Data protection and Server security challenges of PCI DSS2.0 (Joseph Lee, 9th Apr. 2013; posted Apr 27, 2013)

Page 1:

Joseph Lee

9th Apr. 2013

Data protection and Server security challenges of PCI DSS2.0

Page 2:

Source: Trend Micro

Page 3:

Zero-day / APT (Advanced Persistent Threat)

Source: Trend Micro, openclipart.org

Page 4:

VIRTUAL / CLOUD: New Architecture

Source: Trend Micro

Page 5:

Physical 》 Virtual 》 Cloud

Virtual Server 50% - 71%; Virtual Desktop 40% - 64%; Private Cloud 39% - 57%; Public Cloud 38% - 53%

72% of servers will be virtualized by 2014.

Source: Trend Micro, Gartner

Page 6: 2011 Data Breach

• PCI DSS 2.0: 96% of victims were NOT PCI DSS compliant

• Data Protection: 84% of victims had logs containing evidence of the breach

• Server Security: 94% of victim data was compromised via servers

Page 7: Today's Challenges

Compliant? High Cost, High Risks

• Separate Data • Keep Arming • One Policy Fits All

Source: Trend Micro, PCI

Page 8:

• PCI DSS 2.0
  – 96% of victims NOT PCI DSS compliant
• Data Protection
• Server Security

Page 9:

PCI DSS Data Security Standard

Source: PCI, iStockPhoto

Page 10: PCI DSS Data Security Standard

Scope: My company, Affiliates, Service Providers, Outsourcers. High Risk!

Source: PCI, iStockPhoto

Page 11: PCI DSS 2.0 Requirements

1. Build & Maintain a Secure Network
   1) Install and maintain a firewall configuration to protect cardholder data
   2) Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
   3) Protect stored cardholder data
   4) Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
   5) Use and regularly update anti-virus software or programs
   6) Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
   7) Restrict access to cardholder data by business need to know
   8) Assign a unique ID to each person with computer access
   9) Restrict physical access to cardholder data
5. Regularly Monitor & Test Networks
   10) Track and monitor all access to network resources and cardholder data
   11) Regularly test security systems and processes
6. Maintain an Information Security Policy
   12) Maintain a policy that addresses information security for all personnel

Source: Requirements and Security Assessment Procedures

Page 12: PCI DSS 2.0 Requirements mapped to Data Protection and Server Security

| Requirement | Controls | Data Protection (Data Life-Cycle) | Server Security (Virtual/Cloud) |
| 1. Build & Maintain Secure Network | Firewall, no default password/setting | 1.2*, 1.4, 2.2, 2.4 | 1.x, 2.2.1, 2.2.2, 2.4, A.1* |
| 2. Protect Cardholder Data | Protect storage, encrypt transmission | 3.1, 3.2, 3.4, 3.5, 3.6, 4.1, 4.2 | |
| 3. Maintain Vulnerability Management Program | Patching for anti-virus, system, and apps | 5.1, 5.2, 6.1, 6.2, 6.3*, 6.5*, 6.6 | 5.1*, 5.2*, 6.1*, 6.2*, 6.5*, 6.6 |
| 4. Implement Strong Access Control Measures | Restrict (physical) access, unique ID | 9.7*, 9.9* | |
| 5. Regularly Monitor & Test Networks | Audit trail, file integrity | 11.2 | 10.2*, 10.3*, 10.5, 10.6*, 11.2*, 11.4, 11.5 |
| 6. Maintain Information Security Policy | Policy control, intrusion | 12.6, 12.9 | 12.6, 12.9* |

* compensating controls

http://apac.trendmicro.com/apac/solutions/enterprise/security-solutions/server-security/payment-card/requirements/index.html

Trend Micro Enterprise Security

Page 13:

(Same requirement mapping table as Page 12.)

http://apac.trendmicro.com/apac/solutions/enterprise/security-solutions/server-security/payment-card/requirements/index.html

Trend Micro Enterprise Security

Trend Micro 27%: Worldwide Corporate Endpoint Server Security Revenue Share by Vendor, 2011 (Source: IDC, 2012)

Page 14: Our Mission

PCI Compliant, Low Cost, Low Risks

• Separate Data • Keep Arming • One Policy Fits All

Source: Trend Micro, PCI

Page 15:

• PCI DSS 2.0
• Data Protection
  – 84% of victims had logs containing evidence of the breach
• Server Security

Page 16: PCI DSS 2.0 Requirement Challenge - Keep Arming

(The twelve PCI DSS 2.0 requirements, grouped into six goals, as listed on Page 11.)

Source: Requirements and Security Assessment Procedures

Page 17: Data Protection on Cloud

http://apac.trendmicro.com/apac/about/news/pr/

Trend Micro Great 2012 win! (77M users, 800M users, 10M users, 94M users)

Customers 》 Their Customers

Global Threat Intelligence
• Smart Protection Network™
• Web Security Service
• Mobile App Reputation

Data Encryption
• SecureCloud™
• SafeSync™

Page 18: Trend Micro Smart Protection Network™

http://cloudsecurity.trendmicro.com/us/technology-innovation/our-technology/smart-protection-network/index.html
http://www.trendmicro.com/cloud-content/us/pdfs/business/case-studies/cs_dubex_officescan-mobile-security-dlp.pdf

Cloud Security 》

6 TB / day threat data analyzed
16 B / day URL, Email, & File queries correlated
200 M / day threats blocked

Page 19: Trend Micro Smart Protection Network™

http://cloudsecurity.trendmicro.com/us/technology-innovation/our-technology/smart-protection-network/index.html
http://www.trendmicro.com/cloud-content/us/pdfs/business/case-studies/cs_dubex_officescan-mobile-security-dlp.pdf

New patterns: previously 24 hrs, now 20 min

Page 20: Trend Micro Smart Protection Network™

• 40% Management Cost Saved (by Osterman Research, Inc.)
• Self-Learning

http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_tmes_cc_impact.pdf
http://cloudsecurity.trendmicro.com/us/technology-innovation/our-technology/smart-protection-network/index.html
http://www.trendmicro.com/cloud-content/us/pdfs/business/case-studies/cs_dubex_officescan-mobile-security-dlp.pdf

Page 21: PCI DSS 2.0 Requirement Challenge - Separate Data

(The twelve PCI DSS 2.0 requirements, grouped into six goals, as listed on Page 11.)

Source: Requirements and Security Assessment Procedures

Page 22: Separate Data?

http://cloud.trendmicro.com/building-a-truly-secure-cloud-with-dell-and-trend-micro/

Dell Cloud Service

Page 23: Dell Cloud Service + SecureCloud

http://cloud.trendmicro.com/building-a-truly-secure-cloud-with-dell-and-trend-micro/

• AES 256 Encryption
• Secure Key Exchange
• Offsite Key Storage
• Encrypted Data
• Customer Support

Page 24: Trend Micro SecureCloud: Separate Cardholder Data

Diagram components: vCloud®; Enterprise Key; Cloud Service Provider; Trend Micro SecureCloud Console; Shared Storage; Corporate App VM alongside other VMs; Hypervisor (ESX, vSphere); My Data

Source: Trend Micro

Page 25: Trend Micro SecureCloud Security Policies

1. Access Management
2. Device for Encryption
3. Running Instances
4. Policies & Rules: for Access & Protection

Source: Trend Micro
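The "separate data" model of Pages 23 to 25 (AES 256 encryption, offsite key storage, and a policy applied to running instances), as an added Go example that is not SecureCloud's code: cardholder records are sealed with AES-256-GCM before they reach the provider's shared storage, and the key is released from an enterprise-held key store only to an instance whose identity and image satisfy the access policy. The instance IDs, volume IDs, image digest and the ImageHash attestation attribute are constructed assumptions, not values from the deck.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

var ErrPolicyDenied = errors.New("keystore: instance does not satisfy release policy")

// InstanceIdentity is what a running instance presents when it requests a key.
type InstanceIdentity struct {
	InstanceID string
	ImageHash  string // hypothetical attestation attribute: digest of the booted VM image
}

// AccessPolicy is evaluated before any key leaves the store (Page 25: "Policies & Rules").
type AccessPolicy struct {
	AllowedInstances map[string]bool // instance IDs permitted to mount the volume
	ApprovedImage    string          // only instances booted from this image may decrypt
}

// KeyStore models the off-site "Enterprise Key" holder: it sits outside the cloud
// provider, so the provider's shared storage only ever holds ciphertext.
type KeyStore struct {
	keys   map[string][]byte // volume ID -> 32-byte AES-256 key
	policy AccessPolicy
	Audit  []string // every release decision, feeding the PCI DSS 10.x audit trail
}

func NewKeyStore(p AccessPolicy) *KeyStore {
	return &KeyStore{keys: map[string][]byte{}, policy: p}
}

// Provision generates a fresh 32-byte (AES-256) key for a volume and keeps it in the store.
func (ks *KeyStore) Provision(volumeID string) error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	ks.keys[volumeID] = key
	return nil
}

// Release hands out the volume key only to an instance the policy allows; an unknown volume is a denial too.
func (ks *KeyStore) Release(volumeID string, id InstanceIdentity) ([]byte, error) {
	key, ok := ks.keys[volumeID]
	if !ok || !ks.policy.AllowedInstances[id.InstanceID] || id.ImageHash != ks.policy.ApprovedImage {
		ks.Audit = append(ks.Audit, "DENY  "+id.InstanceID+" -> "+volumeID)
		return nil, ErrPolicyDenied
	}
	ks.Audit = append(ks.Audit, "ALLOW "+id.InstanceID+" -> "+volumeID)
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record before it reaches shared storage. The volume ID is bound as
// associated data, so a blob copied to another volume fails to open. Layout: nonce || ct+tag.
func Seal(key, plaintext []byte, volumeID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(volumeID)), nil
}

// Open reverses Seal; a wrong key, wrong volume ID or any modified byte fails authentication.
func Open(key, blob []byte, volumeID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(volumeID))
}
```

The KeyStore.Audit slice is what the deck's "Audit trail" row (Page 12, requirement 10.x) would consume: every allow and deny decision is recorded, not only the successes.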

Page 26: PCI DSS 2.0 Requirement Challenge - One Policy Fits All

(The twelve PCI DSS 2.0 requirements, grouped into six goals, as listed on Page 11.)

Source: Requirements and Security Assessment Procedures

Page 27: Data Protection on Cloud

Data Life-Cycle: Encryption, Device Control, DLP

Source: Trend Micro

Page 28: Life-Cycle of Data Protection

Transmit Data

Gateway & Server DLP
• DLP Network Monitor
• Interscan Messaging Security
• ScanMail for Exchange/Lotus Domino
• Threat Management Services
• Worry-Free Business Security Adv*

Gateway Encryption
• Email Encryption Gateway
• Interscan Messaging Security
• Hosted Email Encryption

Source: Trend Micro

Page 29: Life-Cycle of Data Protection

Transmit Data 》 Store Data. Gateway & Server DLP and Gateway Encryption as on Page 28, plus the Store Data layer:

Web Site Protection
• Deep Security – Deep Packet Inspection
• Vulnerability Management Services

Data Discovery / DLP
• DLP Endpoint
• PortalProtect

Integrity Monitoring
• Deep Security – Integrity Monitoring

Secure Cloud
• SecureCloud™
• SafeSync™

Source: Trend Micro

Page 30: Life-Cycle of Data Protection

Process Data (Endpoint) 》 Transmit Data 》 Store Data. Gateway and Store Data layers as on Pages 28 and 29, plus the endpoint layer:

DLP & Device Control
• DLP Endpoint
• OfficeScan
• Worry-Free Business Security Adv*

Media Encryption (File/Folder, Disk, Email, Removable Media)
• Endpoint Encryption
• Email Encryption Client

Source: Trend Micro

Page 31: Life-Cycle of Data Protection (complete view)

Process Data (Endpoint) 》 Transmit Data 》 Store Data, with the endpoint, gateway and Secure Cloud layers as on Pages 28 to 30, plus:

Threat Information, Policy Management
• Enterprise Security Manager
• SIEM • SNMP • SYSLOG

Source: Trend Micro

Page 32: ROI of Data Protection

http://www.trendmicro.com/us/marketing/roi-calculator/virtual-appliance/roi-calculator/index.html
http://go.trendmicro.com/tco-calculator/
http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_tmes_cc_impact.pdf
http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_osterman-virtualization.pdf

Page 33: Benefits of Data Protection

Low Cost: Centralized Administration; Performance Savings by Cloud Integration

Low Risks: Persistent Data Protection; Latest Updated

PCI Compliant: Separate Data; Maintain a Policy for all

Page 34:

• PCI DSS 2.0
• Data Protection
• Server Security
  – 94% of victim data was compromised via servers

Page 35:

PCI DSS 2.0 Virtualization Guidelines

Source: PCI

Page 36: PCI DSS 2.0 Virtualization Guidelines

Example of how scope and responsibility may differ by type of cloud service (IaaS, PaaS, SaaS). Areas of responsibility, from the top of the stack down:

• Data
• Software, User applications
• O/S, Databases
• Virtual Infrastructure (hypervisor, virtual appliances, VMs, virtual networks etc)
• Computer and Network Hardware (processor, memory, storage, cabling, etc.)
• Data Center (physical facility)

Legend: Cloud Service Provider / Cloud Customer

Source: PCI

Page 37: Amazon Web Services™ Customer Agreement

"4.2 Other Security and Backup. You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content."

http://aws.amazon.com/agreement/#4 (30 March 2011)

The cloud customer has responsibility for security and needs to plan for protection.

Source: Amazon

Page 38: PCI DSS 2.0 Requirement Challenge - One Policy Fits All

(The twelve PCI DSS 2.0 requirements, grouped into six goals, as listed on Page 11.)

Source: Requirements and Security Assessment Procedures

Page 39: Trend Micro Deep Security: Physical + Virtual + Cloud

Modules: Deep Packet Inspection (IDS / IPS, Web App. Protection, Application Control), Firewall, Integrity Monitoring, Anti-malware, Log Inspection

Source: Trend Micro

Page 40: Deep Security for PCI compliance: High Security & Low Management Cost

7 PCI Regulations, 20+ Sub-Controls:
(1.) Network Segmentation
(1.x) Firewall
(5.x) Anti-virus
(6.1) Virtual Patching*
(6.6) Web App. Protection
(10.5) Daily Log Review
(11.4) IDS / IPS
(11.5) File Integrity Monitoring

* Compensating Control

Source: Trend Micro

Page 41: PCI DSS 2.0 Requirement Challenge - Keep Arming

(The twelve PCI DSS 2.0 requirements, grouped into six goals, as listed on Page 11.)

Source: Requirements and Security Assessment Procedures

Page 42:

09 AUG 2011… 7 important updates… 13.2MB… REBOOT REQUIRED

23 AUG 2011… 1 important update… 3.6MB… NO REBOOT

13 SEP 2011… 3 important updates… 65.4MB… NO REBOOT

11 OCT 2011… 4 important updates… 34.6MB… REBOOT REQUIRED

25 OCT 2011… 1 important update… 36K… NO REBOOT

08 NOV 2011… 2 important updates… 2.4MB… REBOOT REQUIRED

13 DEC 2011… 5 important updates… 26.1MB… REBOOT REQUIRED

29 DEC 2011… 3 important updates… 14.3MB… NO REBOOT

10 JAN 2012… 5 important updates… 19.1MB… REBOOT REQUIRED

Page 43:

Virtual Patching

DPI Rules

Page 44: Virtual Patching for PCI compliance: High Productivity & Low Management Cost

Addressing 7 PCI Regulations and 20+ Sub-Controls Including:
(1.) Network Segmentation
(1.x) Firewall
(5.x) Anti-virus
(6.1) Virtual Patching*

* Compensating Control

Scenario: 2,000 desktops, 150 servers, multiple apps. from vendors and self-development

| Emergency patch Desktops | Emergency patch Servers | Loss of Productivity |
| USD 2,340 | USD 39,000 | USD 65,000 |
| USD 65 | USD 65 | USD 0 |

Source: Trend Micro, IT-Harvest, IDC, http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/virtual-patching-roi-calculator/index.html

Page 45:

Agentless Protection

Virtual Patching Protection

Page 46: Deep Security

Previously - Agent: VM VM VM (Out-of-date)

Now - Agentless: VM VM VM + Secure Virtual Appliance

Source: Trend Micro

Page 47:

• SYMC/MFE consume 3x-12x more resources in sch. scans & could not handle more than 25 desktop VMs/host
• DS supports 2-3 times the no. of desktop VMs/host of traditional AV
• DS supports 40-60% more server VMs/host than traditional AV

300% VM densities enabled by Deep Security

Chart: Scheduled scan resource usage over baseline (50 VMs per host). CPU: SYMC 273%, Trend 81%, MFE 307%. IOPS: SYMC 2143%, Trend 692%, MFE 2053%.

Source: Trend Micro, Tolly

Page 48: Deep Security All-in-one Dashboard

Diagram: Secure Virtual Appliance (SVA) & Protected Guests (VM VM VM), Agentless

Trend Micro Deep Security modules: Antivirus, Integrity Monitoring, Log Inspection, Deep Packet Inspection

Source: Trend Micro

Page 49: ROI of Deep Security

| Procedure | Cost Savings | Benefit |
| Initial Install/Setup | 71% | Faster deployment on new VMs. Very fast: as little as 2-3 minutes per VM |
| Ongoing Management | 87% | Patching is significantly easier. Very fast: can be accomplished with no downtime. |
| VM Density Improvement for VDI Efforts | 35% | Improved VM density |

http://www.computerlinks.co.uk/FMS/20685.new_research_from_osterman_research.pdf
http://www.techdata.com/(S(i1afov45rbaolgu4ictxt5y5))/trendmicro/files/TREND%20MICRO_TCO%20WP03_DSAM_110302US.pdf

Page 50: Benefits of Server Security

Low Cost: Simplified Administration & Deployment; Higher VM Density & Performance Savings

Low Risks: All-in-One; Latest Updated

PCI Compliant: Maintain a Policy for all; Keep Arming

Page 51:

“Choosing solutions from a vendor like Trend Micro that understands cloud computing and helps us take advantage of it — that just makes sense.”

Taylor Simpson, Co-owner, Good Harbor Vineyards

Source: Trend Micro