AlienVault, profile picture
Uploaded byAlienVault
PPTX, PDF5,299 views

PCI DSS Simplified: What You Need to Know

The document outlines key strategies for achieving PCI DSS compliance, emphasizing the importance of asset discovery, vulnerability assessment, and threat detection. It highlights essential practices such as maintaining effective security configurations, employing threat intelligence, and automating compliance processes. Additionally, it introduces AlienVault's Unified Security Management as a comprehensive solution for managing compliance and security needs in a streamlined manner.

Embed presentation

Downloaded 264 times
PCI DSS SIMPLIFIED: WHAT YOU NEED TO KNOW Sandy Hawke, CISSP VP, Product Marketing @sandybeachSF Tom D’Aquino Technical Lead
AGENDA 2 Common challenges Pre-audit checklist Core capabilities for PCI Automation & consolidation Product Demo Key Takeaways Q & A
SETTING THE STAGE… Pre-audit checklist & more
QUESTIONS TO ASK YOURSELF… SOONER RATHER THAN LATER. Pre-audit checklist: Where do your PCI-relevant assets live, how are they’re configured, and how are they segmented from the rest of your network? Who accesses these resources (and the other W’s… when, where, what can they do, why and how)? What are the vulnerabilities that are in your PCI-defined network – app, etc? What constitutes your network baseline? What is considered “normal/acceptable”? Ask your team… What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen? 7
FRENEMIES: SECURITY AND COMPLIANCE 88
SO…. WHAT DO I NEED FOR PCI-DSS?
Piece it all together Look for strange activity which could indicate a threat Start looking for threats Identify ways the target could be compromised What do we need for PCI- DSS? Figure out what is valuable 10
Piece it all together Look for strange activity which could indicate a threat Start looking for threats Identify ways the target could be compromised What do we need for PCI- DSS? 11 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory
Piece it all together Look for strange activity which could indicate a threat Start looking for threats What do we need for PCI- DSS? 12 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing
Piece it all together Look for strange activity which could indicate a threat What do we need for PCI- DSS? 13 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection
Piece it all together What do we need for PCI- DSS? 14 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring
What do we need for PCI- DSS? 15 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring Security Intelligence • SIEM Correlation • Incident Response Security Intelligence
16 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring Security Intelligence • SIEM Correlation • Incident Response Security Intelligence Unified Security Management BTW… this is just the technologies… process is a whole ‘nother topic.
READING IN BETWEEN THE LINES… D YN A M IC TH R E A T IN TE L L IGE N C E U P D A TE S TH E TH R E A TS C H A N GE , S O S H OU L D YOU R E V E N T C OR R E L A TION R U L E S , IP R E P U TA TI ON D A TA , E TC . FL E X IB L E U S E C A S E S U P P OR T IT’ S I M P OS S I B LE TO P R E D IC T A L L B A D OU TC OM E S S O H A V E A S OL U TI ON TH A T GR OW S W ITH YOU WHAT’S NOT IN THE FINE PRINT BUT SHOULD BE… Dynamic threat intelligence updates THE THREATS CHANGE, SO SHOULD YOUR EVENT CORRELATION RULES, IP REPUTATION DATA, ETC. Flexible use case support IT’S IMPOSSIBLE TO PREDICT ALL BAD OUTCOMES SO HAVE A SOLUTION THAT GROWS WITH YOU 17
LET’S HEAR FROM YOU! ALIENVAULT POLL QUESTION What is your biggest pain point when it comes to PCI compliance? • Uncertainty about what’s on my network • Vulnerability assessment and remediation • Concerns about threat detection • Compliance reporting • None of the above – I’m a PCI Ninja!
WHY ALIENVAULT FOR PCI DSS COMPLIANCE? All-in-one functionality • Easy management • Multiple functions without multiple consoles Automate what and where you can* • “Baked in” guidance when you can’t Flexible reporting & queries… as detailed as you want it. Threat intelligence from AlienVault Labs 19 *Disclaimer: Despite the hype, you can’t automate EVERYTHING nor would you want to. This is cyber security we’re talking about!
ALIENVAULT USM: AUTOMATION & CONSOLIDATION ① Install and Maintain a Firewall Configuration to Protect Data ② No Use of Vendor-Supplied Parameter Defaults ③ Protects Stored Cardholder Data ④ Encrypt Cardholder Data Transmission Across Open Public Networks ⑤ Use and Update Antivirus Software ⑥ Develop and Maintain Secure Systems and Applications ⑦ Restrict Cardholder Data Access to Need to Know ⑧ Assign Unique IDs to Everyone with Computer Access ① Track and Monitor Access to All Network Resources and Cardholder Data ② Regularly Test Security Systems and Processes http://www.alienvault.com/products-solutions/compliance- management/pci-dss-compliance
LET’S SEE IT IN ACTION. AlienVault USM Demo – PCI DSS Compliance Simplified
WHAT’S COMING IN PCI DSS V3*? Increased clarity • Intention and application • Scoping and reporting • Eliminate redundancy, consolidate documentation Stronger focus on “greater risk areas” in the threat environment Consistency among assessors Key Goals *https://www.pcisecuritystandards.org/security_standards/documents.php Key Themes Education and Awareness Increased flexibility Security as a shared responsibility Nov 7 2013 • PCI DSS v3 is published Jan 1 2014 • PCI DSS v3 becomes effective Dec 31 2014 • PCI DSS v2 expires Key Dates
KEY TAKE-AWAYS Use the “force” of compliance to bolster your security monitoring / incident response program. PCI Compliance is more than just reporting. Automate and consolidate as much as possible. And… throw away that cover page for your TPS reports. ….But keep the red stapler. 23
NOW FOR SOME Q&A… Three Ways to Test Drive AlienVault Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo Site http://www.alienvault.com/live-demo-site Join our LIVE Demo on Thursday! http://www.alienvault.com/marketing/alienvault-usm-live- demo Sales@alienvault.com

