Compliance Audit Readiness. Bob Kral Tenable Network Security

Transcription

1 Compliance Audit Readiness Bob Kral Tenable Network Security

2 Agenda State of the Market Drifting Out of Compliance Continuous Compliance Top 5 Hardest To Sustain PCI DSS Requirements Procedural support Proof Communicating Business Goals, Policies, Procedures, Evidence

3 State of the Market Data breaches Lack of resources, abundance of reactionary cycles Point solution sprawl Difficulty communicating Don t know what s on our networks, changing IT landscape When organizations do not know the risks they face, serious threats are left unaddressed that could mushroom into enormous exposures. ISACA, A Global Look at IT Audit Best Practices

4 ISACA Survey Four of the takeaways from a recent ISACA study: IT changes and security are top of mind significant concerns about finding qualified resources and skills IT audit risk assessments are an absolute must Know your audience to communicate effectively ISACA, A Global Look at IT Audit Best Practices

5 Security Professionals Truly continuous and comprehensive monitoring Better evidence Efficiencies - Do more with less Communication vehicles - Better communications

6 Compliance a baseline PCI DSS Compliance Annual Assessment But our viewpoint has always been that the PCI DSS is a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security. Verizon 2015 DBIR

7 Drifting Out Of Compliance PCI DSS Compliance Annual Assessment Interim Assessment 80% Verizon 2015 PCI Report

8 Continuous Rising Standard of Due Care Ongoing basis Ongoing awareness ongoing risk-based decisions continuous monitoring continuous reporting continuously conduct risk assessments near real time information

9 Continuous and efficient Automated processes, including the use of automated support tools (e.g., vulnerability scanning tools, network scanning devices), can make the process of continuous monitoring more cost-effective, consistent, and efficient. NIST

10 Top 5 Hardest-To-Sustain PCI DSS Requirements 37% 46% 48% 48% 49%

11 Default passwords Many system administrators, let alone users, admit to writing down and sharing privileged passwords an unwanted but understandable behavior given how many passwords are needed across the IT estate. Unfortunately, passwords remain a critical and fundamental weak spot. Verizon 2015 DBIR

12 Password Audits

13 Where s The Sensitive Data? Security Metrics

14 Sensitive Data Audit

15 Asset Discovery Mobile Users MDM integration and passive network traffic On-Premises Users Scanning, sniffing and logging of endpoint On-Premises Apps Scanning, sniffing and logging of servers SaaS Applications Discovery through network and log analysis IaaS Applications API integration and traditional auditing

16 e) Anti-virus audit

17 Malware Defenses Anti-Virus Agent Detection Ensure 100% of your desktops are protected by malware defense Audit Anti-Virus Signatures Ensure the latest malware signatures are deployed to 100% of your systems and Internet Defenses Ensure proxy, sandbox, IPS & next-gen firewalls are deployed correctly

18 Firewall audit

19 Audit Configurations Regulatory Compliance Instrument testing for PCI, FISMA, NIST & more Compliance Best Practice Implement new continuous monitoring best practices Audit Defenses Ensure firewalls, malware defenses & monitoring are enabled

20 Scan, patch, verify,... a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than fire drills attempting to patch particular systems as soon as patches are released. Verizon 2015 DBIR

21 Patching Audit

22 Vulnerability Life Cycle Measure Patch Windows Track how long vulnerabilities live before mitigation Compare Patch Rates Report patch rates for groups, technologies & locations Audit Accepted Risk Analyze which vulnerabilities won t be fixed Find Recurring Vulnerabilities Software updates can re-introduce fixed security issues Track Patch Logs See in real-time when software is installed

23 Reporting & Analytics Patch Window Track missing patches outside of patch window Compliance Standards Audit security policy against PCI, NIST, HIPPA & more Malware Defenses Identify systems without malware defenses Insider Threat Monitor authentication logs to identify abuse Incident Response Leverage system, network & logs to hunt malware

24 Audit Readiness Business Goal Policy Policy Policy Policy Procedures Procedures Procedures Evidence Evidence Evidence

25 Business Goals

26 Policies Support Goals Business Goal Supporting Policies 2. Greater than 75% of systems identified by passive asset classification have also been evaluated by active device scanning.

27 Conversation and Collaboration Policy Greater than 75% of systems identified by passive asset classification have also been evaluated by active device scanning. What s realistic to expect? How many sensitive systems do we have? How many transient hosts do we have? How many of those hosts have we not seen before? Are some of these hosts candidates for agents?

28 Reporting & Analytics Patch Window Track missing patches outside of patch window Compliance Standards Audit security policy against PCI, NIST, HIPPA & more Malware Defenses Identify systems without malware defenses Insider Threat Monitor authentication logs to identify abuse Incident Response Leverage system, network & logs to hunt malware

29 Thank You Bob Kral,

30 Financial Service Tenable Customers Retail/Consumer Technology Media Communications Healthcare Education Public Sector Energy

31

32 Compliance Reporting

33 Audit Checks

34 Content Audits