Page 1: PCI DSS Simplified: What You Need to Know

PCI DSS SIMPLIFIED: WHAT YOU NEED TO KNOW

Sandy Hawke, CISSP, VP, Product Marketing

@sandybeachSF

Tom D’Aquino, Technical Lead

Page 2: PCI DSS Simplified: What You Need to Know

AGENDA


Common challenges

Pre-audit checklist

Core capabilities for PCI

Automation & consolidation

Product Demo

Key Takeaways

Q & A

Page 3: PCI DSS Simplified: What You Need to Know

SETTING THE STAGE… Pre-audit checklist & more

Page 4: PCI DSS Simplified: What You Need to Know
Page 5: PCI DSS Simplified: What You Need to Know
Page 6: PCI DSS Simplified: What You Need to Know
Page 7: PCI DSS Simplified: What You Need to Know

QUESTIONS TO ASK YOURSELF… SOONER RATHER THAN LATER.

Pre-audit checklist:

Where do your PCI-relevant assets live, how are they configured, and how are they segmented from the rest of your network?

Who accesses these resources (and the other W’s… when, where, what can they do, why and how)?

What are the vulnerabilities in your PCI-defined network (apps, etc.)?

What constitutes your network baseline? What is considered “normal/acceptable”?

Ask your team… What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen?


Page 8: PCI DSS Simplified: What You Need to Know

FRENEMIES: SECURITY AND COMPLIANCE


Page 9: PCI DSS Simplified: What You Need to Know

SO…. WHAT DO I NEED FOR PCI-DSS?

Page 10: PCI DSS Simplified: What You Need to Know

What do we need for PCI-DSS?

• Figure out what is valuable

• Identify ways the target could be compromised

• Start looking for threats

• Look for strange activity which could indicate a threat

• Piece it all together

Page 11: PCI DSS Simplified: What You Need to Know


Asset Discovery

• Active Network Scanning

• Passive Network Scanning

• Asset Inventory

• Host-based Software Inventory

Page 12: PCI DSS Simplified: What You Need to Know


Vulnerability Assessment

• Network Vulnerability Testing

Page 13: PCI DSS Simplified: What You Need to Know


Threat Detection

• Network IDS

• Host IDS

• Wireless IDS

• File Integrity Monitoring

Page 14: PCI DSS Simplified: What You Need to Know


Behavioral Monitoring

• Log Collection

• Netflow Analysis

• Service Availability Monitoring

Page 15: PCI DSS Simplified: What You Need to Know


Security Intelligence

• SIEM Correlation

• Incident Response

Page 16: PCI DSS Simplified: What You Need to Know


Unified Security Management

BTW… this is just the technologies… process is a whole ‘nother topic.

Page 17: PCI DSS Simplified: What You Need to Know

READING IN BETWEEN THE LINES…

WHAT’S NOT IN THE FINE PRINT BUT SHOULD BE…

Dynamic threat intelligence updates

• The threats change, so should your event correlation rules, IP reputation data, etc.

Flexible use case support

• It’s impossible to predict all bad outcomes, so have a solution that grows with you.

Page 18: PCI DSS Simplified: What You Need to Know

LET’S HEAR FROM YOU!

ALIENVAULT POLL QUESTION

What is your biggest pain point when it comes to PCI compliance?

• Uncertainty about what’s on my network

• Vulnerability assessment and remediation

• Concerns about threat detection

• Compliance reporting

• None of the above – I’m a PCI Ninja!

Page 19: PCI DSS Simplified: What You Need to Know

WHY ALIENVAULT FOR PCI DSS COMPLIANCE?

All-in-one functionality

• Easy management

• Multiple functions without multiple consoles

Automate what and where you can*

• “Baked in” guidance when you can’t

Flexible reporting & queries… as detailed as you want it.

Threat intelligence from AlienVault Labs

*Disclaimer: Despite the hype, you can’t automate EVERYTHING nor would you want to. This is cyber security we’re talking about!

Page 20: PCI DSS Simplified: What You Need to Know

ALIENVAULT USM: AUTOMATION & CONSOLIDATION

① Install and Maintain a Firewall Configuration to Protect Data

② No Use of Vendor-Supplied Parameter Defaults

③ Protect Stored Cardholder Data

④ Encrypt Cardholder Data Transmission Across Open Public Networks

⑤ Use and Update Antivirus Software

⑥ Develop and Maintain Secure Systems and Applications

⑦ Restrict Cardholder Data Access to Need to Know

⑧ Assign Unique IDs to Everyone with Computer Access

⑨ Track and Monitor Access to All Network Resources and Cardholder Data

⑩ Regularly Test Security Systems and Processes

http://www.alienvault.com/products-solutions/compliance-management/pci-dss-compliance

Page 21: PCI DSS Simplified: What You Need to Know

LET’S SEE IT IN ACTION.

AlienVault USM Demo – PCI DSS Compliance Simplified

Page 22: PCI DSS Simplified: What You Need to Know

WHAT’S COMING IN PCI DSS V3*?

Key Goals

Increased clarity

• Intention and application

• Scoping and reporting

• Eliminate redundancy, consolidate documentation

Stronger focus on “greater risk areas” in the threat environment

Consistency among assessors

Key Themes

• Education and Awareness

• Increased flexibility

• Security as a shared responsibility

Key Dates

• Nov 7, 2013: PCI DSS v3 is published

• Jan 1, 2014: PCI DSS v3 becomes effective

• Dec 31, 2014: PCI DSS v2 expires

*https://www.pcisecuritystandards.org/security_standards/documents.php

Page 23: PCI DSS Simplified: What You Need to Know

KEY TAKE-AWAYS

• Use the “force” of compliance to bolster your security monitoring / incident response program.

• PCI Compliance is more than just reporting.

• Automate and consolidate as much as possible.

• And… throw away that cover page for your TPS reports.

…But keep the red stapler.

Page 24: PCI DSS Simplified: What You Need to Know

NOW FOR SOME Q&A…

Three Ways to Test Drive AlienVault

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Join our LIVE Demo on Thursday!

http://www.alienvault.com/marketing/alienvault-usm-live-demo
