The IT Search Company

Transcription

1 The IT Search Company

2 PCI for Gala Coral Peter Bassill CISO Gala Coral Group The IT Search Company 2 Splunk Inc. 2010

3 Agenda My 2 minutes of Fame Who is Gala Overview of Gala What is PCI DSS Splunking PCI A detailed review of the searches and the thinking behind them Where to find out more The IT Search Company 3 Splunk Inc. 2010

4 Splunking at Gala About Me Peter Bassill Gala Coral Group 14 years experience in Information Security LLM (Information Law), CISSP, CISA & GCFA Runner up to Security Person of the Year Technical Dive Instructor Qualified Pilot Lives on a farm Uses Splunk to control temp & humidity in greenhouses The IT Search Company 4 Splunk Inc. 2010

5 Whois Gala Coral Group About Gala Coral Group employees servers 2400 regional presences 1gig indexing per peak load Average 30gig per day PCI Tier 1 compliant for 5 years Using Splunk for 4 ½ years 4 Data Centers 3 Main Offices 1 Happy Family The IT Search Company 5 Splunk Inc. 2010

6 Whois Gala Coral Group The IT Search Company 6 Splunk Inc. 2010

7 Why Splunk History 2005 Sold EIQ by a very good sales person 2007 A Geek install of Splunk happened 2008 EIQ retired to the skip, Splunk takes over 2009 All our Splunk Ninja s leave, CTO switches to RSA Envision 2010 Splunk returns The IT Search Company 7 Splunk Inc. 2010

8 Why Splunk EIQ v Splunk 1 round, 1 knockout DDoS Attack, 320 meg per second, 1.7 million attackers, 1.02 billion threads The IT Search Company 8 Splunk Inc. 2010

9 Splunking at Gala Architecture Overview Linux based architecture Cloud based LiveCD built servers - built to exceed NSA standards Front facing load balancers Quadruple layered firewalls The IT Search Company 9 Splunk Inc. 2010

10 Splunking at Gala Whats does that look like? The IT Search Company 10 Splunk Inc. 2010

11 Splunking at Gala Splunk Architecture Overview Single Head End for Searching and App hosting 2 Dedicated Indexers 3 Splunk Databases The IT Search Company 11 Splunk Inc. 2010

12 What is PCI DSS Payment Card Industry Data Security Standard (PCI DSS) Set of Security Standards for protecting credit card information Standards were initially developed separately by card companies Late 2008 common PCI council developed a set of standards to form PCI DSS v1.1 The IT Search Company 12 Splunk Inc. 2010

13 How does this impact my Organization? Any organization that accepts, stores, processes, or transmits credit card information is required to comply with PCI The IT Search Company 13 Splunk Inc. 2010

14 Merchant Tiering Tier 1 2 Description Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year. 3 Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year. The IT Search Company 14 Splunk Inc. 2010

15 Compliance & Validation Requirements Tier Validation Action Validated By 1 2 Annual On-site PCI Data Security Assessment Quarterly Network Scan Annual PCI Self-Assessment Questionnaire (SAQ) Quarterly Network Scan Qualified Security Assessor or Internal Audit if signed by Officer of the company Approved Scanning Vendor Merchant Approved Scanning Vendor 3 4* Annual PCI SAQ Quarterly Network Scan Annual PCI SAQ Quarterly Network Scan (if applicable) Merchant Approved Scanning Vendor Merchant Approved Scanning Vendor *The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants. The IT Search Company 15 Splunk Inc. 2010

16 The 12 Commandments Build & Maintain a Secure Network 1. Install & Maintain a Firewall 2. No vendor supplied passwords or security parameters Protect Cardholder Information 3. Obfuscate cardholder information (encryption, truncation, tokenization, etc.) 4. Encrypt transmissions of cardholder data across open, public networks The IT Search Company 16 Splunk Inc. 2010

17 The 12 Commandments (cont ) Maintain a Vulnerability Mgmt Program 5. Use & regularly update anti-virus software 6. Develop & maintain secure systems & applications Implement Strong Access Control Measures 7. Restrict access to cardholder data 8. Assign unique IDs to computer users 9. Restrict physical access to cardholder data The IT Search Company 17 Splunk Inc. 2010

18 The 12 Commandments (cont ) Regularly Monitor and Test Networks 10. Track & monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security The IT Search Company 18 Splunk Inc. 2010

19 Consequence of Non-Compliance Card Company Fines & Higher Transaction Fees FTC Oversight Direct & Indirect Costs resulting from the data breach but potentially most damaging Brand Damage Loss of consumer confidence The IT Search Company 19 Splunk Inc. 2010

20 Splunking PCI What is it the auditor wants? Every auditor is different, so they want different things You know your environment best but Easy to view dashboard All the information in one place Consistent story throughout the business The IT Search Company 20 Splunk Inc. 2010

21 Splunking PCI What is it I want? Policy Compliance Risk Reporting on Alteris Tickets Vulnerability Tracking The IT Search Company 21 Splunk Inc. 2010

22 Splunking PCI Lets get more interesting.. Are you bored yet? Shall we stopping with the slides? The IT Search Company 22 Splunk Inc. 2010

23 Splunking PCI Where can I find out more SplunkBase: PCI App for Splunk (cc license) peterbassill.com: Regex s Splunk searches Or you can me at splunk@peterbassill.com The IT Search Company 23 Splunk Inc. 2010

24 24