Do you know about the upcoming PCI-DSS 3.2.1 standard and what it means for your operation? Are you ready to be audited? Presented by renowned industry expert, Professor Avishai Wool, this technical webinar imparts best practices and reveals specific techniques to help you make sure that your compliance posture stands up to any audit. In this webinar, Professor Wool shows you how to: Know if your network is compliant with the new PCI 3.2.1 standard Identify the latest vulnerabilities and assess risk Prepare for the next audit Generate audit-ready reports to reduce the scope of your audit Assure continuous compliance

1. Reaching PCI Nirvana:
Ensure a Successful
Audit and Maintain
Continuous Compliance
Prof. Avishai Wool
CTO & Co-founder

2. Welcome
Have a question? Submit it via the chat
This webinar is being recorded!
Slides and recording will be sent to you after the
webinar
2
marketing@algosec.com

3. 3
Background on
PCI DSS 3.2
What you need
to know about
the PCI-DSS
v3.2.1 update
PCI and the
cloud
Identify latest
vulnerabilities
and assess
risks before the
auditor
How to ensure
network
compliance
now and
continuously
How to reduce
the scope of
your audit and
instantly
generate audit-
ready reports
PCI & Compliance –
the Agenda

4. POLL #1: Are you familiar with pci-dss?
• Yes, I am familiar
• I am only familiar with PCI-DSS 3.1
• I am only familiar with PCI 3.2
• No, this is new to me
Please vote using the “Votes from Audience” tab in your
BrightTALK panel
4

5. SSL and Early TLS
• The cryptography behind https://server.name.here
• 2014, 2015: run of attacks against SSL 2.0, 3.0.
and TLS 1.0
• “Heartbleed”, “FREAK”, “POODLE”, “Logjam” …
5
 Industry consensus:
SSL (all versions), TLS 1.0 “broken beyond
repair”

6. 6
PCI-DSS 3.1 (April 2015):
SSL and early TLS are not
considered strong cryptography”…
“cannot be used as a security control
after June 30, 2016
PCI RESPONSE

7. Switch to TLS 1.2 ?
• As of 2016 all browsers supported TLS 1.2
for several years:
• All modern libraries and web-server platforms
supported TLS 1.2 for several years too
7
……So switching to TLS 1.2 should have been easy, right?
 Chrome - v30
 Firefox - v27
 Internet Explorer - v11
 Microsoft Edge - v12
 Opera - v17
 Safari - v5 on iOS, v7 on OS X

8. Examples (2018)
Chrome 67 Firefox 61
Chrome: menu > more tools > Developer tools (or CTRL SHIFT i) > Security tab
8

9.  Bottom line: The switch to TLS 1.2 requires testing &
time
check the middleware
• TLS is not only used by browsers and web servers
• Machine-to-machine web-service API communication (SOAP / REST / etc…)
• Web-page “scraping” utilities
• Automatic testing platforms
• E-Mail servers and E-mail clients
• Embedded web-servers inside devices
• May need to be upgraded to a TLS 1.2-compatible version
9

10. PCI RESPONSE
PCI-DSS 3.2 (April 2016):
• New requirements: “best
practices” until 1 February 2018
• Extended migration [to TLS 1.2]
date to 30 June 2018
10
PCI RESPONSE

11. WHAT’S IN PCI 3.2.1
Minor Update (May 2018)
• PCI DSS 3.2 valid until end of 2018
• PCI DSS 3.2.1 is definitive from 1 Jan 2019
• No new requirements were added in PCI DSS 3.2.1
• PCI DSS 3.2.1 makes TLS 1.2 mandatory
11

12. POLL #2:
How ready is your organization with the
switch to TLS 1.2?
• We haven’t started yet
• 33% completed
• 67% completed
• We are ready!
Please vote using the “Votes from Audience” tab in your
BrightTALK panel
12

13. <1 week; 0.26; 26%
1-2 weeks; 0.29; 29%
2-4 weeks; 0.27; 27%
1-2 months; 0.12; 12%
2+ months; 0.06; 6%
Time Devoted to Firewall Audits Each Year
Common PCI-DSS Compliance Challenge
Manual Audits
Slow Down
Business and
are Error-
Prone
13 Source: AlgoSec survey

