Sandy Hawke, CISSP
VP, Product Marketing
@sandybeachSF
QUICK AND DIRTY DOZEN: PCI
COMPLIANCE SIMPLIFIED
AGENDA
2
Pre-audit checklist
Core capabilities for PCI
Automation & consolidation
Product Demo
Key Take-aways
Q & A
Setting the stage…
Pre-audit checklist & more
3
QUESTIONS TO ASK YOURSELF…
SOONER RATHER THAN LATER.
Pre-audit checklist:
Where do your PCI-relevant assets live, how are ...
FRENEMIES: SECURITY AND COMPLIANCE
55
So… what DO I need for PCI-DSS?
6
Piece it all
together
Look for strange
activity which could
indicate a threat
Start looking
for threats
Identify ways the
...
Piece it all
together
Look for strange
activity which could
indicate a threat
Start looking
for threats
Identify ways the
...
Piece it all
together
Look for strange
activity which could
indicate a threat
Start looking
for threats
What do
we need
fo...
Piece it all
together
Look for strange
activity which could
indicate a threat What do
we need
for PCI-
DSS?
10
Asset
Disco...
Piece it all
together
What do
we need
for PCI-
DSS?
11
Asset
Discovery
Asset Discovery
• Active Network Scanning
• Passive...
What do
we need
for PCI-
DSS?
12
Asset
Discovery
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• As...
13
Asset
Discovery
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Sof...
READING IN BETWEEN THE LINES…
D YN A M IC TH R E A T IN TE L L IGE N C E U P D A TE S
TH E TH R E A TS C H A N GE , S O S ...
QUICK & DIRTY CLEAN = AUTOMATED & CONSOLIDATED
All-in-one functionality
Easy management
Multiple functions without multipl...
LET’S HEAR FROM YOU!
ALIENVAULT POLL QUESTION
What is your biggest pain point when it comes to PCI compliance?
• Uncertain...
Let’s see it in action.
AlienVault USM Demo – Simplified PCI DSS Compliance
17
WHAT’S COMING IN PCI DSS V3*?
Increased clarity
Intention and application
Scoping and reporting
Eliminate redundancy, cons...
KEY TAKE-AWAYS
Use the “force” of compliance
to bolster your security
monitoring / incident
response program.
PCI Complian...
NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Tr...
Upcoming SlideShare
Loading in...5
×

Quick & Dirty Dozen: PCI Compliance Simplified

2,690

Published on

Maintaining, verifying, and demonstrating compliance with the PCI-DSS standard is far from a trivial exercise. Find out how AlienVault USM can help you meet PCI compliance requirements.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,690
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide
  • We all know… Security doesn’t equal compliance and compliance doesn’t equal security…But… you can usecompliance to getyour security projects funded.Use the “force” of compliance to improve your security.Remember… compliance is about more than reporting!
  • Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • Create “PCI in scope” host group – define the report so it’s focused on that group
  • The updated versions of PCI DSS and PA-DSS will: Provide stronger focus on some of the greater risk areas in the threat environment Provide increased clarity on PCI DSS & PA-DSS requirements Build greater understanding on the intent of the requirements and how to apply them Improve flexibility for all entities implementing, assessing, and building to the Standards  Drive more consistency among assessors Help manage evolving risks / threats Align with changes in industry best practices Clarify scoping and reporting Eliminate redundant sub-requirements and consolidate documentation While not stated in the August document, it’s anticipated that the new standard will address issues of what falls within the scope of the standard, as well as network segmentation, and defense fortification to ward off specific threats that have been identified since the 2010 release. In addition, the new requirements are likely to address card data handling in mobile, cloud and e-commerce environments in the wake of previous guidance issued by the council.
  • Use the “force” of compliance to bolster your security monitoring / incident response program.PCI Compliance is more than just reporting – it’s about basic security hygiene – don’t focus JUST on reporting, although that is importantAutomate and consolidate as much as possible – reduces cost, complexity, and accelerates remediation.If mgmt wants to do this w/home grown or manual processes or tools (can’t get budget for more software), try open source, specifically OSSIM.
  • Quick & Dirty Dozen: PCI Compliance Simplified

