PCI DSS 3.0: HOW TO ADAPT YOUR COMPLIANCE STRATEGY
INTRODUCTIONS
Meet today’s presenters

Carlos Villalba
Director of Security Services
Terra Verde Services

Sandy Hawke
VP, Product Marketing
AlienVault

Patrick Bass
Director of Security Solutions
Terra Verde Services

AGENDA

• What’s New in PCI DSS 3.0
• Key considerations for adapting your compliance strategy
• Technology recommendations for addressing new requirements
• How our clients have simplified PCI DSS compliance
• Q&A
PCI DSS PRIMER
WHAT’S CHANGED FROM V2 TO V3
Carlos A. Villalba
Director, Security Services
IT’S FINALLY HERE!

• Nov 7, 2013: PCI DSS v3 was published
• Jan 1, 2014: PCI DSS v3 becomes effective
• Dec 31, 2014: PCI DSS v2 expires
PCI DSS VERSION 3
3-Year Cycle for New Versions
WHAT DID THEY WANT TO FIX

• Divergent interpretations of the standard
• Weak or default passwords
• Slow detection of compromise
• Security problems introduced by 3rd parties and various areas
HIGHLIGHTS

• The twelve domains remain
• Some sub-requirements added
• Descriptions of tests are more precise
  • Aligned language of requirement and test
  • Clarified what to do to verify compliance
• More rigor in determining scope of assessment
• More guidance on log reviews
• More rigorous penetration testing
GUIDANCE FOR EACH REQUIREMENT
A PENETRATION TEST METHODOLOGY

• Based on industry-accepted approaches, e.g. NIST SP800-115
• A new clause 11.3
  • Test entire perimeter of CDE & all critical systems
  • Validate all scope-reduction controls—segmentation
  • Test from inside and from outside of the network
  • Test network-function components and OSs
  • As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5
SECURE SDLC

• Programmers of internally-developed and bespoke applications must be trained to avoid known vulnerabilities
• List expanded to include new requirements for
  • Coding practices to protect against broken authentication and session management
  • Coding practices to document how PAN and SAD are handled in memory
    • Combating memory scraping is a good idea for PA-DSS
    • This was a bit contentious for PCI-DSS
AUTHENTICATION

• Requirement text recognizes methods other than password/passphrases, e.g. certificates
• Minimum password length is still 7 characters
• Authentication credentials
  “Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.”
• A service provider must use a different password for each of its clients.
• Educate users
CHANGE MANAGEMENT

• Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files
  • Configure the software to perform critical file comparisons at least weekly.
• New requirement, 11.5.1, mandates the implementation of a process to respond to any alerts generated by that mechanism.
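
A minimal sketch of the change-detection mechanism described on this slide, added here as an illustration and not taken from the presenters or from any product they mention: it records a SHA-256 baseline of critical files, reports added, modified and removed files on each comparison, and raises an alert when the previous comparison is more than a week old. The function names, the JSON baseline layout and the sample files are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile
import time

WEEK_SECONDS = 7 * 24 * 3600  # the slide's "at least weekly" comparison interval


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths):
    """Map each monitored path to its digest, or None if it does not exist."""
    return {p: hash_file(p) if os.path.isfile(p) else None for p in paths}


def write_baseline(paths, baseline_file, now=None):
    """Record the approved state. Keep this file where the monitored host
    cannot rewrite it, or a tampered baseline hides the change."""
    record = {"last_compared": time.time() if now is None else now,
              "hashes": snapshot(paths)}
    with open(baseline_file, "w") as handle:
        json.dump(record, handle, indent=2)


def compare(baseline_file, now=None):
    """Return sorted (kind, path) alerts; never re-baselines on its own."""
    now = time.time() if now is None else now
    with open(baseline_file) as handle:
        record = json.load(handle)
    alerts = []
    if now - record["last_compared"] > WEEK_SECONDS:
        alerts.append(("OVERDUE", baseline_file))
    current = snapshot(record["hashes"])
    for path, old in record["hashes"].items():
        new = current[path]
        if old == new:
            continue
        if old is None:
            alerts.append(("ADDED", path))      # watched path appeared
        elif new is None:
            alerts.append(("REMOVED", path))
        else:
            alerts.append(("MODIFIED", path))
    # Only the comparison time is updated; hashes change solely through an
    # explicit, authorized write_baseline() call.
    record["last_compared"] = now
    with open(baseline_file, "w") as handle:
        json.dump(record, handle, indent=2)
    return sorted(alerts)


def demo():
    """Run the check against constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "passwd")          # constructed sample
        fw_conf = os.path.join(root, "firewall.conf")  # constructed sample
        startup = os.path.join(root, "rc.local")       # absent at baseline
        baseline = os.path.join(root, "baseline.json")
        for path, text in ((passwd, "root:x:0:0\n"), (fw_conf, "deny all\n")):
            with open(path, "w") as handle:
                handle.write(text)
        t0 = 1_000_000  # fixed clock so the run is repeatable
        write_baseline([passwd, fw_conf, startup], baseline, now=t0)
        clean = compare(baseline, now=t0 + 3600)
        with open(passwd, "a") as handle:
            handle.write("svc:x:0:0\n")   # unauthorized edit
        os.remove(fw_conf)
        with open(startup, "w") as handle:
            handle.write("#!/bin/sh\n")
        late = compare(baseline, now=t0 + 3600 + 8 * 24 * 3600)
        return [k for k, _ in clean], [k for k, _ in late]


if __name__ == "__main__":
    print(demo())
```

Each returned alert is the input to the response process that 11.5.1 calls for; the script only detects and reports.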
MANAGED SERVICE PROVIDERS

• New requirement, 12.8.5, mandates the documentation of which DSS requirements are managed by the 3rd party.
• New requirement, 12.9, mandates that 3rd parties must acknowledge in writing that they will comply with the DSS to protect CHD entrusted to them or, if managing some aspect of the CDE, state they will comply with the DSS in performing that management.
ADAPTING YOUR COMPLIANCE STRATEGY

• Assess gaps between v2 and v3 requirements
  • What process changes are required?
  • What technology improvements are required?
  • How long will these take?
  • Do you have the necessary expertise and technology in place?
• Document migration plans to v3
• Consider a unified approach to PCI security monitoring
A UNIFIED APPROACH TO PCI DSS COMPLIANCE:
USM OVERVIEW
Sandy Hawke
VP, Product Marketing
AlienVault
KEY QUESTIONS FOR PCI DSS

Pre-audit checklist:

• Where do your PCI-relevant assets live, how are they configured, and how are they segmented from the rest of your network?
• Who accesses these resources (and the other W’s… when, where, what can they do, why and how)?
• What are the vulnerabilities that are in your PCI-defined network – app, OS, etc? Are there any known attackers targeting these?
• What constitutes your network baseline? What is considered “normal/acceptable”?

Ask your team… What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen?
What do we need for PCI DSS? Unified Security Management

Asset Discovery: Figure out what is valuable
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

Vulnerability Assessment: Identify ways the target could be compromised
• Network Vulnerability Testing

Threat Detection: Start looking for threats
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

Behavioral Monitoring: Look for strange activity which could indicate a threat
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

Security Intelligence: Piece it all together
• SIEM Correlation
• Incident Response

BTW… this is just the technologies… Terra Verde can help with process!
ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT

• Network and host-based IDS signatures – detects the latest threats in your environment
• Asset discovery signatures – identifies the latest OS’es, applications, and device types
• Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems
• Correlation rules – translates raw events into actionable remediation tasks
• Reporting modules – provides new ways of viewing data about your environment
• Dynamic incident response templates – delivers customized guidance on how to respond to each alert
• Newly supported data source plug-ins – expands your monitoring footprint
WHY ALIENVAULT FOR PCI DSS COMPLIANCE?

• All-in-one functionality
  • Easy management
  • Multiple functions without multiple consoles
• Automate what and where you can*
  • “Baked in” guidance when you can’t
• Flexible reporting & queries… as detailed as you want it.
• Threat intelligence from AlienVault Labs

*Disclaimer: Despite the hype, you can’t automate EVERYTHING nor would you want to. This is cyber security we’re talking about!
TECHNOLOGY RECOMMENDATIONS FOR PCI DSS 3.0
Patrick Bass
Director, Security Solutions
PCI COMPLIANCE STRUGGLES

• You aren’t alone
  • 96% of breach victims were not compliant (Verizon, 2012).
• 5 common failures
  • Testing security
  • Monitoring networks
  • Maintaining firewalls
  • Using vendor defaults
  • Maintaining a security policy
TVS CLIENTS

USM components that have helped our clients the most:

• Log aggregation, correlation, analysis
• Network intrusion detection
• Host intrusion detection
• Wireless intrusion detection
• Vulnerability scanning
• File integrity monitoring

Key USM advantages:

• Consolidated features
• Essential security capabilities
• Reduced cost & complexity
• Single pane-of-glass
• Easy to use & deploy
REQUIREMENT 1:
Install and maintain a firewall configuration to protect data

PCI DSS Requirement: 1.1, 1.2, 1.3

USM Capabilities:
• NetFlow analysis
• System availability monitoring
• SIEM
• Asset discovery

Benefits:
• Unified and correlated NetFlow analysis and firewall logs delivers “single pane of glass” visibility into access to cardholder-related data and resources
• Built-in asset discovery provides a dynamic asset inventory and topology diagrams. Cardholder-related resources can be identified and monitored for unusual activity.
• Accurate and automated asset inventory combined with relevant security events accelerate incident response efforts and analysis.
REQUIREMENT 2:
No use of vendor-supplied parameter defaults

PCI DSS Requirement: 2.1, 2.2, 2.3

USM Capabilities:
• Network intrusion detection (IDS)
• Vulnerability assessment
• Host-based intrusion detection (HIDS)

Benefits:
• Built-in, automated vulnerability assessment identifies the use of weak and default passwords.
• Built-in host-based intrusion detection and file integrity monitoring will signal when password files and other critical system files have been modified.
REQUIREMENT 3:
Protects stored cardholder data

PCI DSS Requirement: 3.6.7

USM Capabilities:
• Log management
• Host-based intrusion detection (HIDS)
• File integrity monitoring
• NetFlow analysis
• SIEM

Benefits:
• Unified log review and analysis, with triggered alerts for high risk systems (containing credit cardholder data).
• Built-in host-based intrusion detection and file integrity monitoring detect and alarm on changes to cryptographic keys.
• Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.
REQUIREMENT 4:
Encrypt cardholder data transmission across open public networks

PCI DSS Requirement: 4.1

USM Capabilities:
• NetFlow analysis
• Behavioral monitoring
• Wireless IDS
• SIEM

Benefits:
• Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.
• Built-in wireless IDS monitors encryption strength and identifies unauthorized access attempts to critical infrastructure.
REQUIREMENT 5:
Use and update anti-virus software

PCI DSS Requirement: 5.1, 5.2

USM Capabilities:
• Host-based intrusion detection (HIDS)
• Network intrusion detection (IDS)
• Log management

Benefits:
• Built-in host-based intrusion detection provides an extra layer of defense against zero day threats (before an anti-virus update can be issued).
• Unified log management provides an audit trail of anti-virus software use by collecting log data from anti-virus software.
• Built-in network intrusion detection identifies and alerts on malware infections in the credit cardholder data environment.
REQUIREMENT 6:
Develop and maintain secure systems and applications

PCI DSS Requirement: 6.1, 6.2, 6.3, 6.3.2, 6.4, 6.5

USM Capabilities:
• Asset discovery
• Vulnerability assessment
• Network intrusion detection (IDS)
• SIEM

Benefits:
• Built-in and consolidated asset inventory, vulnerability assessment, threat detection and event correlation provides a unified view of an organization’s security posture and critical system configuration.
• Built-in vulnerability assessment checks for a variety of well-known security exploits (i.e., SQL injection).
REQUIREMENT 7:
Restrict cardholder data access to need to know

PCI DSS Requirement: 7.1, 7.2

USM Capabilities:
• SIEM

Benefits:
• Automated event correlation identifies unauthorized access to systems with credit cardholder data.
REQUIREMENT 8:
Assign unique IDs to everyone with computer access

PCI DSS Requirement: 8.1, 8.2, 8.4, 8.5

USM Capabilities:
• Log Management

Benefits:
• Built-in log management captures all user account creation activities and can also identify unencrypted passwords on critical systems.
REQUIREMENT 10:
Track and monitor access to all network resources and cardholder data

PCI DSS Requirement: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7

USM Capabilities:
• Host-based intrusion detection (HIDS)
• Network intrusion detection (IDS)
• Behavioral monitoring
• Log management
• SIEM

Benefits:
• Built-in threat detection, behavioral monitoring and event correlation signals attacks in progress—for example, unauthorized access followed by additional security exposures such as cardholder data exfiltration.
• Built-in log management enables the collection and correlation of valid and invalid authentication attempts on critical devices.
• Centralized, role-based access control for audit trails and event logs preserves “chain of custody” for investigations.
REQUIREMENT 11:
Regularly test security systems and processes

PCI DSS Requirement: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7

USM Capabilities:
• Vulnerability assessment
• Wireless IDS
• Host-based intrusion detection (HIDS)
• File integrity monitoring
• SIEM

Benefits:
• Built-in vulnerability assessment streamlines the scanning and remediation process – one console to manage it all.
• Built-in wireless IDS detects and alerts on rogue wireless access points, and weak encryption configurations.
• Built-in host-based intrusion detection identifies the attachment of USB devices including WLAN cards.
• Unified vulnerability assessment, threat detection, and event correlation provides full situational awareness in order to reliably test security systems and processes.
• Built-in file integrity monitoring alerts on unauthorized modification of system files, configuration files, or content.
CONTACT US

Carlos Villalba
Director, Security Services
Terra Verde Services
carlos.villalba@TerraVerdeServices.com
877-707-7997 (x 21)

Sandy Hawke
VP, Product Marketing
AlienVault
shawke@alienvault.com

Patrick Bass
Director, Security Solutions
Terra Verde Services
patrick.bass@TerraVerdeServices.com
877-707-7997 (x 16)
NOW FOR SOME Q&A…
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usmlive-demo
Already a customer? TVS provides training:

http://www.terraverdeservices.com/alienvaulttraining.html

Questions? hello@alienvault.com
VIEW WEBCAST ON-DEMAND…
A recorded version of this webcast is available On-Demand, and can be viewed Here.

Editor's Notes

  • #3 Need to add their photos
  • #19 Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high-level what are the core functionalities I need to pass my audit and stay in compliance?
      • Asset visibility (broad and deep)
      • Vulnerability assessment (network, apps, etc)
      • Threat detection
      • File integrity monitoring
      • Host-based IDS (on the “interesting” stuff)
      • Network-based IDS
      • Wireless IDS
      • Behavioral Monitoring
      • Service availability – if credit card processing breaks, you have bigger problems
      • Network anomalies
      • Policy violations
      • User activity – especially those with superpowers
      • Security Intelligence
      • Event Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)
      • Incident Response
      • Compliance Reporting
      • Executive Dashboards
      • Easy management (RBAC, output types, filters, etc.)
  • #36 Need to add their photos
  • #37 AlienVault training page – from Terra Verde website. Ed to send me the URL to add here as a CTA