How to Overcome the 3 Biggest PCI Compliance Challenges

HOW TO OVERCOME THE 3 BIGGEST
PCI COMPLIANCE CHALLENGES
20 JANUARY 2011

RANDY ROSENBAUM / CPISM / ALERT LOGIC
JOHNNY HATCH / PRODUCT MANAGER / VISI

1 / VISI.COM / 612.395.9090 / © 2011 VISI INCORPORATED. ALL RIGHTS RESERVED.

AGENDA

 VISI INTRODUCTION

 PCI DSS 2.0

 PCI COMPLIANCE CHALLENGES

 COSTLY PITFALLS OF PCI COMPLIANCE

 3 BIGGEST PCI COMPLIANCE CHALLENGES

 PCI COMPLIANCE IN THE CLOUD

 QUESTIONS AND ANSWERS


ABOUT VISI

COMPANY OVERVIEW
 FOUNDED IN 1994

 MINNESOTA’S MARKET LEADER IN COLOCATION, MANAGED
SERVERS AND CLOUD SERVICES.

 WHOLLY OWNED SUBSIDIARY OF TELEPHONE & DATA SYSTEMS.
TELEPHONE & DATA SYSTEMS IS A FORTUNE 500 COMPANY
WITH REVENUES IN EXCESS OF $5B.


PCI DSS 2.0


CHANGES TO PCI DSS

Requirement Change

1 Clarification on secure boundaries between the internet and card holder data environment

3.6 Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys,
and use of split control and dual knowledge
6.2 Update requirement to allow vulnerabilities to be ranked and prioritized according to risk

6.5 Merge 6.3.1 and 6.5 to eliminate redundancy

12.3.10 Update to allow business justification for copy, move, and storage of CHD during remote access

Various Provide guidance on virtualization

Scope Clarify that all locations and flows of cardholder data should be included in scope


PCI COMPLIANCE CHALLENGES


COSTLY PCI PITFALLS

1. ONLY CHECKING THE “I’M COMPLIANT” BOX
 DEPLOYING AN EXPENSIVE HARDWARE OR SOFTWARE BASED LOG
MANAGEMENT OR IDS SYSTEMS AND NOT REVIEWING THE DATA.

2. WASTING YOUR RESOURCES
 USING YOUR RESOURCES TO UPDATE, PATCH, AND MAINTAIN HARDWARE OR
SOFTWARE BASED SOLUTIONS.


THE 3 BIGGEST PCI CHALLENGES
 EFFECTIVE AND SUSTAINABLE LOG MANAGEMENT
 REQUIREMENT 10
 MANUALLY REVIEWING AND MANAGING LOG DATA

 VULNERABILITY ASSESSMENT
 REQUIREMENT 11.2
 SELECTING THE RIGHT SOLUTION THAT SCALES TO MATCH YOUR NETWORK SECURITY NEEDS

 INTRUSION PROTECTION
 CONFIGURING, IMPLEMENTING, USING, AND SUPPORTING TECHNOLOGY THAT ADAPTS TO YOUR
NETWORK SECURITY POLICIES


PCI COMPLIANCE IN THE CLOUD


 FOUNDED: 2002
We allow you to:
Improve security  LOCATIONS:
Comply with regulations
 HQ: HOUSTON, TX

By delivering:  DATA CENTERS:
Patented SaaS products HOUSTON & ATLANTA
Integrated managed services  EMPLOYEES: 90+
Continuous automation
 CUSTOMERS: 1,200+


INTEGRATED SAAS & MANAGED SERVICES

THREAT MANAGER  Identify and escalate true security incidents by expert analysis of threat and
vulnerability data
 PCI Approved Scan Vendor for DSS requirements
 ActiveWatch service provides 24x7 response from certified analysts
ACTIVEWATCH

LOG  Agent-less collection, correlation, storage, search and reporting of disparate log
MANAGER data
 Cloud-based grid architecture enable unprecedented scale without local storage
 LogReview service provides daily review and sign-off of over 20 critical reports for
LOGREVIEW
security and compliance


