
Page 1

Automating PCI 1.1.7 with FireMon Policy Optimizer

Matt Dean – Product Management
Matt Hines – Product Marketing

August 12, 2014

Page 2

Agenda

Welcome

PCI DSS Compliance Challenges

PCI DSS Requirement 1.1.7

Automating using Policy Optimizer

FireMon and PCI – Other Areas

Demo – Policy Optimizer

Q&A

Page 3

PCI DSS Compliance Challenges

Today’s Hurdles:

“Continuous” Compliance

Controls must be constantly validated

Complexity and Change

Business demands, threats, infrastructure

Oversight and Overhead

Audit prep and resource allocation

Page 4

PCI DSS Requirement 1.1.7

Rules Recertification

Cleanup rules – Specifically unnecessary, outdated or incorrect rules, ensuring that all rules allow only authorized services and ports that match documented business justifications. Organizations with a high volume of changes to rules may wish to consider performing reviews more frequently, to ensure that the rule sets continue to meet the needs of the business.

Page 5

PCI DSS 1.1.7 Challenges

Existing Pain Points:

Changing Access Demands

Evolving business and landscape

Access/Rules Recertification

What’s necessary? Who owns it?

Fixed Internal Resources

Leveraging staff to do more

Page 6

New Product – Policy Optimizer

Page 7

Policy Optimizer - Bridging Silos

New, Automated Workflow:

Integrated policy review cycle

Optimize posture for operational, security & compliance requirements

Automated rule recertification

Business process implementation ensuring organizational adoption

Refined, documented access

Consistent review and closed-loop process for management

Network Ops, Security Mgmt, Audit/Compliance, Risk Mgmt

Policy Optimizer

Page 8

Product Features: Rule Review

Rule Optimization:

Data for Review & Certification

Access, usage, documentation

Intelligent Policy/Rule Review

Smart policy/rules routing

Automated Review Process

Business process for review
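The 1.1.7 clean-up rule on Page 4 and the "data for review and certification" (access, usage, documentation) and owner routing described on this slide can be reduced to a small triage step. The following is an added example written for this page, not FireMon Policy Optimizer code or anything from the deck; the rule set, the 90-day "unused" cut-off and the owner field are constructed assumptions, and the six-month review period comes from the standard's own cadence.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed thresholds (not from the deck): six-month review per 1.1.7; 90 days without a hit = unused.
REVIEW_PERIOD = timedelta(days=182)
UNUSED_AFTER = timedelta(days=90)

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str                  # "tcp/443", "any", ...
    action: str                   # "permit" or "deny"
    last_hit: date | None         # None = never matched traffic
    owner: str | None             # business owner who can recertify the rule
    justification: str | None     # documented business justification
    last_certified: date | None   # None = never reviewed

def review_rule(rule: Rule, today: date) -> list[str]:
    """Findings that put a rule into the review queue; empty means still certified."""
    findings = []
    if not rule.owner or not rule.justification:
        findings.append("undocumented")          # nothing to check the rule against
    if rule.action == "permit" and rule.service == "any":
        findings.append("overly-permissive")     # 1.1.7: only authorised services/ports
    if rule.last_hit is None or today - rule.last_hit > UNUSED_AFTER:
        findings.append("unused")                # cleanup candidate
    if rule.last_certified is None or today - rule.last_certified > REVIEW_PERIOD:
        findings.append("recertification-due")   # review cycle has lapsed
    return findings

def build_review_queue(rules: list[Rule], today: date) -> dict[str, list]:
    """Route each rule with findings to its owner (or UNASSIGNED) as one work item."""
    queue: dict[str, list] = {}
    for r in rules:
        if findings := review_rule(r, today):
            queue.setdefault(r.owner or "UNASSIGNED", []).append((r.name, findings))
    return queue
# Constructed sample rule set with usage counters, dated to the webinar.
TODAY = date(2014, 8, 12)
d = lambda days_ago: TODAY - timedelta(days=days_ago)
SAMPLE_RULES = [
    Rule("web-dmz-in", "any", "10.1.2.10", "tcp/443", "permit", d(1), "web-team", "Public web front end", d(30)),
    Rule("legacy-ftp", "10.0.0.0/8", "10.1.2.20", "tcp/21", "permit", d(200), None, None, d(400)),
    Rule("vendor-any", "203.0.113.5", "10.1.0.0/16", "any", "permit", d(2), "vendor-mgmt", "Vendor VPN", d(100)),
    Rule("db-access", "10.1.2.10", "10.1.3.5", "tcp/5432", "permit", d(3), "db-team", "App server to DB", d(200)),
]
```

Calling `build_review_queue(SAMPLE_RULES, TODAY)` leaves the documented, recently certified web rule out of the queue and hands the undocumented FTP rule to an UNASSIGNED bucket, which is the ownership gap the "Who owns it?" slide points at.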

Page 9

Product Features: Edit Control

Policy Improvement:

Dynamic configuration search

Find all similar rules/controls

FireMon SIQL technology

Proprietary query language

Evaluate, review and test

Detailed intelligence and reports

Page 10

Benefit – Integrated Workflow

Process Automation:

Fills gap in security & risk mgmt

Automated policy optimization

Significant compliance benefit

Continuous rules re-certification

Business-security communication

Bridging silos with workflow automation

Page 11

Case Study – Global Financial

Real-World Demand:

Significant pain & expense

Manually recertify rules (PCI DSS)

15 full time staff worldwide

Using Policy Optimizer

Enable staff with data, workflow

Replaced rival shelfware

Immediate benefits

Closed-loop process for PCI review

Rapidly addressed existing problems

Page 12

FireMon Solutions: PCI Overview

Solutions Applicability:

Security Manager Platform

Firewall rules and policy assessment

Policy Planner Module

Policy analysis and change mgmt

Risk Analyzer Module

Prioritized vulnerability mitigation

Page 13

FireMon Solutions: 7-of-12 Addressed

DSS-Wide Applicability:

PCI 1 Firewall rules and policy assessment

PCI 2 Policy analysis and change mgmt

PCI 6 Prioritized vulnerability mitigation

PCI 7 Control network access

PCI 10 Network logging and monitoring

PCI 11 Security system testing

PCI 12 Maintain policy effectiveness

Page 14

FireMon Solutions: PCI Applicability

Requirements Addressed: PCI 1

Firewall rules and policy assessment

1.1 - Establish and implement firewall and router configuration standards.

1.2 - Build firewall and router configurations that restrict connections between untrusted networks.

1.3 - Prohibit direct public access between the Internet and card data.

1.5 - Ensure that security policies and operational procedures for managing firewalls are documented.

Page 15

FireMon Solutions: PCI Applicability

Requirements Addressed: PCI 2

Policy analysis and change mgmt

2.2 - Develop configuration standards for all system components.

2.3 - Encrypt all non-console administrative access using strong cryptography.

2.4 - Maintain an inventory of system components that are in scope for PCI DSS.

2.5 - Ensure that security policies and operational procedures for managing vendor defaults and security parameters are documented and validated.

Page 16

FireMon Solutions: PCI Applicability

Requirements Addressed: PCI 6

Prioritized vulnerability mitigation

6.1 - Establish a process to identify security vulnerabilities using outside sources for security vulnerability ranking.

6.4 - Follow change-control processes and procedures for all changes to system components.

Requirements Addressed: PCI 7

Control network access

7.1 - Limit access to system components and cardholder data.

7.2 - Establish an access control system for systems components that restricts access based on need-to-know set to “deny all” unless specifically allowed.

7.3 - Ensure that security policies and operational procedures for managing firewalls are documented.

Page 17

FireMon Solutions: PCI Applicability

Requirements Addressed: PCI 10

Network logging and monitoring

10.1 - Implement audit trails to link all access to system components to each individual user.

10.2 - Implement automated audit trails for all system components to reconstruct events.

10.3 - Record particular audit trail entries for all system components for specified events.

Requirements Addressed: PCI 11

Security system testing

11.2 - Run internal and external network vulnerability scans quarterly and after any significant change in the network.

11.3 - Implement a standards-based methodology for penetration testing.

Page 18

FireMon Solutions: PCI Applicability

Requirements Addressed: PCI 11

Change Detection Alerting

11.5 - Deploy a change-detection mechanism to alert personnel to unauthorized change of critical system files, configuration files, or content files.

Requirements Addressed: PCI 12

Maintain policy effectiveness

12.2 - Implement a risk-assessment process that is performed at least annually and upon significant changes to the environment.