More Related Content

PPTX
PCI DSS v3.0: How to Adapt Your Compliance Strategy
byAlienVault
 
PDF
Pci dss-for-it-providers
byCalyptix Security
 
PDF
PCI-DSS_Overview
bysameh Abulfotooh
 
PDF
1. PCI Compliance Overview
byokrantz
 
PPTX
PCI DSS v3 - Protecting Cardholder data
byInMobi Technology
 
PPTX
PCI DSS 3.0 – What You Need to Know
byTerra Verde
 
KEY
PA-DSS
byChristian Heinrich
 
PDF
PCI DSS Essential Guide
byKim Jensen
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
byAlienVault
 
Pci dss-for-it-providers
byCalyptix Security
 
PCI-DSS_Overview
bysameh Abulfotooh
 
1. PCI Compliance Overview
byokrantz
 
PCI DSS v3 - Protecting Cardholder data
byInMobi Technology
 
PCI DSS 3.0 – What You Need to Know
byTerra Verde
 
PA-DSS
byChristian Heinrich
 
PCI DSS Essential Guide
byKim Jensen
 

What's hot

PPTX
PCI DSS Compliance
bySaumya Vishnoi
 
PPTX
Introduction to PCI DSS
bySaumya Vishnoi
 
PPT
PCI DSS
byDuy Do Phan
 
PPTX
A practical guides to PCI compliance
byJisc
 
PPTX
Spirit of PCI DSS by Dr. Anton Chuvakin
byAnton Chuvakin
 
PDF
Pci standards, from participation to implementation and review
byisc2-hellenic
 
PPTX
PCI DSS and PA DSS
byKimberly Simon MBA
 
PPTX
PCI DSS 3.2 - Business as Usual
byKimberly Simon MBA
 
PPTX
SFISSA - PCI DSS 3.0 - A QSA Perspective
byMark Akins
 
PPTX
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
byAnton Chuvakin
 
PPTX
PCI DSS 2.0 Detailed Introduction
byControlCase
 
PDF
Pci ssc quick reference guide
byMohammad Makchudul Alam (Arif)
 
PPTX
PCI DSS 3.2
byKimberly Simon MBA
 
PPTX
PCI DSS and PA DSS
byKimberly Simon MBA
 
PPTX
Card Data Discovery and PCI DSS
byKimberly Simon MBA
 
DOCX
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
byhimalya sharma
 
DOCX
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
byhimalya sharma
 
PPT
Application security and pa dss certification
byAlexander Polyakov
 
PDF
PCIDSS compliance made easier through a collaboration between NC State and UN...
byJohn Baines
 
PDF
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
byAriel Ben-Harosh
 
PCI DSS Compliance
bySaumya Vishnoi
 
Introduction to PCI DSS
bySaumya Vishnoi
 
PCI DSS
byDuy Do Phan
 
A practical guides to PCI compliance
byJisc
 
Spirit of PCI DSS by Dr. Anton Chuvakin
byAnton Chuvakin
 
Pci standards, from participation to implementation and review
byisc2-hellenic
 
PCI DSS and PA DSS
byKimberly Simon MBA
 
PCI DSS 3.2 - Business as Usual
byKimberly Simon MBA
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
byMark Akins
 
