Josh Corman, Research Director, Enterprise Security Practice, is often known for his deep insights into and candid discussions about the state of enterprise security and the variables and trends that impact it. Listen as Josh discusses how and why PCI compliance has affected the state of security-specifically, the impact of approaching PCI as a checklist. He also gives ideas for what we need to do, and the types of solutions we need to have to not only satisfy the PCI audit, but to also provide real system security. Josh discusses this in an informal back and forth format with Gene Kim, Tripwire co-Founder and CTO. In this webcast, you'll learn: How compliance introduced cost complexity by causing a divergence between what we need to do to pass an audit versus avert threats. The fallacy that being PCI compliance means you're secure. Controls that both help you pass your PCI audit while also deterring advanced threats. How Tripwire VIA solutions provide that rare combination of controls that address both compliance and security.

1. The Perils that PCI
Brings to Security

2. The Perils that PCI brings to Security

3. Today’s Speakers

4. The [Possible] Perils PCI Brings to Security
Joshua Corman
Research Director, Enterprise Security
The 451 Group

5. Who am I?
Research Director for Enterprise Security, The 451 Group
Joined The 451 Group on Oct 2009
►12 years in Networking and Security
– Former Principal Security Strategist [IBM ISS]
– Sold stealth start-up vCIS to ISS in 2002
►Industry Leadership
– Expert Faculty - The Institute for Applied Network Security (IANS)
– 2009 NetworkWorld Top 10 Tech People to Know
– Co-Founder: “Rugged” www.ruggedsoftware.org
►Things I’ve been researching:
− Compliance vs Security
− Virtualization and Cloud Computing
− The Economics of Security
− Politically Motivated Cyber (APT/APA/SMT) 5
− Comprehensive Data Security

6. Constant Change
EVOLVING
THREAT
EVOLVING EVOLVING
COMPLIANCE TECHNOLOGY
COST
COMPLEXITY
RISK
EVOLVING EVOLVING
ECONOMICS BUSINESS
6

7. Our Ecosystem
7

8. Our Ecosystem
►Vendors: Infrastructure
►Vendors: Security Incumbents
►Vendors: Innovative Start-Ups
►The Investment Community
►The Carriers / Service Providers
►The Regulators
►The Adversaries
►The End-User Community
►Others... 8

9. Our Ecosystem v0.1
Adversaries
Big Vendors
9

10. Our Ecosystem v0.1
Adversaries
Big Vendors
10

11. Our Ecosystem v0.1
Adversaries
Big Vendors
11

12. Our Ecosystem v0.1
Adversaries
Big Vendors
12

13. Our Ecosystem v0.1
Adversaries
Big Vendors
13

14. Our Ecosystem v0.1
Adversaries
Regulatory
Big Vendors
14

15. Our Ecosystem v0.1
Adversaries
Regulatory
Big Vendors
15

16. Our Ecosystem v0.1
Adversaries
Regulatory
Big Vendors
16

17. Information Asymmetry
Direct -> Trust Me
17

18. Information Asymmetry
Trust Abused
18

19. Information Asymmetry
Blindspots
19

20. Information Asymmetry
Compliance
20
Free Report:
Security derivatives: the downward spiral caused by information asymmetry
http://www.the451group.com/intake/securityderivatives/

21. Sophistication
21

22. More Likely
22

23. Moving Forward…
23

24. Beyond Compliance
Adversaries
Regulatory
24

25. PCI’s Target
PCI is not meant to protect *you*…
…that is your job
Intellectual Property
Card Data / Productivity
Systems Corporate Secrets
Competitive Differentiation
25

26. The Chosen Few…
If we apply a “purchase and deploy” lens to PCI DSS 1.2, we can infer which
security product categories are sure to get spending.
The Winners: “Nine” security technologies specifically buoyed by PCI DSS
1. Firewall (FW)
2. Intrusion Detection Systems (IDS) – not even IPS. This can be NIDS or HIDS
3. Anti-Virus (AV)
4. Multi-Factor Auth
5. Encryption (Non-OS Native)
6. File Integrity Monitoring (FIM) – “like Tripwire”
7. Vulnerability Assessment/Management
8. *Log Management – not SIM or ESIM (*technically don’t need a product)
9. OPTIONAL: Web Application Firewall (WAF) or an SDLC
1. PCI Service: External scans by a certified ASV (Application Scanning Vendor) –
Quarterly scans by a certified 3rd party (or after “major” changes)
2. PCI Service: The QSA Audit itself (annually ranging from $10,000 - $25,000) 26
3. If breached (which never happens) required to use a certified QIRA for Incident
Response

27. A mismatch…
CLICK PLAY
►PCI Rocks YouTube Video:
– http://www.youtube.com/watch?v=xpfCr4By71U
27
►Is PCI the No Child Left Behind Act for Information Security?