14. Compliance Must be Continuous
Decommission
redundant firewall rules
and application
connectivity
Decommission
Automatically migrate firewall
rules
Zero-touch change
management
Automated policy push
Smart validation
M
igrate
&
Deploy
Maintain
Policy monitoring
Enforce security posture
Out-of-the box auditing and
compliance reports
Link firewall rules to
applications
Policy clean up and
optimization
Firewall rule recertification
Translate application
connectivity into firewall
rules
Assess risk and
compliance
Tie cyber attacks and
vulnerabilities to business
processes
Plan&
Assess
Auto-discover and map
application connectivity and
security infrastructure
Enable developers to define
connectivity programmaticallyDiscover or
Define
14

15. KEY AlgoSec CAPABILITIES
15
Secure Business Application
Connectivity
Security Policy Workflow Automation ​
Continuous Compliance and Auditing
Firewall Policy Optimization
Security Policy Risk Mitigation
NGFW, Application & Datacenter Migration
Hybrid Cloud Security

16. Demonstration
of PCI Compliance with
the AlgoSec Suite
16

17. Continuous Compliance
17

18. Continuous
Compliance
18
Out-of-the-box PCI-DSS
3.2.1
Exportabl
e
• Automatically created
• Scheduled or on demand
• Covers all AlgoSec-managed devices

19. Item-by-Item device collation
19

20. Password
Defaults
20

21. Vulnerabilities
in PCI
Applications
21

22. What are
“PCI
Applications”
?
22

23. Outdated
Software
Versions
23

24. Baseline
Complianc
e
24

25. Baseline
Complianc
e
25
• Use AlgoSec
Baselines
• Or customize your
own

26. Change
Process
26
AlgoSec provides an application-aware workflow system
for network security change management

27. 27

28. 28

29. 29

30. 30

31. 31

32. 32
• What-if risk check,
before changes are implemented
• AlgoSec Standard risks +
• User-defined risks +
• Connectivity spreadsheet violations

33. Creating
custom
risks
33

34. 34

35. 35
Color Codes indicate vulnerability score

36. 36
Vulnerabilities at Application Level

37. Complianc
e
Dashboard
37

38. PCI Compliance for Cloud
Credit-card-processing systems
• Same requirements
• But different technologies
ALGOSEC PROVIDES ITS
CAPABILITIES ACROSS
• Multi-cloud
• Hybrid
• Public cloud
• Private cloud
• Legacy environments
38

39. POLL #3:
WHAT IS YOUR GREATEST concerns with
compliance in the cloud?
• Visibility into cloud native controls (Security groups, Access lists)
• 3rd party virtualized traditional controls (Checkpoint, CloudGuard, Palo Alto,
etc… )
• Non-network controls (F3 buckets, IAM settings, …)
• All of the above
Please vote using the “Votes from Audience” tab in your
BrightTALK panel
39

40. Q & A

41. summary
• PCI 3.2.1 makes TLS 1.2 mandatory starting
Jan/2019
• Continuous compliance to instantly generate
audit-ready reports
• Connectivity and vulnerability reporting per
business application
• “What-if” risk assessment as part of the change
workflow
• PCI and the cloud
41

42. WHITE PAPERS
• AlgoSec for GDPR
• AlgoSec for MAS-TRM
42
https://www.algosec.com/resources
PROF. WOOL
COURSE
WEBINAR SLIDES
Prof. Wool Video Courses
PPT Slides
Datasheets
• Compliance
• Auditing
• PCI
• And more!
Blog Posts

43. UPCOMING EVENTS
43
SEPTEMBER WEBINARS
www.algosec.com/webinars
ALGOSUMMIT AMERICAS
The premier event for
AlgoSec customers and channel
partners
www.algosec.com/algosummit
Americas, October 15-
18

44. 44
Join our community
Follow us for the latest on security policy management trends, tips & tricks, best
practices, thought leadership, fun stuff, prizes and much more!
Subscribe to our YouTube channel for a
wide range of educational videos presented
by Professor Wool
youtube.com/user/AlgoSe
c
linkedin.com/company/AlgoSec
facebook.com/AlgoSec
twitter.com/AlgoSec
www.AlgoSec.com/blog

45. THANK YOU!
Questions can be emailed to
marketing@algosec.com