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
byAnton Chuvakin
 
PCI DSS 2.0 Detailed Introduction
byControlCase
 
Pci ssc quick reference guide
byMohammad Makchudul Alam (Arif)
 
PCI DSS 3.2
byKimberly Simon MBA
 
PCI DSS and PA DSS
byKimberly Simon MBA
 
Card Data Discovery and PCI DSS
byKimberly Simon MBA
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
byhimalya sharma
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
byhimalya sharma
 
Application security and pa dss certification
byAlexander Polyakov
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
byJohn Baines
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
byAriel Ben-Harosh
 

Similar to PCI DSS Simplified: What You Need to Know

PPTX
Quick & Dirty Dozen: PCI Compliance Simplified
byAlienVault
 
PPTX
Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
PPTX
An Introduction to PCI Compliance on IBM Power Systems
byHelpSystems
 
PPT
PCI DSS Myths 2009: Myths and Reality
byAnton Chuvakin
 
PDF
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
PPTX
PCI DSS Business as Usual
byControlCase
 
PPTX
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
byAlienVault
 
PDF
PCI DSS Business as Usual
byControlCase
 
PDF
PCI DSS: What it is, and why you should care
bySean D. Goodwin
 
PPTX
How to Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
PPTX
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
byAnton Chuvakin
 
PPTX
Solutions For PCI Compliance
byJohn Bedrick
 
PPTX
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
byAnton Chuvakin
 
PDF
PCI DSS and PA DSS Version 3.0 Changes
byControlCase
 
PPTX
Making Compliance Business as Usual
byControlCase
 
PPTX
PCI DSS Business as Usual
byKimberly Simon MBA
 
PDF
PCI Certification and remediation services
byTariq Juneja
 
PPTX
Making PCI V3.0 Business as Usual (BAU)
byControlCase
 
DOC
"Compliance First" or "Security First"
byAnton Chuvakin
 
PPTX
PCI DSS 3.0: Don’t Shortchange Your PCI Readiness
byTripwire
 
Quick & Dirty Dozen: PCI Compliance Simplified
byAlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
An Introduction to PCI Compliance on IBM Power Systems
byHelpSystems
 
PCI DSS Myths 2009: Myths and Reality
byAnton Chuvakin
 
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
PCI DSS Business as Usual
byControlCase
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
byAlienVault
 
PCI DSS Business as Usual
byControlCase
 
PCI DSS: What it is, and why you should care
bySean D. Goodwin
 
How to Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
byAnton Chuvakin
 
Solutions For PCI Compliance
byJohn Bedrick
 
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
byAnton Chuvakin
 
PCI DSS and PA DSS Version 3.0 Changes
byControlCase
 
Making Compliance Business as Usual
byControlCase
 
PCI DSS Business as Usual
byKimberly Simon MBA
 
PCI Certification and remediation services
byTariq Juneja
 
Making PCI V3.0 Business as Usual (BAU)
byControlCase
 
"Compliance First" or "Security First"
byAnton Chuvakin
 
PCI DSS 3.0: Don’t Shortchange Your PCI Readiness
byTripwire
 

More from AlienVault

PPTX
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
PPTX
Best Practices for Configuring Your OSSIM Installation
byAlienVault
 
PPTX
Improve Situational Awareness for Federal Government with AlienVault USM
byAlienVault
 
PDF
Security operations center 5 security controls
byAlienVault
 
PPTX
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
byAlienVault
 
PPTX
Alienvault threat alerts in spiceworks
byAlienVault
 
PPTX
Improve Threat Detection with OSSEC and AlienVault USM
byAlienVault
 
PPTX
How Malware Works
byAlienVault
 
PDF
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
PDF
Insider Threat Detection Recommendations
byAlienVault
 
PPTX
Improve threat detection with hids and alien vault usm
byAlienVault
 
PPTX
Malware detection how to spot infections early with alien vault usm
byAlienVault
 
PPTX
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
byAlienVault
 
PDF
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
byAlienVault
 
PPTX
Improve Security Visibility with AlienVault USM Correlation Directives
byAlienVault
 
PPTX
Incident response live demo slides final
byAlienVault
 
PPTX
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
byAlienVault
 
PPTX
AWS Security Best Practices for Effective Threat Detection & Response
byAlienVault
 
