PCI DSS v3.0: How to Adapt Your Compliance Strategy


With version 3.0 of PCI DSS now available, it’s time to review your compliance strategy and make a plan for adapting to the revised requirements. While the 12 main requirements remain the same, there are significant changes related to malware defenses, vulnerability assessments and penetration testing. During this 1-hour session, you’ll learn:

* What’s new in PCI DSS version 3.0
* Key considerations for adapting your compliance strategy
* Technology recommendations for addressing new compliance requirements
* How other companies have simplified PCI DSS compliance

To view a recording of this presentation and the interactive Q&A, visit: https://www.alienvault.com/resource-center/webcasts/pci-dss-v3-how-to-adapt-your-compliance-strategy?utm_medium=Social&utm_source=SlideShare

Speaker notes
  • Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high level what are the core functionalities I need to pass my audit and stay in compliance?
    • Asset visibility (broad and deep)
    • Vulnerability assessment (network, apps, etc.)
    • Threat detection
    • File integrity monitoring
    • Host-based IDS (on the “interesting” stuff)
    • Network-based IDS
    • Wireless IDS
    • Behavioral monitoring
    • Service availability (if credit card processing breaks, you have bigger problems)
    • Network anomalies
    • Policy violations
    • User activity, especially those with superpowers
    • Security intelligence
    • Event correlation (here’s where “Big Data” comes in, but yawn, who cares, that’s just a processing challenge)
    • Incident response
    • Compliance reporting
    • Executive dashboards
    • Easy management (RBAC, output types, filters, etc.)

Transcript

    • 1. PCI DSS 3.0: HOW TO ADAPT YOUR COMPLIANCE STRATEGY
    • 2. INTRODUCTIONS. Meet today’s presenters:
      • Carlos Villalba, Director of Security Services, Terra Verde Services
      • Sandy Hawke, VP, Product Marketing, AlienVault
      • Patrick Bass, Director of Security Solutions, Terra Verde Services
    • 3. AGENDA
      • What’s new in PCI DSS 3.0
      • Key considerations for adapting your compliance strategy
      • Technology recommendations for addressing new requirements
      • How our clients have simplified PCI DSS compliance
      • Q&A
    • 4. PCI DSS PRIMER: WHAT’S CHANGED FROM V2 TO V3 (Carlos A. Villalba, Director, Security Services)
    • 5. IT’S FINALLY HERE!
      • Nov 7, 2013: PCI DSS v3 was published
      • Jan 1, 2014: PCI DSS v3 becomes effective
      • Dec 31, 2014: PCI DSS v2 expires
    • 6. PCI DSS VERSION 3: three-year cycle for new versions
    • 7. WHAT DID THEY WANT TO FIX?
      • Divergent interpretations of the standard
      • Weak or default passwords
      • Slow detection of compromise
      • Security problems introduced by third parties
      • Various other areas
    • 8. HIGHLIGHTS
      • The twelve domains remain
      • Some sub-requirements added
      • Descriptions of tests are more precise
      • Language of each requirement aligned with its test
      • Clarified what to do to verify compliance
      • More rigor in determining the scope of the assessment
      • More guidance on log reviews
      • More rigorous penetration testing
    • 9. GUIDANCE FOR EACH REQUIREMENT
    • 10. A PENETRATION TEST METHODOLOGY (new clause 11.3)
      • Based on industry-accepted approaches, e.g. NIST SP 800-115
      • Test the entire perimeter of the CDE and all critical systems
      • Validate all scope-reduction controls (segmentation)
      • Test from inside and from outside of the network
      • Test network-function components and operating systems
      • As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5
    • 11. SECURE SDLC
      • Programmers of internally-developed and bespoke applications must be trained to avoid known vulnerabilities
      • The list of vulnerabilities is expanded to include new requirements for:
        • Coding practices to protect against broken authentication and session management
        • Coding practices to document how PAN and SAD are handled in memory
      • Combating memory scraping is a good idea for PA-DSS; this was a bit contentious for PCI DSS
    • 12. AUTHENTICATION
      • Requirement text recognizes methods other than passwords/passphrases, e.g. certificates
      • Minimum password length is still 7 characters
      • Authentication credentials: “Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.”
      • A service provider must use a different password for each of its clients
      • Educate users
    • 13. CHANGE MANAGEMENT
      • Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files
      • Configure the software to perform critical file comparisons at least weekly
      • New requirement 11.5.1 mandates the implementation of a process to respond to any alerts generated by that mechanism
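The change-detection mechanism on slide 13 is what a file integrity monitor (FIM) does: hash a known-good set of files, re-hash on a schedule, and raise an alert for every difference. The script below is an added example written for this page, not code from AlienVault USM or Terra Verde Services. The host name pos-web01, the directory tree and the file contents are constructed for illustration; a real deployment would hash /etc, the web root and the card-processing binaries on each CDE host instead of a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: minimal file-integrity check of the kind Requirement 11.5 asks for.
# All paths, host names and file contents below are constructed, not real hosts.


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way a FIM alert should report them."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def format_alert(host: str, changes: dict) -> list:
    """One line per change, so the 11.5.1 response process has something concrete to act on."""
    lines = []
    for kind in ("modified", "added", "removed"):
        for path in changes[kind]:
            lines.append(f"FIM ALERT host={host} change={kind} path={path}")
    return lines


def demo() -> dict:
    """Build a constructed config tree, baseline it, tamper with it, re-scan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "www").mkdir()
        (root / "www" / "checkout.php").write_text("<?php // checkout page ?>\n")

        baseline = build_baseline(root)  # taken while the host is known to be good

        # Simulated unauthorised changes between two scheduled comparisons
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "www" / "unexpected.php").write_text("<?php // not part of the release ?>\n")
        (root / "etc" / "passwd").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for line in format_alert("pos-web01", demo()):
        print(line)
```

Two caveats a QSA will raise about anything this shape: the baseline has to be stored where an attacker who can rewrite the file cannot also rewrite its hash (off-host, or signed), and hashing content alone misses ownership and permission changes, so a production FIM records mode, owner and mtime as well. Weekly is the floor in 11.5; on systems where a skimmer could run unnoticed for days the interval should be much shorter.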
    • 14. MANAGED SERVICE PROVIDERS
      • New requirement 12.8.5 mandates documentation of which DSS requirements are managed by the third party
      • New requirement 12.9 mandates that third parties acknowledge in writing that they will comply with the DSS to protect the CHD entrusted to them or, if managing some aspect of the CDE, that they will comply with the DSS in performing that management
    • 15. ADAPTING YOUR COMPLIANCE STRATEGY
      • Assess gaps between v2 and v3 requirements
        • What process changes are required?
        • What technology improvements are required?
        • How long will these take?
        • Do you have the necessary expertise and technology in place?
      • Document migration plans to v3
      • Consider a unified approach to PCI security monitoring
    • 16. A UNIFIED APPROACH TO PCI DSS COMPLIANCE: USM OVERVIEW (Sandy Hawke, VP, Product Marketing, AlienVault)
    • 17. KEY QUESTIONS FOR PCI DSS. Pre-audit checklist:
      • Where do your PCI-relevant assets live, how are they configured, and how are they segmented from the rest of your network?
      • Who accesses these resources (and the other W’s: when, where, what can they do, why and how)?
      • What are the vulnerabilities in your PCI-defined network (app, OS, etc.)? Are there any known attackers targeting these?
      • What constitutes your network baseline? What is considered “normal/acceptable”?
      • Ask your team: what do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen?
    • 18. WHAT DO WE NEED FOR PCI DSS? Unified Security Management, built from five capability areas:
      • Asset Discovery (figure out what is valuable): active network scanning, passive network scanning, asset inventory, host-based software inventory
      • Vulnerability Assessment (identify ways the target could be compromised): network vulnerability testing
      • Threat Detection (start looking for threats): network IDS, host IDS, wireless IDS, file integrity monitoring
      • Behavioral Monitoring (look for strange activity which could indicate a threat): log collection, NetFlow analysis, service availability monitoring
      • Security Intelligence (piece it all together): SIEM correlation, incident response
      • BTW, this is just the technologies; Terra Verde can help with process!
    • 19. ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT
      • Network and host-based IDS signatures: detect the latest threats in your environment
      • Asset discovery signatures: identify the latest OSes, applications, and device types
      • Vulnerability assessment signatures: dual database coverage to find the latest vulnerabilities on all your systems
      • Correlation rules: translate raw events into actionable remediation tasks
      • Reporting modules: provide new ways of viewing data about your environment
      • Dynamic incident response templates: deliver customized guidance on how to respond to each alert
      • Newly supported data source plug-ins: expand your monitoring footprint
    • 20. WHY ALIENVAULT FOR PCI DSS COMPLIANCE?
      • All-in-one functionality: easy management; multiple functions without multiple consoles
      • Automate what and where you can*; “baked in” guidance when you can’t
      • Flexible reporting and queries, as detailed as you want it
      • Threat intelligence from AlienVault Labs
      • *Disclaimer: despite the hype, you can’t automate EVERYTHING, nor would you want to. This is cyber security we’re talking about!
    • 21. TECHNOLOGY RECOMMENDATIONS FOR PCI DSS 3.0 (Patrick Bass, Director, Security Solutions)
    • 22. PCI COMPLIANCE STRUGGLES
      • You aren’t alone: 96% of breach victims were not compliant (Verizon, 2012)
      • 5 common failures: testing security; monitoring networks; maintaining firewalls; using vendor defaults; maintaining a security policy
    • 23. TVS CLIENTS
      • USM components that have helped our clients the most: log aggregation, correlation and analysis; network intrusion detection; host intrusion detection; wireless intrusion detection; vulnerability scanning; file integrity monitoring
      • Key USM advantages: consolidated features; essential security capabilities; reduced cost and complexity; single pane of glass; easy to use and deploy
    • 24. REQUIREMENT 1: Install and maintain a firewall configuration to protect data (1.1, 1.2, 1.3)
      • USM capabilities: NetFlow analysis, system availability monitoring, SIEM, asset discovery
      • Benefits:
        • Unified and correlated NetFlow analysis and firewall logs deliver “single pane of glass” visibility into access to cardholder-related data and resources
        • Built-in asset discovery provides a dynamic asset inventory and topology diagrams; cardholder-related resources can be identified and monitored for unusual activity
        • Accurate and automated asset inventory combined with relevant security events accelerates incident response efforts and analysis
    • 25. REQUIREMENT 2: No use of vendor-supplied parameter defaults (2.1, 2.2, 2.3)
      • USM capabilities: network intrusion detection (IDS), vulnerability assessment, host-based intrusion detection (HIDS)
      • Benefits:
        • Built-in, automated vulnerability assessment identifies the use of weak and default passwords
        • Built-in host-based intrusion detection and file integrity monitoring signal when password files and other critical system files have been modified
    • 26. REQUIREMENT 3: Protect stored cardholder data (3.6.7)
      • USM capabilities: log management, host-based intrusion detection (HIDS), file integrity monitoring, NetFlow analysis, SIEM
      • Benefits:
        • Unified log review and analysis, with triggered alerts for high-risk systems (those containing cardholder data)
        • Built-in host-based intrusion detection and file integrity monitoring detect and alarm on changes to cryptographic keys
        • Unified NetFlow analysis and event correlation monitor traffic and alert on unencrypted traffic to/from cardholder-related resources
    • 27. REQUIREMENT 4: Encrypt cardholder data transmission across open, public networks (4.1)
      • USM capabilities: NetFlow analysis, behavioral monitoring, wireless IDS, SIEM
      • Benefits:
        • Unified NetFlow analysis and event correlation monitor traffic and alert on unencrypted traffic to/from cardholder-related resources
        • Built-in wireless IDS monitors encryption strength and identifies unauthorized access attempts to critical infrastructure
    • 28. REQUIREMENT 5: Use and update anti-virus software (5.1, 5.2)
      • USM capabilities: host-based intrusion detection (HIDS), network intrusion detection (IDS), log management
      • Benefits:
        • Built-in host-based intrusion detection provides an extra layer of defense against zero-day threats (before an anti-virus update can be issued)
        • Unified log management provides an audit trail of anti-virus software use by collecting log data from the anti-virus software
        • Built-in network intrusion detection identifies and alerts on malware infections in the cardholder data environment
    • 29. REQUIREMENT 6: Develop and maintain secure systems and applications (6.1, 6.2, 6.3, 6.3.2, 6.4, 6.5)
      • USM capabilities: asset discovery, vulnerability assessment, network intrusion detection (IDS), SIEM
      • Benefits:
        • Built-in and consolidated asset inventory, vulnerability assessment, threat detection and event correlation provide a unified view of an organization’s security posture and critical system configuration
        • Built-in vulnerability assessment checks for a variety of well-known vulnerability classes (e.g., SQL injection)
    • 30. REQUIREMENT 7: Restrict cardholder data access to need to know (7.1, 7.2)
      • USM capabilities: SIEM
      • Benefits: automated event correlation identifies unauthorized access to systems holding cardholder data
    • 31. REQUIREMENT 8: Assign unique IDs to everyone with computer access (8.1, 8.2, 8.4, 8.5)
      • USM capabilities: log management
      • Benefits: built-in log management captures all user account creation activities and can also identify unencrypted passwords on critical systems
    • 32. REQUIREMENT 10: Track and monitor access to all network resources and cardholder data (10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7)
      • USM capabilities: host-based intrusion detection (HIDS), network intrusion detection (IDS), behavioral monitoring, log management, SIEM
      • Benefits:
        • Built-in threat detection, behavioral monitoring and event correlation signal attacks in progress, for example unauthorized access followed by further exposures such as cardholder data exfiltration
        • Built-in log management enables the collection and correlation of valid and invalid authentication attempts on critical devices
        • Centralized, role-based access control for audit trails and event logs preserves “chain of custody” for investigations
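Slide 32 calls for correlating valid and invalid authentication attempts on critical devices. The script below is an added example written for this page, not AlienVault correlation logic. It consumes constructed OpenSSH syslog lines (the host pos-db01 and the addresses 10.0.0.5 and 10.0.0.9 are made up) and implements two rules: repeated failures from one source inside a time window, and a success from that same source while the failure count is still at or above the threshold, which is the "unauthorized access followed by further exposure" pattern the slide describes. The default threshold of six is taken from the lockout limit in Requirement 8.1.6.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: authentication-log correlation over constructed OpenSSH syslog lines.
# Host name, addresses and timestamps are made up for illustration.
SAMPLE_LOG = """\
Jan 10 10:00:01 pos-db01 sshd[1201]: Failed password for admin from 10.0.0.5 port 50001 ssh2
Jan 10 10:00:05 pos-db01 sshd[1202]: Failed password for admin from 10.0.0.5 port 50002 ssh2
Jan 10 10:00:09 pos-db01 sshd[1203]: Failed password for admin from 10.0.0.5 port 50003 ssh2
Jan 10 10:00:13 pos-db01 sshd[1204]: Failed password for invalid user backup from 10.0.0.5 port 50004 ssh2
Jan 10 10:00:17 pos-db01 sshd[1205]: Failed password for admin from 10.0.0.5 port 50005 ssh2
Jan 10 10:00:21 pos-db01 sshd[1206]: Failed password for admin from 10.0.0.5 port 50006 ssh2
Jan 10 10:00:30 pos-db01 sshd[1207]: Accepted password for admin from 10.0.0.5 port 50007 ssh2
Jan 10 10:01:00 pos-db01 sshd[1210]: Failed password for ops from 10.0.0.9 port 50010 ssh2
Jan 10 10:05:00 pos-db01 sshd[1211]: Accepted password for ops from 10.0.0.9 port 50011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line: str):
    """Return the fields of one sshd auth line, or None for lines the rule does not cover."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # syslog carries no year; only differences between timestamps matter here
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event


def correlate(log_text: str, threshold: int = 6, window: timedelta = timedelta(minutes=10)) -> list:
    """Two rules keyed on (host, source address):
    - repeated_auth_failures: the threshold-th failure inside the window
    - success_after_failures: a successful login while >= threshold failures are still in the window
    """
    alerts = []
    failures = defaultdict(deque)  # (host, src) -> timestamps of failures still inside the window
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["src"])
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > window:  # expire old failures
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once, not on every further failure
                alerts.append({"rule": "repeated_auth_failures", "host": ev["host"],
                               "src": ev["src"], "count": len(recent), "at": ev["ts"]})
        else:
            if len(recent) >= threshold:
                alerts.append({"rule": "success_after_failures", "host": ev["host"],
                               "src": ev["src"], "user": ev["user"],
                               "count": len(recent), "at": ev["ts"]})
            recent.clear()  # a success closes the failure run either way
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Keying on (host, source address) rather than on user name is deliberate: password spraying rotates user names, and the fourth sample line is a failure against a non-existent account that a per-user rule would count separately. The second rule is the one worth paging on; the first mostly confirms that the 8.1.6 lockout is doing its job, and in a real SIEM both would be enriched with the asset's CDE tag before routing.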
    • 33. REQUIREMENT 11: Regularly test security systems and processes (11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7)
      • USM capabilities: vulnerability assessment, wireless IDS, host-based intrusion detection (HIDS), file integrity monitoring, SIEM
      • Benefits:
        • Built-in vulnerability assessment streamlines the scanning and remediation process: one console to manage it all
        • Built-in wireless IDS detects and alerts on rogue wireless access points and weak encryption configurations
        • Built-in host-based intrusion detection identifies the attachment of USB devices, including WLAN cards
        • Unified vulnerability assessment, threat detection and event correlation provide full situational awareness in order to reliably test security systems and processes
        • Built-in file integrity monitoring alerts on unauthorized modification of system files, configuration files, or content
    • 34. CONTACT US
      • Carlos Villalba, Director, Security Services, Terra Verde Services, carlos.villalba@TerraVerdeServices.com, 877-707-7997 (x 21)
      • Sandy Hawke, VP, Product Marketing, AlienVault, shawke@alienvault.com
      • Patrick Bass, Director, Security Solutions, Terra Verde Services, patrick.bass@TerraVerdeServices.com, 877-707-7997 (x 16)
    • 35. NOW FOR SOME Q&A…
      • Download a free 30-day trial: http://www.alienvault.com/free-trial
      • Try our interactive demo site: http://www.alienvault.com/live-demo-site
      • Join us for a live demo: http://www.alienvault.com/marketing/alienvault-usmlive-demo
      • Already a customer? TVS provides training: http://www.terraverdeservices.com/alienvaulttraining.html
      • Questions? hello@alienvault.com
    • 36. VIEW WEBCAST ON-DEMAND… A recorded version of this webcast is available on demand and can be viewed here.
