
PCI DSS v3.0: How to Adapt Your Compliance Strategy

May 19, 2015


AlienVault

With version 3.0 of PCI DSS now available, it’s time to review your compliance strategy and make a plan for adapting to the revised requirements. While the 12 main requirements remain the same, there are significant changes related to malware defenses, vulnerability assessments and penetration testing. During this 1-hour session, you’ll learn:

* What’s new in PCI DSS version 3.0
* Key considerations for adapting your compliance strategy
* Technology recommendations for addressing new compliance requirements
* How other companies have simplified PCI DSS compliance

To view a recording of this presentation and the interactive Q&A, visit https://www.alienvault.com/resource-center/webcasts/pci-dss-v3-how-to-adapt-your-compliance-strategy?utm_medium=Social&utm_source=SlideShare
Transcript
Page 1: PCI DSS v3.0: How to Adapt Your Compliance Strategy

PCI DSS 3.0: HOW TO ADAPT YOUR COMPLIANCE STRATEGY

Page 2: PCI DSS v3.0: How to Adapt Your Compliance Strategy


Meet today’s presenters

INTRODUCTIONS

Sandy Hawke, VP, Product Marketing, AlienVault

Patrick Bass, Director of Security Solutions, Terra Verde Services

Carlos Villalba, Director of Security Services, Terra Verde Services

Page 3: PCI DSS v3.0: How to Adapt Your Compliance Strategy

AGENDA

• What’s New in PCI DSS 3.0

• Key considerations for adapting your compliance strategy

• Technology recommendations for addressing new requirements

• How our clients have simplified PCI DSS compliance

• Q&A

Page 4: PCI DSS v3.0: How to Adapt Your Compliance Strategy

PCI DSS PRIMER: WHAT’S CHANGED FROM V2 TO V3

Carlos A. Villalba, Director, Security Services

Page 5: PCI DSS v3.0: How to Adapt Your Compliance Strategy

IT’S FINALLY HERE!

• Nov 7, 2013: PCI DSS v3 was published
• Jan 1, 2014: PCI DSS v3 becomes effective
• Dec 31, 2014: PCI DSS v2 expires

Page 6: PCI DSS v3.0: How to Adapt Your Compliance Strategy

PCI DSS VERSION 3: 3-Year Cycle for New Versions

Page 7: PCI DSS v3.0: How to Adapt Your Compliance Strategy

WHAT DID THEY WANT TO FIX?

• Divergent interpretations of the standard
• Weak or default passwords
• Slow detection of compromise
• Security problems introduced by 3rd parties
• Various other areas

Page 8: PCI DSS v3.0: How to Adapt Your Compliance Strategy

HIGHLIGHTS

• The twelve domains remain
• Some sub-requirements added
• Descriptions of tests are more precise
• Aligned language of requirement and test
• Clarified what to do to verify compliance
• More rigor in determining scope of assessment
• More guidance on log reviews
• More rigorous penetration testing

Page 9: PCI DSS v3.0: How to Adapt Your Compliance Strategy

GUIDANCE FOR EACH REQUIREMENT

Page 10: PCI DSS v3.0: How to Adapt Your Compliance Strategy

A PENETRATION TEST METHODOLOGY

Based on industry-accepted approaches, e.g. NIST SP800-115. A new clause, 11.3:

• Test the entire perimeter of the CDE and all critical systems
• Validate all scope-reduction controls (segmentation)
• Test from inside and from outside of the network
• Test network-function components and OSs
• As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5

Page 11: PCI DSS v3.0: How to Adapt Your Compliance Strategy

SECURE SDLC

• Programmers of internally-developed and bespoke applications must be trained to avoid known vulnerabilities
• List expanded to include new requirements for:
  • Coding practices to protect against broken authentication and session management
  • Coding practices to document how PAN and SAD are handled in memory
• Combating memory scraping is a good idea for PA-DSS; this was a bit contentious for PCI-DSS

Page 12: PCI DSS v3.0: How to Adapt Your Compliance Strategy

AUTHENTICATION

• Requirement text recognizes methods other than passwords/passphrases, e.g. certificates
• Authentication credentials: minimum password length is still 7 characters. “Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.”
• A service provider must use a different password for each of its clients.
• Educate users

Page 13: PCI DSS v3.0: How to Adapt Your Compliance Strategy

CHANGE MANAGEMENT

Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files. Configure the software to perform critical file comparisons at least weekly.

New requirement, 11.5.1, mandates the implementation of a process to respond to any alerts generated by that mechanism.
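As an added illustration of the change-detection mechanism and the 11.5.1 response process described above (example code written for this page, not AlienVault’s or Terra Verde’s; the critical-file paths and the approved-change list are constructed):

```python
import hashlib
import os
import tempfile

# Constructed list of "critical files" under a monitored root (hypothetical paths).
CRITICAL_FILES = ("etc/passwd", "etc/app/config.ini", "www/checkout.html")


def file_digest(path):
    """SHA-256 of the file contents; the stored baseline is a map of these."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def snapshot(root, rel_paths):
    """{relative path: digest} for every monitored file that currently exists."""
    return {rel: file_digest(os.path.join(root, rel)) for rel in rel_paths
            if os.path.isfile(os.path.join(root, rel))}


def compare(baseline, current):
    """The (at least weekly) comparison: files that changed, vanished or appeared."""
    alerts = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            alerts.append(("DELETED", rel))
        elif new != old:
            alerts.append(("MODIFIED", rel))
    alerts += [("ADDED", rel) for rel in current if rel not in baseline]
    return sorted(alerts)


def triage(alerts, approved_changes):
    """11.5.1 response step: every alert gets a disposition. A change covered by an
    approved change ticket is 'authorized'; anything else must be investigated."""
    return {f"{kind} {rel}": "authorized" if rel in approved_changes else "investigate"
            for kind, rel in alerts}


def demo():
    """Constructed scenario: one ticketed config change, one unapproved web-page edit."""
    with tempfile.TemporaryDirectory() as root:
        for rel in CRITICAL_FILES:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(f"original {rel}\n")
        baseline = snapshot(root, CRITICAL_FILES)
        with open(os.path.join(root, "etc/app/config.ini"), "a") as fh:
            fh.write("timeout=30\n")  # covered by a change ticket
        with open(os.path.join(root, "www/checkout.html"), "a") as fh:
            fh.write("unexpected line\n")  # nobody approved this
        alerts = compare(baseline, snapshot(root, CRITICAL_FILES))
        return triage(alerts, approved_changes={"etc/app/config.ini"})
```

The untouched file produces no alert, the ticketed change is closed as authorized, and the unapproved edit is the one that needs a person to act on it.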

Page 14: PCI DSS v3.0: How to Adapt Your Compliance Strategy

MANAGED SERVICE PROVIDERS

New requirement, 12.8.5, mandates the documentation of which DSS requirements are managed by the 3rd party.

New requirement, 12.9, mandates that 3rd parties must acknowledge in writing that they will comply with the DSS to protect CHD entrusted to them or, if managing some aspect of the CDE, state they will comply with the DSS in performing that management.

Page 15: PCI DSS v3.0: How to Adapt Your Compliance Strategy

ADAPTING YOUR COMPLIANCE STRATEGY

• Assess gaps between v2 and v3 requirements
  • What process changes are required?
  • What technology improvements are required?
  • How long will these take?
  • Do you have the necessary expertise and technology in place?
• Document migration plans to v3
• Consider a unified approach to PCI security monitoring

Page 16: PCI DSS v3.0: How to Adapt Your Compliance Strategy

A UNIFIED APPROACH TO PCI DSS COMPLIANCE:

USM OVERVIEW

Sandy Hawke, VP, Product Marketing, AlienVault

Page 17: PCI DSS v3.0: How to Adapt Your Compliance Strategy

KEY QUESTIONS FOR PCI DSS

Pre-audit checklist:

• Where do your PCI-relevant assets live, how are they configured, and how are they segmented from the rest of your network?
• Who accesses these resources (and the other W’s… when, where, what can they do, why and how)?
• What are the vulnerabilities that are in your PCI-defined network (app, OS, etc.)? Are there any known attackers targeting these?
• What constitutes your network baseline? What is considered “normal/acceptable”?

Ask your team… What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen?

Page 18: PCI DSS v3.0: How to Adapt Your Compliance Strategy

What do we need for PCI-DSS? Unified Security Management:

Asset Discovery (figure out what is valuable)
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

Vulnerability Assessment (identify ways the target could be compromised)
• Network Vulnerability Testing

Threat Detection (start looking for threats)
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

Behavioral Monitoring (look for strange activity which could indicate a threat)
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

Security Intelligence (piece it all together)
• SIEM Correlation
• Incident Response

BTW… this is just the technologies… Terra Verde can help with process!

Page 19: PCI DSS v3.0: How to Adapt Your Compliance Strategy

ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT

Network and host-based IDS signatures – detects the latest threats in your environment

Asset discovery signatures – identifies the latest OS’es, applications, and device types

Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems

Correlation rules – translates raw events into actionable remediation tasks

Reporting modules – provides new ways of viewing data about your environment

Dynamic incident response templates – delivers customized guidance on how to respond to each alert

Newly supported data source plug-ins – expands your monitoring footprint

Page 20: PCI DSS v3.0: How to Adapt Your Compliance Strategy

WHY ALIENVAULT FOR PCI DSS COMPLIANCE?

• All-in-one functionality
• Easy management: multiple functions without multiple consoles
• Automate what and where you can*
• “Baked in” guidance when you can’t
• Flexible reporting & queries… as detailed as you want it
• Threat intelligence from AlienVault Labs

*Disclaimer: Despite the hype, you can’t automate EVERYTHING nor would you want to. This is cyber security we’re talking about!

Page 21: PCI DSS v3.0: How to Adapt Your Compliance Strategy

TECHNOLOGY RECOMMENDATIONS FOR PCI DSS 3.0

Patrick Bass, Director, Security Solutions

Page 22: PCI DSS v3.0: How to Adapt Your Compliance Strategy

PCI COMPLIANCE STRUGGLES

You aren’t alone: 96% of breach victims were not compliant (Verizon, 2012).

5 common failures:
• Testing security
• Monitoring networks
• Maintaining firewalls
• Using vendor defaults
• Maintaining a security policy

Page 23: PCI DSS v3.0: How to Adapt Your Compliance Strategy

TVS CLIENTS

USM components that have helped our clients the most:

Log aggregation, correlation, analysis

Network intrusion detection

Host intrusion detection

Wireless intrusion detection

Vulnerability scanning

File integrity monitoring

Key USM advantages:
• Consolidated features
• Essential security capabilities
• Reduced cost & complexity
• Single pane-of-glass
• Easy to use & deploy

Page 24: PCI DSS v3.0: How to Adapt Your Compliance Strategy

REQUIREMENT 1: Install and maintain a firewall configuration to protect data

PCI DSS Requirement: 1.1, 1.2, 1.3

USM Capabilities: NetFlow analysis; System availability monitoring; SIEM; Asset discovery

Benefits:
• Unified and correlated NetFlow analysis and firewall logs deliver “single pane of glass” visibility into access to cardholder-related data and resources.
• Built-in asset discovery provides a dynamic asset inventory and topology diagrams. Cardholder-related resources can be identified and monitored for unusual activity.
• Accurate and automated asset inventory combined with relevant security events accelerates incident response efforts and analysis.

Page 25: PCI DSS v3.0: How to Adapt Your Compliance Strategy

REQUIREMENT 2: No use of vendor-supplied parameter defaults

PCI DSS Requirement: 2.1, 2.2, 2.3

USM Capabilities: Network intrusion detection (IDS); Vulnerability assessment; Host-based intrusion detection (HIDS)

Benefits:
• Built-in, automated vulnerability assessment identifies the use of weak and default passwords.
• Built-in host-based intrusion detection and file integrity monitoring will signal when password files and other critical system files have been modified.

Page 26: PCI DSS v3.0: How to Adapt Your Compliance Strategy

REQUIREMENT 3: Protect stored cardholder data

PCI DSS Requirement: 3.6.7

USM Capabilities: Log management; Host-based intrusion detection (HIDS); File integrity monitoring; NetFlow analysis; SIEM

Benefits:
• Unified log review and analysis, with triggered alerts for high risk systems (containing credit cardholder data).
• Built-in host-based intrusion detection and file integrity monitoring detect and alarm on changes to cryptographic keys.
• Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.

Page 27: PCI DSS v3.0: How to Adapt Your Compliance Strategy

REQUIREMENT 4: Encrypt cardholder data transmission across open public networks

PCI DSS Requirement: 4.1

USM Capabilities: NetFlow analysis; Behavioral monitoring; Wireless IDS; SIEM

Benefits:
• Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.
• Built-in wireless IDS monitors encryption strength and identifies unauthorized access attempts to critical infrastructure.

Page 28: PCI DSS v3.0: How to Adapt Your Compliance Strategy

REQUIREMENT 5: Use and update anti-virus software

PCI DSS Requirement: 5.1, 5.2

USM Capabilities: Host-based intrusion detection (HIDS); Network intrusion detection (IDS); Log management

Benefits:
• Built-in host-based intrusion detection provides an extra layer of defense against zero-day threats (before an anti-virus update can be issued).
• Unified log management provides an audit trail of anti-virus software use by collecting log data from anti-virus software.
• Built-in network intrusion detection identifies and alerts on malware infections in the credit cardholder data environment.

Page 29: PCI DSS v3.0: How to Adapt Your Compliance Strategy

REQUIREMENT 6: Develop and maintain secure systems and applications

PCI DSS Requirement: 6.1, 6.2, 6.3, 6.3.2, 6.4, 6.5

USM Capabilities: Asset discovery; Vulnerability assessment; Network intrusion detection (IDS); SIEM

Benefits:
• Built-in and consolidated asset inventory, vulnerability assessment, threat detection and event correlation provide a unified view of an organization’s security posture and critical system configuration.
• Built-in vulnerability assessment checks for a variety of well-known security exploits (e.g., SQL injection).

Page 30: PCI DSS v3.0: How to Adapt Your Compliance Strategy

REQUIREMENT 7: Restrict cardholder data access to need to know

PCI DSS Requirement: 7.1, 7.2

USM Capabilities: SIEM

Benefits:
• Automated event correlation identifies unauthorized access to systems with credit cardholder data.

Page 31: PCI DSS v3.0: How to Adapt Your Compliance Strategy

REQUIREMENT 8: Assign unique IDs to everyone with computer access

PCI DSS Requirement: 8.1, 8.2, 8.4, 8.5

USM Capabilities: Log management

Benefits:
• Built-in log management captures all user account creation activities and can also identify unencrypted passwords on critical systems.

Page 32: PCI DSS v3.0: How to Adapt Your Compliance Strategy

REQUIREMENT 10: Track and monitor access to all network resources and cardholder data

PCI DSS Requirement: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7

USM Capabilities: Host-based intrusion detection (HIDS); Network intrusion detection (IDS); Behavioral monitoring; Log management; SIEM

Benefits:
• Built-in threat detection, behavioral monitoring and event correlation signal attacks in progress, for example unauthorized access followed by additional security exposures such as cardholder data exfiltration.
• Built-in log management enables the collection and correlation of valid and invalid authentication attempts on critical devices.
• Centralized, role-based access control for audit trails and event logs preserves “chain of custody” for investigations.

Page 33: PCI DSS v3.0: How to Adapt Your Compliance Strategy

REQUIREMENT 11: Regularly test security systems and processes

PCI DSS Requirement: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

USM Capabilities: Vulnerability assessment; Wireless IDS; Host-based intrusion detection (HIDS); File integrity monitoring; SIEM

Benefits:
• Built-in vulnerability assessment streamlines the scanning and remediation process: one console to manage it all.
• Built-in wireless IDS detects and alerts on rogue wireless access points and weak encryption configurations.
• Built-in host-based intrusion detection identifies the attachment of USB devices, including WLAN cards.
• Unified vulnerability assessment, threat detection, and event correlation provide full situational awareness in order to reliably test security systems and processes.
• Built-in file integrity monitoring alerts on unauthorized modification of system files, configuration files, or content.

Page 35: PCI DSS v3.0: How to Adapt Your Compliance Strategy

CONTACT US

Sandy Hawke, VP, Product Marketing, AlienVault
[email protected]

Patrick Bass, Director, Security Solutions, Terra Verde Services
[email protected]
877-707-7997 (x 16)

Carlos Villalba, Director, Security Services, Terra Verde Services
[email protected] (x 21)

Page 36: PCI DSS v3.0: How to Adapt Your Compliance Strategy

NOW FOR SOME Q&A…

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Join us for a LIVE Demo!

http://www.alienvault.com/marketing/alienvault-usm-live-demo

Already a customer? TVS provides training:

http://www.terraverdeservices.com/alienvault-training.html

Questions? [email protected]