CLOUD-POWERED DELIVERY MODEL


ADDRESSING PCI DSS MANDATES

PCI DSS
Penalties: fines, loss of credit card processing, and level 1 merchant requirements

VULNERABILITY 6.2 Identify newly discovered security vulnerabilities
THREAT MANAGER
ACTIVEWATCH

ASSESSMENT 11.2 Perform network vulnerability scans quarterly by an ASV

5.1.1 Monitor zero day attacks not covered by Anti-Virus
INTRUSION DETECTION 11.4 Maintain IDS/IPS to monitor & alert personnel, keep engines up to
date

10.2 Automated audit trails
LOG MANAGER

10.3 Capture audit trails
LOGREVIEW

10.5 Secure logs
LOG MANAGEMENT
10.6 Review logs at least daily
10.7 Maintain logs online for 3 months
10.7 Retain audit trail for at least 1 year


CHALLENGE 1:
LOG MANAGEMENT – EFFECTIVE AND SUSTAINABLE


WHY LOG MANAGEMENT IS OFTEN INEFFECTIVE

Management doesn't "get it"

Procedures are too flexible to enforce

Log data is not normalized

Too much time to resolve incidents

Criteria for breach are unclear

0% 10% 20% 30% 40% 50% 60%
= Most notable
Source: PCI Knowledge Base, March 2009


LOG MANAGER + LOGREVIEW
 COLLECT LOG DATA FROM HETEROGENEOUS ENVIRONMENTS
WITHOUT DEPLOYING AGENTS Deploy this…

 SECURELY STORE LOG DATA IN REDUNDANT OFFSITE DATA
CENTERS ELIMINATING THE NEED FOR LOCAL SAN
Instead of all this.
 SEARCH AND REPORT ON DATA INSTANTLY FOR FORENSIC
ANALYSIS

 MAINTAIN SECURITY & COMPLIANCE WITH OUT-OF-THE-BOX
REPORTS AND ALERTING

 OFFLOAD MONOTONOUS DAILY REVIEW OF LOG DATA (E.G., FOR
PCI COMPLIANCE) WITH LOGREVIEW MANAGED SERVICE


10.2.1 ALL INDIVIDUAL ACCESS TO CARD HOLDER DATA


PCI LOG CORRELATION POLICIES


LOG MESSAGES REVIEWED DAILY

Alert Logic LogReview
Unix Failed Logins Network Device Failed Logins
Unix Sudo Access Network Device Policy Change
Windows and Unix FTP/Telnet Failed Logins Unix Switch User Command Success
Unix SSH Failed Logins Excessive Windows Account Lockouts
Database Failed Logins Windows User Account Created
Excessive Windows Failed Logins Windows User Group Created
Windows User Group Modified Excessive Windows Failed Logins by an Admin
Active Directory Global Catalog Change Failed Unix Switch User Command
Active Directory Global Catalog Demotion Excessive Windows Account Lockouts by an Admin
Unix Group Created


CHALLENGE 2:
VULNERABILITY ASSESSMENT –
SELECTING THE RIGHT SOLUTION


VULNERABILITY ASSESSMENT CHALLENGES

 QUARTERLY VULNERABILITY SCANS SHOULD BE THE MINIMUM.
 RUNNING SCANS IS EASY; TRACKING DOWN VULNERABILITIES IS HARD.
 SOME COMPANIES LOOK FOR THE EASIEST WAY TO GET A “CLEAN” SCAN
 “TWEAKING” NETWORK CONFIGURATIONS
 REMOVING IP ADDRESSES FROM SCOPE
 IT SECURITY TEAM FINDS IT DIFFICULT TO EXPLAIN OR JUSTIFY SCAN
RESULTS TO MANAGEMENT


VULNERABILITY ASSESSMENT

 SCHEDULE ONGOING
INTERNAL AND
EXTERNAL
VULNERABILITY SCANS
 PERFORM QUARTERLY
PCI CERTIFICATION
SCANS
 RESULTS INTEGRATE
WITH INTRUSION
PROTECTION FOR
OPTIMUM ACCURACY


