
Network Security Audit? Passing Your Next One with Flying Colors

Do you know about the upcoming PCI-DSS 3.2.1 standard and what it means for your operation? Are you ready to be audited?

Presented by renowned industry expert, Professor Avishai Wool, this technical webinar imparts best practices and reveals specific techniques to help you make sure that your compliance posture stands up to any audit.

In this webinar, Professor Wool shows you how to:

Know if your network is compliant with the new PCI 3.2.1 standard
Identify the latest vulnerabilities and assess risk
Prepare for the next audit
Generate audit-ready reports to reduce the scope of your audit
Assure continuous compliance

Published in: Technology

Network Security Audit? Passing Your Next One with Flying Colors

  1. Reaching PCI Nirvana: Ensure a Successful Audit and Maintain Continuous Compliance. Prof. Avishai Wool, CTO & Co-founder
  2. Welcome. Have a question? Submit it via the chat. This webinar is being recorded! Slides and recording will be sent to you after the webinar. marketing@algosec.com
  3. PCI & Compliance – the Agenda: Background on PCI DSS 3.2; what you need to know about the PCI-DSS v3.2.1 update; PCI and the cloud; identify the latest vulnerabilities and assess risks before the auditor does; how to ensure network compliance now and continuously; how to reduce the scope of your audit and instantly generate audit-ready reports
  4. POLL #1: Are you familiar with PCI-DSS? • Yes, I am familiar • I am only familiar with PCI-DSS 3.1 • I am only familiar with PCI 3.2 • No, this is new to me. Please vote using the “Votes from Audience” tab in your BrightTALK panel
  5. SSL and Early TLS • The cryptography behind https://server.name.here • 2014, 2015: a run of attacks against SSL 2.0, 3.0 and TLS 1.0 • “Heartbleed”, “FREAK”, “POODLE”, “Logjam” … • Industry consensus: SSL (all versions) and TLS 1.0 are “broken beyond repair”
  6. PCI RESPONSE: PCI-DSS 3.1 (April 2015): SSL and early TLS “are not considered strong cryptography” … “cannot be used as a security control after June 30, 2016”
  7. Switch to TLS 1.2? • As of 2016 all browsers had supported TLS 1.2 for several years: Chrome v30, Firefox v27, Internet Explorer v11, Microsoft Edge v12, Opera v17, Safari v5 on iOS and v7 on OS X • All modern libraries and web-server platforms had supported TLS 1.2 for several years too … so switching to TLS 1.2 should have been easy, right?
  8. Examples (2018): Chrome 67, Firefox 61. To see the negotiated protocol in Chrome: menu > More tools > Developer tools (or CTRL SHIFT i) > Security tab
  9. Check the middleware • TLS is not only used by browsers and web servers • Machine-to-machine web-service API communication (SOAP / REST / etc.) • Web-page “scraping” utilities • Automatic testing platforms • E-mail servers and e-mail clients • Embedded web servers inside devices • All of these may need to be upgraded to a TLS 1.2-compatible version. Bottom line: the switch to TLS 1.2 requires testing and time
  10. PCI RESPONSE: PCI-DSS 3.2 (April 2016): • New requirements: “best practices” until 1 February 2018 • Extended migration [to TLS 1.2] date to 30 June 2018
  11. WHAT’S IN PCI 3.2.1: Minor update (May 2018) • PCI DSS 3.2 valid until end of 2018 • PCI DSS 3.2.1 is definitive from 1 Jan 2019 • No new requirements were added in PCI DSS 3.2.1 • PCI DSS 3.2.1 makes TLS 1.2 mandatory
  12. POLL #2: How ready is your organization with the switch to TLS 1.2? • We haven’t started yet • 33% completed • 67% completed • We are ready! Please vote using the “Votes from Audience” tab in your BrightTALK panel
  13. Common PCI-DSS Compliance Challenge: Manual Audits Slow Down Business and are Error-Prone. Time devoted to firewall audits each year (source: AlgoSec survey): <1 week 26%; 1-2 weeks 29%; 2-4 weeks 27%; 1-2 months 12%; 2+ months 6%
  14. Compliance Must be Continuous (security policy lifecycle) • Discover or Define: auto-discover and map application connectivity and security infrastructure; enable developers to define connectivity programmatically • Plan & Assess: translate application connectivity into firewall rules; assess risk and compliance; tie cyber attacks and vulnerabilities to business processes • Migrate & Deploy: automatically migrate firewall rules; zero-touch change management; automated policy push; smart validation • Maintain: policy monitoring; enforce security posture; out-of-the-box auditing and compliance reports; link firewall rules to applications; policy clean-up and optimization; firewall rule recertification • Decommission: decommission redundant firewall rules and application connectivity
  15. KEY AlgoSec CAPABILITIES: Secure Business Application Connectivity; Security Policy Workflow Automation; Continuous Compliance and Auditing; Firewall Policy Optimization; Security Policy Risk Mitigation; NGFW, Application & Datacenter Migration; Hybrid Cloud Security
  16. Demonstration of PCI Compliance with the AlgoSec Suite
  17. Continuous Compliance
  18. Continuous Compliance: out-of-the-box PCI-DSS 3.2.1 report, exportable • Automatically created • Scheduled or on demand • Covers all AlgoSec-managed devices
  19. Item-by-item device collation
  20. Password Defaults
  21. Vulnerabilities in PCI Applications
  22. What are “PCI Applications”?
  23. Outdated Software Versions
  24. Baseline Compliance
  25. Baseline Compliance • Use AlgoSec baselines • Or customize your own
  26. Change Process: AlgoSec provides an application-aware workflow system for network security change management
  27-31. (screenshot slides, no text)
  32. • What-if risk check, before changes are implemented • AlgoSec standard risks + user-defined risks + connectivity spreadsheet violations
  33. Creating custom risks
  34. (screenshot slide, no text)
  35. Color codes indicate vulnerability score
  36. Vulnerabilities at Application Level
  37. Compliance Dashboard
  38. PCI Compliance for Cloud credit-card-processing systems • Same requirements • But different technologies. AlgoSec provides its capabilities across • Multi-cloud • Hybrid • Public cloud • Private cloud • Legacy environments
  39. POLL #3: What is your greatest concern with compliance in the cloud? • Visibility into cloud-native controls (security groups, access lists) • 3rd-party virtualized traditional controls (Checkpoint, CloudGuard, Palo Alto, etc.) • Non-network controls (S3 buckets, IAM settings, …) • All of the above. Please vote using the “Votes from Audience” tab in your BrightTALK panel
  40. Q & A
  41. Summary • PCI 3.2.1 makes TLS 1.2 mandatory starting Jan 2019 • Continuous compliance to instantly generate audit-ready reports • Connectivity and vulnerability reporting per business application • “What-if” risk assessment as part of the change workflow • PCI and the cloud
  42. Resources (https://www.algosec.com/resources) • White papers: AlgoSec for GDPR, AlgoSec for MAS-TRM • Prof. Wool video courses • Webinar PPT slides • Datasheets: compliance, auditing, PCI and more • Blog posts
  43. UPCOMING EVENTS • September webinars: www.algosec.com/webinars • AlgoSummit Americas, the premier event for AlgoSec customers and channel partners, October 15-18: www.algosec.com/algosummit
  44. Join our community. Follow us for the latest on security policy management trends, tips & tricks, best practices, thought leadership, fun stuff, prizes and much more! Subscribe to our YouTube channel for a wide range of educational videos presented by Professor Wool: youtube.com/user/AlgoSec, linkedin.com/company/AlgoSec, facebook.com/AlgoSec, twitter.com/AlgoSec, www.AlgoSec.com/blog
  45. THANK YOU! Questions can be emailed to marketing@algosec.com
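Slides 5 to 11 make the point that PCI-DSS 3.2.1 turns TLS 1.2 into a hard floor, and slide 9 warns that the browser check on slide 8 misses the middleware: API endpoints, mail servers and embedded web servers that never show up in a Developer Tools tab. The script below is an added example written for this page; it is not from the webinar and not part of any AlgoSec product. It uses only the Python standard library and probes one TCP endpoint twice, first demanding TLS 1.2 or newer, then offering only SSL 3.0 through TLS 1.1 (the versions the standard calls "SSL and early TLS"), and turns the two answers into a PASS / FAIL / UNKNOWN verdict for an audit row. The verdict labels, the function names and the host:port command-line form are my own choices, not anything the deck defines.

```python
"""Probe an endpoint for the PCI-DSS 3.2.1 TLS floor (added example, not from the webinar)."""
import socket
import ssl
import sys
import warnings

# Protocol names exactly as ssl.SSLSocket.version() reports them.
# PCI-DSS 3.2.1 requires TLS 1.2 or newer; everything older is "SSL and early TLS".
ACCEPTABLE = ("TLSv1.2", "TLSv1.3")


def is_pci_acceptable(negotiated):
    """True when a negotiated protocol name satisfies the TLS 1.2 minimum."""
    return negotiated in ACCEPTABLE


def _handshake(host, port, minimum, maximum, timeout):
    """Attempt one handshake constrained to the [minimum, maximum] version window.

    Returns the negotiated version string, or None when the server refuses every
    version in the window. Certificate validation is disabled on purpose: this
    measures protocol support, not trust in the certificate chain.
    Raises OSError on transport failures (refused, timed out) and ValueError when
    the local OpenSSL build cannot offer the requested versions at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3 will not even *offer* TLS 1.0/1.1 at its default security level;
    # level 0 lets this client send the legacy ClientHello the second probe needs.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():
        # Recent Python versions warn when TLS 1.0/1.1 are selected; that is the point here.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = minimum
        ctx.maximum_version = maximum
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
        except ssl.SSLError:
            return None  # protocol_version alert or abrupt close: window rejected


def probe_tls_floor(host, port=443, timeout=5.0):
    """Audit one endpoint: does it speak TLS 1.2+, and does it still accept early TLS?

    Returns a dict that can become one row of an audit report. On any transport
    or client-side failure the row carries an 'error' and both answers are unknown.
    """
    row = {"host": host, "port": port, "tls12_ok": False,
           "early_tls_accepted": None, "error": None}
    try:
        modern = _handshake(host, port, ssl.TLSVersion.TLSv1_2,
                            ssl.TLSVersion.MAXIMUM_SUPPORTED, timeout)
        row["tls12_ok"] = modern is not None and is_pci_acceptable(modern)
        legacy = _handshake(host, port, ssl.TLSVersion.MINIMUM_SUPPORTED,
                            ssl.TLSVersion.TLSv1_1, timeout)
        row["early_tls_accepted"] = legacy is not None
    except (OSError, ValueError) as exc:  # connection refused, timeout, untestable client
        row["error"] = f"{type(exc).__name__}: {exc}"
    return row


def verdict(row):
    """PASS only when TLS 1.2+ negotiates and no early-TLS handshake is accepted."""
    if row["error"]:
        return "UNKNOWN"
    if row["tls12_ok"] and not row["early_tls_accepted"]:
        return "PASS"
    return "FAIL"


if __name__ == "__main__":
    # Usage: python tls_floor.py host[:port] ...  (run against your own inventory)
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        row = probe_tls_floor(host, int(port or 443))
        print(verdict(row), row)
```

A FAIL from the second probe is the finding slide 9 is about: the endpoint already speaks TLS 1.2, so browsers look fine, but a legacy client can still negotiate TLS 1.0 or 1.1 and the control is not compliant. UNKNOWN means the probe itself could not be completed (port closed, timeout, or a libssl that cannot offer early TLS), so the row needs a manual check rather than being recorded as a pass.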
