Maintaining, verifying, and demonstrating compliance with the PCI-DSS standard is far from a trivial exercise. Find out how AlienVault USM can help you meet PCI compliance requirements.
4. QUESTIONS TO ASK YOURSELF…
SOONER RATHER THAN LATER.
Pre-audit checklist:
Where do your PCI-relevant assets live, how are they configured, and how are they segmented from the rest of your network?
Who accesses these resources (and the other W's… when, where, what can they do, why and how)?
What are the vulnerabilities in your PCI-defined network, apps, etc?
What constitutes your network baseline? What is considered "normal/acceptable"?
Ask your team… What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen?
7. Piece it all together
What do we need for PCI-DSS?
Figure out what is valuable
Identify ways the target could be compromised
Start looking for threats
Look for strange activity which could indicate a threat
8. to 13. Piece it all together
(Slides 8 to 13 build up the same diagram, replacing each question in turn with the capability that answers it.)
Figure out what is valuable: Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Identify ways the target could be compromised: Vulnerability Assessment
• Network Vulnerability Testing
Start looking for threats: Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Look for strange activity which could indicate a threat: Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Correlation
• Incident Response
Unified Security Management
BTW… this is just the technologies… process is a whole 'nother topic.
14. READING IN BETWEEN THE LINES…
WHAT'S NOT IN THE FINE PRINT BUT SHOULD BE…
Dynamic threat intelligence updates
THE THREATS CHANGE, SO SHOULD YOUR EVENT CORRELATION RULES, IP REPUTATION DATA, ETC.
Flexible use case support
IT'S IMPOSSIBLE TO PREDICT ALL BAD OUTCOMES SO HAVE A SOLUTION THAT GROWS WITH YOU
15. QUICK & DIRTY CLEAN = AUTOMATED & CONSOLIDATED
All-in-one functionality
Easy management
Multiple functions without multiple consoles
Automate what and where you can*
"Baked in" guidance when you can't
Flexible reporting & queries… as detailed as you want it.
*Disclaimer: Despite the hype, you can't automate EVERYTHING nor would you want to. This is cyber security we're talking about, not pizza delivery.
16. LET'S HEAR FROM YOU!
ALIENVAULT POLL QUESTION
What is your biggest pain point when it comes to PCI compliance?
• Uncertainty about what's on my network
• Vulnerability assessment and remediation
• Concerns about threat detection
• Compliance reporting
• None of the above – I'm a PCI Ninja!
17. Let's see it in action.
AlienVault USM Demo – Simplified PCI DSS Compliance
18. WHAT'S COMING IN PCI DSS V3*?
Key Goals
Increased clarity (intention and application; scoping and reporting)
Eliminate redundancy, consolidate documentation
Stronger focus on "greater risk areas" in the threat environment
Consistency among assessors
Key Themes
Education and Awareness
Increased flexibility
Security as a shared responsibility
Key Dates
• Nov 7, 2013: PCI DSS v3 is published
• Jan 1, 2014: PCI DSS v3 becomes effective
• Dec 31, 2014: PCI DSS v2 expires
*https://www.pcisecuritystandards.org/security_standards/documents.php
19. KEY TAKE-AWAYS
Use the "force" of compliance to bolster your security monitoring / incident response program.
PCI Compliance is more than just reporting.
Automate and consolidate as much as possible.
And… throw away that cover page for your TPS reports.
….But keep the red stapler.
20. NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo
http://www.alienvault.com/live-demo-site
Request a Personalized Demo
http://www.alienvault.com/schedule-demo
Sales@alienvault.com
Editor's Notes
We all know… Security doesn't equal compliance and compliance doesn't equal security… But… you can use compliance to get your security projects funded. Use the "force" of compliance to improve your security. Remember… compliance is about more than reporting!
Before we go into the nitty gritty of the requirements (and let's face it, that's the really boring stuff), at a high level what are the core functionalities I need to pass my audit and stay in compliance?
Asset visibility (broad and deep)
Vulnerability assessment (network, apps, etc)
Threat detection
• File integrity monitoring
• Host-based IDS (on the "interesting" stuff)
• Network-based IDS
• Wireless IDS
Behavioral Monitoring
• Service availability – if credit card processing breaks, you have bigger problems
• Network anomalies
• Policy violations
• User activity – especially those with superpowers
Security Intelligence
• Event Correlation (here's where "Big Data" comes in, but yawn who cares, that's just a processing challenge)
• Incident Response
Compliance Reporting
Executive Dashboards
Easy management (RBAC, output types, filters, etc.)
Create "PCI in scope" host group – define the report so it's focused on that group
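As an added example (not part of the deck and not AlienVault USM code), the Python script below shows one way to answer the pre-audit questions about where the PCI-relevant assets live and how they are segmented, and to build the kind of "PCI in scope" host group the note above refers to. The asset inventory, the CDE network ranges, the "connected-to" range and the netflow-style records are all constructed for the example, and the flow classification labels are assumptions of mine, not terms from the deck.

```python
"""
Added example: derive a "PCI in scope" host group from an asset inventory
and check network segmentation from flow records.

Everything below (inventory, CIDR ranges, flows) is constructed sample data.
"""
import ipaddress
from collections import namedtuple

# Constructed asset inventory: (hostname, ip, role)
ASSETS = [
    ("pos-db-01", "10.10.1.10", "cardholder database"),
    ("pos-app-01", "10.10.1.20", "payment application"),
    ("jump-01", "10.10.2.5", "admin jump host"),
    ("hr-web-01", "10.20.3.15", "HR portal"),
    ("dev-build-01", "10.30.4.40", "build server"),
]

# Constructed CDE definition: ranges that hold cardholder-data systems
CDE_NETWORKS = [ipaddress.ip_network("10.10.1.0/24")]
# Constructed "connected-to" range: systems permitted to reach the CDE
# (PCI DSS scoping treats such systems as in scope as well)
CONNECTED_TO_CDE = [ipaddress.ip_network("10.10.2.0/24")]

Flow = namedtuple("Flow", "src dst dport")

# Constructed netflow-style records
FLOWS = [
    Flow("10.10.2.5", "10.10.1.10", 22),     # jump host -> DB: permitted path
    Flow("10.10.1.20", "10.10.1.10", 5432),  # app -> DB, both inside the CDE
    Flow("10.30.4.40", "10.10.1.10", 5432),  # build server -> DB: gap in segmentation
    Flow("10.20.3.15", "10.30.4.40", 443),   # never touches the CDE
]


def in_networks(ip, networks):
    """True if the address falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def pci_host_group(assets, cde_networks):
    """The 'PCI in scope' host group: every asset whose IP is in a CDE range."""
    return sorted(name for name, ip, _ in assets if in_networks(ip, cde_networks))


def classify_flow(flow, cde_networks, connected):
    """Label a flow by how it relates to the CDE boundary (labels are assumed)."""
    src_cde = in_networks(flow.src, cde_networks)
    dst_cde = in_networks(flow.dst, cde_networks)
    if not src_cde and not dst_cde:
        return "out-of-scope"
    if src_cde and dst_cde:
        return "intra-cde"
    # Exactly one end is in the CDE: the other end must be an approved system
    outside = flow.src if dst_cde else flow.dst
    if in_networks(outside, connected):
        return "connected-to-cde"
    return "segmentation-violation"


def segmentation_report(flows, cde_networks, connected):
    """Group flows by classification so violations can be reported on their own."""
    report = {}
    for f in flows:
        report.setdefault(classify_flow(f, cde_networks, connected), []).append(f)
    return report


if __name__ == "__main__":
    print("PCI in-scope host group:", pci_host_group(ASSETS, CDE_NETWORKS))
    for label, group in segmentation_report(FLOWS, CDE_NETWORKS, CONNECTED_TO_CDE).items():
        print(label, [(f.src, f.dst, f.dport) for f in group])
```

On the constructed data the in-scope group is the two hosts in 10.10.1.0/24, the jump-host flow is accepted because its range is on the connected-to list, and the build server's connection to the cardholder database is the one flow flagged as a segmentation violation; in a real deployment the CDE and connected-to ranges would come from the asset inventory and firewall policy rather than being typed in.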
The updated versions of PCI DSS and PA-DSS will:
• Provide stronger focus on some of the greater risk areas in the threat environment
• Provide increased clarity on PCI DSS & PA-DSS requirements
• Build greater understanding on the intent of the requirements and how to apply them
• Improve flexibility for all entities implementing, assessing, and building to the Standards
• Drive more consistency among assessors
• Help manage evolving risks / threats
• Align with changes in industry best practices
• Clarify scoping and reporting
• Eliminate redundant sub-requirements and consolidate documentation
While not stated in the August document, it's anticipated that the new standard will address issues of what falls within the scope of the standard, as well as network segmentation, and defense fortification to ward off specific threats that have been identified since the 2010 release. In addition, the new requirements are likely to address card data handling in mobile, cloud and e-commerce environments in the wake of previous guidance issued by the council.
Use the "force" of compliance to bolster your security monitoring / incident response program.
PCI Compliance is more than just reporting – it's about basic security hygiene – don't focus JUST on reporting, although that is important.
Automate and consolidate as much as possible – reduces cost, complexity, and accelerates remediation.
If mgmt wants to do this w/ home grown or manual processes or tools (can't get budget for more software), try open source, specifically OSSIM.