
Data protection and Server security challenges of PCI DSS 2.0

Joseph Lee, 9th Apr. 2013

Zero-day / APT (Advanced Persistent Threat)

Source: Trend Micro, openclipart.org

CLOUD

Virtual / Cloud: New Architecture

Physical 》 Virtual 》 Cloud

• Virtual Server: 50% - 71%
• Virtual Desktop: 40% - 64%
• Private Cloud: 39% - 57%
• Public Cloud: 38% - 53%

Source: Trend Micro, Gartner

72% of servers will be virtualized by 2014.

2011 Data Breach

• PCI DSS 2.0: 96% of victims were NOT PCI DSS compliant
• Data Protection: 84% of victims had log evidence of the breach
• Server Security: 94% of compromised data involved servers

Today's Challenges - High Cost, High Risks, Compliant?

• Separate Data
• Keep Arming
• One Policy Fits All

Source: Trend Micro, PCI

PCI DSS 2.0 (96% of victims NOT PCI DSS compliant)
• Data Protection
• Server Security

PCI DSS Data Security Standard

My company / Affiliates / Service Providers / Outsourcers: High Risk!

Source: PCI, iStockPhoto

PCI DSS 2.0 Requirements

1. Build & Maintain a Secure Network
   1) Install and maintain a firewall configuration to protect cardholder data
   2) Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect Cardholder Data
   3) Protect stored cardholder data
   4) Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program
   5) Use and regularly update anti-virus software or programs
   6) Develop and maintain secure systems and applications

4. Implement Strong Access Control Measures
   7) Restrict access to cardholder data by business need to know
   8) Assign a unique ID to each person with computer access
   9) Restrict physical access to cardholder data

5. Regularly Monitor & Test Networks
   10) Track and monitor all access to network resources and cardholder data
   11) Regularly test security systems and processes

6. Maintain an Information Security Policy
   12) Maintain a policy that addresses information security for all personnel

Source: PCI DSS Requirements and Security Assessment Procedures

PCI DSS 2.0 Requirements mapped to Data Protection (Data Life-Cycle) and Server Security (Virtual/Cloud)

1. Build & Maintain Secure Network (Firewall, no default password/setting)
   Data Protection: 1.2*, 1.4, 2.2, 2.4
   Server Security: 1.x, 2.2.1, 2.2.2, 2.4, A.1*

2. Protect Cardholder Data (Protect storage, encrypt transmission)
   Data Protection: 3.1, 3.2, 3.4, 3.5, 3.6, 4.1, 4.2

3. Maintain Vulnerability Management Program (Patching for anti-virus, system, and apps)
   Data Protection: 5.1, 5.2, 6.1, 6.2, 6.3*, 6.5*, 6.6
   Server Security: 5.1*, 5.2*, 6.1*, 6.2*, 6.5*, 6.6

4. Implement Strong Access Control Measures (Restrict (physical) access, unique ID)
   Data Protection: 9.7*, 9.9*

5. Regularly Monitor & Test Networks (Audit trail, file integrity)
   Data Protection: 11.2
   Server Security: 10.2*, 10.3*, 10.5, 10.6*, 11.2*, 11.4, 11.5

6. Maintain Information Security Policy (Policy control, intrusion)
   Data Protection: 12.6, 12.9
   Server Security: 12.6, 12.9*

* compensating controls
http://apac.trendmicro.com/apac/solutions/enterprise/security-solutions/server-security/payment-card/requirements/index.html

Trend Micro Enterprise Security


Trend Micro: 27% worldwide corporate endpoint server security revenue share by vendor, 2011 (Source: IDC, 2012)

Our Mission - PCI Compliant, Low Cost, Low Risks

The three challenges, each marked X (removed):
• Separate Data
• Keep Arming
• One Policy Fits All

Source: Trend Micro, PCI

PCI DSS 2.0
• Data Protection (84% of victims had log evidence of the breach)
• Server Security

PCI DSS 2.0 Requirement Challenge - Keep Arming

(PCI DSS 2.0 requirements 1 to 12 as listed above. Source: Requirements and Security Assessment Procedures)

Data Protection on Cloud

Trend Micro Great 2012 win! Customers 》 Their Customers: 77M users, 800M users, 10M users, 94M users

http://apac.trendmicro.com/apac/about/news/pr/

Global Threat Intelligence

• Smart Protection Network™

• Web Security Service

• Mobile App Reputation

Data Encryption

• SecureCloud™

• SafeSync™

Trend Micro Smart Protection Network™

Cloud Security 》
• 6 TB / day threat data analyzed
• 16 B / day URL, email, & file queries correlated
• 200 M / day threats blocked
• New patterns: previously 24 hrs, now 20 min
• 40% management cost saved (by Osterman Research, Inc.)
• Self-learning

http://cloudsecurity.trendmicro.com/us/technology-innovation/our-technology/smart-protection-network/index.html
http://www.trendmicro.com/cloud-content/us/pdfs/business/case-studies/cs_dubex_officescan-mobile-security-dlp.pdf
http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_tmes_cc_impact.pdf

PCI DSS 2.0 Requirement Challenge - Separate Data

(PCI DSS 2.0 requirements 1 to 12 as listed above. Source: Requirements and Security Assessment Procedures)

Separate Data?

Dell Cloud Service + Trend Micro SecureCloud
• AES 256 Encryption
• Secure Key Exchange
• Offsite Key Storage
• Encrypted Data
• Customer Support
http://cloud.trendmicro.com/building-a-truly-secure-cloud-with-dell-and-trend-micro/

Separate Cardholder Data (Source: Trend Micro)

Enterprise side: Enterprise Key, Trend Micro SecureCloud Console
Cloud Service Provider side (vCloud®): Hypervisor (ESX, vSphere) running Corporate App VMs (VM VM VM) on Shared Storage, where "My Data" sits

Trend Micro SecureCloud Security Policies
1. Access Management
2. Device for Encryption
3. Running Instances
4. Policies & Rules: for Access & Protection

Source: Trend Micro
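The "Separate Cardholder Data" diagram above rests on one property: the enterprise key never sits beside the data in the provider's shared storage. The following is an added example, not SecureCloud or Dell code, of envelope encryption that shows that property in working form: cardholder data is sealed with AES-256-GCM under a random per-record data key, the data key is wrapped under the enterprise key, and only the ciphertext and the wrapped key go to storage. The record identifier is bound into both ciphertexts as associated data so a wrapped key cannot be moved to another record, and a rotation routine re-wraps the key (requirement 3.6) without touching the stored payload. The record layout, function names, keys and the sample PAN (a standard test card number) are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is all the cloud provider holds. Both fields are opaque without
// the enterprise key, which stays on the enterprise side of the diagram above.
type StoredRecord struct {
	ID         string // record identifier, bound into both ciphertexts as AAD
	WrappedKey []byte // nonce || AES-256-GCM(enterpriseKey, dataKey)
	Payload    []byte // nonce || AES-256-GCM(dataKey, cardholder data)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM(key, plaintext) with aad authenticated.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, altered ciphertext or altered aad fails the tag check.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Encrypt: a random per-record data key encrypts the data; the enterprise key
// wraps the data key. Only the wrapped form goes to storage.
func Encrypt(enterpriseKey []byte, id string, cardholderData []byte) (*StoredRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	payload, err := seal(dataKey, cardholderData, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(enterpriseKey, dataKey, []byte(id))
	if err != nil {
		return nil, err
	}
	return &StoredRecord{ID: id, WrappedKey: wrapped, Payload: payload}, nil
}

// Decrypt needs both halves: the stored record and the enterprise key.
func Decrypt(enterpriseKey []byte, rec *StoredRecord) ([]byte, error) {
	dataKey, err := open(enterpriseKey, rec.WrappedKey, []byte(rec.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, rec.Payload, []byte(rec.ID))
}

// Rotate re-wraps the data key under a new enterprise key (requirement 3.6)
// without re-encrypting the payload that sits in shared storage.
func Rotate(oldKey, newKey []byte, rec *StoredRecord) error {
	dataKey, err := open(oldKey, rec.WrappedKey, []byte(rec.ID))
	if err != nil {
		return err
	}
	rec.WrappedKey, err = seal(newKey, dataKey, []byte(rec.ID))
	return err
}

func main() {
	// Constructed key and sample data; 4111111111111111 is a standard test card number.
	ek := []byte("0123456789abcdef0123456789abcdef") // enterprise key, never sent to storage
	rec, _ := Encrypt(ek, "txn-0001", []byte("PAN=4111111111111111;EXP=12/25"))
	pt, _ := Decrypt(ek, rec)
	_, storageErr := Decrypt(make([]byte, 32), rec) // storage-side party, no enterprise key
	fmt.Printf("enterprise recovers %q; without the key: %v\n", pt, storageErr)
}
```

The design choice worth noticing is the split between the two keys: a compromise of the provider's storage yields only ciphertext and wrapped keys, and rotating the enterprise key is a small re-wrap per record rather than a bulk re-encryption, which is what makes a regular rotation schedule affordable.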

PCI DSS 2.0 Requirement Challenge - One Policy Fits All

(PCI DSS 2.0 requirements 1 to 12 as listed above. Source: Requirements and Security Assessment Procedures)

Data Life-Cycle

Data Protection on Cloud: Encryption, Device Control, DLP

Life-Cycle of Data Protection (Source: Trend Micro)

Transmit Data
  Gateway & Server DLP
  • DLP Network Monitor
  • Interscan Messaging Security
  • ScanMail for Exchange/Lotus Domino
  • Threat Management Services
  • Worry-Free Business Security Adv*
  Gateway Encryption
  • Email Encryption Gateway
  • Interscan Messaging Security
  • Hosted Email Encryption

Store Data (Secure Cloud)
  Web Site Protection
  • Deep Security – Deep Packet Inspection
  • Vulnerability Management Services
  Data Discovery / DLP
  • DLP Endpoint
  • PortalProtect
  Integrity Monitoring
  • Deep Security – Integrity Monitoring
  Encryption
  • SecureCloud™
  • SafeSync™

Process Data (Endpoint)
  DLP & Device Control
  • DLP Endpoint
  • OfficeScan
  • Worry-Free Business Security Adv*
  Media Encryption (File/Folder, Disk, Email, Removable Media)
  • Endpoint Encryption
  • Email Encryption Client

Threat Information, Policy Management
  Enterprise Security Manager
  • SIEM • SNMP • SYSLOG

Source: Trend Micro

ROI of Data Protection

http://www.trendmicro.com/us/marketing/roi-calculator/virtual-appliance/roi-calculator/index.html
http://go.trendmicro.com/tco-calculator/
http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_tmes_cc_impact.pdf
http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_osterman-virtualization.pdf

Benefits of Data Protection

• Low Cost: Centralized Administration; Performance Savings by Cloud Integration
• Low Risks: Persistent Data Protection; Latest Updated
• PCI Compliant: Separate Data; Maintain a Policy for all

PCI DSS 2.0
• Data Protection
• Server Security (94% of compromised data involved servers)

PCI DSS 2.0 Virtualization Guidelines (Source: PCI)

Example of how scope and responsibility may differ by type of cloud service (IaaS, PaaS, SaaS). Each layer falls to either the Cloud Service Provider or the Cloud Customer, depending on the service type:

• Data
• Software, User applications
• O/S, Databases
• Virtual Infrastructure (hypervisor, virtual appliances, VMs, virtual networks etc.)
• Computer and Network Hardware (processor, memory, storage, cabling, etc.)
• Data Center (physical facility)

Amazon Web Services™ Customer Agreement

"4.2 Other Security and Backup. You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content."
http://aws.amazon.com/agreement/#4 (30 March 2011)

The cloud customer has responsibility for security and needs to plan for protection.

Source: Amazon

PCI DSS 2.0 Requirement Challenge - One Policy Fits All

(PCI DSS 2.0 requirements 1 to 12 as listed above. Source: Requirements and Security Assessment Procedures)

Physical + Virtual + Cloud

Trend Micro Deep Security (Source: Trend Micro)
• Deep Packet Inspection: IDS / IPS, Web App. Protection, Application Control
• Firewall
• Integrity Monitoring
• Anti-malware
• Log Inspection

7 PCI Regulations, 20+ Sub-Controls
(1.) Network Segmentation
(1.x) Firewall
(5.x) Anti-virus
(6.1) Virtual Patching*
(6.6) Web App. Protection
(10.5) Daily Log Review
(11.4) IDS / IPS
(11.5) File Integrity Monitoring
* Compensating Control

Deep Security for PCI compliance: High Security & Low Management Cost

Source: Trend Micro
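Two of the sub-controls listed above, (10.5) daily log review and (11.5) file integrity monitoring, are easier to reason about with the mechanism in front of you. The following is an added example, not Deep Security code, of the core of a file integrity monitor: a baseline of SHA-256 hashes, sizes and permission bits taken over a directory tree, a diff of that baseline against a later snapshot, and one syslog-style line per event for forwarding to a SIEM. The names Snapshot, Diff and Syslog, the key=value line format and the sample files written by main are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// Entry is what the baseline records per file: hash, size and permission bits,
// so a mode change on unchanged content is still caught.
type Entry struct {
	SHA256 string
	Size   int64
	Mode   fs.FileMode
}

// Change is one integrity event; Kind is "added", "modified" or "removed".
type Change struct {
	Kind, Path string
	Old, New   *Entry
}

// Snapshot walks root and records every regular file, keyed by slash-separated
// path relative to root so baselines compare across hosts with different roots.
func Snapshot(root string) (map[string]Entry, error) {
	snap := map[string]Entry{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || !d.Type().IsRegular() {
			return walkErr
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		data, err := os.ReadFile(p) // whole-file read; fine for config and binary trees of modest size
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		sum := sha256.Sum256(data)
		snap[filepath.ToSlash(rel)] = Entry{hex.EncodeToString(sum[:]), int64(len(data)), info.Mode().Perm()}
		return nil
	})
	return snap, err
}

// Diff compares a baseline with a current snapshot; output is sorted by path.
func Diff(base, cur map[string]Entry) []Change {
	var out []Change
	for p, b := range base {
		b := b
		if c, ok := cur[p]; !ok {
			out = append(out, Change{Kind: "removed", Path: p, Old: &b})
		} else if c != b {
			c := c
			out = append(out, Change{Kind: "modified", Path: p, Old: &b, New: &c})
		}
	}
	for p, c := range cur {
		if _, ok := base[p]; !ok {
			c := c
			out = append(out, Change{Kind: "added", Path: p, New: &c})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// Syslog renders one event as a single line for a SIEM; the key=value layout
// is a constructed convention for this example, not any product's format.
func Syslog(host string, ts time.Time, c Change) string {
	line := fmt.Sprintf("%s %s fim: event=%s path=%s", ts.UTC().Format(time.RFC3339), host, c.Kind, c.Path)
	if c.Old != nil {
		line += fmt.Sprintf(" old_sha256=%s old_mode=%04o", c.Old.SHA256[:12], c.Old.Mode)
	}
	if c.New != nil {
		line += fmt.Sprintf(" new_sha256=%s new_mode=%04o", c.New.SHA256[:12], c.New.Mode)
	}
	return line
}

func main() {
	dir, _ := os.MkdirTemp("", "fim") // constructed sample tree
	defer os.RemoveAll(dir)
	conf := filepath.Join(dir, "app.conf")
	os.WriteFile(conf, []byte("debug=false\n"), 0o644)
	base, _ := Snapshot(dir) // baseline taken while the host is known-good
	os.WriteFile(conf, []byte("debug=true\n"), 0o644)              // later tampering
	os.WriteFile(filepath.Join(dir, "drop.so"), []byte("x"), 0o755) // planted file
	cur, _ := Snapshot(dir)
	for _, c := range Diff(base, cur) {
		fmt.Println(Syslog("web01", time.Now(), c))
	}
}
```

In use, the baseline map would be serialized and kept off the monitored host, since a baseline that lives beside the files it protects can be rewritten along with them; the daily review in 10.5 is then a review of the emitted lines rather than of the files themselves.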

PCI DSS 2.0 Requirement Challenge - Keep Arming

(PCI DSS 2.0 requirements 1 to 12 as listed above. Source: Requirements and Security Assessment Procedures)

09 AUG 2011… 7 important updates… 13.2MB… REBOOT REQUIRED

23 AUG 2011… 1 important update… 3.6MB… NO REBOOT

13 SEP 2011… 3 important updates… 65.4MB… NO REBOOT

11 OCT 2011… 4 important updates… 34.6MB… REBOOT REQUIRED

25 OCT 2011… 1 important update… 36K… NO REBOOT

08 NOV 2011… 2 important updates… 2.4MB… REBOOT REQUIRED

13 DEC 2011… 5 important updates… 26.1MB… REBOOT REQUIRED

29 DEC 2011… 3 important updates… 14.3MB… NO REBOOT

10 JAN 2012… 5 important updates… 19.1MB… REBOOT REQUIRED

Virtual Patching - DPI Rules

Addressing 7 PCI Regulations and 20+ Sub-Controls, including: (1.) Network Segmentation, (1.x) Firewall, (5.x) Anti-virus, (6.1) Virtual Patching* (* Compensating Control)

Source: Trend Micro, IT-Harvest, IDC, http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/virtual-patching-roi-calculator/index.html

Virtual Patching for PCI compliance: High Productivity & Low Management Cost

Cost comparison (2,000 desktops, 150 servers, multiple apps. from vendors and self-development):

                            Emergency patch Desktops   Emergency patch Servers   Loss of Productivity
Without virtual patching    USD 2,340                  USD 39,000                USD 65,000
With virtual patching*      USD 65                     USD 65                    USD 0

* Compensating Control

Agentless Protection / Virtual Patching Protection - Deep Security (Source: Trend Micro)

Previously - Agent: an agent in every VM (VM VM VM), some out-of-date
Now - Agentless: one Secure Virtual Appliance protects all VMs on the host (VM VM VM)

• SYMC/MFE consume 3x - 12x more resources in scheduled scans & could not handle more than 25 desktop VMs/host
• DS supports 2-3 times the number of desktop VMs/host of traditional AV
• DS supports 40-60% more server VMs/host than traditional AV

300% VM densities enabled by Deep Security

Scheduled scan resource usage over baseline - 50 VMs per host (Source: Trend Micro, Tolly)

         SYMC     Trend    MFE
  CPU    273%     81%      307%
  IOPS   2143%    692%     2053%

Deep Security All-in-one Dashboard

Secure Virtual Appliance (SVA) & Protected Guests (VM VM VM)
Trend Micro Deep Security, agentless: Antivirus, Integrity Monitoring, Log Inspection, Deep Packet Inspection

Source: Trend Micro

ROI of Deep Security

Procedure                               Cost Savings   Benefit
Initial Install/Setup                   71%            Faster deployment on new VMs. Very fast: as little as 2-3 minutes per VM
Ongoing Management                      87%            Patching is significantly easier. Very fast: can be accomplished with no downtime.
VM Density Improvement for VDI Efforts  35%            Improved VM density

http://www.computerlinks.co.uk/FMS/20685.new_research_from_osterman_research.pdf
http://www.techdata.com/(S(i1afov45rbaolgu4ictxt5y5))/trendmicro/files/TREND%20MICRO_TCO%20WP03_DSAM_110302US.pdf

Benefits of Server Security

• Low Cost: Simplified Administration & Deployment; Higher VM Density & Performance Savings
• Low Risks: All-in-One; Latest Updated
• PCI Compliant: Maintain a Policy for all; Keep Arming

“Choosing solutions from a vendor like Trend Micro that understands cloud computing and helps us take advantage of it — that just makes sense.”

Taylor Simpson, Co-owner, Good Harbor Vineyards

Source: Trend Micro