PCI: Thinking Beyond the Checkbox
2
Webinar Agenda
- The Girl Scouts of Northern California
- PCI DSS Requirement 11
- Top Considerations for Requirement 11
- The Joys of Continuous Compliance
- Going Beyond PCI With Change Detection
- Forward Thinking to PCI DSS 3.2
- How Tripwire Can Help

Speakers:
Glenn Rogers, CIO, Girl Scouts of Northern California
Tim Erlin, Dir. IT Risk and Security Strategist, Tripwire
3
Girl Scouts of Northern CA: PCI Overview
- Payment Card Environment
- Audit Process
- Change Detection/Management
- Penetration Testing
4
PCI DSS Requirement 11: What's included?
Requirement 11: Regularly Test Security Systems and Processes

Process and Procedure
- Wireless Access Points (Identify, Inventory, Monitor, Incident Response Plan)
- Internal and External Vulnerability Scanning
- Penetration Testing
- Segmentation
- Intrusion Detection
- Change Detection
- Security Policies

Acquire Tools/Vendors
- Wireless scanning
- Vulnerability scanning
- Penetration testing
- Network access control
- Intrusion detection/prevention
- Change detection/File Integrity Monitoring

Testing
- Don't go into an audit without knowing what the results will be!
- Test network segmentation
- Get penetration testing results and take action
5
Requirement 11 Challenges & Considerations
- Identify a vulnerability scan vendor; scan, remediate and re-scan until "high-risk" vulnerabilities are resolved
- "Scans... by qualified personnel." (internal scans by qualified staff; the quarterly external scans must come from an Approved Scanning Vendor)
- Scan and test after each significant change: network topology, firewall rules, VPN egress, product/software updates
- Intrusion detection: alerts
- Change detection (FIM): alerts; which files are the critical files? Compare weekly (the minimum the requirement allows) or daily?
6
Joys of Implementing Continuous Compliance
- No off days
- Constant updates and monitoring are essential: security updates; intrusion detection & prevention engines up to date; signatures up to date
- Baselines: device configs, files
- Coordination & communication between teams
- Change management
7
Going Beyond the PCI Checklist: Inherent Value of Change Detection
- Security vs. compliance: greater security through more timely detection (daily vs. weekly assessment)
- Using change detection data to identify suspicious or malicious changes
- Operational benefits: savings in time (less time spent researching changes that have occurred); savings in time through change reconciliation (details of changes are already documented and easily matched to changes in the environment)
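The two ideas on this slide, detecting changes by comparing against a baseline and then reconciling each change against an approved change record so that only the unexplained ones need an analyst, are shown below in a small file-integrity-monitoring script. This is an added illustration, not Tripwire product code: the monitored "host" is a constructed temporary directory, and the ticket id CHG-101 and the file names are hypothetical.

```python
"""Minimal file-integrity-monitoring (FIM) baseline, compare and change reconciliation.

Added illustration, not Tripwire product code. The "monitored host" is a
constructed temporary directory and the change-ticket data is hypothetical.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Baseline every regular file under root: sha256, size and permission bits.

    Keys are paths relative to root so a baseline can be compared across hosts.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.lstat()
        baseline[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return baseline


def diff(old, new):
    """Classify every difference as added, removed, modified:content or modified:attributes."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append(("added", rel))
        elif rel not in new:
            events.append(("removed", rel))
        elif old[rel] != new[rel]:
            kind = "content" if old[rel]["sha256"] != new[rel]["sha256"] else "attributes"
            events.append(("modified:" + kind, rel))
    return events


def reconcile(events, approved):
    """Match detected changes against approved change tickets.

    approved maps a ticket id to the relative paths that ticket was allowed to touch.
    Returns (explained, unexplained); only the unexplained list needs an analyst.
    """
    ticket_for = {p: ticket for ticket, paths in approved.items() for p in paths}
    explained, unexplained = [], []
    for kind, rel in events:
        if rel in ticket_for:
            explained.append((kind, rel, ticket_for[rel]))
        else:
            unexplained.append((kind, rel))
    return explained, unexplained


def demo():
    """Build a constructed host, take a baseline, apply one approved and two unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp)
        (host / "etc").mkdir()
        (host / "bin").mkdir()
        (host / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (host / "etc" / "app.conf").write_text("tls_min=1.2\n")
        (host / "bin" / "pay").write_bytes(b"\x7fELF original payment binary")
        baseline = snapshot(host)

        # Hypothetical ticket CHG-101 covers the app.conf edit only.
        (host / "etc" / "app.conf").write_text("tls_min=1.2\nlog_level=info\n")
        # Not on any ticket: a binary swap and a permission change (exec bit set).
        (host / "bin" / "pay").write_bytes(b"\x7fELF tampered payment binary")
        (host / "etc" / "sshd_config").chmod(0o700)

        events = diff(baseline, snapshot(host))
        return reconcile(events, {"CHG-101": ["etc/app.conf"]})


if __name__ == "__main__":
    explained, unexplained = demo()
    for kind, rel, ticket in explained:
        print(f"OK          {kind:20} {rel}  (ticket {ticket})")
    for kind, rel in unexplained:
        print(f"INVESTIGATE {kind:20} {rel}")
```

Running it reports the app.conf edit as explained by CHG-101 and leaves two items to investigate: a content change to the payment binary and an attribute-only change to sshd_config. Hashing alone would miss the second one, which is why a baseline should record permissions and ownership as well as content, and why the comparison interval (daily rather than the weekly minimum) determines how long such a change can sit unnoticed.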
8
Forward Thinking on PCI DSS 3.2: Considerations for Planning
- 6.4.6: Change Control Verification. Validation of PCI compliance after changes. Best practice now, required after January 31, 2018.
- 8.3: Multi-Factor Authentication. Expanded requirement for systems/personnel (MFA for all non-console administrative access into the CDE, not only remote access). Best practice now, required after January 31, 2018.
- Service providers: detect & report security control failures (10.8); penetration testing of segmentation controls every 6 months (11.3.4.1); establish responsibilities (12.4.1).
- Clarifications on encryption: no new deployments of SSL or TLSv1.0; remove all SSL and TLSv1.0 by June 30, 2018.
9
Tripwire Can Help with all of the 12 Requirements

1: Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2: Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

3: Maintain a Vulnerability Management Program
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications

4: Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data

5: Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

6: Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel

Legend: Validates / Provides / Supports
10
The Tripwire PCI Compliance Solution
- PCI Council validated Approved Scanning Vendor (ASV)
- Enterprise class vulnerability management and discovery
- Secure and reliable log collection, correlation and forwarding
- Enterprise class file integrity monitoring, change detection and policy compliance
11
Tripwire and PCI DSS 3.2: Addressing 3.2 with Tripwire Products
- 6.4.6, Change Control Verification: Tripwire can automate the validation of PCI DSS compliance on systems after a change.
- 8.3, Multi-Factor Authentication: Tripwire validates that multi-factor authentication is in place on systems in the CDE.
- 10.8, 11.3.4.1, 12.11, Service Provider Requirements: Tripwire can validate that newly required controls are in place for service providers.
- 2.2.3, 2.3, 4.1, Strong Encryption Requirements: Tripwire can discover and identify the encryption in use, as well as validate its compliance with PCI requirements.
12
It's Not Just About PCI: Integration, automation with business context
- Continuous Monitoring
- Risk Reduction
- Threat Detection and Response
- Operational Cost Reduction
Integration / Automation
13
Tripwire delivers advanced threat protection, security, and compliance solutions
Thank You and Questions