PDF
The State of Incident Response - INFOGRAPHIC
byAlienVault
 
PDF
Malware Invaders - Is Your OS at Risk?
byAlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
Best Practices for Configuring Your OSSIM Installation
byAlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
byAlienVault
 
Security operations center 5 security controls
byAlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
byAlienVault
 
Alienvault threat alerts in spiceworks
byAlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
byAlienVault
 
How Malware Works
byAlienVault
 
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
Insider Threat Detection Recommendations
byAlienVault
 
Improve threat detection with hids and alien vault usm
byAlienVault
 
Malware detection how to spot infections early with alien vault usm
byAlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
byAlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
byAlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
byAlienVault
 
Incident response live demo slides final
byAlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
byAlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
byAlienVault
 
The State of Incident Response - INFOGRAPHIC
byAlienVault
 
Malware Invaders - Is Your OS at Risk?
byAlienVault
 

Recently uploaded

PDF
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PPTX
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PDF
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
PDF
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
PDF
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
PDF
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
PDF
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
PDF
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 

PCI DSS Simplified: What You Need to Know

  • 1.
    PCI DSS SIMPLIFIED: WHATYOU NEED TO KNOW Sandy Hawke, CISSP VP, Product Marketing @sandybeachSF Tom D’Aquino Technical Lead
  • 2.
    AGENDA 2 Common challenges Pre-audit checklist Corecapabilities for PCI Automation & consolidation Product Demo Key Takeaways Q & A
  • 3.
  • 7.
    QUESTIONS TO ASKYOURSELF… SOONER RATHER THAN LATER. Pre-audit checklist: Where do your PCI-relevant assets live, how are they’re configured, and how are they segmented from the rest of your network? Who accesses these resources (and the other W’s… when, where, what can they do, why and how)? What are the vulnerabilities that are in your PCI-defined network – app, etc? What constitutes your network baseline? What is considered “normal/acceptable”? Ask your team… What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen? 7
  • 8.
  • 9.
    SO…. WHAT DO INEED FOR PCI-DSS?
  • 10.
    Piece it all together Lookfor strange activity which could indicate a threat Start looking for threats Identify ways the target could be compromised What do we need for PCI- DSS? Figure out what is valuable 10
  • 11.
    Piece it all together Lookfor strange activity which could indicate a threat Start looking for threats Identify ways the target could be compromised What do we need for PCI- DSS? 11 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory
  • 12.
    Piece it all together Lookfor strange activity which could indicate a threat Start looking for threats What do we need for PCI- DSS? 12 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing
  • 13.
    Piece it all together Lookfor strange activity which could indicate a threat What do we need for PCI- DSS? 13 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection
  • 14.
    Piece it all together Whatdo we need for PCI- DSS? 14 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring
  • 15.
    What do we need forPCI- DSS? 15 Asset Discovery Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring Security Intelligence • SIEM Correlation • Incident Response Security Intelligence
  • 16.
    16 Asset Discovery Asset Discovery • ActiveNetwork Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment Vulnerability Assessment • Network Vulnerability Testing Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Threat Detection Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Behavioral Monitoring Security Intelligence • SIEM Correlation • Incident Response Security Intelligence Unified Security Management BTW… this is just the technologies… process is a whole ‘nother topic.
  • 17.
    READING IN BETWEENTHE LINES… D YN A M IC TH R E A T IN TE L L IGE N C E U P D A TE S TH E TH R E A TS C H A N GE , S O S H OU L D YOU R E V E N T C OR R E L A TION R U L E S , IP R E P U TA TI ON D A TA , E TC . FL E X IB L E U S E C A S E S U P P OR T IT’ S I M P OS S I B LE TO P R E D IC T A L L B A D OU TC OM E S S O H A V E A S OL U TI ON TH A T GR OW S W ITH YOU WHAT’S NOT IN THE FINE PRINT BUT SHOULD BE… Dynamic threat intelligence updates THE THREATS CHANGE, SO SHOULD YOUR EVENT CORRELATION RULES, IP REPUTATION DATA, ETC. Flexible use case support IT’S IMPOSSIBLE TO PREDICT ALL BAD OUTCOMES SO HAVE A SOLUTION THAT GROWS WITH YOU 17
  • 18.
    LET’S HEAR FROMYOU! ALIENVAULT POLL QUESTION What is your biggest pain point when it comes to PCI compliance? • Uncertainty about what’s on my network • Vulnerability assessment and remediation • Concerns about threat detection • Compliance reporting • None of the above – I’m a PCI Ninja!
  • 19.
    WHY ALIENVAULT FORPCI DSS COMPLIANCE? All-in-one functionality • Easy management • Multiple functions without multiple consoles Automate what and where you can* • “Baked in” guidance when you can’t Flexible reporting & queries… as detailed as you want it. Threat intelligence from AlienVault Labs 19 *Disclaimer: Despite the hype, you can’t automate EVERYTHING nor would you want to. This is cyber security we’re talking about!
  • 20.
    ALIENVAULT USM: AUTOMATION &CONSOLIDATION ① Install and Maintain a Firewall Configuration to Protect Data ② No Use of Vendor-Supplied Parameter Defaults ③ Protects Stored Cardholder Data ④ Encrypt Cardholder Data Transmission Across Open Public Networks ⑤ Use and Update Antivirus Software ⑥ Develop and Maintain Secure Systems and Applications ⑦ Restrict Cardholder Data Access to Need to Know ⑧ Assign Unique IDs to Everyone with Computer Access ① Track and Monitor Access to All Network Resources and Cardholder Data ② Regularly Test Security Systems and Processes http://www.alienvault.com/products-solutions/compliance- management/pci-dss-compliance
  • 21.
    LET’S SEE ITIN ACTION. AlienVault USM Demo – PCI DSS Compliance Simplified
  • 22.
    WHAT’S COMING INPCI DSS V3*? Increased clarity • Intention and application • Scoping and reporting • Eliminate redundancy, consolidate documentation Stronger focus on “greater risk areas” in the threat environment Consistency among assessors Key Goals *https://www.pcisecuritystandards.org/security_standards/documents.php Key Themes Education and Awareness Increased flexibility Security as a shared responsibility Nov 7 2013 • PCI DSS v3 is published Jan 1 2014 • PCI DSS v3 becomes effective Dec 31 2014 • PCI DSS v2 expires Key Dates
  • 23.
    KEY TAKE-AWAYS Use the“force” of compliance to bolster your security monitoring / incident response program. PCI Compliance is more than just reporting. Automate and consolidate as much as possible. And… throw away that cover page for your TPS reports. ….But keep the red stapler. 23
  • 24.
    NOW FOR SOMEQ&A… Three Ways to Test Drive AlienVault Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo Site http://www.alienvault.com/live-demo-site Join our LIVE Demo on Thursday! http://www.alienvault.com/marketing/alienvault-usm-live- demo Sales@alienvault.com

