabilities: Host-based intrusion detection (HIDS); Network intrusion detection (IDS); Log management
Benefits:
• Built-in host-based intrusion detection provides an extra layer of defense against zero day threats (before an anti-virus update can be issued).
• Unified log management provides an audit trail of anti-virus software use by collecting log data from anti-virus software.
• Built-in network intrusion detection identifies and alerts on malware infections in the credit cardholder data environment.
29. REQUIREMENT 6: Develop and maintain secure systems and applications
PCI DSS Requirement: 6.1, 6.2, 6.3, 6.3.2, 6.4, 6.5
USM Capabilities: Asset discovery; Vulnerability assessment; Network intrusion detection (IDS); SIEM
Benefits:
• Built-in and consolidated asset inventory, vulnerability assessment, threat detection and event correlation provides a unified view of an organization’s security posture and critical system configuration.
• Built-in vulnerability assessment checks for a variety of well-known security exploits (e.g., SQL injection).
30. REQUIREMENT 7: Restrict cardholder data access to need to know
PCI DSS Requirement: 7.1, 7.2
USM Capabilities: SIEM
Benefits:
• Automated event correlation identifies unauthorized access to systems with credit cardholder data.
31. REQUIREMENT 8: Assign unique IDs to everyone with computer access
PCI DSS Requirement: 8.1, 8.2, 8.4, 8.5
USM Capabilities: Log management
Benefits:
• Built-in log management captures all user account creation activities and can also identify unencrypted passwords on critical systems.
32. REQUIREMENT 10: Track and monitor access to all network resources and cardholder data
PCI DSS Requirement: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7
USM Capabilities: Host-based intrusion detection (HIDS); Network intrusion detection (IDS); Behavioral monitoring; Log management; SIEM
Benefits:
• Built-in threat detection, behavioral monitoring and event correlation signals attacks in progress—for example, unauthorized access followed by additional security exposures such as cardholder data exfiltration.
• Built-in log management enables the collection and correlation of valid and invalid authentication attempts on critical devices.
• Centralized, role-based access control for audit trails and event logs preserves “chain of custody” for investigations.
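A minimal version of the valid/invalid authentication correlation the Requirement 10 row describes, as an added example that is not AlienVault USM code: sshd log lines are normalised into events, and an alarm is raised when a successful login for a (host, user, source) follows at least three failures within five minutes. The sample log lines, host name and addresses are constructed, and the threshold and window are assumed values a reviewer would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not real logs).
SAMPLE_LOG = """\
Jan 15 03:12:01 pos-db01 sshd[2211]: Failed password for admin from 10.9.8.7 port 5011 ssh2
Jan 15 03:12:04 pos-db01 sshd[2211]: Failed password for admin from 10.9.8.7 port 5012 ssh2
Jan 15 03:12:07 pos-db01 sshd[2211]: Failed password for admin from 10.9.8.7 port 5013 ssh2
Jan 15 03:12:09 pos-db01 sshd[2211]: Failed password for admin from 10.9.8.7 port 5014 ssh2
Jan 15 03:12:15 pos-db01 sshd[2212]: Accepted password for admin from 10.9.8.7 port 5015 ssh2
Jan 15 09:00:00 pos-db01 sshd[2300]: Failed password for ops from 10.1.1.5 port 6000 ssh2
Jan 15 09:05:00 pos-db01 sshd[2301]: Accepted password for ops from 10.1.1.5 port 6001 ssh2
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                  r"(Failed|Accepted) password for (\S+) from (\S+) port")

def parse(text, year=2014):
    """Normalise each sshd line into an event; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an authentication event
        events.append({
            "ts": datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
            "host": m.group(2), "ok": m.group(3) == "Accepted",
            "user": m.group(4), "src": m.group(5)})
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alarm when a success follows >= threshold failures for the same
    (host, user, source) inside the window: invalid attempts ending in valid access."""
    failures = defaultdict(list)
    alarms = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["user"], e["src"])
        if not e["ok"]:
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alarms.append({"host": key[0], "user": key[1], "src": key[2],
                           "failures": len(recent), "success_at": e["ts"]})
        failures[key].clear()  # a success resets the counter for that key
    return alarms
```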
33. REQUIREMENT 11: Regularly test security systems and processes
PCI DSS Requirement: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
USM Capabilities: Vulnerability assessment; Wireless IDS; Host-based intrusion detection (HIDS); File integrity monitoring; SIEM
Benefits:
• Built-in vulnerability assessment streamlines the scanning and remediation process – one console to manage it all.
• Built-in wireless IDS detects and alerts on rogue wireless access points, and weak encryption configurations.
• Built-in host-based intrusion detection identifies the attachment of USB devices including WLAN cards.
• Unified vulnerability assessment, threat detection, and event correlation provides full situational awareness in order to reliably test security systems and processes.
• Built-in file integrity monitoring alerts on unauthorized modification of system files, configuration files, or content.
35. CONTACT US
Carlos Villalba
Director, Security Services
Terra Verde Services
carlos.villalba@TerraVerdeServices.com
877-707-7997 (x 21)
Sandy Hawke
VP, Product Marketing
AlienVault
shawke@alienvault.com
Patrick Bass
Director, Security Solutions
Terra Verde Services
patrick.bass@TerraVerdeServices.com
877-707-7997 (x 16)
36. NOW FOR SOME Q&A…
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usmlive-demo
Already a customer? TVS provides training:
http://www.terraverdeservices.com/alienvaulttraining.html
Questions? hello@alienvault.com
37. VIEW WEBCAST ON-DEMAND…
A recorded version of this webcast is available On-Demand, and can be viewed Here.
Editor’s notes
Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high level what are the core functionalities I need to pass my audit and stay in compliance?
• Asset visibility (broad and deep)
• Vulnerability assessment (network, apps, etc.)
• Threat detection: File integrity monitoring; Host-based IDS (on the “interesting” stuff); Network-based IDS; Wireless IDS
• Behavioral Monitoring: Service availability – if credit card processing breaks, you have bigger problems; Network anomalies; Policy violations; User activity – especially those with superpowers
• Security Intelligence: Event Correlation (here’s where “Big Data” comes in, but yawn, who cares, that’s just a processing challenge); Incident Response; Compliance Reporting; Executive Dashboards
• Easy management (RBAC, output types, filters, etc.)