Mostafa Moraad
Security Solution Consultant
Vulnerability Management &
PCI-DSS Compliance
Agenda
• Vulnerability Management Lifecycle
• Why Vulnerability Management
– Definitions
– Concepts
– Sample Security Report (Cisco 2014)
– Best Practice
• PCI-DSS Introduction
– PCI-DSS is …
– PCI-DSS Role Players
– Requirement
– Validation Challenges
– Integration of efforts
• SecNet Sol#1 (Qualys)
• SecNet Sol#2 (Tenable)
• Deliverables
• Benefits & ROI
13 April 2014 Mostafa Moraad - SecNet L.L C. 2
Vulnerability Management Lifecycle
Lifecycle diagram (steps in order):
1. Setup & Discovery (network devices)
2. Planning: prioritize assets & check policy
3. Vulnerability Assessment
4. Report
5. Remediate
6. Verify
7. Summary Report
8. Monitor
Definitions
• Vulnerability: A flaw or weakness in system security procedures, design,
implementation, or internal controls that may result in a security breach or
a violation of the system's security policy.
• Threat: The potential for a specific vulnerability to be exercised, either
intentionally or accidentally.
• Control: Measures taken to prevent, detect, minimize, or eliminate risk to
protect the Integrity, Confidentiality, and Availability of information.
• Vulnerability Assessment: The process of identifying, quantifying, and
prioritizing (or ranking) the vulnerabilities in a system.
Concepts
• Vulnerabilities come from many things, including:
  i. Flaws in software
  ii. Faulty configuration
  iii. Weak passwords
  iv. Human error
  v. Inappropriately assigned permission levels
  vi. Systems inappropriately placed in the infrastructure/environment
• Vulnerability Assessment is the most important subset of Vulnerability Management
• Attackers have a natural advantage over defenders: they are smart, dedicated and persistent, so no single security approach can be sufficient to stop them
• New vulnerabilities come out every day, and they don’t go away by themselves
Sample Security Report (Cisco 2014)
Best Practice
• Proactive vs. reactive
• Vulnerability Management is a repetitive process
• Create official purpose and procedures
• Decide on schedule
• Think in terms of risk
• Document everything
• Know your environment
• Always be prepared
PCI-DSS Introduction (Payment Card Industry Data Security Standard)
How to apply this in financial organizations?
PCI-DSS is…
• A security standard that includes requirements for security
management (Vulnerability management), policies,
procedures, network architecture, software design and other
critical protective measures to help organizations proactively
protect customer account data.
• Primarily concerned with the Processing, Storage and
Transmission of the Primary Account Number (PAN) on the
front of every Debit and Credit Card, and its protection
• A joint effort of (VISA International, MasterCard Worldwide,
American Express, Discover Financial Services, JCB)
• Meant for Systems (H/W, S/W), Merchants, Service Providers
and any organization that Stores, Transmits or Processes
cardholder data in any kind of transaction
PCI-DSS Role Players
Requirements (1)
12 Requirements divided into 6 Categories
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and
other security parameters.
Protect Cardholder Data
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive
information across public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
Requirements (2)
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and
cardholder data.
11. Routinely test security systems and processes.
Maintain an Information Security Policy
12. Establish high-level security principles and procedures.
Validation Challenges
• Annual Assessment Questionnaire
• Security Vulnerability Scan – Quarterly
• Fully understand and document the processes and payment environment
• Tracking and monitoring of access to payments card systems and data
• Controlling logical access to systems containing payment card data
• Security event monitoring across various environments
• Limited security capabilities (authentication, monitoring, etc.) of legacy
systems
• Remediation of controls across large (legacy) distributed environments
• Encryption of payment card data
• Putting PCI language in place for third-party service providers
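The lifecycle steps (prioritize, assess, remediate, verify, monitor), the "think in terms of risk" and "decide on schedule" best practices, and the quarterly external scan requirement, worked through as an added Python example that is not code from the deck or from SecNet, Qualys or Tenable. Host names, check IDs, severity/asset weights and scan dates are constructed sample data; the CVSS 4.0 failing threshold comes from the PCI ASV Program Guide, not from these slides.

```python
"""Vulnerability-management lifecycle on constructed scan output.

Added example, not code from the deck or from SecNet, Qualys or Tenable.
Covers: prioritize by risk (severity x asset criticality), verify remediation
by diffing the rescan, check the PCI external-scan pass/fail and the 90-day
scan cadence. Host names, check IDs, weights and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date

# "Think in terms of risk": scanner severity is weighted by how critical the
# asset is; "cde" = cardholder data environment, i.e. in PCI scope (constructed classes).
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
ASSET_WEIGHT = {"cde": 3, "internal": 2, "lab": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    asset_class: str
    check_id: str      # scanner check identifier (constructed, e.g. "CHK-0001")
    severity: str
    cvss: float

    def risk(self) -> int:
        return SEVERITY_WEIGHT[self.severity] * ASSET_WEIGHT[self.asset_class]


def prioritize(findings):
    """'Prioritize Assets' step: rank by risk, then CVSS, highest first."""
    return sorted(findings, key=lambda f: (f.risk(), f.cvss), reverse=True)


def verify(before, after):
    """'Verify' step: diff the assessment scan against the rescan.
    Returns (remediated, still_open, new) as sorted (host, check_id) lists."""
    key = lambda f: (f.host, f.check_id)
    b, a = {key(f) for f in before}, {key(f) for f in after}
    return sorted(b - a), sorted(b & a), sorted(a - b)


def asv_scan_result(findings, fail_threshold=4.0):
    """PCI external scan pass/fail for in-scope hosts. The CVSS 4.0 failing
    threshold is the ASV Program Guide rule, not something the slides state."""
    failing = sorted({f.host for f in findings
                      if f.asset_class == "cde" and f.cvss >= fail_threshold})
    return ("FAIL" if failing else "PASS", failing)


def quarterly_cadence_ok(scan_dates, today, max_gap_days=90):
    """'Pass network security scans every 90 days' / 'decide on schedule':
    no gap between consecutive scans, or between the last scan and today,
    may exceed max_gap_days. Returns (ok, largest_gap_in_days)."""
    if not scan_dates:          # never scanned: cannot be compliant
        return False, None
    dates = sorted(scan_dates) + [today]
    gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
    return all(g <= max_gap_days for g in gaps), max(gaps)


# Constructed sample data: an assessment scan and the verification rescan.
INITIAL_SCAN = [
    Finding("pos-gw-01", "cde", "CHK-0001", "high", 7.5),
    Finding("pos-gw-01", "cde", "CHK-0002", "low", 2.6),
    Finding("hr-db-01", "internal", "CHK-0003", "critical", 9.8),
    Finding("lab-vm-07", "lab", "CHK-0001", "high", 7.5),
]
RESCAN = [
    Finding("pos-gw-01", "cde", "CHK-0002", "low", 2.6),           # still open
    Finding("hr-db-01", "internal", "CHK-0003", "critical", 9.8),  # not yet patched
    Finding("lab-vm-07", "lab", "CHK-0004", "medium", 5.0),        # newly found
]
SCAN_DATES = [date(2014, 1, 10), date(2014, 4, 5)]   # constructed scan history
TODAY = date(2014, 4, 13)


def lifecycle_report(before=INITIAL_SCAN, after=RESCAN):
    """One pass through the loop; returns the per-step results as a dict."""
    remediated, still_open, new = verify(before, after)
    return {
        "priority_order": [(f.host, f.check_id) for f in prioritize(before)],
        "remediated": remediated,
        "still_open": still_open,
        "new": new,
        "asv_before": asv_scan_result(before),
        "asv_after": asv_scan_result(after),
        "cadence": quarterly_cadence_ok(SCAN_DATES, TODAY),
    }


if __name__ == "__main__":
    for step, result in lifecycle_report().items():
        print(f"{step:>15}: {result}")
```

With this data the high finding on the in-scope payment gateway outranks the critical finding on the internal HR database because of the asset weighting, and the rescan passes the external-scan threshold even though a low finding remains open.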
Solution #1: QualysGuard IT Security & Compliance Suite
Qualys at a Glance
• Founded in 1999
  – Built as a Software as a Service (SaaS) implementation from inception
• Financials
  – $65M in funding; last round of funding in Dec 2004
• Subscriber Base
  – 4,000+ active subscribers (very diversified customer base)
  – 42% Fortune 100, 22% Fortune 1000 and 15% Forbes Global 2000
  – Americas 70%, EMEA 25%, Asia Pacific 5%
• Global Strategic Partnerships
  – MSSPs: Symantec, IBM, BT, SecureWorks, Savvis, Verizon Business, Tata, NTT, Telus, Orange Business Systems
  – Security Consulting Organizations: IBM, HP, Cisco, HCL, Wipro, Fishnet, Accuvant, Deloitte, PwC, Computacenter
QualysGuard
IT Security & Compliance Suite
• QualysGuard Vulnerability Management
- Globally Deployable, Scalable Security Risk and Vulnerability
Management
• QualysGuard Policy Compliance
- Define, Audit, and Document IT Security Compliance
• QualysGuard PCI Compliance
- Automated PCI Compliance Validation for Merchants and
Acquiring Institutions
• QualysGuard Web Application Scanning
- Automated Web Application Security Assessment and
Reporting that Scales with your Business
• QualysGuard Malware Detection (New)
- Free Malware Detection Service for Web Sites
• Qualys GO SECURE (New)
- Web Site Security Testing Service and Security Seal that
Scans for Vulnerabilities, Malware and SSL Certificate
Validation
Software-as-a-Service (SaaS)
• SaaS applications can easily be deployed globally
• SaaS simplifies security
• SaaS enables a shorter time from development to delivery of
application enhancements
• SaaS allows for easier integration between point solutions and
transparent delivery for the user
• SaaS business model has security built-in
• SaaS Model allows short Sales Cycle with extremely quick PoC
Turnaround time.
QualysGuard Global Infrastructure
• Annual volume of scans: 200+ million IP audit scans (maps and scans) with 7,000 scanner appliances in over 85 countries, with 6 Sigma scanning accuracy (less than 3.4 defects per million scans)
• The world's largest VM enterprise deployment: a Forbes Global 50 company with 223 scanner appliances deployed in 52 countries, scanning over 750,000 IPs
IT Security + Compliance Posture: actionable reporting for all stakeholders (Security, Auditors, Management, Operations)
QualysGuard Vulnerability Management
Reduce security risks to the business by operationalizing the management of network vulnerabilities:
– Discover and prioritize all network assets with no software to install or maintain
– Identify security vulnerabilities
– Distribute and audit remediation
– Integrate with 3rd party and customer applications
QualysGuard Policy Compliance
Provides a comprehensive compliance posture of the global IT infrastructure; distributes and audits remediation:
– Identify policy violations remotely across all network assets
– Supports multiple regulatory initiatives and mandates
– Controls Library mapped directly to frameworks such as COBIT, ISO, HIPAA, Basel II, etc.
– Detailed reporting tailored to the unique needs of auditors, IT security and compliance users
QualysGuard® Policy Compliance (Audit Results & Reports)
• Automated Compliance Reporting
  – Report Templates
  – Compliance to Policy by Asset Group or by Host
  – Trend of remediation efforts
  – Effectiveness of compliance programs
  – Identify areas that need to be addressed quickly
• Built-in Exception Management
  – Create and manage exceptions
  – Track remediation SLA
QualysGuard® PCI
SaaS platform for ASVs and QSAs to perform PCI DSS certification, and for acquiring banks to audit their merchants:
– Complete the annual PCI DSS “Self-Assessment Questionnaire”
– Pass network security scans every 90 days by an approved scanning vendor
– Document and submit proof of compliance to acquiring banks
– Meet requirement 6.6 by performing automated Web Application Scanning
QualysGuard in the Market
Customer logo slide; segments shown: Financial Services, Chemical, Insurance, Portals/Internet, Retail, Technology, Consulting
Solution #2: Tenable Security Center
About Tenable (Nessus)
• Growth Capital: Tenable receives $50M in growth capital from Accel Partners to accelerate company growth.
• ACAS: Tenable receives the ACAS award from DISA to become the standard for active and passive monitoring across the DoD and Intelligence Community.
• Seamless Solution: Tenable is the only vendor to deliver real-time vulnerability, threat and compliance management for mobile, cloud and virtual infrastructure by combining active scanning and patented passive monitoring.
• PCI Approved Scanning Vendor (PCI ASV): Tenable becomes a PCI ASV, allowing Nessus Perimeter Service customers to scan their perimeter networks and submit PCI scans for quarterly validation.
• Founded in 2002
• Creator of Nessus®, the de facto standard for vulnerability management
  – Over 15,000 customers
  – Over 2 million Nessus users
• Highest Gartner rating
• Profitable, with 19 consecutive quarters of growth
• 4 years, 552% annual revenue growth
Security Center
Enterprise-level vulnerability scanning and configuration auditing:
> Vulnerability and Patch Auditing
> Web Application auditing
> Configuration Auditing
> Botnet detection
SC Continuous View
System Analysis
> Continuous Asset Discovery
> Server Vulnerabilities
> Client Side Vulnerabilities
> SSL Certificate Auditing
> File Share Listings
> Social Network Application
> Trust Relationships
> Mobile Device Identification
Create New Logs That Don’t Exist
> Log administration sessions for SSH, VNC and Windows Remote Desktop
> Log all SSL sessions
> Log all files transferred via HTTP, SMB, NFS, FTP and SMTP
> Log all DNS queries and web requests
> Convert SQL queries to log statements
> Identify new hosts and new ports in real-time
> Identify interactive and encrypted network sessions
Event Sources
> System Logs
> Firewalls
> NIDS
> File Integrity
> Mainframes
> Netflow
> Anti Virus
> Web Logs
> Logins
> Honeypots
> Email Logs
Correlations
> Threatlist connections
> Intrusion Events that target Vulnerabilities
> Tracking all events by User ID
> Statistical increases in events
> First time seen events
> Continuous event stream
Active System Analysis
> Asset Discovery
> Vulnerability Auditing
> Web Application Testing
> Patch Auditing
> Configuration Auditing
> Sensitive Data At Rest
> Botnet Identification
> Software Enumeration
> User Enumeration
> Anti Virus Agent Auditing
Report Samples
PCI Compliance Report
3D Network Visualization
Benefits & ROI
• Protect customers’ personal data
• Boost customer confidence through a higher level of data security
• Lower exposure to financial losses and remediation costs
• Maintain customer trust and safeguard the reputation of the brand
• Provide a complete “health check” for any business that stores or transmits
customer information
Thank You

Más contenido relacionado

La actualidad más candente

PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyAlienVault
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance MonitoringKimberly Simon MBA
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Experience for implement PCI DSS
Experience for implement PCI DSS  Experience for implement PCI DSS
Experience for implement PCI DSS Nhat Phan Canh
 
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...North Texas Chapter of the ISSA
 
Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)ControlCase
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the CloudControlCase
 
Point-to-Point Encryption: Best Practices and PCI Compliance Update
Point-to-Point Encryption: Best Practices and PCI Compliance UpdatePoint-to-Point Encryption: Best Practices and PCI Compliance Update
Point-to-Point Encryption: Best Practices and PCI Compliance UpdateMerchant Link
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
Nana Owusu resume today
Nana Owusu resume todayNana Owusu resume today
Nana Owusu resume todayNana Owusu
 

La actualidad más candente (20)

PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Experience for implement PCI DSS
Experience for implement PCI DSS  Experience for implement PCI DSS
Experience for implement PCI DSS
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016
 
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
 
Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
Point-to-Point Encryption: Best Practices and PCI Compliance Update
Point-to-Point Encryption: Best Practices and PCI Compliance UpdatePoint-to-Point Encryption: Best Practices and PCI Compliance Update
Point-to-Point Encryption: Best Practices and PCI Compliance Update
 
P2PE - PCI DSS
P2PE - PCI DSSP2PE - PCI DSS
P2PE - PCI DSS
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
Nana Owusu resume today
Nana Owusu resume todayNana Owusu resume today
Nana Owusu resume today
 
Resume
ResumeResume
Resume
 

Similar a 1 final secnet_pci

Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information SecurityAhmed Sayed-
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler HelpSystems
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)Kimberly Simon MBA
 
Managed security services
Managed security servicesManaged security services
Managed security servicesmanoharparakh
 
Time to re think our security process
Time to re think our security processTime to re think our security process
Time to re think our security processUlf Mattsson
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
Securing Web Applications
Securing Web ApplicationsSecuring Web Applications
Securing Web ApplicationsMark Garratt
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as UsualControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)ControlCase
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...SBWebinars
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMAlienVault
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 
Federal Webinar: Security Compliance with SolarWinds Network Management Tools
Federal Webinar: Security Compliance with SolarWinds Network Management ToolsFederal Webinar: Security Compliance with SolarWinds Network Management Tools
Federal Webinar: Security Compliance with SolarWinds Network Management ToolsSolarWinds
 

Similar a 1 final secnet_pci (20)

Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information Security
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Managed security services
Managed security servicesManaged security services
Managed security services
 
Time to re think our security process
Time to re think our security processTime to re think our security process
Time to re think our security process
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
Securing Web Applications
Securing Web ApplicationsSecuring Web Applications
Securing Web Applications
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as Usual
 
MultiValue Security
MultiValue SecurityMultiValue Security
MultiValue Security
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
 
PCI presentation
PCI presentationPCI presentation
PCI presentation
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
 
Federal Webinar: Security Compliance with SolarWinds Network Management Tools
Federal Webinar: Security Compliance with SolarWinds Network Management ToolsFederal Webinar: Security Compliance with SolarWinds Network Management Tools
Federal Webinar: Security Compliance with SolarWinds Network Management Tools
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 

Último

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Último (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Are Multi-Cloud and Serverless Good or Bad?

1 final secnet_pci

  • 1. Mostafa Moraad, Security Solution Consultant
    Vulnerability Management & PCI-DSS Compliance
  • 2. Agenda
    – Vulnerability Management Lifecycle
    – Why Vulnerability Management: Definitions, Concepts, Sample Security Report (Cisco 2014), Best Practice
    – PCI-DSS Introduction: PCI-DSS is …, PCI-DSS Role Players, Requirements, Validation Challenges, Integration of efforts
    – SecNet Sol#1 (Qualys)
    – SecNet Sol#2 (Tenable)
    – Deliverables
    – Benefits & ROI
    13 April 2014 Mostafa Moraad - SecNet L.L C.
  • 3. Vulnerability Management Lifecycle (cycle diagram): Setup & Discovery → Network Devices Planning → Prioritize Assets & check Policy → Vulnerability Assessment → Report → Remediate → Verify → Summary Report → Monitor
  • 4. Definitions
    – Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that may result in a security breach or a violation of the system's security policy.
    – Threat: The potential for a specific vulnerability to be exercised, either intentionally or accidentally.
    – Control: Measures taken to prevent, detect, minimize, or eliminate risk to protect the Integrity, Confidentiality, and Availability of information.
    – Vulnerability Assessment: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
  • 5. Concepts
    – Vulnerabilities come from many things, including: i. flaws in software; ii. faulty configuration; iii. weak passwords; iv. human error; inappropriately assigned permission levels; systems inappropriately placed in the infrastructure/environment.
    – Vulnerability Assessment is the most important subset of Vulnerability Management.
    – Attackers have a natural advantage over defenders: they are smart, dedicated and persistent, so no single security approach can be sufficient to stop them.
    – New vulnerabilities come out every day, and they don't go away by themselves.
  • 6. Sample Security Report (Cisco 2014)
  • 7. Best Practice
    – Proactive vs. Reactive
    – Vulnerability Management is a repetitive process
    – Create official purpose and procedures
    – Decide on schedule
    – Think in terms of risk
    – Document everything
    – Know your environment
    – Always be prepared
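The lifecycle on slide 3 (prioritize, remediate, verify) and the Best Practice points "Decide on schedule" and "Think in terms of risk" are easier to see in working form. The following is an added example, not code from the deck or from Qualys or Tenable: the findings, host names and check names are constructed, and the CVSS severity bands, the asset-criticality weights and the per-severity SLA windows are assumptions chosen for illustration. It ranks findings by risk (scanner severity weighted by how much the asset matters), computes each finding's remediation due date, and implements the verify step by confirming a finding is closed only when a later scan no longer reports it.

```python
"""Risk-based prioritization and remediation-SLA tracking over scan findings.

Added example, not code from the slide deck, Qualys or Tenable. The findings
below are constructed, and the severity bands, asset-criticality weights and
SLA windows are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows per severity, in days from first detection.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed weight for how much the asset matters; systems handling
# cardholder data (the "cde" zone) get the highest weight.
ASSET_CRITICALITY = {"cde": 3.0, "internal": 1.5, "lab": 0.5}

# Date the report is produced (constructed to match the deck's date).
REPORT_DATE = date(2014, 4, 13)


@dataclass(frozen=True)
class Finding:
    host: str
    zone: str         # key into ASSET_CRITICALITY
    check: str        # scanner check that fired (constructed names)
    cvss: float       # CVSS base score, 0.0 - 10.0
    first_seen: date


def severity(cvss: float) -> str:
    """Map a CVSS base score onto the SLA ladder (assumed bands)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(f: Finding) -> float:
    """'Think in terms of risk': scanner severity weighted by asset criticality."""
    return round(f.cvss * ASSET_CRITICALITY[f.zone], 1)


def sla_due(f: Finding) -> date:
    """Date by which the finding must be remediated under the assumed SLA."""
    return f.first_seen + timedelta(days=SLA_DAYS[severity(f.cvss)])


def prioritize(findings, today: date):
    """Order findings for the remediation report: overdue items first,
    then by descending risk, then by nearest SLA due date."""
    rows = []
    for f in findings:
        due = sla_due(f)
        rows.append({
            "host": f.host,
            "check": f.check,
            "severity": severity(f.cvss),
            "risk": risk_score(f),
            "due": due,
            "overdue_days": max(0, (today - due).days),
        })
    rows.sort(key=lambda r: (r["overdue_days"] == 0, -r["risk"], r["due"]))
    return rows


def verify_remediation(previous, current):
    """Verify step of the lifecycle: a finding counts as closed only when a
    later scan no longer reports the same check on the same host."""
    still_open = {(f.host, f.check) for f in current}
    return sorted((f.host, f.check) for f in previous
                  if (f.host, f.check) not in still_open)


# Constructed sample findings from two scan runs.
SCAN_1 = [
    Finding("pos-web-01", "cde", "TLS 1.0 enabled", 5.3, date(2014, 1, 2)),
    Finding("pos-web-01", "cde", "Unsupported web server version", 9.8, date(2014, 3, 20)),
    Finding("hr-files-03", "internal", "SMB signing not required", 6.0, date(2014, 3, 1)),
    Finding("lab-vm-07", "lab", "Default SNMP community string", 7.2, date(2014, 4, 1)),
]
# Re-scan after patching: the web server was upgraded, nothing else changed.
SCAN_2 = [f for f in SCAN_1 if f.check != "Unsupported web server version"]

if __name__ == "__main__":
    for row in prioritize(SCAN_1, REPORT_DATE):
        print(f"{row['host']:12} {row['severity']:8} risk={row['risk']:5} "
              f"due={row['due']} overdue={row['overdue_days']}d  {row['check']}")
    print("closed since last scan:", verify_remediation(SCAN_1, SCAN_2))
```

Two design points worth noting: the report leads with overdue items regardless of raw score, so a medium-severity finding on a cardholder-data host that has slipped past its window still outranks a fresh high on a lab box, and closure is never inferred from a ticket being marked done, only from the re-scan.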
  • 8. PCI-DSS Introduction (Payment Card Industry Data Security Standard): how to apply this in financial organizations?
  • 9. PCI-DSS is…
    – A security standard that includes requirements for security management (vulnerability management), policies, procedures, network architecture, software design and other critical protective measures to help organizations proactively protect customer account data.
    – Primarily concerned with the processing, storage and transmission of the Primary Account Number (PAN) on the front of every debit and credit card, and its protection.
    – A joint effort of VISA International, MasterCard Worldwide, American Express, Discover Financial Services and JCB.
    – Meant for systems (H/W, S/W), merchants, service providers and any organization that stores, transmits or processes cardholder data in any kind of transaction.
  • 10. PCI-DSS Role Players
  • 11. Requirements (1): 12 requirements divided into 6 categories
    Build and Maintain a Secure Network
    – 1. Install and maintain a firewall configuration to protect data.
    – 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
    Protect Cardholder Data
    – 3. Protect stored data.
    – 4. Encrypt transmission of cardholder data and sensitive information across public networks.
    Maintain a Vulnerability Management Program
    – 5. Use and regularly update antivirus software.
    – 6. Develop and maintain secure systems and applications.
  • 12. Requirements (2)
    Implement Strong Access Control Measures
    – 7. Restrict access to data by business need-to-know.
    – 8. Assign a unique ID to each person with computer access.
    – 9. Restrict physical access to cardholder data.
    Regularly Monitor and Test Networks
    – 10. Track and monitor all access to network resources and cardholder data.
    – 11. Routinely test security systems and processes.
    Maintain an Information Security Policy
    – 12. Establish high-level security principles and procedures.
  • 13. Validation Challenges
    – Annual Assessment Questionnaire
    – Security vulnerability scan, quarterly
    – Fully understand and document the processes and the payment environment
    – Tracking and monitoring of access to payment card systems and data
    – Controlling logical access to systems containing payment card data
    – Security event monitoring across various environments
    – Limited security capabilities (authentication, monitoring, etc.) of legacy systems
    – Remediation of controls across large (legacy) distributed environments
    – Encryption of payment card data
    – Putting PCI language in place for third-party service providers
  • 14. Solution #1: QualysGuard IT Security & Compliance Suite
  • 15. Qualys at a Glance
    – Founded in 1999; built as a Software as a Service (SaaS) implementation from inception
    – Financials: $65M in funding; last round of funding in Dec 2004
    – Subscriber base: 4,000+ active subscribers (very diversified customer base); 42% of the Fortune 100, 22% of the Fortune 1000 and 15% of the Forbes Global 2000; Americas 70%, EMEA 25%, Asia Pacific 5%
    – Global strategic partnerships: MSSPs: Symantec, IBM, BT, SecureWorks, Savvis, Verizon Business, Tata, NTT, Telus, Orange Business Systems; security consulting organizations: IBM, HP, Cisco, HCL, Wipro, Fishnet, Accuvant, Deloitte, PwC, Computacenter
  • 16. QualysGuard IT Security & Compliance Suite
    – QualysGuard Vulnerability Management: globally deployable, scalable security risk and vulnerability management
    – QualysGuard Policy Compliance: define, audit, and document IT security compliance
    – QualysGuard PCI Compliance: automated PCI compliance validation for merchants and acquiring institutions
    – QualysGuard Web Application Scanning: automated web application security assessment and reporting that scales with your business
    – QualysGuard Malware Detection (new): free malware detection service for web sites
    – Qualys GO SECURE (new): web site security testing service and security seal that scans for vulnerabilities, malware and SSL certificate validation
  • 17. Software-as-a-Service (SaaS)
    – SaaS applications can easily be deployed globally
    – SaaS simplifies security
    – SaaS enables a shorter time from development to delivery of application enhancements
    – SaaS allows for easier integration between point solutions and transparent delivery for the user
    – The SaaS business model has security built in
    – The SaaS model allows a short sales cycle with extremely quick PoC turnaround time
  • 18. QualysGuard Global Infrastructure
    – Annual volume of scans: 200+ million IP audit scans (maps and scans) with 7,000 scanner appliances in over 85 countries, with Six Sigma scanning accuracy (less than 3.4 defects per million scans)
    – The world's largest VM enterprise deployment: at a Forbes Global 50 company, with 223 scanner appliances deployed in 52 countries scanning over 750,000 IPs
  • 19. IT Security + Compliance Posture: actionable reporting for all stakeholders (Security, Auditors, Management, Operations)
  • 20. QualysGuard Vulnerability Management: reduce security risks to the business by operationalizing the management of network vulnerabilities
    – Discover and prioritize all network assets with no software to install or maintain
    – Identify security vulnerabilities
    – Distribute and audit remediation
    – Integrate with 3rd-party and customer applications
  • 21. QualysGuard Policy Compliance: provides a comprehensive compliance posture of the global IT infrastructure
    – Distributes and audits remediation
    – Identify policy violations remotely across all network assets
    – Supports multiple regulatory initiatives and mandates
    – Controls library mapped directly to frameworks such as COBIT, ISO, HIPAA, Basel II, etc.
    – Detailed reporting tailored to the unique needs of auditors, IT security and compliance users
  • 22. QualysGuard® Policy Compliance (Audit Results & Reports)
    – Automated compliance reporting: report templates; compliance to policy by asset group or by host; trend of remediation efforts; effectiveness of compliance programs; identify areas that need to be addressed quickly
    – Built-in exception management: create and manage exceptions; track remediation SLA
  • 23. QualysGuard® PCI: SaaS platform for ASVs and QSAs to perform PCI DSS certification, and for acquiring banks to audit their merchants
    – Complete the annual PCI DSS "Self-Assessment Questionnaire"
    – Pass network security scans every 90 days by an Approved Scanning Vendor
    – Document and submit proof of compliance to acquiring banks
    – Meet requirement 6.6 by performing automated Web Application Scanning
  • 24. QualysGuard in the Market (customers by sector): Financial Services, Chemical, Insurance, Portals/Internet, Retail, Technology, Consulting
  • 25. Solution #2: Tenable Security Center
  • 26. About Tenable (Nessus)
    – Founded in 2002
    – Creator of Nessus®, the de facto standard for vulnerability management: over 15,000 customers; over 2 million Nessus users
    – Highest Gartner rating
    – Profitable, with 19 consecutive quarters of growth; 4 years: 552% annual revenue growth
    – Growth capital: Tenable receives $50M in growth capital from Accel Partners to accelerate company growth.
    – ACAS: Tenable receives the ACAS award from DISA to become the standard for active and passive monitoring across the DoD and Intelligence Community.
    – Seamless solution: Tenable is the only vendor to deliver real-time vulnerability, threat and compliance management for mobile, cloud and virtual infrastructure by combining active scanning and patented passive monitoring.
    – PCI Approved Scanning Vendor (PCI ASV): Tenable becomes a PCI ASV, allowing Nessus Perimeter Service customers to scan their perimeter networks and submit PCI scans for quarterly validation.
  • 27. Security Center: enterprise-level vulnerability scanning and configuration auditing
    – Vulnerability and patch auditing
    – Web application auditing
    – Configuration auditing
    – Botnet detection
  • 28. SC Continuous View
    – System Analysis: continuous asset discovery; server vulnerabilities; client-side vulnerabilities; SSL certificate auditing; file share listings; social network applications; trust relationships; mobile device identification
    – Create New Logs That Don't Exist: log administration sessions for SSH, VNC and Windows Remote Desktop; log all SSL sessions; log all files transferred via HTTP, SMB, NFS, FTP and SMTP; log all DNS queries and web requests; convert SQL queries to log statements; identify new hosts and new ports in real time; identify interactive and encrypted network sessions
    – Event Sources: system logs; firewalls; NIDS; file integrity; mainframes; NetFlow; anti-virus; web logs; logins; honeypots; email logs
    – Correlations: threat-list connections; intrusion events that target vulnerabilities; tracking all events by user ID; statistical increases in events; first-time-seen events; continuous event stream
    – Active System Analysis: asset discovery; vulnerability auditing; web application testing; patch auditing; configuration auditing; sensitive data at rest; botnet identification; software enumeration; user enumeration; anti-virus agent auditing
  • 29. Report Samples
  • 30. PCI Compliance Report
  • 31. 3D Network Visualization
  • 32. Benefits & ROI
    – Protect customers' personal data
    – Boost customer confidence through a higher level of data security
    – Lower exposure to financial losses and remediation costs
    – Maintain customer trust and safeguard the reputation of the brand
    – Provide a complete "health check" for any business that stores or transmits customer information

Editor's notes

  1. The challenge is to provide actionable reports to all stakeholders: management needs high-level reports that show the progress of remediation and the state of compliance; IT admins or security teams need technical reports with detailed information about vulnerabilities and the level of risk; operations speaks in patches and wants reports that help them expedite and track patching; auditors need to be able to collect compliance data and use it in compliance documentation.
  2. If you are 90% compliant today, what if you were 98% last week? In large networks, say 100k assets, a drop of 8% of assets is 8k hosts. If this changes over a few days, that is a major concern.
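Two of the compliance checks the deck describes, the posture-drop concern in editor's note 2 (a fall from 98% to 90% across 100k assets is 8k hosts) and slide 23's requirement to pass an ASV network scan every 90 days, are simple to automate over exported report data. The code below is an added example and is not from the deck or from Qualys or Tenable; the posture snapshots and scan history are constructed, the 5-point drop threshold and the 7-day comparison window are assumptions, and only the 90-day window and the 8%-of-100k figure come from the page. It converts a percentage drop into an absolute host count so the size of the change is visible, and it computes the next ASV due date from the last passing scan, since a failed scan does not reset the window.

```python
"""Compliance-posture monitoring: sudden drops and the 90-day ASV scan window.

Added example, not code from the slide deck, Qualys or Tenable. The posture
snapshots and scan history are constructed; the 5-point alert threshold and
7-day window are assumptions, while the 90-day ASV window and the
8%-of-100k-hosts figure come from the deck.
"""
from datetime import date, timedelta

ASV_WINDOW_DAYS = 90        # from the deck: pass an ASV scan every 90 days
DROP_ALERT_POINTS = 5.0     # assumed: alert on a drop of 5 points or more...
DROP_WINDOW_DAYS = 7        # assumed: ...between snapshots at most a week apart

# Date the check is run (constructed to match the deck's date).
REPORT_DATE = date(2014, 4, 13)


def compliance_pct(compliant_hosts: int, total_hosts: int) -> float:
    """Percentage of assets passing policy, rounded to one decimal."""
    return round(100.0 * compliant_hosts / total_hosts, 1)


def posture_alerts(snapshots, max_drop=DROP_ALERT_POINTS, window_days=DROP_WINDOW_DAYS):
    """Compare consecutive posture snapshots (date, compliant, total) and
    report each drop that is both large and fast, expressed in hosts as well
    as in points so the reader sees the real size of the change."""
    alerts = []
    ordered = sorted(snapshots)
    for (d0, c0, t0), (d1, c1, t1) in zip(ordered, ordered[1:]):
        drop = compliance_pct(c0, t0) - compliance_pct(c1, t1)
        days = (d1 - d0).days
        if drop >= max_drop and days <= window_days:
            alerts.append({
                "from": d0, "to": d1, "days": days,
                "drop_points": round(drop, 1),
                "hosts_affected": round(t1 * drop / 100),
            })
    return alerts


def asv_status(scans, today: date):
    """scans: (date, passed) pairs from the ASV history. Only passing scans
    count towards the 90-day window; a failed scan does not reset it."""
    passes = [d for d, passed in scans if passed]
    if not passes:
        return {"last_pass": None, "next_due": None,
                "days_overdue": None, "in_window": False}
    last = max(passes)
    due = last + timedelta(days=ASV_WINDOW_DAYS)
    return {"last_pass": last, "next_due": due,
            "days_overdue": max(0, (today - due).days),
            "in_window": today <= due}


# Constructed weekly posture snapshots: (date, compliant hosts, total hosts).
SNAPSHOTS = [
    (date(2014, 3, 30), 97500, 100000),
    (date(2014, 4, 6), 98000, 100000),
    (date(2014, 4, 13), 90000, 100000),
]

# Constructed ASV scan histories: one merchant is inside the window, one is not.
ASV_SCANS_OK = [(date(2013, 12, 20), True), (date(2014, 3, 18), False),
                (date(2014, 3, 25), True)]
ASV_SCANS_LATE = [(date(2013, 12, 20), True), (date(2014, 3, 18), False)]

if __name__ == "__main__":
    for a in posture_alerts(SNAPSHOTS):
        print(f"posture fell {a['drop_points']} points "
              f"({a['hosts_affected']} hosts) in {a['days']} days: {a['from']} -> {a['to']}")
    for name, scans in (("merchant-a", ASV_SCANS_OK), ("merchant-b", ASV_SCANS_LATE)):
        s = asv_status(scans, REPORT_DATE)
        print(f"{name}: last pass {s['last_pass']}, next due {s['next_due']}, "
              f"in window: {s['in_window']}, overdue {s['days_overdue']} days")
```

The posture function compares neighbouring snapshots rather than only the first and last, so a slow decline over a quarter is not reported as one alarming jump, while an 8-point fall within a week is.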