Compliance Audit Readiness
Bob Kral, Tenable Network Security
Agenda
• State of the Market
• Drifting Out of Compliance
• Continuous Compliance
• Top 5 Hardest To Sustain PCI DSS Requirements
– Procedural support
– “Proof”
• Communicating Business Goals, Policies, Procedures, Evidence
State of the Market
• Data breaches
• Lack of resources, abundance of reactionary cycles
• Point solution sprawl
• Difficulty communicating
• Don’t know what’s on our networks, changing IT landscape
“When organizations do not know the risks they face, serious threats are left unaddressed that could mushroom into enormous exposures.”
ISACA, A Global Look at IT Audit Best Practices
ISACA Survey
• Four of the takeaways from a recent ISACA study:
– IT changes and security are top of mind
– Significant concerns about finding qualified resources and skills
– IT audit risk assessments are an absolute must
– Know your audience to communicate effectively
ISACA, A Global Look at IT Audit Best Practices
Security Professionals
• Truly continuous and comprehensive monitoring
• Better “evidence”
• Efficiencies - Do more with less
• Communication vehicles - Better communications
Compliance a baseline
“But our viewpoint has always been that the PCI DSS is a baseline,
an industry-wide minimum acceptable standard, not the pinnacle of payment
card security.”
Verizon 2015 DBIR
(Chart: PCI DSS compliance at the annual assessment)
Drifting Out Of Compliance
(Chart: PCI DSS compliance between annual assessments, with an 80% mark at the interim assessment)
Verizon 2015 PCI Report
“Continuous” Rising Standard of Due Care
“Ongoing basis”
“Ongoing awareness”
“continuous reporting”
“ongoing risk-based decisions”
“continuous monitoring”
“near real time information”
“continuously conduct risk assessments”
Continuous and efficient
“Automated processes, including the use of automated support tools
(e.g., vulnerability scanning tools, network scanning devices), can
make the process of continuous monitoring more cost-effective,
consistent, and efficient.”
NIST 800-137
Top 5 Hardest-To-Sustain PCI DSS Requirements
(Chart values: 37%, 48%, 46%, 49%, 48%)
Default passwords
“Many system administrators, let alone users, admit to writing down
and sharing privileged passwords — an unwanted but understandable
behavior given how many passwords are needed across the IT estate.
Unfortunately, passwords remain a critical and fundamental weak
spot.”
Verizon 2015 DBIR
Password Audits
“Where’s The Sensitive Data?”
Security Metrics
Sensitive Data Audit
Mobile Users: MDM integration and passive network traffic
On-Premises Users: Scanning, sniffing and logging of endpoint
On-Premises Apps: Scanning, sniffing and logging of servers
SaaS Applications: Discovery through network and log analysis
IaaS Applications: API integration and traditional auditing
Asset Discovery
Anti-virus audit
Anti-Virus Agent Detection: Ensure 100% of your desktops are protected by malware defense
Audit Anti-Virus Signatures: Ensure the latest malware signatures are deployed to 100% of your systems
Email and Internet Defenses: Ensure proxy, sandbox, IPS & next-gen firewalls are deployed correctly
Malware Defenses
Firewall audit
Regulatory Compliance: Instrument testing for PCI, FISMA, NIST & more
Compliance Best Practice: Implement new continuous monitoring best practices
Audit Defenses: Ensure firewalls, malware defenses & monitoring are enabled
Audit Configurations
“Scan, patch, verify, . . .”
“a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than “fire drills” attempting to patch particular systems as soon as patches are released.”
Verizon 2015 DBIR
Patching Audit
Measure Patch Windows: Track how long vulnerabilities live before mitigation
Compare Patch Rates: Report patch rates for groups, technologies & locations
Audit Accepted Risk: Analyze which vulnerabilities won’t be fixed
Find Recurring Vulnerabilities: Software updates can re-introduce fixed security issues
Track Patch Logs: See in real time when software is installed
Vulnerability Life Cycle
Patch Window: Track missing patches outside of patch window
Compliance Standards: Audit security policy against PCI, NIST, HIPAA & more
Insider Threat: Monitor authentication logs to identify abuse
Incident Response: Leverage system, network & logs to hunt malware
Malware Defenses: Identify systems without malware defenses
Reporting & Analytics
Audit Readiness
(Diagram: one Business Goal supported by several Policies, each Policy supported by Procedures, each Procedure backed by Evidence)
Business Goals
Policies Support Goals
2. Greater than 75% of systems identified by passive asset
classification have also been evaluated by active device scanning.
Business Goal and Supporting Policies
Conversation and Collaboration
• What’s realistic to expect?
• How many sensitive systems do we have?
• How many transient hosts do we have?
• How many of those hosts have we not seen before?
• Are some of these hosts candidates for agents?
Policy
Greater than 75% of systems identified by passive asset classification
have also been evaluated by active device scanning.
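As an added example (not Tenable's code and not from the original deck), the policy above turned into an evidence check that also answers the collaboration questions about transient and never-before-seen hosts; the host list, dates and the transient/new thresholds are constructed assumptions.

```python
"""Evidence for the policy 'more than 75% of systems identified by passive
asset classification have also been evaluated by active device scanning'."""
from dataclasses import dataclass
from datetime import date

@dataclass
class PassiveAsset:
    host: str
    first_seen: date
    last_seen: date
    days_observed: int   # distinct days the host appeared in passive traffic

# Constructed sample data: passive classification results vs. active scan coverage.
PASSIVE = [
    PassiveAsset("10.0.1.10", date(2015, 9, 1), date(2015, 10, 30), 55),
    PassiveAsset("10.0.1.11", date(2015, 9, 1), date(2015, 10, 30), 52),
    PassiveAsset("10.0.1.12", date(2015, 9, 3), date(2015, 10, 30), 50),
    PassiveAsset("10.0.2.40", date(2015, 9, 20), date(2015, 10, 28), 3),  # occasional laptop
    PassiveAsset("10.0.2.41", date(2015, 10, 29), date(2015, 10, 30), 1),  # first seen yesterday
    PassiveAsset("10.0.3.7", date(2015, 9, 10), date(2015, 10, 30), 45),
]
ACTIVELY_SCANNED = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.3.7"}
TODAY = date(2015, 10, 30)

def coverage_report(passive, scanned, today, threshold=75.0,
                    transient_max_days=5, new_within_days=7):
    """Return the coverage evidence plus the transient / new / agent-candidate lists."""
    passive_hosts = {a.host for a in passive}
    covered = passive_hosts & scanned
    pct = 100.0 * len(covered) / len(passive_hosts) if passive_hosts else 0.0
    transient = sorted(a.host for a in passive if a.days_observed <= transient_max_days)
    new_hosts = sorted(a.host for a in passive
                       if (today - a.first_seen).days <= new_within_days)
    # Transient hosts that active scanning keeps missing are the agent candidates.
    agent_candidates = sorted(set(transient) - scanned)
    return {
        "passive_total": len(passive_hosts),
        "actively_scanned": len(covered),
        "coverage_pct": round(pct, 1),
        "policy_met": pct > threshold,
        "not_scanned": sorted(passive_hosts - scanned),
        "transient": transient,
        "new_hosts": new_hosts,
        "agent_candidates": agent_candidates,
    }

if __name__ == "__main__":
    for key, value in coverage_report(PASSIVE, ACTIVELY_SCANNED, TODAY).items():
        print(f"{key}: {value}")
```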
Tenable Customers: Financial Service, Retail/Consumer, Public Sector, Communications, Media, Technology, Education, Healthcare, Energy
Compliance Reporting
Audit Checks
Content Audits
Recommended