11.2 RUN PCI APPROVED VULNERABILITY SCANS
QUARTERLY


COMPLIANCE DASHBOARD


CHALLENGE 3: INTRUSION DETCTION
ADAPTING TECHNOLOGY TO SECURITY
POLICIES

INTRUSION DETECTION CHALLENGES

 INTRUSION DETECTION IS OFTEN DISMISSED BY COMPANIES DUE TO
THE REPUTATION FOR FALSE
 COMPANIES BUY THE TECHNOLOGY TO ACHIEVE COMPLIANCE – BUT
THEY DON’T SPEND THE MONEY OR INVEST THE TIME NEEDED TO
EFFECTIVELY USE THE TOOLS
 LIMITED EXPERTISE IN IT DEPARTMENTS TO PROPERLY TAKE
ACTION ON SECURITY INCIDENTS


THREAT MANAGER + ACTIVEWATCH
 IDENTIFY THREATS WITH LEADING INTRUSION DETECTION & Patented Threat Modeling Expert
VULNERABILITY ASSESSMENT
System

 DASHBOARDS AND REPORTS FOR END-USER SECURITY
MANAGEMENT

 DEMONSTRATE DUE CARE FOR COMPLIANCE INITIATIVES
WITH BUILT-IN WORKFLOW AND CASE MANAGEMENT

 PCI APPROVED SCANNING VENDOR (ASV) TO PROVE PCI
COMPLIANCE

 COST EFFECTIVELY ADD 24X7 EXPERT RESPONSE WITH
ACTIVEWATCH MANAGED SERVICE


11.4 USE IDS TO MONITOR NETWORK TRAFFIC


THE 3 BIGGEST PCI CHALLENGES
 EFFECTIVE AND SUSTAINABLE LOG MANAGEMENT
 REQUIREMENT 10
 MANUALLY REVIEWING AND MANAGING LOG DATA
 VULNERABILITY ASSESSMENT
 SELECTING THE RIGHT SOLUTION THAT SCALES TO MATCH YOUR NETWORK SECURITY
NEEDS
 INTRUSION DETECTION
 CONFIGURING, IMPLEMENTING, USING, AND SUPPORTING TECHNOLOGY THAT ADAPTS
TO YOUR NETWORK SECURITY POLICIES


MEETING THE CHALLENGES HEAD ON
 MOVE FROM MANUAL TO AUTOMATED LOG MANAGEMENT

 KEYS TO SUCCESS: EFFECTIVE AND SUSTAINABLE LOG MANAGEMENT AND REVIEW

 CHOOSE A VULNERABILITY ASSESSMENT SOLUTION THAT ALIGNS WITH YOUR NETWORK

 KEYS TO SUCCESS: CENTRALIZED VIEW AND REMEDIATION KNOWLEDGE

 SELECT AN INTRUSION PROTECTION SOLUTION THAT DOESN’T REQUIRE COSTLY
IMPLEMENTATION, CONFIGURATION AND MANAGEMENT

 KEYS TO SUCCESS: IMPLEMENT A SOLUTION THAT ADAPTS TO YOUR NETWORK
SECURITY POLICIES AND MINIMIZES THE WORK LOAD OF YOUR RESOURCES


CONTACT VISI

VISI HEADQUARTERS VISI ST. PAUL DATA CENTER PHONE 612.395.9090
EDEN PRAIRIE DATA CENTER 180 East 5th St, Suite 525
EMAIL SALES@VISI.COM
10290 West 70th Street St. Paul, MN 55101
Eden Prairie, MN 55344


How to Overcome the 3 Biggest PCI Compliance Challenges

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (18)

Semelhante a How to Overcome the 3 Biggest PCI Compliance Challenges

Semelhante a How to Overcome the 3 Biggest PCI Compliance Challenges (20)

How to Overcome the 3 Biggest PCI Compliance Challenges