How to Overcome the 3 Biggest PCI Compliance Challenges

20 JANUARY 2011
RANDY ROSENBAUM / CPISM / ALERT LOGIC
JOHNNY HATCH / PRODUCT MANAGER / VISI
VISI.COM / 612.395.9090 / © 2011 VISI INCORPORATED. ALL RIGHTS RESERVED.

description

The cost of PCI compliance is out of control. Companies are forced to spend thousands and sometimes millions of dollars on technology like log management that is messy and difficult to deploy. This can be disheartening news for an organization whose compliance is not optional. According to the leading QSAs, requirements 10, 11.2, and 11.4 are the three biggest and most expensive PCI compliance challenges facing companies. How can your organization overcome these PCI compliance challenges with limited budget and resources? Cloud-based solutions are the answer. Watch a recorded webinar from VISI and Alert Logic on How to Overcome the 3 Biggest PCI Compliance Challenges. In this webinar, we will show how hosted solutions can provide:

• Effective and sustainable log management, IDS, and vulnerability management
• An affordable and easy-to-implement solution
• A reduction in the amount of time your team spends on PCI compliance

Transcript of How to Overcome the 3 Biggest PCI Compliance Challenges

Page 1: How to Overcome the 3 Biggest PCI Compliance Challenges

HOW TO OVERCOME THE 3 BIGGEST PCI COMPLIANCE CHALLENGES
20 JANUARY 2011

RANDY ROSENBAUM / CPISM / ALERT LOGIC
JOHNNY HATCH / PRODUCT MANAGER / VISI

Page 2: How to Overcome the 3 Biggest PCI Compliance Challenges

AGENDA

VISI INTRODUCTION

PCI DSS 2.0

PCI COMPLIANCE CHALLENGES

COSTLY PITFALLS OF PCI COMPLIANCE

3 BIGGEST PCI COMPLIANCE CHALLENGES

PCI COMPLIANCE IN THE CLOUD

QUESTIONS AND ANSWERS


Page 3: How to Overcome the 3 Biggest PCI Compliance Challenges


COMPANY OVERVIEW

ABOUT VISI

FOUNDED IN 1994

MINNESOTA’S MARKET LEADER IN COLOCATION, MANAGED SERVERS AND CLOUD SERVICES.

WHOLLY OWNED SUBSIDIARY OF TELEPHONE & DATA SYSTEMS.

TELEPHONE & DATA SYSTEMS IS A FORTUNE 500 COMPANY WITH REVENUES IN EXCESS OF $5B.

Page 4: How to Overcome the 3 Biggest PCI Compliance Challenges

PCI DSS 2.0


Page 5: How to Overcome the 3 Biggest PCI Compliance Challenges

CHANGES TO PCI DSS

Requirement | Change
1 | Clarification on secure boundaries between the internet and the cardholder data environment
3.6 | Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge
6.2 | Update requirement to allow vulnerabilities to be ranked and prioritized according to risk
6.5 | Merge 6.3.1 and 6.5 to eliminate redundancy
12.3.10 | Update to allow business justification for copy, move, and storage of CHD during remote access
Various | Provide guidance on virtualization
Scope | Clarify that all locations and flows of cardholder data should be included in scope


Page 6: How to Overcome the 3 Biggest PCI Compliance Challenges

PCI COMPLIANCE CHALLENGES


Page 7: How to Overcome the 3 Biggest PCI Compliance Challenges

COSTLY PCI PITFALLS

1. ONLY CHECKING THE “I’M COMPLIANT” BOX

DEPLOYING AN EXPENSIVE HARDWARE- OR SOFTWARE-BASED LOG MANAGEMENT OR IDS SYSTEM AND NOT REVIEWING THE DATA.

2. WASTING YOUR RESOURCES

USING YOUR RESOURCES TO UPDATE, PATCH, AND MAINTAIN HARDWARE OR SOFTWARE BASED SOLUTIONS.


Page 8: How to Overcome the 3 Biggest PCI Compliance Challenges

THE 3 BIGGEST PCI CHALLENGES

EFFECTIVE AND SUSTAINABLE LOG MANAGEMENT

REQUIREMENT 10

MANUALLY REVIEWING AND MANAGING LOG DATA

VULNERABILITY ASSESSMENT

REQUIREMENT 11.2

SELECTING THE RIGHT SOLUTION THAT SCALES TO MATCH YOUR NETWORK SECURITY NEEDS

INTRUSION PROTECTION

REQUIREMENT 11.4

CONFIGURING, IMPLEMENTING, USING, AND SUPPORTING TECHNOLOGY THAT ADAPTS TO YOUR NETWORK SECURITY POLICIES


Page 9: How to Overcome the 3 Biggest PCI Compliance Challenges

PCI COMPLIANCE IN THE CLOUD


Page 10: How to Overcome the 3 Biggest PCI Compliance Challenges

FOUNDED: 2002

LOCATIONS:

HQ: HOUSTON, TX

DATA CENTERS: HOUSTON & ATLANTA

EMPLOYEES: 90+

CUSTOMERS: 1,200+

We allow you to:
Improve security
Comply with regulations

By delivering:
Patented SaaS products
Integrated managed services
Continuous automation


Page 11: How to Overcome the 3 Biggest PCI Compliance Challenges

ACTIVEWATCH: INTEGRATED SAAS & MANAGED SERVICES

THREAT MANAGER
PCI Approved Scan Vendor for DSS requirements. ActiveWatch service provides 24x7 response from certified analysts.

ACTIVEWATCH
Identify and escalate true security incidents by expert analysis of threat and vulnerability data.

LOG MANAGER
Agent-less collection, correlation, storage, search and reporting of disparate log data. Cloud-based grid architecture enables unprecedented scale without local storage.

LOGREVIEW
LogReview service provides daily review and sign-off of over 20 critical reports for security and compliance.


Page 12: How to Overcome the 3 Biggest PCI Compliance Challenges

CLOUD-POWERED DELIVERY MODEL


Page 13: How to Overcome the 3 Biggest PCI Compliance Challenges

PCI DSS
Penalties: fines, loss of credit card processing, and level 1 merchant requirements

ADDRESSING PCI DSS MANDATES
(Slide table: each mandate below is mapped against the columns THREAT MANAGER, ACTIVEWATCH, LOG MANAGER and LOGREVIEW; the per-product checkmarks did not survive extraction.)

VULNERABILITY ASSESSMENT

6.2 Identify newly discovered security vulnerabilities

11.2 Perform network vulnerability scans quarterly by an ASV

INTRUSION DETECTION

5.1.1 Monitor zero-day attacks not covered by anti-virus

11.4 Maintain IDS/IPS to monitor & alert personnel, keep engines up to date

LOG MANAGEMENT

10.2 Automated audit trails

10.3 Capture audit trails

10.5 Secure logs

10.6 Review logs at least daily

10.7 Maintain logs online for 3 months

10.7 Retain audit trail for at least 1 year

Page 14: How to Overcome the 3 Biggest PCI Compliance Challenges

CHALLENGE 1: LOG MANAGEMENT – EFFECTIVE AND SUSTAINABLE


Page 15: How to Overcome the 3 Biggest PCI Compliance Challenges

WHY LOG MANAGEMENT IS OFTEN INEFFECTIVE

(Bar chart, 0% to 60% of respondents. Reasons given, with the most notable highlighted on the slide:)

Criteria for breach are unclear

Too much time to resolve incidents

Log data is not normalized

Procedures are too flexible to enforce

Management doesn't "get it"

Source: PCI Knowledge Base, March 2009


Page 16: How to Overcome the 3 Biggest PCI Compliance Challenges

LOG MANAGER + LOGREVIEW

COLLECT LOG DATA FROM HETEROGENEOUS ENVIRONMENTS WITHOUT DEPLOYING AGENTS

SECURELY STORE LOG DATA IN REDUNDANT OFFSITE DATA CENTERS ELIMINATING THE NEED FOR LOCAL SAN

SEARCH AND REPORT ON DATA INSTANTLY FOR FORENSIC ANALYSIS

MAINTAIN SECURITY & COMPLIANCE WITH OUT-OF-THE-BOX REPORTS AND ALERTING

OFFLOAD MONOTONOUS DAILY REVIEW OF LOG DATA (E.G., FOR PCI COMPLIANCE) WITH LOGREVIEW MANAGED SERVICE

Deploy this…

Instead of all this.


Page 17: How to Overcome the 3 Biggest PCI Compliance Challenges

10.2.1 ALL INDIVIDUAL ACCESS TO CARD HOLDER DATA


Page 18: How to Overcome the 3 Biggest PCI Compliance Challenges

PCI LOG CORRELATION POLICIES


Page 19: How to Overcome the 3 Biggest PCI Compliance Challenges

LOG MESSAGES REVIEWED DAILY

Alert Logic LogReview

Unix Failed Logins
Unix Sudo Access
Windows and Unix FTP/Telnet Failed Logins
Unix SSH Failed Logins
Database Failed Logins
Excessive Windows Failed Logins
Windows User Group Modified
Active Directory Global Catalog Change
Active Directory Global Catalog Demotion
Unix Group Created
Network Device Failed Logins
Network Device Policy Change
Unix Switch User Command Success
Excessive Windows Account Lockouts
Windows User Account Created
Windows User Group Created
Excessive Windows Failed Logins by an Admin
Failed Unix Switch User Command
Excessive Windows Account Lockouts by an Admin
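The daily-review items listed above, together with the requirement 10 log-management mandates on page 13 (10.2 automated audit trails, 10.6 review logs at least daily), come down to running a fixed set of checks over the collected log data every day and signing off on the result. The script below is an added example, not code from the webinar, VISI or Alert Logic: it applies six of the review rules to constructed sample log lines (the hostnames, user names and addresses are made up) and derives the "Excessive Windows Failed Logins" item by counting Windows event 4625 per account against an assumed threshold of five.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the webinar): Unix syslog messages
# plus Windows Security events as a collector might flatten them to key=value.
SAMPLE_LOGS = [
    "Jan 20 08:01:12 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Jan 20 08:01:15 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Jan 20 08:05:40 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/auth.log",
    "Jan 20 08:06:02 db01 su[3310]: pam_unix(su:session): session opened for user root by alice(uid=1000)",
    "Jan 20 08:07:55 db01 su[3322]: FAILED SU (to root) bob on /dev/pts/1",
    "Jan 20 08:10:01 dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.21 Status=0xC000006D",
    "Jan 20 08:10:09 dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.21 Status=0xC000006D",
    "Jan 20 08:10:17 dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.21 Status=0xC000006D",
    "Jan 20 08:10:25 dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.21 Status=0xC000006D",
    "Jan 20 08:10:33 dc01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.21 Status=0xC000006D",
    "Jan 20 08:11:48 dc01 EventID=4625 TargetUserName=mjones IpAddress=10.0.0.44 Status=0xC000006A",
    "Jan 20 08:12:30 dc01 EventID=4720 TargetUserName=svc_backup SubjectUserName=Administrator",
    "Jan 20 08:13:00 web01 sshd[2290]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2",
]

# Review rules named after the LogReview report titles on the slide. Each
# regex captures the fields an analyst needs when signing off on the item.
REVIEW_RULES = {
    "Unix SSH Failed Logins": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "Unix Sudo Access": re.compile(
        r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"),
    "Unix Switch User Command Success": re.compile(
        r"su\[\d+\]: pam_unix\(su(?:-l)?:session\): session opened for user (?P<target>\S+) by (?P<user>[^(\s]+)"),
    "Failed Unix Switch User Command": re.compile(
        r"su\[\d+\]: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on"),
    "Windows Failed Logins": re.compile(
        r"EventID=4625 .*?TargetUserName=(?P<user>\S+)"),
    "Windows User Account Created": re.compile(
        r"EventID=4720 .*?TargetUserName=(?P<target>\S+) SubjectUserName=(?P<user>\S+)"),
}


def review_logs(lines, excessive_threshold=5):
    """Apply every review rule to every line and return {rule: [match dicts]}.

    The "Excessive Windows Failed Logins" item is derived rather than matched:
    event 4625 is counted per target account and accounts at or above the
    (assumed) threshold are reported with their count.
    """
    findings = {name: [] for name in REVIEW_RULES}
    for line in lines:
        for name, pattern in REVIEW_RULES.items():
            match = pattern.search(line)
            if match:
                findings[name].append(match.groupdict())
    per_account = Counter(f["user"] for f in findings["Windows Failed Logins"])
    findings["Excessive Windows Failed Logins"] = [
        {"user": user, "count": count}
        for user, count in sorted(per_account.items())
        if count >= excessive_threshold
    ]
    return findings


def signoff_summary(findings):
    """One line per review item, the way a daily sign-off would record it."""
    return [f"{name}: {len(items)} event(s)" for name, items in findings.items()]


if __name__ == "__main__":
    for line in signoff_summary(review_logs(SAMPLE_LOGS)):
        print(line)
```

Each rule keeps the fields that make the finding reviewable (who, from where, to which account, what command), because a count alone cannot be signed off; the excessive-failure rule is the one item that needs aggregation across lines, so it is computed after the per-line pass.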


Page 20: How to Overcome the 3 Biggest PCI Compliance Challenges

CHALLENGE 2: VULNERABILITY ASSESSMENT – SELECTING THE RIGHT SOLUTION


Page 21: How to Overcome the 3 Biggest PCI Compliance Challenges

VULNERABILITY ASSESSMENT CHALLENGES

QUARTERLY VULNERABILITY SCANS SHOULD BE THE MINIMUM.

RUNNING SCANS IS EASY; TRACKING DOWN VULNERABILITIES IS HARD.

SOME COMPANIES LOOK FOR THE EASIEST WAY TO GET A “CLEAN” SCAN

“TWEAKING” NETWORK CONFIGURATIONS

REMOVING IP ADDRESSES FROM SCOPE

IT SECURITY TEAM FINDS IT DIFFICULT TO EXPLAIN OR JUSTIFY SCAN RESULTS TO MANAGEMENT


Page 22: How to Overcome the 3 Biggest PCI Compliance Challenges

VULNERABILITY ASSESSMENT

SCHEDULE ONGOING INTERNAL AND EXTERNAL VULNERABILITY SCANS

PERFORM QUARTERLY PCI CERTIFICATION SCANS

RESULTS INTEGRATE WITH INTRUSION PROTECTION FOR OPTIMUM ACCURACY


Page 23: How to Overcome the 3 Biggest PCI Compliance Challenges

11.2 RUN PCI APPROVED VULNERABILITY SCANS QUARTERLY


Page 24: How to Overcome the 3 Biggest PCI Compliance Challenges

COMPLIANCE DASHBOARD


Page 25: How to Overcome the 3 Biggest PCI Compliance Challenges

CHALLENGE 3: INTRUSION DETECTION – ADAPTING TECHNOLOGY TO SECURITY POLICIES

Page 26: How to Overcome the 3 Biggest PCI Compliance Challenges

INTRUSION DETECTION CHALLENGES

INTRUSION DETECTION IS OFTEN DISMISSED BY COMPANIES DUE TO THE REPUTATION FOR FALSE

COMPANIES BUY THE TECHNOLOGY TO ACHIEVE COMPLIANCE – BUT THEY DON’T SPEND THE MONEY OR INVEST THE TIME NEEDED TO EFFECTIVELY USE THE TOOLS

LIMITED EXPERTISE IN IT DEPARTMENTS TO PROPERLY TAKE ACTION ON SECURITY INCIDENTS


Page 27: How to Overcome the 3 Biggest PCI Compliance Challenges

THREAT MANAGER + ACTIVEWATCH

Patented Threat Modeling Expert System

IDENTIFY THREATS WITH LEADING INTRUSION DETECTION & VULNERABILITY ASSESSMENT

DASHBOARDS AND REPORTS FOR END-USER SECURITY MANAGEMENT

DEMONSTRATE DUE CARE FOR COMPLIANCE INITIATIVES WITH BUILT-IN WORKFLOW AND CASE MANAGEMENT

PCI APPROVED SCANNING VENDOR (ASV) TO PROVE PCI COMPLIANCE

COST EFFECTIVELY ADD 24X7 EXPERT RESPONSE WITH ACTIVEWATCH MANAGED SERVICE


Page 28: How to Overcome the 3 Biggest PCI Compliance Challenges

11.4 USE IDS TO MONITOR NETWORK TRAFFIC


Page 29: How to Overcome the 3 Biggest PCI Compliance Challenges

11.4 USE IDS TO MONITOR NETWORK TRAFFIC


Page 30: How to Overcome the 3 Biggest PCI Compliance Challenges

THE 3 BIGGEST PCI CHALLENGES

EFFECTIVE AND SUSTAINABLE LOG MANAGEMENT

REQUIREMENT 10

MANUALLY REVIEWING AND MANAGING LOG DATA

VULNERABILITY ASSESSMENT

REQUIREMENT 11.2

SELECTING THE RIGHT SOLUTION THAT SCALES TO MATCH YOUR NETWORK SECURITY NEEDS

INTRUSION DETECTION

REQUIREMENT 11.4

CONFIGURING, IMPLEMENTING, USING, AND SUPPORTING TECHNOLOGY THAT ADAPTS TO YOUR NETWORK SECURITY POLICIES


Page 31: How to Overcome the 3 Biggest PCI Compliance Challenges

MEETING THE CHALLENGES HEAD ON

MOVE FROM MANUAL TO AUTOMATED LOG MANAGEMENT

KEYS TO SUCCESS: EFFECTIVE AND SUSTAINABLE LOG MANAGEMENT AND REVIEW

CHOOSE A VULNERABILITY ASSESSMENT SOLUTION THAT ALIGNS WITH YOUR NETWORK

KEYS TO SUCCESS: CENTRALIZED VIEW AND REMEDIATION KNOWLEDGE

SELECT AN INTRUSION PROTECTION SOLUTION THAT DOESN’T REQUIRE COSTLY IMPLEMENTATION, CONFIGURATION AND MANAGEMENT

KEYS TO SUCCESS: IMPLEMENT A SOLUTION THAT ADAPTS TO YOUR NETWORK SECURITY POLICIES AND MINIMIZES THE WORK LOAD OF YOUR RESOURCES


Page 32: How to Overcome the 3 Biggest PCI Compliance Challenges


CONTACT VISI

VISI HEADQUARTERS / EDEN PRAIRIE DATA CENTER
10290 West 70th Street
Eden Prairie, MN 55344

VISI ST. PAUL DATA CENTER
180 East 5th St, Suite 525
St. Paul, MN 55101

PHONE 612.395.9090

EMAIL [email protected]