ENDGAME, INC. PCI DSS SECURITY ARCHITECTURE AND TECHNOLOGY WHITEPAPER


WHITEPAPER

BHAVNA SONDHI, CISA, QSA (P2PE), PA-QSA (P2PE)
NICK TRENC, CISSP, CISA, QSA, PA-QSA

TABLE OF CONTENTS

Executive Summary ... 3
About Endgame ... 3
Audience ... 4
Methodology ... 4
Summary Findings ... 4
Assessor Comments ... 5
Application Architecture and Security ... 6
Technical Security Assessment ... 8
Assessment Methods ... 8
Assessment Environment ... 8
Network Traffic Assessment ... 8
Tools and Techniques ... 10
References ... 10
Appendix A: PCI DSS Requirements Coverage Matrix ... 11
Appendix B: Executed Test Plan ... 14
Conclusion ... 17

Endgame PCI DSS Security White Paper 2

EXECUTIVE SUMMARY

Endgame, Inc. engaged Coalfire Systems Inc. (Coalfire), a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA) and Payment Application QSA (PA-QSA) company, to conduct an independent technical assessment of their Endgame platform. Coalfire conducted assessment activities including technical testing, architectural assessment, and compliance validation. In this paper, Coalfire describes how it confirmed that the Endgame platform met the PCI Data Security Standard (PCI DSS) v3.2 anti-malware requirements for Windows endpoints, based on the sample testing and evidence gathered during this assessment.

ABOUT ENDGAME

Endgame is a centrally managed endpoint security platform that stops advanced threats before damage and loss. The platform provides full stack prevention, accelerated detection and response, and automated hunting across the depth of the MITRE ATT&CK matrix. Endgame's single, autonomous agent eliminates multiple host agents, including anti-virus (AV), next-gen AV, incident response, indicators of compromise (IOC)-based agents, and forensic tools. The Endgame platform provides automated workflow and guided response for analysts to instantly stop malicious activity. Below are highlights of various features and capabilities within the Endgame platform:

Full Stack Prevention: Endgame uses advanced signature-less techniques to prevent exploits, malware, fileless attacks, malicious macros, and ransomware.

Exploit Prevention: Patent-pending Hardware Assisted Control Flow Integrity (HA-CFI) and enhanced Dynamic Binary Instrumentation (DBI) block zero-day exploits before malicious code execution.

Malware Prevention at File Execution: Endgame MalwareScore prevents execution of known and unknown malware and performs signature-less malware prevention.

Fileless Attack Prevention: Patent-pending process injection prevention and Endgame MalwareScore prevent malicious module loads, DLL injection, and shellcode injection to stop adversary evasion and fileless attacks.

Malicious Macro Prevention: Heuristic-based macro prevention blocks malicious macros embedded in commonly targeted applications such as MS Office applications.

Ransomware Prevention: Behavior-based ransomware prevention is effective against ransomware families such as BadRabbit, Petya, WannaCry, etc.

Technique-Focused Protection: Expands across the breadth of the MITRE ATT&CK matrix, stopping ongoing attacks such as command and control, defense evasion, and privilege escalation by leveraging Endgame's knowledge of adversary tradecraft.

Accelerated Endpoint Detection and Response: Endgame's enhanced attacker visualization, Endgame Resolver, unveils the various actions taken by the attacker to instantly identify the origin and extent of compromise. Endgame Resolver shows actions of the attack including process events, network connections, netflow, user logons, DNS requests, and file or registry modifications. Endgame's AI-powered security mentor, Artemis, uses natural language understanding to automate data collection, investigation, and alert triage at enterprise scale.

Endgame Arbiter automates advanced attack analysis to determine file reputation, attack type, and other attributes, extracting IOCs to reveal previously unknown threats across the entire enterprise.

Automated hunting using tradecraft analytics and outlier analysis streamlines detection and response workflows to surface suspicious artifacts across millions of records in minutes.

Precision and scalable response empowers Security Operations Center (SOC) teams to restore endpoints at enterprise scale with zero business disruption.

AUDIENCE

This assessment white paper has three target audiences:
1. QSA and Internal Audit Community: This audience may be evaluating Endgame to assess a merchant or service provider environment for PCI DSS.
2. Administrators and Other Compliance Professionals: This audience may be evaluating Endgame for use within their organization for compliance requirements other than PCI DSS.
3. Merchant and Service Provider Organizations: This audience is evaluating Endgame for deployment in their cardholder data environment and the benefits this solution can offer.

METHODOLOGY

Coalfire completed a multi-faceted technical assessment using the industry and audit best practices listed below. Coalfire conducted technical lab testing in its Colorado lab from October 6, 2017 to October 27, 2017, including remediation activities. At a high level, testing consisted of the following tasks:
1. Technical review of the architecture of the full solution and its components.
2. Implementation of the sensor in the Coalfire lab environment for Windows endpoints.
3. Introduction of malware binaries on local systems with Endgame software installed.
4. Confirmation of Endgame's ability to block and remove known malware samples for Windows endpoints.
5. Execution of malware scans using application programming interface (API) scripts for Windows endpoints.
SUMMARY FINDINGS

The following findings are relevant highlights of this assessment:
- When properly implemented following vendor guidance, the Endgame platform can provide coverage for PCI DSS Requirement 5 (Protect all systems against malware and regularly update anti-virus software or programs), based on the sample testing and evidence gathered during this assessment.
- The Endgame platform detected and effectively prevented the execution of known malware samples for Windows endpoints.
- The Endgame platform provided hunting and scanning capabilities for Windows endpoints.
- The Endgame platform effectively mitigated the malware with the following solutions for Windows endpoints:
  - Malware protection at file execution (prevents execution on installation)
  - Malware detection for created and modified files
  - Application exploit prevention (prevents execution on installation)
  - Application exploit detection
  - Ransomware prevention
  - Deletion of files
- The Endgame platform adequately generated logs of events such that malicious activity could be traced in accordance with PCI DSS requirements.
- The Endgame Host Sensor could not be disabled by unauthorized users.
- Endgame provides features for investigations (hunting for endpoint data), fileless attacks, whitelisting of files or applications, and IOC search on file, network, process, registry, and users.

ASSESSOR COMMENTS

The assessment scope focused on validating the use of Endgame in a PCI DSS environment, specifically to include its impact on PCI DSS Requirement 5. The Endgame platform, when properly implemented following guidance from Endgame, Inc., can be utilized to meet the technical portions of PCI DSS Requirement 5. However, as most computing environments and configurations vary drastically, it is important to note that use of this product does not guarantee security, and even the most robust anti-virus solutions can fail when improperly implemented. A defense-in-depth strategy that provides multiple layers of protection should be followed as a best practice. Please consult with Endgame, Inc. for policy and configuration questions and best practices.

It should also not be construed that the use of Endgame guarantees full PCI DSS compliance. Disregarding PCI requirements and security best practice controls for systems and networks inside or outside of PCI DSS scope can introduce many other security or business continuity risks to merchants or service providers. Security and business risk mitigation should be any merchant's or service provider's goal and focus when selecting security controls.

APPLICATION ARCHITECTURE AND SECURITY

The Endgame platform offers prevention, detection and response, and threat hunting capabilities. The Endgame platform can either be hosted on-premises or in the cloud: customers can host it themselves on their own infrastructure, or Endgame can host it for the customer in the cloud. Endgame's lightweight, autonomous agent provides online and offline 24x7 protection. The Endgame architecture is represented in Figure 1.

Figure 1: Endgame Architecture Diagram

The following are the key components and features of the Endgame platform:

Endgame Host Sensor (sensor): The Endgame Host Sensor is a lightweight sensor, consuming less than 1% of CPU resources, that is deployed on all monitored endpoints and hosts. The sensor can either run as a background process with no user interface or with a notification that gives details on current system threats and blocked actions. The sensor does not interfere with any installed software on the host, including anti-malware or anti-virus software. Endgame's advanced sensor technology allows the analyst to choose to install a persistent sensor for long-term protection or a dissolvable sensor for minimal endpoint footprint.

Endgame Host Sensor Protection: The Endgame Host Sensor operates in the Operating System (OS) kernel and user space. It is tamper resistant and has available protections to prevent disabling of the sensor by the user. In addition, the sensor can be installed in disguised mode, which changes the sensor driver file name, sensor file name, and popup name.

Endgame Host Sensor Operation: The Endgame Host Sensor continuously gathers event data, including domain name system (DNS), file, image load, network, netflow, process, registry, and Windows logon/logoff events, and stores them in a secure database. This real-time event collection and tradecraft analytics allow analysts to identify threats and respond to them quickly.

Endgame MalwareScore: A machine learning powered model that performs signature-less malware prevention and blocks known and unknown malware on file-based execution. The model is used to determine if a file is malicious and looks for static attributes of files (without executing the file) that include file structure, layout, and content. This also includes information such as portable executable (PE) header data, imports, exports, section names, and file size. These attributes are extracted from millions of file samples, which are then passed to a machine-learning algorithm that distinguishes a benign file from a malicious one. The machine learning model is updated as new data is procured and analyzed. This model is based on Google's VirusTotal engine.

The Endgame platform provides Application Programming Interface (API) integration through which users can schedule periodic malware scans, generate audit log output and Endgame platform task audit logs, and produce various other outputs as required. The API is based on representational state transfer (REST) principles, where data resources are accessed via standard HTTPS requests in UTF-8 format to an API endpoint. The Endgame platform communicates over HTTPS using JavaScript Object Notation (JSON), and response data received is encoded as JSON.

Endgame Arbiter: Endgame's advanced cloud-based malware intelligence platform that provides behavioral and static malware analysis for all generated malware alerts. Users can submit the file for analysis from within the platform management console and log in to Endgame Arbiter to view the analysis report. The report provides a summary of the malware file, including filename, Endgame MalwareScore, hash values, static and behavioral analysis, reputation score, and VirusTotal report. The reputation score is calculated from Endgame's research team lab findings, VirusTotal, and third-party partners. Endgame Arbiter also communicates the updates pertaining to sensors, the malware model, and whitelists to the Endgame platform when connected to the cloud, and the Endgame platform distributes these updates to the sensors immediately.

Multi-Client Management (MCM) Server/Endgame Platform: Management and monitoring server, hosted on-premises at the customer's headquarters or in the Amazon cloud. MCM allows administrators and analysts to monitor enterprise health by viewing endpoint data across multiple Endgame platforms from a single interface. MCM integrates several pieces of data from connected endpoints, and with this data administrators can perform installations, monitor system health, and take actions as necessary. The management console provides user and password management features for login to MCM and can also be configured via Lightweight Directory Access Protocol (LDAP). LDAP enables users registered within Active Directory (AD) to connect to the Endgame platform with AD credentials. Role-based access control (RBAC) within the Endgame platform provides local users with access to only specific functionality, page views, and permission rights. The Endgame platform can log various tasks or actions, providing support for audit trail logging as required by PCI DSS.
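The MalwareScore description above lists the static attributes the model inspects (PE header data, section names, file size and so on) without ever executing the file. The Python below is an added illustration of how such static features are pulled out of a PE header; it is not Endgame's code or model. The image it parses is constructed inside the script (a non-runnable PE32 skeleton with illustrative section names, including a packer-style name and a uniform-byte section to show the entropy feature), so it runs offline. Import and export table parsing is not included.

```python
import math
import struct

# Section names commonly emitted by mainstream compilers/linkers; anything else is
# reported so a classifier can weigh it (unusual names often come from packers).
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                        ".idata", ".edata", ".bss", ".tls", ".pdata"}


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_static_features(data: bytes) -> dict:
    """Parse DOS, COFF and section headers and return static attributes.
    Nothing is executed; malformed input raises ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, num_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 20:
        raise ValueError("optional header too small")
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sec_table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        (name, vsize, vaddr, raw_size, raw_ptr, _r, _l, _nr, _nl,
         sec_chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]  # slicing tolerates truncated files
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
            "entropy": round(shannon_entropy(raw), 3),
            "characteristics": sec_chars,
        })
    # Which section the entry point lands in (an entry point outside .text, or
    # outside every section, is a common heuristic signal).
    entry_section = next(
        (s["name"] for s in sections if s["virtual_address"] <= entry_rva
         < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)
    return {
        "file_size": len(data), "machine": machine, "pe32_plus": magic == 0x20B,
        "timestamp": timestamp, "characteristics": characteristics,
        "num_sections": num_sections,
        "section_names": [s["name"] for s in sections], "sections": sections,
        "entry_point_rva": entry_rva, "entry_section": entry_section,
        "max_section_entropy": max((s["entropy"] for s in sections), default=0.0),
        "unusual_section_names": [s["name"] for s in sections
                                  if s["name"] not in COMMON_SECTION_NAMES],
    }


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE32 skeleton used only as parser input."""
    e_lfanew, file_align = 0x40, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # (name, content, section characteristics) - illustrative values
    payloads = [
        (b".text", b"\x55\x8b\xec\x83\xec\x10" * 64, 0x60000020),  # code-like bytes
        (b".rdata", b"Endgame sample string\x00" * 20, 0x40000040),
        (b".data", b"\x00" * 256, 0xC0000040),                   # zero-filled
        (b"UPX1", bytes(range(256)) * 16, 0xE0000040),            # uniform bytes
    ]
    headers_len = e_lfanew + 4 + 20 + 96 + 40 * len(payloads)
    raw_ptr = first_raw = (headers_len + file_align - 1) // file_align * file_align
    sec_headers, raw_blobs = bytearray(), bytearray()
    for i, (name, content, chars) in enumerate(payloads):
        raw_size = (len(content) + file_align - 1) // file_align * file_align
        sec_headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(content),
                                   0x1000 * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, chars)
        raw_blobs += content.ljust(raw_size, b"\x00")
        raw_ptr += raw_size
    coff = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0x59D5F000, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)   # entry point inside .text
    image = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + bytes(sec_headers)
    return image + bytes(first_raw - len(image)) + bytes(raw_blobs)


if __name__ == "__main__":
    import json
    print(json.dumps(extract_static_features(build_sample_pe()), indent=2))
```

On a real sample the `data` argument is simply the file's bytes; the per-section entropy and the packer-style section name are the two features that most often separate the constructed image from a clean compiler output.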

TECHNICAL SECURITY ASSESSMENT

ASSESSMENT METHODS

Coalfire used the following methods to assess the potential PCI DSS coverage of the solution:
1. Analysis of the architecture and configuration of the solution in accordance with vendor guidelines.
2. Deployment of sensors to Windows systems along with enablement of policies. Windows policies were configured to enforce the detection and prevention of known malware on file execution.
3. Examination of sensor configurations to confirm protection cannot be turned off by non-administrators on Windows endpoints.
4. Execution of known malware samples (to include ransomware, backdoor, trojan horse, spyware, virus, and worm) deliberately propagated to test machines.
5. Review of the backend component for verification of detection, execution prevention, and deletion of all test sample malware for Windows endpoints. Also, evaluation of the backend component for verification that sensors were deployed, communicating, up-to-date, performing periodic scans via API scripts, and protecting against potential threats for the Windows endpoints.

ASSESSMENT ENVIRONMENT

The Endgame platform was hosted in the cloud for testing purposes, and the sensor was installed on the following system: Windows 2012 Server deployed in a virtual environment, including default Windows applications, with other anti-virus solutions disabled.

NETWORK TRAFFIC ASSESSMENT

A Wireshark Ethernet port sniffer was used to monitor the following traffic for components within the Endgame platform:
- Traffic from the Windows machine to the Endgame platform (Figure 2): No sensitive data was transmitted over the network from the Windows machine with the sensor deployed to the Endgame platform server, and any log data or alert information was encrypted over TLS 1.2.

Figure 2: Communication between the Windows machine and the Endgame platform machine hosted in the cloud. Encrypted data (logs or update information) is always transmitted.
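The network traffic assessment above used Wireshark to confirm that sensor-to-platform traffic was encrypted over TLS 1.2. As an added example, not from the paper or from Endgame, the Python below parses a TLS ServerHello record (the handshake message in which the negotiated protocol version and cipher suite are visible on the wire, which is what a Wireshark view of the session shows) and flags any session negotiated below TLS 1.2. The records it checks are constructed in the script. For TLS 1.3 the negotiated version is carried in the supported_versions extension rather than in the legacy version field, and the parser handles that case.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MINIMUM_VERSION = 0x0303   # TLS 1.2, the version the assessment observed
EXT_SUPPORTED_VERSIONS = 0x002B


def build_server_hello(version: int, cipher_suite: int, selected_version=None) -> bytes:
    """Constructed ServerHello record for testing; random and session id are dummies."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"      # version, random, empty session id
    body += struct.pack(">H", cipher_suite) + b"\x00"             # cipher suite, null compression
    ext = b""
    if selected_version is not None:                             # TLS 1.3 style negotiation
        ext_data = struct.pack(">H", selected_version)
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body    # type 2 = ServerHello
    record_version = 0x0303 if version >= 0x0303 else version
    return b"\x16" + struct.pack(">HH", record_version, len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and cipher suite from a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                  # skip server random
    pos += 1 + body[pos]                          # skip session id
    cipher = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 1                                  # cipher suite, compression method
    if pos + 2 <= len(body):                      # extensions are optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack(">H", body[pos:pos + 2])[0]
            pos += elen
    return {"version": version,
            "version_name": TLS_VERSIONS.get(version, hex(version)),
            "cipher_suite": cipher,
            "meets_minimum": version >= MINIMUM_VERSION}


def audit_capture(records) -> list:
    """Return the parsed results of every record that negotiated below the minimum."""
    return [r for r in (parse_server_hello(rec) for rec in records) if not r["meets_minimum"]]


# Constructed capture: one TLS 1.2 session, one TLS 1.3 session, one TLS 1.0 session.
SAMPLE_CAPTURE = [
    build_server_hello(0x0303, 0xC02F),                          # TLS 1.2, ECDHE-RSA-AES128-GCM-SHA256
    build_server_hello(0x0303, 0x1301, selected_version=0x0304),  # TLS 1.3, AES_128_GCM_SHA256
    build_server_hello(0x0301, 0x002F),                          # TLS 1.0, RSA-AES128-CBC-SHA
]

if __name__ == "__main__":
    for rec in SAMPLE_CAPTURE:
        print(parse_server_hello(rec))
    print("below minimum:", audit_capture(SAMPLE_CAPTURE))
```

To apply this to a real capture, extract the ServerHello records from the pcap (Wireshark's handshake filter shows them) and pass their bytes to `audit_capture`; an empty result means every observed session met the TLS 1.2 floor the paper reports.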

TOOLS AND TECHNIQUES

Standard tools Coalfire utilized for this technical assessment included:

TOOL NAME: Live Malware Samples
DESCRIPTION: Sample binaries of known malware for Windows systems:
- Sample Windows malware obtained from theZoo, aka Malware DB
- Sample Windows malware provided by the Endgame vendor for testing purposes
*Note: Visiting and downloading from the above sites may lead to malware infection. It is highly recommended against.

TOOL NAME: Wireshark
DESCRIPTION: Wireshark Ethernet port sniffer to observe the traffic coming in and out of the system.

REFERENCES

PCI SSC - Data Security Standard
PCI SSC - Data Security Standard - Payment Application Data Security Standard Program Guide, v
Endgame Administrator Guide: Admin User Guide pdf
Endgame User Guide: User Guide pdf
Endgame API Documentation: Endgame API Docs.pdf
Endgame Platform Upgrade: Upgrade Endgame to the 2.4[1].pdf
Endgame Sensor Upgrade: Sensor Upgrade via Upload and Execute[1].pdf
Cloud Updates to Platform: Cloud Communication Design.pdf

APPENDIX A: PCI DSS REQUIREMENTS COVERAGE MATRIX

COMPLIANCE LEVEL KEY: Compliance directly supported via use of the Endgame platform; Requires merchant action for full compliance.
COLUMNS: PCI DSS REQUIREMENT | DESCRIPTION | COMPLIANCE SUPPORTED | ASSESSOR COMMENTS

Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Assessor comments: Endgame provides the following features:
- Can directly deploy sensors (endpoint software application) on Windows systems through the Endgame management console. Sensors can also be deployed manually on Windows through a command line terminal.
- Provides direct monitoring capability for the sensor-deployed systems through the Endgame management console (hosted on a customer's physical premises or in the cloud).
- Endgame, Inc. uses Endgame MalwareScore, the machine learning model developed by Endgame, Inc., to detect and prevent known malware. This allows Endgame to detect known malware, block it from running, and remove it when requested by an administrator.
- Testing showed that Endgame was able to detect, block at file execution, and remove malware by providing the file path for several examples of viruses, Trojans, ransomware, rootkits, and other known malware on the Windows OS endpoint.
- Administrators can configure the policies on Windows systems to detect and prevent malware. Deletion of a file requires actions to be performed on the endpoints through the management console.
- The configurations have to be performed by administrators in order to be compliant with PCI DSS requirements.

5.1 (continued) For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
Assessor comments: This is a process/procedure requirement. Customers (merchants or service providers) must periodically evaluate the systems they use to ensure they are not considered commonly affected. Endgame Host Sensors can be deployed on Windows endpoints, and sensor deployments would be required to evaluate and identify malware threats on these endpoints.

5.2 Ensure that all anti-virus mechanisms are maintained as follows: are kept current; perform periodic scans; generate audit logs which are retained per PCI DSS Requirement 10.7.
Assessor comments:
5.2.a The sensor software installed on Windows endpoints checks and detects malicious files on execution and performs real-time checks against the Endgame MalwareScore. Automatic updates on the Endgame platform are available when there is connectivity to the cloud environment (Arbiter), thus meeting the PCI DSS automatic updates requirement. Windows endpoint sensors then receive updates from the Endgame platform management console.
5.2.b Policies can be configured on Windows systems via API scripts that will need to be developed and deployed on Endgame platform servers in the respective environments to have the scans performed periodically.
5.2.c Logging as required by PCI DSS can be generated via API scripts that will need to be developed and deployed on Endgame platform servers in the respective environments, requiring administrators to perform the necessary actions. The audit logs generated will need to be forwarded to syslog servers for retention purposes to meet PCI DSS Requirement 10.7. The logging could include actions performed by users or administrators on the management console as well as tasks that were executed for Windows endpoints from within the management console.

5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. Note: Anti-virus solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Assessor comments:
5.3.a The Endgame management and monitoring console shows the monitoring status (Active, Inactive, Unmonitored, or Deployment Failure status mode) of all endpoints where the sensor is deployed through the management console.
5.3.b The management console provides the functionality to delete or uninstall the endpoint sensor based on the administrator type setting and permissions. No users can disable the sensor software running locally on the Windows machine without appropriate administrator permissions.
5.3.c This is an administrative control and requires authorization to be provided by management to meet the control requirement.

5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Assessor comments: This is a policies and procedures based requirement. While Endgame can help meet the requirements for protecting against malware, it is up to administrators to create and document specific policies as required for their respective environments.
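Both the API description in the Application Architecture and Security section and the 5.2.c assessor comment above rely on audit-log output being produced via API scripts and then forwarded to syslog servers for retention under Requirement 10.7. The Python below is an added example of that forwarding step and is not Endgame's code: it takes decoded JSON audit records, whose field names are an assumption for this example rather than the Endgame API schema, validates them so that gaps in the audit trail are visible, and renders each one as an RFC 5424 syslog message with structured data (the enterprise number 32473 is the one RFC 5424 reserves for documentation examples). Sending is done through a caller-supplied function, so the script runs offline by default; a UDP sender is included for use with a real collector.

```python
import json
import socket
from datetime import datetime

# Constructed sample export, as it might look after json.loads() on an API
# response. The field names are an assumption for this example; the third
# record is deliberately malformed to exercise validation.
SAMPLE_EXPORT = json.dumps([
    {"id": "evt-0001", "timestamp": "2017-10-20T14:03:11Z", "user": "analyst1",
     "action": "policy.update", "target": "win2012-lab-01", "result": "success"},
    {"id": "evt-0002", "timestamp": "2017-10-20T14:05:42Z", "user": "admin",
     "action": "sensor.uninstall", "target": "win2012-lab-01", "result": "denied"},
    {"id": "evt-0003", "timestamp": "not-a-timestamp", "user": "scheduler",
     "action": "scan.run", "target": "all-windows", "result": "success"},
])

REQUIRED = ("id", "timestamp", "user", "action", "target", "result")
FACILITY_LOCAL7 = 23
SEVERITY = {"success": 6, "denied": 4, "failure": 3}   # informational, warning, error
ENTERPRISE_ID = 32473                                   # RFC 5424 documentation value


def parse_export(text: str):
    """Decode a JSON array of audit records; return (valid, rejected).
    Rejected entries carry a reason so an operator can see what was dropped."""
    valid, rejected = [], []
    for rec in json.loads(text):
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            rejected.append((rec, "missing fields: " + ", ".join(missing)))
            continue
        try:
            datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            rejected.append((rec, "bad timestamp"))
            continue
        valid.append(rec)
    return valid, rejected


def sd_escape(value) -> str:
    """Escape the three characters RFC 5424 forbids inside SD-PARAM values."""
    return str(value).replace("\\", "\\\\").replace("]", "\\]").replace('"', '\\"')


def to_syslog(rec: dict, hostname="endgame-platform", app="endgame-audit") -> str:
    """Render one record as <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG."""
    pri = FACILITY_LOCAL7 * 8 + SEVERITY.get(rec["result"], 5)  # 5 = notice for unknown results
    params = " ".join(f'{k}="{sd_escape(rec[k])}"'
                      for k in ("id", "user", "action", "target", "result"))
    sd = f"[audit@{ENTERPRISE_ID} {params}]"
    msg = (f"user={rec['user']} action={rec['action']} "
           f"target={rec['target']} result={rec['result']}")
    return f"<{pri}>1 {rec['timestamp']} {hostname} {app} - {rec['action']} {sd} {msg}"


def udp_sender(host: str, port: int = 514):
    """Return a send(line) function that ships each message to a UDP syslog collector."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(line: str):
        sock.sendto(line.encode("utf-8"), (host, port))
    return send


def forward(text: str, send=None):
    """Validate an export, format it, optionally send it; return (lines, rejected)."""
    valid, rejected = parse_export(text)
    lines = [to_syslog(r) for r in valid]
    if send is not None:
        for line in lines:
            send(line)
    return lines, rejected


if __name__ == "__main__":
    lines, rejected = forward(SAMPLE_EXPORT)       # dry run; pass udp_sender(host) to ship
    print("\n".join(lines))
    for rec, reason in rejected:
        print("rejected", rec.get("id"), reason)
```

The rejected list is worth logging on its own: a forwarder that silently drops malformed records undermines the retention evidence the requirement asks for.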

APPENDIX B: EXECUTED TEST PLAN

COLUMNS: PCI DSS REQUIREMENT | TEST DEFINITION PER PCI VALIDATION PLAN | COMPLIANCE SUPPORTED | ENDGAME RESULTS AND TESTING

Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Test definition: 5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists. Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs: detect all known types of malicious software, remove all known types of malicious software, and protect against all known types of malicious software. Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits.
Endgame results and testing: Produced a report and log record that indicated that the sensor software was installed, active, and gathered events to detect and prevent threats from endpoints within scope of PCI DSS.
1. Detect all "KNOWN" types of malware: Endgame MalwareScore allows Endgame to detect known malware and block it from running. Demonstrated that the types of malware that were detected included ransomware, backdoor, trojan horse, spyware, virus, and worm.
2. Remove all "KNOWN" types of malware: Demonstrated that administrator users can delete the detected malicious file through the management console. The types of malware that were removed included ransomware, backdoor, trojan horse, spyware, virus, and worm.
3. Protect against all "KNOWN" types of malware: Demonstrated how the solution detected and then banned or blocked known malware that was part of the known malware list from VT for Windows endpoints. The types of malware that were protected against included ransomware, backdoor, trojan horse, spyware, virus, and worm.

5.1 (continued) For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
Test definition: Interview personnel to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, in order to confirm whether such systems continue to not require anti-virus software.
Endgame results and testing: Demonstrated how easily the sensor software was deployed on any given system (OS coverage and implementation features). Also illustrated how any given system was assessed even if it was not part of the in-scope PCI systems.

5.2 Ensure that all anti-virus mechanisms are maintained as follows: are kept current; perform periodic scans; generate audit logs which are retained per PCI DSS Requirement 10.7.
Test definition:
5.2.a Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up to date.
5.2.b Examine anti-virus configurations, including the master installation of the software, to verify anti-virus mechanisms are: configured to perform automatic updates, and configured to perform periodic scans.
5.2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that: the anti-virus software and definitions are current, and periodic scans are performed.
5.2.d Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that: anti-virus software log generation is enabled, and logs are retained in accordance with PCI DSS Requirement 10.7.
Endgame results and testing:
5.2.a Demonstrated that MalwareScore analyzes, detects, and protects against the malicious files for Windows endpoints. Once the Endgame platform was updated with the newer version via the cloud, updates were pushed out to the sensor software on endpoints through the management console.
5.2.b Demonstrated that Endgame periodically scanned in-scope systems for malware through API scripts that can be executed on the Endgame platform server. Demonstrated that automatic updates could be performed when connected to the Arbiter in the cloud environment. The Windows endpoint sensor was then upgraded from within the Endgame platform management console.
5.2.c Demonstrated that Endgame's machine learning model was sourced from current repositories and received information through Arbiter. Demonstrated that Endgame periodically scanned in-scope systems through the use of API scripts.
5.2.d Demonstrated that anti-virus logs are available through the Endgame platform; however, administrators are required to execute scripts periodically on the platform to generate logs as required by PCI DSS. These logs are currently retained as per customers' retention requirements. These could be retained in accordance with PCI DSS Requirement 10.7 or could be configured to have the logs sent out via syslog for retention purposes.

5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. Note: Anti-virus solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Test definition:
5.3.a Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify the anti-virus software is actively running.
5.3.b Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that the anti-virus software cannot be disabled or altered by users.
5.3.c Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Endgame results and testing:
5.3.a Demonstrated via log reports and live console view that the sensor software was either running or active on Windows endpoints and that the policy was enforcing the proper configurations.
5.3.b Demonstrated that users cannot disable the sensor software running locally on the Windows machine without appropriate administrator permissions.
5.3.c Demonstrated that Endgame could be configured by a user with proper administrative access and that a policy was in place that dictated when authorized changes could be made for Windows endpoints.

5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Test definition: 5.4 Examine documentation and interview personnel to verify that security policies and operational procedures for protecting systems against malware are: documented, in use, and known to all affected parties.
Endgame results and testing: This is a policies and procedures based requirement. Customers are required to implement this requirement for their environment. Demonstrated that Endgame logs were queried and that health statistics regarding the client software were collected to provide proof of agent uptime as well as policy compliance.

CONCLUSION

After reviewing the requirements of the PCI DSS, Coalfire determined, through review of business impacts and a technical assessment, that Endgame, as outlined in this document, could meet PCI DSS Requirement 5 for Windows endpoints. The ability to achieve overall compliance with any regulation or standard will be dependent upon the specific design and implementation of the Endgame platform. Endgame demonstrated a high level of flexibility for managing endpoints, customization of policies, file analysis, notifications, and configurations including logging and LDAP and RBAC settings, which makes it an option for companies aiming to comply with PCI DSS anti-malware requirements.

18 ABOUT THE AUTHORS Bhavna Sondhi Senior Security Consultant CISA, QSA (P2PE), PA-QSA (P2PE) Bhavna Sondhi is a Sr. Security Consultant for the Application Security team at Coalfire. Bhavna is responsible for conducting PCI DSS, PA-DSS, and P2PE assessments as well as authoring technical whitepapers. Bhavna joined Coalfire in 2013 and brings over 11 years of software engineering and Information Security experience to the team, leading extensive consulting and assessment engagements within USA, Europe, and Asia. As a lead PA-QSA and P2PE-QSA, Bhavna supports assessments for some of the largest payment software providers in the world and her software engineering experience plays a vital part in ensuring the teams recognize the importance of secure code development and Information Security within their operational practices. Nick Trenc Director Nick Trenc is the Director of the Application Security team at Coalfire. Nick has several years of experience working in Information Security and has an in-depth understanding of application, network, and system security architectures. He holds CISA, CISSP, QSA, and PA-QSA certifications. Published November ABOUT COALFIRE Coalfire is the cybersecurity advisor that helps private and public sector organizations avert threats, close gaps, and effectively manage risk. By providing independent and tailored advice, assessments, technical testing, and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives, and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 16 years and has offices throughout the United States and Europe. Coalfire.com Copyright Coalfire Systems, Inc. All Rights Reserved. Coalfire is solely responsible for the contents of this document as of the date of publication. 
The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI DSS, et al.). Consequently, any forward-looking statements are not predictions and are subject to change without notice. While Coalfire has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. In order to maintain contextual accuracy of this document, all references to this document must explicitly reference the entirety of the document, inclusive of the title and publication date; neither party will publish a press release referring to the other party or excerpting highlights from the document without prior written approval of the other party. If you have questions with regard to any legal or compliance matters referenced herein, you should consult legal counsel, your security advisor, and/or your relevant standard authority.

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

IBM Managed Security Services - Vulnerability Scanning

IBM Managed Security Services - Vulnerability Scanning Service Description IBM Managed Security Services - Vulnerability Scanning This Service Description describes the Service IBM provides to Client. 1.1 Service IBM Managed Security Services - Vulnerability

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM OVERVIEW The Verizon 2016 Data Breach Investigations Report highlights that attackers are regularly outpacing the defenders.

More information

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY Managing and Auditing Organizational Migration to the Cloud 1 TELASA SECURITY About Me Brian Greidanus bgreidan@telasasecurity.com 18+ years of security and compliance experience delivering consulting

More information

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments Today s PCI compliance landscape is one of continuing change and scrutiny. Given the number

More information