Editor's Notes

  • #9 We all know… Security doesn’t equal compliance and compliance doesn’t equal security…But… you can usecompliance to getyour security projects funded.Use the “force” of compliance to improve your security.Remember… compliance is about more than reporting!
  • #11 Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • #12 Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • #13 Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • #14 Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • #15 Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • #16 Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • #17 Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high –level what are the core functionalities I need to pass my audit and stay in compliance?Asset visibility (broad and deep)Vulnerability assessment (network, apps, etc)Threat detectionFile integrity monitoringHost-based IDS (on the “interesting” stuff)Network-based IDSWireless IDSBehavioral MonitoringService availability – if credit card processing breaks, you have bigger problemsNetwork anomaliesPolicy violationsUser activity – especially those with superpowersSecurity IntelligenceEvent Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)Incident ResponseCompliance ReportingExecutive DashboardsEasy management (RBAC, output types, filters, etc.)
  • #23 The updated versions of PCI DSS and PA-DSS will: Provide stronger focus on some of the greater risk areas in the threat environment Provide increased clarity on PCI DSS & PA-DSS requirements Build greater understanding on the intent of the requirements and how to apply them Improve flexibility for all entities implementing, assessing, and building to the Standards  Drive more consistency among assessors Help manage evolving risks / threats Align with changes in industry best practices Clarify scoping and reporting Eliminate redundant sub-requirements and consolidate documentation While not stated in the August document, it’s anticipated that the new standard will address issues of what falls within the scope of the standard, as well as network segmentation, and defense fortification to ward off specific threats that have been identified since the 2010 release. In addition, the new requirements are likely to address card data handling in mobile, cloud and e-commerce environments in the wake of previous guidance issued by the council.
  • #24 Use the “force” of compliance to bolster your security monitoring / incident response program.PCI Compliance is more than just reporting – it’s about basic security hygiene – don’t focus JUST on reporting, although that is importantAutomate and consolidate as much as possible – reduces cost, complexity, and accelerates remediation.If mgmt wants to do this w/home grown or manual processes or tools (can’t get budget for more software), try open source, specifically OSSIM.