Simplify PCI DSS Compliance with AlienVault USM

Mark Allen, Technical Sales Manager; Anthony Mack, Sales Engineer

Transcript of Simplify PCI DSS Compliance with AlienVault USM

Page 1: Simplify PCI DSS Compliance with AlienVault USM

Simplify PCI DSS Compliance with AlienVault USM

Mark Allen, Technical Sales Manager; Anthony Mack, Sales Engineer

Page 2: Simplify PCI DSS Compliance with AlienVault USM

What We’ll Cover

• An overview of PCI DSS
• Common challenges in PCI DSS compliance
• Questions to ask as you plan and prepare
• Core capabilities needed to demonstrate compliance
• How to use AlienVault USM to simplify compliance

Page 3: Simplify PCI DSS Compliance with AlienVault USM

PCI DSS

• All entities that store, process or transmit payment cardholder data must maintain payment security
• 3 steps for compliance: 1. Assess, 2. Remediate, 3. Report
• Goal: Make payment security ‘business-as-usual’

Page 4: Simplify PCI DSS Compliance with AlienVault USM

PCI Compliance and Security

“In 10 years, of all companies investigated by Verizon forensics team following a breach, 0 were found to have been fully PCI compliant at the time of the breach”

Data from 2015 Verizon PCI Report

Page 5: Simplify PCI DSS Compliance with AlienVault USM

PCI DSS Version 3.1

Goals and PCI DSS requirements:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

Page 6: Simplify PCI DSS Compliance with AlienVault USM

The State of Compliance

Source: Verizon 2015 PCI Compliance Report

• 4 out of 5 organizations not fully compliant

• Only 1 in 4 organizations remained fully PCI compliant less than a year after a successful PCI validation

• Requirement 11 remains the biggest challenge for organizations

Page 7: Simplify PCI DSS Compliance with AlienVault USM

Common Challenges

• Collecting relevant data on the state of your compliance
  • Critical events
  • Configuration status
• Documenting the state of your compliance
  • Keep the auditor happy
• Maintaining compliance and making it part of “business as usual”

Page 8: Simplify PCI DSS Compliance with AlienVault USM

Questions to Ask

• Where are your in-scope assets?
  • How are they configured?
  • How are they segmented from the rest of your network?
• Who accesses these resources?
  • When, where, what can they do, and how?
• What are the vulnerabilities on these devices?
  • Apps, OS, etc.?
• What constitutes your network baseline?
  • What is considered “normal” or “acceptable”?

Pages 9-14: Simplify PCI DSS Compliance with AlienVault USM

What functionality do I need for PCI DSS?

Identify systems & applications
Document vulnerable assets
Find threats on your network
Look for unusual behavior
Correlate the data & respond

Page 15: Simplify PCI DSS Compliance with AlienVault USM

The AlienVault Unified Security Management Platform (USM)

Unified, Essential Security Controls

ASSET DISCOVERY
• Active & Passive Network Scanning
• Asset Inventory
• Software Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
• Remediation Verification

BEHAVIORAL MONITORING
• Netflow Analysis
• Service Availability Monitoring

SIEM
• Log Management
• OTX threat data
• SIEM Event Correlation
• Incident Response

INTRUSION DETECTION
• Network IDS
• Host IDS
• File Integrity Monitoring

Page 16: Simplify PCI DSS Compliance with AlienVault USM

Actionable Threat Intelligence: Let Us do the Work!

• Automatically detect and prioritize threats through:
  • Correlation Directives
  • Network IDS Signatures
  • Host IDS Signatures
  • Asset Discovery Signatures
  • Vulnerability Assessment Signatures
  • Reporting Modules
  • Incident Response Templates
  • Data Source Plug-Ins
• Spend your time responding to threats, not researching them.

Page 17: Simplify PCI DSS Compliance with AlienVault USM

Open Threat Exchange (OTX)

• The world’s first truly open threat intelligence community

• Enables collaborative defense with actionable, community-powered threat data

• With more than 37,000 participants in 140+ countries

• And more than 3 million threat indicators contributed daily

• Enables security professionals to share threat data and benefit from data shared by others

• Integrated with the USM platform to alert you when known bad actors are communicating with your systems

Page 18: Simplify PCI DSS Compliance with AlienVault USM

PCI Compliance Reports in USM

Report Name: PCI DSS Requirements

Admin Access to Systems: 10.1-10.2, which focus on creating an audit trail of user access to critical systems

Firewall Configuration Changes: 1.1-1.3, which focus on firewalls and network device configuration

Authentication with Default Credentials: 2.x, which focuses on the use of vendor-supplied default credentials

All Antivirus Security Risk Events: 5.1-5.2, which require anti-virus scanning with an up-to-date anti-virus solution

Database Failed Logins: 7.1-7.2, which focus on limiting access to PCI data to only those who “need to know”

…plus 25 more!

Page 19: Simplify PCI DSS Compliance with AlienVault USM

Grouping In-Scope Assets

Built-in asset discovery provides a dynamic inventory allowing cardholder-related resources to be identified and monitored for unusual activity

Custom dashboards focusing on key assets highlight pertinent data
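The report mapping on the previous slide and the grouping of in-scope assets above can be shown together with a small log classifier. The following is an added example written for this transcript, not AlienVault's code and not the USM plug-in or report format: it assumes a constructed cardholder-data-environment inventory of placeholder addresses and constructed syslog-style lines, keeps only events from in-scope hosts, and files each one under the report name and PCI DSS requirement range named on the slide.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed in-scope (cardholder data environment) inventory. The CIDRs and
# group names are placeholders for this example, not from any real deployment.
IN_SCOPE_ASSETS = {
    "10.10.5.0/24": "cde-db-segment",
    "10.10.6.10/32": "cde-firewall",
}

# Report name -> (PCI DSS requirements from the slide, matcher for the event
# text). The regular expressions are illustrative assumptions about what the
# underlying log sources emit; real plug-ins would be written per data source.
REPORT_RULES = [
    ("Admin Access to Systems", "10.1-10.2",
     re.compile(r"session opened for user root|sudo:.*COMMAND")),
    ("Firewall Configuration Changes", "1.1-1.3",
     re.compile(r"firewall.*(rule|policy).*(added|changed|deleted)", re.I)),
    ("Authentication with Default Credentials", "2.x",
     re.compile(r"default credential", re.I)),
    ("All Antivirus Security Risk Events", "5.1-5.2",
     re.compile(r"antivirus.*(detected|quarantined)", re.I)),
    ("Database Failed Logins", "7.1-7.2",
     re.compile(r"FATAL:\s+password authentication failed", re.I)),
]

# Assumed line layout: "<timestamp> <source ipv4> <free-form message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\d+\.\d+\.\d+\.\d+) (?P<msg>.*)$")


def in_scope(host):
    """Return the asset group an address belongs to, or None if out of scope."""
    addr = ipaddress.ip_address(host)
    for cidr, group in IN_SCOPE_ASSETS.items():
        if addr in ipaddress.ip_network(cidr):
            return group
    return None


def classify(line):
    """Map one log line to a PCI report entry, or None if it is out of scope
    or matches no rule. The first matching rule wins."""
    m = LINE_RE.match(line)
    if not m:
        return None
    group = in_scope(m["host"])
    if group is None:
        return None
    for report, reqs, pattern in REPORT_RULES:
        if pattern.search(m["msg"]):
            return {"report": report, "requirements": reqs,
                    "host": m["host"], "group": group, "ts": m["ts"]}
    return None


def build_reports(lines):
    """Group classified events by report name, ready for an auditor view."""
    reports = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            reports[hit["report"]].append(hit)
    return dict(reports)


# Constructed sample log lines; hosts, users and paths are placeholders.
SAMPLE_LOG = [
    "2015-09-01T10:00:01Z 10.10.5.20 sshd[1203]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "2015-09-01T10:01:13Z 10.10.5.20 postgres[2210]: FATAL:  password authentication failed for user \"app_reader\"",
    "2015-09-01T10:02:45Z 10.10.6.10 firewall: rule 17 changed by admin (allow tcp/1433 from any)",
    "2015-09-01T10:03:02Z 192.168.1.40 sshd[88]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "2015-09-01T10:04:30Z 10.10.5.21 clamd: antivirus detected Eicar-Test-Signature in /tmp/sample",
    "2015-09-01T10:05:00Z 10.10.5.20 app: user login ok",
]

if __name__ == "__main__":
    for name, events in build_reports(SAMPLE_LOG).items():
        reqs = events[0]["requirements"]
        print(f"{name} (PCI DSS {reqs}): {len(events)} event(s)")
        for e in events:
            print(f"  {e['ts']} {e['host']} [{e['group']}]")
```

The fourth sample line is a root login on an out-of-scope host and is dropped before any rule runs; that is the point of maintaining the in-scope inventory first, since audit-trail reports for requirement 10 are only meaningful for systems that touch cardholder data.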

Page 20: Simplify PCI DSS Compliance with AlienVault USM

Generating Tickets For Vulnerabilities

USM’s built-in software ticketing system creates trouble tickets from vulnerability scans and alarms.

These tickets specify who owns the remediation, the status and descriptive information.

The tickets also provide a historical record of issues handled, as well as the capability to transfer tickets, assign them to others and push work to other groups.

USM can also send email to an individual or an external ticketing system, or execute a script, as a result of a discovered vulnerability.

Page 21: Simplify PCI DSS Compliance with AlienVault USM

Identifying Assets with Vendor Supplied Passwords

As stated earlier, neglecting to change the default password on ANY network device, especially anything allowing access to cardholder data, is a terrible idea and leaves a huge hole in your defenses.

USM is able to scan your assets for vulnerabilities such as allowing access via default passwords and generate reports on the findings.

This data can be crucial when verifying adherence to this practice to an auditor.