    1. 1. Sandy Hawke, CISSP VP, Product Marketing @sandybeachSF QUICK AND DIRTY DOZEN: PCI COMPLIANCE SIMPLIFIED
    2. 2. AGENDA 2 Pre-audit checklist Core capabilities for PCI Automation & consolidation Product Demo Key Take-aways Q & A
    3. 3. Setting the stage… Pre-audit checklist & more 3
    4. 4. QUESTIONS TO ASK YOURSELF… SOONER RATHER THAN LATER. Pre-audit checklist: Where do your PCI-relevant assets live, how are they’re configured, and how are they segmented from the rest of your network? Who accesses these resources (and the other W’s… when, where, what can they do, why and how)? What are the vulnerabilities that are in your PCI-defined network – app, etc? What constitutes your network baseline? What is considered “normal/acceptable”? Ask your team… What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen? 4
    5. 5. FRENEMIES: SECURITY AND COMPLIANCE 55
    6. 6. So… what DO I need for PCI-DSS? 6
    7. 7. Piece it all together Look for strange activity which could indicate a threat Start looking for threats Identify ways the target could be compromised What do we need for PCI- DSS? Figure out what is valuable 7
    8. 8. Piece it all together Look for strange activity which could indicate a threat Start looking for threats Identify ways the target could be compromised What do we need for PCI- DSS? 8 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory
    9. 9. Piece it all together Look for strange activity which could indicate a threat Start looking for threats What do we need for PCI- DSS? 9 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing
    10. 10. Piece it all together Look for strange activity which could indicate a threat What do we need for PCI- DSS? 10 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection
    11. 11. Piece it all together What do we need for PCI- DSS? 11 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring
    12. 12. What do we need for PCI- DSS? 12 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring Security Intelligence • SIEM Correlation • Incident Response Security Intelligence
    13. 13. 13 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring Security Intelligence • SIEM Correlation • Incident Response Security Intelligence Unified Security Management BTW… this is just the technologies… process is a whole ‘nother topic.
    14. 14. READING IN BETWEEN THE LINES… D YN A M IC TH R E A T IN TE L L IGE N C E U P D A TE S TH E TH R E A TS C H A N GE , S O S H OU L D YOU R E V E N T C OR R E L A TION R U L E S , IP R E P U TA TI ON D A TA , E TC . FL E X IB L E U S E C A S E S U P P OR T IT’ S I M P OS S I B LE TO P R E D IC T A L L B A D OU TC OM E S S O H A V E A S OL U TI ON TH A T GR OW S W ITH YOU WHAT’S NOT IN THE FINE PRINT BUT SHOULD BE… Dynamic threat intelligence updates THE THREATS CHANGE, SO SHOULD YOUR EVENT CORRELATION RULES, IP REPUTATION DATA, ETC. Flexible use case support IT’S IMPOSSIBLE TO PREDICT ALL BAD OUTCOMES SO HAVE A SOLUTION THAT GROWS WITH YOU 14
    15. 15. QUICK & DIRTY CLEAN = AUTOMATED & CONSOLIDATED All-in-one functionality Easy management Multiple functions without multiple consoles Automate what and where you can* “Baked in” guidance when you can’t Flexible reporting & queries… as detailed as you want it. 15 *Disclaimer: Despite the hype, you can’t automate EVERYTHING nor would you want to. This is cyber security we’re talking about, not pizza delivery.
    16. 16. LET’S HEAR FROM YOU! ALIENVAULT POLL QUESTION What is your biggest pain point when it comes to PCI compliance? • Uncertainty about what’s on my network • Vulnerability assessment and remediation • Concerns about threat detection • Compliance reporting • None of the above – I’m a PCI Ninja!
    17. 17. Let’s see it in action. AlienVault USM Demo – Simplified PCI DSS Compliance 17
    18. 18. WHAT’S COMING IN PCI DSS V3*? Increased clarity Intention and application Scoping and reporting Eliminate redundancy, consolidate documentation Stronger focus on “greater risk areas” in the threat environment Consistency among assessors Key Goals *https://www.pcisecuritystandards.org/security_standards/documents.php Key Themes Education and Awareness Increased flexibility Security as a shared responsibility Nov 7 2013 • PCI DSS v3 is published Jan 1 2014 • PCI DSS v3 becomes effective Dec 31 2014 • PCI DSS v2 expires Key Dates
    19. 19. KEY TAKE-AWAYS Use the “force” of compliance to bolster your security monitoring / incident response program. PCI Compliance is more than just reporting. Automate and consolidate as much as possible. And… throw away that cover page for your TPS reports. ….But keep the red stapler. 19
    20. 20. NOW FOR SOME Q&A… Three Ways to Test Drive AlienVault Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo http://www.alienvault.com/live-demo-site Request a Personalized Demo http://www.alienvault.com/schedule-demo Sales@alienvault.com

    ×