PCI DSS 3.0: HOW TO ADAPT YOUR COMPLIANCE STRATEGY
May 19, 2015
Meet today’s presenters
INTRODUCTIONS
Sandy Hawke, VP, Product Marketing, AlienVault
Patrick Bass, Director of Security Solutions, Terra Verde Services
Carlos Villalba, Director of Security Services, Terra Verde Services
AGENDA
• What’s New in PCI DSS 3.0
• Key considerations for adapting your compliance strategy
• Technology recommendations for addressing new requirements
• How our clients have simplified PCI DSS compliance
• Q&A
PCI DSS PRIMER: WHAT’S CHANGED FROM V2 TO V3
Carlos A. Villalba, Director, Security Services
IT’S FINALLY HERE! PCI DSS VERSION 3 (3-year cycle for new versions)
• Nov 7, 2013: PCI DSS v3 was published
• Jan 1, 2014: PCI DSS v3 becomes effective
• Dec 31, 2014: PCI DSS v2 expires
WHAT DID THEY WANT TO FIX
• Divergent interpretations of the standard
• Weak or default passwords
• Slow detection of compromise
• Security problems introduced by 3rd parties and various areas
HIGHLIGHTS
• The twelve domains remain
• Some sub-requirements added
• Descriptions of tests are more precise
• Aligned language of requirement and test
• Clarified what to do to verify compliance
• More rigor in determining scope of assessment
• More guidance on log reviews
• More rigorous penetration testing
GUIDANCE FOR EACH REQUIREMENT
A PENETRATION TEST METHODOLOGY
• Based on industry-accepted approaches, e.g. NIST SP 800-115
• A new clause, 11.3
• Test the entire perimeter of the CDE and all critical systems
• Validate all scope-reduction controls (segmentation)
• Test from inside and from outside of the network
• Test network-function components and OSs
• As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5
SECURE SDLC
• Programmers of internally-developed and bespoke applications must be trained to avoid known vulnerabilities
• List expanded to include new requirements for:
  • Coding practices to protect against broken authentication and session management
  • Coding practices to document how PAN and SAD are handled in memory
• Combating memory scraping is a good idea for PA-DSS; this was a bit contentious for PCI DSS
AUTHENTICATION
• Requirement text recognizes methods other than passwords/passphrases, e.g. certificates
Authentication credentials:
• Minimum password length is still 7 characters
• “Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.”
• A service provider must use a different password for each of its clients.
• Educate users
CHANGE MANAGEMENT
• Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files
• Configure the software to perform critical file comparisons at least weekly.
• New requirement, 11.5.1, mandates the implementation of a process to respond to any alerts generated by that mechanism.
MANAGED SERVICE PROVIDERS
• New requirement, 12.8.5, mandates the documentation of which DSS requirements are managed by the 3rd party.
• New requirement, 12.9, mandates that 3rd parties must acknowledge in writing that they will comply with the DSS to protect CHD entrusted to them or, if managing some aspect of the CDE, state they will comply with the DSS in performing that management.
ADAPTING YOUR COMPLIANCE STRATEGY
• Assess gaps between v2 and v3 requirements
  • What process changes are required?
  • What technology improvements are required?
  • How long will these take?
  • Do you have the necessary expertise and technology in place?
• Document migration plans to v3
• Consider a unified approach to PCI security monitoring
A UNIFIED APPROACH TO PCI DSS COMPLIANCE: USM OVERVIEW
Sandy Hawke, VP, Product Marketing, AlienVault
KEY QUESTIONS FOR PCI DSS
Pre-audit checklist:
• Where do your PCI-relevant assets live, how are they configured, and how are they segmented from the rest of your network?
• Who accesses these resources (and the other W’s: when, where, what can they do, why and how)?
• What are the vulnerabilities in your PCI-defined network (app, OS, etc.)? Are there any known attackers targeting these?
• What constitutes your network baseline? What is considered “normal/acceptable”?
Ask your team: What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen?
What do we need for PCI-DSS?
[Diagram: Unified Security Management, the five capabilities and the question each answers]
• Asset Discovery: figure out what is valuable
• Vulnerability Assessment: identify ways the target could be compromised
• Threat Detection: start looking for threats
• Behavioral Monitoring: look for strange activity which could indicate a threat
• Security Intelligence: piece it all together
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Correlation
• Incident Response
BTW… this is just the technologies… Terra Verde can help with process!
ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT
Network and host-based IDS signatures – detects the latest threats in your environment
Asset discovery signatures – identifies the latest OS’es, applications, and device types
Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems
Correlation rules – translates raw events into actionable remediation tasks
Reporting modules – provides new ways of viewing data about your environment
Dynamic incident response templates – delivers customized guidance on how to respond to each alert
Newly supported data source plug-ins – expands your monitoring footprint
WHY ALIENVAULT FOR PCI DSS COMPLIANCE?
• All-in-one functionality
• Easy management: multiple functions without multiple consoles
• Automate what and where you can*
• “Baked in” guidance when you can’t
• Flexible reporting & queries… as detailed as you want it.
• Threat intelligence from AlienVault Labs
*Disclaimer: Despite the hype, you can’t automate EVERYTHING nor would you want to. This is cyber security we’re talking about!
TECHNOLOGY RECOMMENDATIONS FOR PCI DSS 3.0
Patrick Bass, Director, Security Solutions
PCI COMPLIANCE STRUGGLES
You aren’t alone: 96% of breach victims were not compliant (Verizon, 2012).
5 common failures:
• Testing security
• Monitoring networks
• Maintaining firewalls
• Using vendor defaults
• Maintaining a security policy
TVS CLIENTS
USM components that have helped our clients the most:
• Log aggregation, correlation, analysis
• Network intrusion detection
• Host intrusion detection
• Wireless intrusion detection
• Vulnerability scanning
• File integrity monitoring
Key USM advantages:
• Consolidated features
• Essential security capabilities
• Reduced cost & complexity
• Single pane-of-glass
• Easy to use & deploy
REQUIREMENT 1: Install and maintain a firewall configuration to protect data
PCI DSS Requirement: 1.1, 1.2, 1.3
USM Capabilities: NetFlow analysis; System availability monitoring; SIEM; Asset discovery
Benefits:
• Unified and correlated NetFlow analysis and firewall logs delivers “single pane of glass” visibility into access to cardholder-related data and resources.
• Built-in asset discovery provides a dynamic asset inventory and topology diagrams. Cardholder-related resources can be identified and monitored for unusual activity.
• Accurate and automated asset inventory combined with relevant security events accelerates incident response efforts and analysis.
REQUIREMENT 2: No use of vendor-supplied parameter defaults
PCI DSS Requirement: 2.1, 2.2, 2.3
USM Capabilities: Network intrusion detection (IDS); Vulnerability assessment; Host-based intrusion detection (HIDS)
Benefits:
• Built-in, automated vulnerability assessment identifies the use of weak and default passwords.
• Built-in host-based intrusion detection and file integrity monitoring will signal when password files and other critical system files have been modified.
REQUIREMENT 3: Protect stored cardholder data
PCI DSS Requirement: 3.6.7
USM Capabilities: Log management; Host-based intrusion detection (HIDS); File integrity monitoring; NetFlow analysis; SIEM
Benefits:
• Unified log review and analysis, with triggered alerts for high-risk systems (containing credit cardholder data).
• Built-in host-based intrusion detection and file integrity monitoring detect and alarm on changes to cryptographic keys.
• Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.
REQUIREMENT 4: Encrypt cardholder data transmission across open public networks
PCI DSS Requirement: 4.1
USM Capabilities: NetFlow analysis; Behavioral monitoring; Wireless IDS; SIEM
Benefits:
• Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.
• Built-in wireless IDS monitors encryption strength and identifies unauthorized access attempts to critical infrastructure.
REQUIREMENT 5: Use and update anti-virus software
PCI DSS Requirement: 5.1, 5.2
USM Capabilities: Host-based intrusion detection (HIDS); Network intrusion detection (IDS); Log management
Benefits:
• Built-in host-based intrusion detection provides an extra layer of defense against zero-day threats (before an anti-virus update can be issued).
• Unified log management provides an audit trail of anti-virus software use by collecting log data from anti-virus software.
• Built-in network intrusion detection identifies and alerts on malware infections in the credit cardholder data environment.
REQUIREMENT 6: Develop and maintain secure systems and applications
PCI DSS Requirement: 6.1, 6.2, 6.3, 6.3.2, 6.4, 6.5
USM Capabilities: Asset discovery; Vulnerability assessment; Network intrusion detection (IDS); SIEM
Benefits:
• Built-in and consolidated asset inventory, vulnerability assessment, threat detection and event correlation provides a unified view of an organization’s security posture and critical system configuration.
• Built-in vulnerability assessment checks for a variety of well-known security exploits (e.g., SQL injection).
REQUIREMENT 7: Restrict cardholder data access to need to know
PCI DSS Requirement: 7.1, 7.2
USM Capabilities: SIEM
Benefits:
• Automated event correlation identifies unauthorized access to systems with credit cardholder data.
REQUIREMENT 8: Assign unique IDs to everyone with computer access
PCI DSS Requirement: 8.1, 8.2, 8.4, 8.5
USM Capabilities: Log management
Benefits:
• Built-in log management captures all user account creation activities and can also identify unencrypted passwords on critical systems.
REQUIREMENT 10: Track and monitor access to all network resources and cardholder data
PCI DSS Requirement: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7
USM Capabilities: Host-based intrusion detection (HIDS); Network intrusion detection (IDS); Behavioral monitoring; Log management; SIEM
Benefits:
• Built-in threat detection, behavioral monitoring and event correlation signals attacks in progress, for example unauthorized access followed by additional security exposures such as cardholder data exfiltration.
• Built-in log management enables the collection and correlation of valid and invalid authentication attempts on critical devices.
• Centralized, role-based access control for audit trails and event logs preserves “chain of custody” for investigations.
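The "collection and correlation of valid and invalid authentication attempts" benefit listed for Requirement 10 is easiest to understand as a concrete correlation rule. The following is an added example, not code from the slides and not the USM product's rules engine: it parses a few constructed sshd-style syslog lines and raises an alert when one source address fails to authenticate at least THRESHOLD times and then succeeds against the same host within WINDOW. The host names, addresses, user names and timestamps are all made up for the example; the threshold and window are assumptions a real deployment would tune.

```python
"""Correlate authentication events: burst of failures followed by a success.

Added example, not from the slides or any vendor product. Parses a
constructed sshd-style log and alerts when a source IP fails to log in
THRESHOLD or more times and then succeeds against the same host within
WINDOW, the kind of "invalid attempts followed by valid access" pattern
a SIEM correlation rule for PCI DSS Requirement 10 would flag.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

THRESHOLD = 3                  # failures before a success becomes suspicious (assumption)
WINDOW = timedelta(minutes=5)  # failures must fall within this span before the success
LOG_YEAR = 2015                # syslog lines carry no year; assumed for parsing

# Pattern for the constructed log format used below (rsyslog-like sshd lines).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log, not real data.
SAMPLE_LOG = """\
Mar  3 10:00:01 pos-db01 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:04 pos-db01 sshd[2002]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:09 pos-db01 sshd[2003]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:15 pos-db01 sshd[2004]: Accepted password for root from 203.0.113.7 port 51237 ssh2
Mar  3 10:01:00 pos-web01 sshd[3001]: Failed password for carlos from 192.0.2.10 port 40000 ssh2
Mar  3 10:01:05 pos-web01 sshd[3002]: Accepted password for carlos from 192.0.2.10 port 40001 ssh2
Mar  3 10:30:00 pos-db01 sshd[2100]: Accepted publickey for deploy from 192.0.2.20 port 40100 ssh2
"""


def parse(log_text: str) -> list[tuple[datetime, str, str, str, str]]:
    """Turn matching lines into (timestamp, host, source_ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines this rule does not understand are simply skipped
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["ip"], m["user"], m["result"]))
    return events


def correlate(events: list[tuple[datetime, str, str, str, str]]) -> list[dict]:
    """Alert on >= THRESHOLD failures from one (host, source) followed by a success."""
    alerts = []
    failures: dict[tuple[str, str], list[datetime]] = {}
    for ts, host, ip, user, result in sorted(events):  # process in time order
        key = (host, ip)
        if result == "Failed":
            failures.setdefault(key, []).append(ts)
            continue
        # A success: count the failures from the same source still inside the window.
        recent = [t for t in failures.get(key, []) if ts - t <= WINDOW]
        if len(recent) >= THRESHOLD:
            alerts.append({
                "host": host, "source": ip, "user": user,
                "failures": len(recent), "at": ts.isoformat(),
            })
        failures.pop(key, None)  # a success closes the failure sequence either way
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(f"ALERT: {alert['failures']} failures then success on {alert['host']} "
              f"from {alert['source']} as {alert['user']} at {alert['at']}")
```

The single failed attempt by `carlos` followed by a success stays below the threshold and is not alerted, which is the point of correlating rather than alerting on every failed login; the 10.6 daily log review then needs only the alerts, not the raw stream.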
REQUIREMENT 11: Regularly test security systems and processes
PCI DSS Requirement: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
USM Capabilities: Vulnerability assessment; Wireless IDS; Host-based intrusion detection (HIDS); File integrity monitoring; SIEM
Benefits:
• Built-in vulnerability assessment streamlines the scanning and remediation process: one console to manage it all.
• Built-in wireless IDS detects and alerts on rogue wireless access points and weak encryption configurations.
• Built-in host-based intrusion detection identifies the attachment of USB devices, including WLAN cards.
• Unified vulnerability assessment, threat detection, and event correlation provides full situational awareness in order to reliably test security systems and processes.
• Built-in file integrity monitoring alerts on unauthorized modification of system files, configuration files, or content.
CONTACT US
Sandy Hawke, VP, Product Marketing
Patrick Bass, Director, Security Solutions
Terra Verde [email protected]
877-707-7997 (x 16)
Carlos Villalba, Director, Security Services
Terra Verde [email protected] (x 21)
NOW FOR SOME Q&A…
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usm-live-demo
Already a customer? TVS provides training:
http://www.terraverdeservices.com/alienvault-training.html
Questions? [email protected]
VIEW WEBCAST ON-DEMAND…
A recorded version of this webcast is available On-Demand, and can be viewed Here.