28. Change, Change, Change…
►Solve for all sources of change EVOLVING
THREAT
– Threat
– Technology
– Business
– Economics EVOLVING EVOLVING
COMPLIANCE TECHNOLOGY
– Compliance COST
COMPLEXITY
RISK
►Assume Information Asymmetry
– Seek new sources of Information
– Distrust Legacy Wisdom
EVOLVING EVOLVING
ECONOMICS BUSINESS
►Planning for Agility
– Think 3-5 years
– Look for extensibility and roadmap
28

29. How will you go beyond PCI?
29

30. Related Reading*
Security derivatives: the downward spiral caused by information
asymmetryhttp://www.the451group.com:80/report_view/report_view.php?entity_i
d=60884
The adversary: APTs and adaptive persistent
adversarieshttp://www.the451group.com:80/report_view/report_view.php?entity_
id=62643
Like spinning plates: five sources of cost, complexity and risk in IT security – Part 1
http://www.the451group.com:80/report_view/report_view.php?entity_id=62198
Security Quarterly: E-Crime and Advanced Persistent Threats: How Profit and
Politics Affect IT Security Strategies
http://www.the451group.com/security/security_detail.php?icid=1060
30
* We will happily provide trial access for participants of this Webinar

31. Joshua Corman
Research Director, Enterprise Security
The 451 Group
jcorman@the451group.com
twitter @joshcorman

32. Increased Security through Constant
Compliance

33. Agenda

34. Problem: Taking Too Long to Find Breaches/Risks
Breaches go undiscovered and uncontained
for weeks or months in 75 % of cases.
2009
Breach Average time between a breach and the detection of Discovery
it: 156 days [5.2 months]
Feb. 2010
“…breaches targeting stored data averaged 686 days
[of exposure]”
2010
“More than 75,000 computers … hacked” -- The attack
began late 2008 and discovered last month
Feb. 2010

35. Result: The Time Delay Of Discovery Is Costly!
Breach Discovery
“The average cost per breach in
2009 was $6.7 million…”
Ponemon Institute, Jan. 25, 2010

36. Result: The Time Delay Of Discovery Is Costly!
Breach Discovery
“Heartland Payment Systems
announced today that it will pay
“The average cost per breach in
Visa-branded credit and debit
2009 was $6.7 million…”
card issuers 25, 2010 $60 million…”
Ponemon Institute, Jan. up to
Bank Info Security, Jan. 8, 2010

37. Over Ten Years, We Benchmarked 1500+ IT Orgs

38. Higher Performing IT Organizations Are More
Stable, Nimble, Compliant And Secure

• Fewest
• One-third

• 5 times
• 5 times

• 14 times more
• One-half
• One-quarter
• 10x faster

• One-third
• 8 times more
• 6 times more
Source: IT Process Institute, May 2008

39. Visible Ops: Playbook of High Performers
•
•
•
www.ITPI.org

40. 2007: Three Controls Predict 60% Of Performance
• Standardized configuration strategy
• Process discipline
• Controlled access to production systems
Source: IT Process Institute, May 2006

41. Need: Close The Time Gap
Many Compromising Problems Are Difficult To Discover
Logging turned off FTP event to foreign IP
New user added
Login successful
FTP enabled
10 failed logins
DLL modified by new user

42. Just Detecting Change Is Not Enough…
Policy-Based Intelligence Is Required
Logging turned off
New user added
Typical FIM cannot make these types
alerts. Change intelligence is required. FTP enabled
DLL modified by new user

43. Just Detecting Log Events Is Not Enough…
Policy-Based Intelligence Is Required
FTP event to foreign IP
Login successful
Log management alone cannot alert
10 failed logins
on these events—SIEM is required.

44. Relating Change Events to Log Events…
Best Chance To Discover Compromising Problems Quickly
Logging turned off FTP event to foreign IP
Events New user added
of Login successful
Interest FTP enabled
10 failed logins
DLL modified by new user

45. Solution: Intelligent Threat Control
Tripwire VIATM
VISIBILITY  INTELLIGENCE  AUTOMATION
Security
File Integrity Monitoring
Event Manager
Compliance Policy
Log Manager
Manager
Tripwire Enterprise Tripwire Log Center

46. Answers For Your Questions