How to Overcome the 3 Biggest PCI Compliance Challenges

The cost of PCI compliance is out of control. Companies are forced to spend thousands and sometimes millions of dollars on technology like log management that is messy and difficult to deploy. This can be disheartening news for an organization whose compliance is not optional. According to the leading QSAs, requirements 10, 11.2, and 11.4 are the three biggest and most expensive PCI compliance challenges facing companies. How can your organization overcome these PCI compliance challenges with limited budget and resources? Cloud-based solutions are the answer.

Watch a recorded webinar from VISI and Alert Logic on How to Overcome the 3 Biggest PCI Compliance Challenges. In this webinar, we show how hosted solutions can provide:

• Effective and sustainable log management, IDS, and vulnerability management
• An affordable and easy to implement solution
• A reduction in the amount of time your team spends on PCI compliance

  1. HOW TO OVERCOME THE 3 BIGGEST PCI COMPLIANCE CHALLENGES
     20 JANUARY 2011
     RANDY ROSENBAUM / CPISM / ALERT LOGIC
     JOHNNY HATCH / PRODUCT MANAGER / VISI
     VISI.COM / 612.395.9090 / © 2011 VISI INCORPORATED. ALL RIGHTS RESERVED.

  2. AGENDA
      VISI INTRODUCTION
      PCI DSS 2.0
      PCI COMPLIANCE CHALLENGES
         COSTLY PITFALLS OF PCI COMPLIANCE
         3 BIGGEST PCI COMPLIANCE CHALLENGES
      PCI COMPLIANCE IN THE CLOUD
      QUESTIONS AND ANSWERS

  3. ABOUT VISI: COMPANY OVERVIEW
      FOUNDED IN 1994
      MINNESOTA’S MARKET LEADER IN COLOCATION, MANAGED SERVERS AND CLOUD SERVICES.
      WHOLLY OWNED SUBSIDIARY OF TELEPHONE & DATA SYSTEMS. TELEPHONE & DATA SYSTEMS IS A FORTUNE 500 COMPANY WITH REVENUES IN EXCESS OF $5B.

  4. PCI DSS 2.0

  5. CHANGES TO PCI DSS (2.0)
     Requirement   Change
     1             Clarification on secure boundaries between the internet and the cardholder data environment
     3.6           Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split knowledge and dual control
     6.2           Update requirement to allow vulnerabilities to be ranked and prioritized according to risk
     6.5           Merge 6.3.1 and 6.5 to eliminate redundancy
     12.3.10       Update to allow business justification for copy, move, and storage of CHD during remote access
     Various       Provide guidance on virtualization
     Scope         Clarify that all locations and flows of cardholder data should be included in scope

  6. PCI COMPLIANCE CHALLENGES

  7. COSTLY PCI PITFALLS
     1. ONLY CHECKING THE “I’M COMPLIANT” BOX: DEPLOYING EXPENSIVE HARDWARE- OR SOFTWARE-BASED LOG MANAGEMENT OR IDS SYSTEMS AND NOT REVIEWING THE DATA.
     2. WASTING YOUR RESOURCES: USING YOUR RESOURCES TO UPDATE, PATCH, AND MAINTAIN HARDWARE- OR SOFTWARE-BASED SOLUTIONS.

  8. THE 3 BIGGEST PCI CHALLENGES
      EFFECTIVE AND SUSTAINABLE LOG MANAGEMENT (REQUIREMENT 10): MANUALLY REVIEWING AND MANAGING LOG DATA
      VULNERABILITY ASSESSMENT (REQUIREMENT 11.2): SELECTING THE RIGHT SOLUTION THAT SCALES TO MATCH YOUR NETWORK SECURITY NEEDS
      INTRUSION PROTECTION (REQUIREMENT 11.4): CONFIGURING, IMPLEMENTING, USING, AND SUPPORTING TECHNOLOGY THAT ADAPTS TO YOUR NETWORK SECURITY POLICIES
  9. PCI COMPLIANCE IN THE CLOUD

  10. ALERT LOGIC: COMPANY OVERVIEW
      FOUNDED: 2002
      HQ: HOUSTON, TX
      DATA CENTERS: HOUSTON & ATLANTA
      EMPLOYEES: 90+
      CUSTOMERS: 1,200+
     We allow you to: improve security; comply with regulations.
     By delivering: patented SaaS products; integrated managed services; continuous automation.

  11. INTEGRATED SAAS & MANAGED SERVICES
      THREAT MANAGER: Identify and escalate true security incidents by expert analysis of threat and vulnerability data. PCI Approved Scanning Vendor for DSS requirements.
      ACTIVEWATCH: ActiveWatch service provides 24x7 response from certified analysts.
      LOG MANAGER: Agent-less collection, correlation, storage, search and reporting of disparate log data. Cloud-based grid architecture enables unprecedented scale without local storage.
      LOGREVIEW: LogReview service provides daily review and sign-off of over 20 critical reports for security and compliance.

  12. CLOUD-POWERED DELIVERY MODEL

  13. ADDRESSING PCI DSS MANDATES
     PCI DSS penalties: fines, loss of credit card processing, and level 1 merchant requirements.
     VULNERABILITY ASSESSMENT (Threat Manager + ActiveWatch)
        6.2    Identify newly discovered security vulnerabilities
        11.2   Perform network vulnerability scans quarterly by an ASV
     INTRUSION DETECTION (Threat Manager + ActiveWatch)
        5.1.1  Monitor zero-day attacks not covered by anti-virus
        11.4   Maintain IDS/IPS to monitor & alert personnel; keep engines up to date
     LOG MANAGEMENT (Log Manager + LogReview)
        10.2   Automated audit trails
        10.3   Capture audit trails
        10.5   Secure logs
        10.6   Review logs at least daily
        10.7   Maintain logs online for 3 months
        10.7   Retain audit trail for at least 1 year
  14. CHALLENGE 1: LOG MANAGEMENT – EFFECTIVE AND SUSTAINABLE

  15. WHY LOG MANAGEMENT IS OFTEN INEFFECTIVE
     (Bar chart, share of respondents on a 0% to 60% scale, most notable cause highlighted.)
      Management doesn’t "get it"
      Procedures are too flexible to enforce
      Log data is not normalized
      Too much time to resolve incidents
      Criteria for breach are unclear
     Source: PCI Knowledge Base, March 2009

  16. LOG MANAGER + LOGREVIEW
      COLLECT LOG DATA FROM HETEROGENEOUS ENVIRONMENTS WITHOUT DEPLOYING AGENTS
      SECURELY STORE LOG DATA IN REDUNDANT OFFSITE DATA CENTERS, ELIMINATING THE NEED FOR A LOCAL SAN
      SEARCH AND REPORT ON DATA INSTANTLY FOR FORENSIC ANALYSIS
      MAINTAIN SECURITY & COMPLIANCE WITH OUT-OF-THE-BOX REPORTS AND ALERTING
      OFFLOAD MONOTONOUS DAILY REVIEW OF LOG DATA (E.G., FOR PCI COMPLIANCE) WITH THE LOGREVIEW MANAGED SERVICE
     (Diagram: “Deploy this…” versus “Instead of all this.”)

  17. 10.2.1 ALL INDIVIDUAL ACCESS TO CARDHOLDER DATA

  18. PCI LOG CORRELATION POLICIES

  19. LOG MESSAGES REVIEWED DAILY (Alert Logic LogReview)
      Unix Failed Logins
      Unix SSH Failed Logins
      Windows and Unix FTP/Telnet Failed Logins
      Database Failed Logins
      Network Device Failed Logins
      Network Device Policy Change
      Unix Sudo Access
      Unix Switch User Command Success
      Failed Unix Switch User Command
      Unix Group Created
      Excessive Windows Failed Logins
      Excessive Windows Failed Logins by an Admin
      Excessive Windows Account Lockouts
      Excessive Windows Account Lockouts by an Admin
      Windows User Account Created
      Windows User Group Created
      Windows User Group Modified
      Active Directory Global Catalog Change
      Active Directory Global Catalog Demotion
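The daily reports on the slide above are what a Requirement 10.6 review actually consumes: raw audit-trail lines (10.2) parsed into named event types, with a little correlation (failures counted per source) applied before a person signs off. The Python below is an added example, not part of this deck or of Alert Logic's LogReview service; it produces several of the Unix reports from one constructed day of auth log lines. It assumes the standard OpenSSH, sudo and su syslog message formats, a hypothetical cardholder-data path (/var/lib/pos/) used to flag privileged commands for the 10.2.1 report, and a threshold of five failures for "excessive", which is an assumption rather than anything the slides state.

```python
"""Daily PCI DSS Requirement 10.6 review over Unix auth log lines (added example)."""
import re
from collections import Counter

# Constructed sample of one day's auth log for this example; not real data.
SAMPLE_AUTH_LOG = """\
Jan 20 08:01:12 pos-db01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jan 20 08:01:15 pos-db01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Jan 20 08:01:19 pos-db01 sshd[2211]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jan 20 08:01:22 pos-db01 sshd[2211]: Failed password for root from 203.0.113.45 port 51025 ssh2
Jan 20 08:01:25 pos-db01 sshd[2211]: Failed password for root from 203.0.113.45 port 51026 ssh2
Jan 20 08:01:28 pos-db01 sshd[2211]: Failed password for root from 203.0.113.45 port 51027 ssh2
Jan 20 09:14:02 pos-db01 sshd[2300]: Accepted publickey for jhatch from 10.10.5.20 port 40112 ssh2
Jan 20 09:14:30 pos-db01 sudo:   jhatch : TTY=pts/0 ; PWD=/home/jhatch ; USER=root ; COMMAND=/bin/cat /var/lib/pos/cardholder.db
Jan 20 09:20:41 pos-db01 su[2410]: Successful su for oracle by jhatch
Jan 20 09:25:03 pos-db01 su[2455]: FAILED SU (to root) jhatch on pts/0
Jan 20 10:02:17 pos-db01 sshd[2500]: Failed password for jhatch from 10.10.5.20 port 40200 ssh2
"""

# Standard OpenSSH, sudo and su syslog message formats (assumed input format).
SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
PATTERNS = {
    "ssh_failed": re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "sudo": re.compile(SYSLOG_PREFIX + r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"),
    "su_ok": re.compile(SYSLOG_PREFIX + r"su\[\d+\]: Successful su for (?P<target>\S+) by (?P<user>\S+)"),
    "su_failed": re.compile(SYSLOG_PREFIX + r"su\[\d+\]: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on"),
}

# Hypothetical location of cardholder data on this host (assumption for the example).
CARDHOLDER_DATA_PATHS = ("/var/lib/pos/",)


def parse_auth_log(text):
    """Yield (event_type, fields) for every line that matches a known message format."""
    for line in text.splitlines():
        for event, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                yield event, m.groupdict()
                break


def review_auth_log(text, excessive_threshold=5):
    """Build daily review reports (named as on slide 19) from one day's auth log.

    Returns a dict mapping report name -> list of event field dicts.
    """
    reports = {
        "Unix SSH Failed Logins": [],
        "Excessive Unix SSH Failed Logins": [],
        "Unix Sudo Access": [],
        "Unix Switch User Command Success": [],
        "Failed Unix Switch User Command": [],
        "Individual Access to Cardholder Data (10.2.1)": [],
    }
    failed_by_src = Counter()
    for event, f in parse_auth_log(text):
        if event == "ssh_failed":
            reports["Unix SSH Failed Logins"].append(f)
            failed_by_src[f["src"]] += 1
        elif event == "sudo":
            reports["Unix Sudo Access"].append(f)
            # 10.2.1: a privileged command that names a cardholder-data path is
            # individual access to cardholder data and gets its own report line.
            if any(p in f["cmd"] for p in CARDHOLDER_DATA_PATHS):
                reports["Individual Access to Cardholder Data (10.2.1)"].append(f)
        elif event == "su_ok":
            reports["Unix Switch User Command Success"].append(f)
        elif event == "su_failed":
            reports["Failed Unix Switch User Command"].append(f)
    # Correlation step: many failures from one source inside the review window.
    for src, n in failed_by_src.items():
        if n >= excessive_threshold:
            reports["Excessive Unix SSH Failed Logins"].append({"src": src, "count": n})
    return reports


def format_review(reports):
    """Render the reports as the sign-off sheet a reviewer reads and initials."""
    lines = []
    for name, events in reports.items():
        lines.append(f"{name}: {len(events)} event(s)")
        for e in events:
            lines.append("  " + ", ".join(f"{k}={v}" for k, v in e.items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_review(review_auth_log(SAMPLE_AUTH_LOG)))
```

On the constructed sample the sheet lists seven failed SSH logins, one source (203.0.113.45) over the excessive threshold, one sudo command that touches the cardholder-data path, one successful and one failed su. The point of the example is the shape of the review rather than the thresholds: every individual access to cardholder data (10.2.1) appears on its own report, and the "excessive" report is a correlation over the day, not a single log line, so it is a check that a store-and-forget log appliance never produces.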
  20. CHALLENGE 2: VULNERABILITY ASSESSMENT – SELECTING THE RIGHT SOLUTION

  21. VULNERABILITY ASSESSMENT CHALLENGES
      QUARTERLY VULNERABILITY SCANS SHOULD BE THE MINIMUM.
      RUNNING SCANS IS EASY; TRACKING DOWN VULNERABILITIES IS HARD.
      SOME COMPANIES LOOK FOR THE EASIEST WAY TO GET A “CLEAN” SCAN:
         “TWEAKING” NETWORK CONFIGURATIONS
         REMOVING IP ADDRESSES FROM SCOPE
        (PCI DSS 2.0 clarifies that all locations and flows of cardholder data are in scope, so dropping an in-scope host from the scan list hides a finding; it does not make the host compliant.)
      IT SECURITY TEAM FINDS IT DIFFICULT TO EXPLAIN OR JUSTIFY SCAN RESULTS TO MANAGEMENT

  22. VULNERABILITY ASSESSMENT
      SCHEDULE ONGOING INTERNAL AND EXTERNAL VULNERABILITY SCANS
      PERFORM QUARTERLY PCI CERTIFICATION SCANS
      RESULTS INTEGRATE WITH INTRUSION PROTECTION FOR OPTIMUM ACCURACY

  23. 11.2 RUN PCI APPROVED VULNERABILITY SCANS QUARTERLY
     (In PCI DSS 2.0, 11.2 covers quarterly internal scans (11.2.1), quarterly external scans by an Approved Scanning Vendor (11.2.2), and rescans after any significant change (11.2.3); only the external scans must come from an ASV.)

  24. COMPLIANCE DASHBOARD

  25. CHALLENGE 3: INTRUSION DETECTION – ADAPTING TECHNOLOGY TO SECURITY POLICIES

  26. INTRUSION DETECTION CHALLENGES
      INTRUSION DETECTION IS OFTEN DISMISSED BY COMPANIES DUE TO ITS REPUTATION FOR FALSE POSITIVES
      COMPANIES BUY THE TECHNOLOGY TO ACHIEVE COMPLIANCE – BUT THEY DON’T SPEND THE MONEY OR INVEST THE TIME NEEDED TO EFFECTIVELY USE THE TOOLS
      LIMITED EXPERTISE IN IT DEPARTMENTS TO PROPERLY TAKE ACTION ON SECURITY INCIDENTS

  27. THREAT MANAGER + ACTIVEWATCH
      IDENTIFY THREATS WITH LEADING INTRUSION DETECTION & VULNERABILITY ASSESSMENT (patented threat modeling expert system)
      DASHBOARDS AND REPORTS FOR END-USER SECURITY MANAGEMENT
      DEMONSTRATE DUE CARE FOR COMPLIANCE INITIATIVES WITH BUILT-IN WORKFLOW AND CASE MANAGEMENT
      PCI APPROVED SCANNING VENDOR (ASV) TO PROVE PCI COMPLIANCE COST EFFECTIVELY
      ADD 24X7 EXPERT RESPONSE WITH THE ACTIVEWATCH MANAGED SERVICE

  28. 11.4 USE IDS TO MONITOR NETWORK TRAFFIC

  29. 11.4 USE IDS TO MONITOR NETWORK TRAFFIC (continued)

  30. THE 3 BIGGEST PCI CHALLENGES (RECAP)
      EFFECTIVE AND SUSTAINABLE LOG MANAGEMENT (REQUIREMENT 10): MANUALLY REVIEWING AND MANAGING LOG DATA
      VULNERABILITY ASSESSMENT (REQUIREMENT 11.2): SELECTING THE RIGHT SOLUTION THAT SCALES TO MATCH YOUR NETWORK SECURITY NEEDS
      INTRUSION DETECTION (REQUIREMENT 11.4): CONFIGURING, IMPLEMENTING, USING, AND SUPPORTING TECHNOLOGY THAT ADAPTS TO YOUR NETWORK SECURITY POLICIES

  31. MEETING THE CHALLENGES HEAD ON
      MOVE FROM MANUAL TO AUTOMATED LOG MANAGEMENT. KEYS TO SUCCESS: EFFECTIVE AND SUSTAINABLE LOG MANAGEMENT AND REVIEW.
      CHOOSE A VULNERABILITY ASSESSMENT SOLUTION THAT ALIGNS WITH YOUR NETWORK. KEYS TO SUCCESS: CENTRALIZED VIEW AND REMEDIATION KNOWLEDGE.
      SELECT AN INTRUSION PROTECTION SOLUTION THAT DOESN’T REQUIRE COSTLY IMPLEMENTATION, CONFIGURATION AND MANAGEMENT. KEYS TO SUCCESS: IMPLEMENT A SOLUTION THAT ADAPTS TO YOUR NETWORK SECURITY POLICIES AND MINIMIZES THE WORKLOAD OF YOUR RESOURCES.

  32. CONTACT VISI
      VISI HEADQUARTERS: PHONE 612.395.9090, EMAIL SALES@VISI.COM
      VISI ST. PAUL DATA CENTER: 180 East 5th St, Suite 525, St. Paul, MN 55101
      EDEN PRAIRIE DATA CENTER: 10290 West 70th Street, Eden Prairie, MN 55344