Do you know about the upcoming PCI-DSS 3.2.1 standard and what it means for your operation? Are you ready to be audited?
Presented by renowned industry expert, Professor Avishai Wool, this technical webinar imparts best practices and reveals specific techniques to help you make sure that your compliance posture stands up to any audit.
In this webinar, Professor Wool shows you how to:
• Know if your network is compliant with the new PCI 3.2.1 standard
• Identify the latest vulnerabilities and assess risk
• Prepare for the next audit
• Generate audit-ready reports to reduce the scope of your audit
• Assure continuous compliance
Network Security Audit? Passing Your Next One with Flying Colors
1. Reaching PCI Nirvana: Ensure a Successful Audit and Maintain Continuous Compliance
Prof. Avishai Wool, CTO & Co-founder
2. Welcome
Have a question? Submit it via the chat.
This webinar is being recorded! Slides and recording will be sent to you after the webinar.
marketing@algosec.com
3. PCI & Compliance – the Agenda
• Background on PCI DSS 3.2
• What you need to know about the PCI-DSS v3.2.1 update
• PCI and the cloud
• Identify latest vulnerabilities and assess risks before the auditor
• How to ensure network compliance now and continuously
• How to reduce the scope of your audit and instantly generate audit-ready reports
4. POLL #1: Are you familiar with PCI-DSS?
• Yes, I am familiar
• I am only familiar with PCI-DSS 3.1
• I am only familiar with PCI 3.2
• No, this is new to me
Please vote using the “Votes from Audience” tab in your BrightTALK panel
5. SSL and Early TLS
• The cryptography behind https://server.name.here
• 2014, 2015: run of attacks against SSL 2.0, 3.0 and TLS 1.0
• “Heartbleed”, “FREAK”, “POODLE”, “Logjam” …
Industry consensus: SSL (all versions) and TLS 1.0 are “broken beyond repair”
6. PCI RESPONSE
PCI-DSS 3.1 (April 2015): “SSL and early TLS are not considered strong cryptography” … “cannot be used as a security control after June 30, 2016”
7. Switch to TLS 1.2?
• As of 2016 all browsers had supported TLS 1.2 for several years:
  Chrome v30, Firefox v27, Internet Explorer v11, Microsoft Edge v12, Opera v17, Safari v5 on iOS and v7 on OS X
• All modern libraries and web-server platforms had supported TLS 1.2 for several years too
…So switching to TLS 1.2 should have been easy, right?
9. Bottom line: The switch to TLS 1.2 requires testing & time: check the middleware
• TLS is not only used by browsers and web servers:
• Machine-to-machine web-service API communication (SOAP / REST / etc.)
• Web-page “scraping” utilities
• Automatic testing platforms
• E-mail servers and e-mail clients
• Embedded web servers inside devices
• These may need to be upgraded to a TLS 1.2-compatible version
10. PCI RESPONSE
PCI-DSS 3.2 (April 2016):
• New requirements: “best practices” until 1 February 2018
• Extended migration [to TLS 1.2] date to 30 June 2018
11. WHAT’S IN PCI 3.2.1: Minor Update (May 2018)
• PCI DSS 3.2 valid until end of 2018
• PCI DSS 3.2.1 is definitive from 1 Jan 2019
• No new requirements were added in PCI DSS 3.2.1
• PCI DSS 3.2.1 makes TLS 1.2 mandatory
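As an added example (not the webinar's or AlgoSec's code), a small Python probe that answers the question the preceding slides raise for a server you operate: which TLS versions it still negotiates, and whether anything below the TLS 1.2 floor is still enabled on the web servers and the middleware listed on slide 9. The host and port are assumptions supplied by the caller.

```python
"""TLS version probe for PCI DSS audit prep: pins a client to one protocol version
per connection and reports anything below TLS 1.2 (added example, not AlgoSec code)."""
import socket
import ssl

# Modern Python/OpenSSL builds no longer speak SSLv2/SSLv3, so the probe covers
# TLS 1.0 to 1.3; a server answering on 1.0 or 1.1 is below the 3.2.1 TLS 1.2 floor.
PROBES = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
FLOOR = ("TLSv1.2", "TLSv1.3")

def probe_version(host, port, version, timeout=5.0):
    """True if host:port completes a handshake pinned to exactly `version`.
    Certificate checks are off: this tests protocol support, not identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:  # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # so a "no" comes from the server
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def scan(host, port=443):
    """Map each probe name to whether the server accepted that version (assumed host/port)."""
    return {name: probe_version(host, port, v) for name, v in PROBES.items()}

def assess_pci(results):
    """Audit verdict from a scan: any early TLS accepted -> non-compliant; no TLS 1.2
    or 1.3 offered -> non-compliant (nothing acceptable to migrate clients to)."""
    early = sorted(v for v, ok in results.items() if ok and v not in FLOOR)
    modern = any(results.get(v) for v in FLOOR)
    return {"compliant": not early and modern,
            "early_tls_accepted": early,
            "offers_tls12_or_later": modern}
```

Run `assess_pci(scan("your.host.example"))` against each web server, API endpoint, mail server and embedded device in scope; a non-empty `early_tls_accepted` list is an audit finding to fix before the assessor arrives.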
12. POLL #2: How ready is your organization with the switch to TLS 1.2?
• We haven’t started yet
• 33% completed
• 67% completed
• We are ready!
Please vote using the “Votes from Audience” tab in your BrightTALK panel
13. Common PCI-DSS Compliance Challenge: Manual Audits Slow Down Business and are Error-Prone
Time Devoted to Firewall Audits Each Year (Source: AlgoSec survey):
• <1 week: 26%
• 1-2 weeks: 29%
• 2-4 weeks: 27%
• 1-2 months: 12%
• 2+ months: 6%
14. Compliance Must be Continuous
• Discover or Define: auto-discover and map application connectivity and security infrastructure; enable developers to define connectivity programmatically
• Plan & Assess: translate application connectivity into firewall rules; assess risk and compliance; tie cyber attacks and vulnerabilities to business processes
• Migrate & Deploy: automatically migrate firewall rules; zero-touch change management; automated policy push; smart validation
• Maintain: policy monitoring; enforce security posture; out-of-the-box auditing and compliance reports; link firewall rules to applications; policy clean up and optimization; firewall rule recertification
• Decommission: decommission redundant firewall rules and application connectivity
38. PCI Compliance for Cloud
Credit-card-processing systems:
• Same requirements
• But different technologies
AlgoSec provides its capabilities across:
• Multi-cloud
• Hybrid
• Public cloud
• Private cloud
• Legacy environments
39. POLL #3: What is your greatest concern with compliance in the cloud?
• Visibility into cloud-native controls (security groups, access lists)
• 3rd-party virtualized traditional controls (Check Point, CloudGuard, Palo Alto, etc.)
• Non-network controls (S3 buckets, IAM settings, …)
• All of the above
Please vote using the “Votes from Audience” tab in your BrightTALK panel
41. Summary
• PCI 3.2.1 makes TLS 1.2 mandatory starting Jan/2019
• Continuous compliance to instantly generate audit-ready reports
• Connectivity and vulnerability reporting per business application
• “What-if” risk assessment as part of the change workflow
• PCI and the cloud
42. Resources: https://www.algosec.com/resources
• White papers: AlgoSec for GDPR; AlgoSec for MAS-TRM
• Prof. Wool video courses
• Webinar slides (PPT slides)
• Datasheets: Compliance, Auditing, PCI, and more!
• Blog posts
44. Join our community
Follow us for the latest on security policy management trends, tips & tricks, best practices, thought leadership, fun stuff, prizes and much more!
Subscribe to our YouTube channel for a wide range of educational videos presented by Professor Wool:
youtube.com/user/AlgoSec
linkedin.com/company/AlgoSec
facebook.com/AlgoSec
twitter.com/AlgoSec
www.AlgoSec.com/blog