Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Similar documents
RiskSense Attack Surface Validation for IoT Systems

SOLUTION BRIEF. RiskSense Platform. RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk.

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

RiskSense Attack Surface Validation for Web Applications

SIEMLESS THREAT MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Threat Centric Vulnerability Management

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Vulnerability Management

Choosing the Right Security Assessment

Automating the Top 20 CIS Critical Security Controls

Dan Lobb CRISC Lisa Gable CISM Katie Friebus

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

All the Latest Data Security News. Best Practices and Compliance Information From the PCI Council

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

PCI DSS v3. Justin

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

SYNACK PCI DSS PENETRATION TESTING TECHNICAL WHITE PAPER

Transforming Security from Defense in Depth to Comprehensive Security Assurance

The Threat & Vulnerability Management Maturity Model

ForeScout ControlFabric TM Architecture

An ICS Whitepaper Choosing the Right Security Assessment

PCI Compliance Assessment Module with Inspector

Defense in Depth Security in the Enterprise

PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring

Vulnerability Assessments and Penetration Testing

Integrated, Intelligence driven Cyber Threat Hunting

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Department of Management Services REQUEST FOR INFORMATION

Six Sigma in the datacenter drives a zero-defects culture

Will you be PCI DSS Compliant by September 2010?

Bomgar Discovery Report

8 Must Have. Features for Risk-Based Vulnerability Management and More

TRUE SECURITY-AS-A-SERVICE

<Partner Name> <Partner Product> RSA Ready Implementation Guide for. Rapid 7 Nexpose Enterprise 6.1

Automated, Real-Time Risk Analysis & Remediation

Device Discovery for Vulnerability Assessment: Automating the Handoff

NCSF Foundation Certification

Carbon Black PCI Compliance Mapping Checklist

Automated Firewall Change Management Securing change management workflow to ensure continuous compliance and reduce risk

Continuously Discover and Eliminate Security Risk in Production Apps

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Vulnerability Management. June Risk Advisory

Think Like an Attacker

RSA NetWitness Suite Respond in Minutes, Not Months

Chapter X Security Performance Metrics

SOLUTION BRIEF Virtual CISO

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

The New Era of Cognitive Security

Run the business. Not the risks.

What is Penetration Testing?

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Security Monitoring. Managed Vulnerability Services. Managed Endpoint Protection. Platform. Platform Managed Endpoint Detection and Response

ForeScout Extended Module for Splunk

What every IT professional needs to know about penetration tests

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE

Machine-Based Penetration Testing

Evolution of Cyber Attacks

SIEMLESS THREAT DETECTION FOR AWS

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture

Total Security Management PCI DSS Compliance Guide

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

Data Sheet The PCI DSS

PCI Compliance. Network Scanning. Getting Started Guide

Keys to a more secure data environment

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Best Practices in Securing a Multicloud World

SOLUTION BRIEF FPO. Imperva Simplifies and Automates PCI DSS Compliance

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

CYBER SOLUTIONS & THREAT INTELLIGENCE

Skybox Security Vulnerability Management Survey 2012

Total Protection for Compliance: Unified IT Policy Auditing

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Reinvent Your 2013 Security Management Strategy

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

EFFECTIVE, SCALABLE, #FULLSTACK VULNERABILITY MANAGEMENT

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

Ingram Micro Cyber Security Portfolio

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Cyber Hygiene: Uncool but necessary. Automate Endpoint Patching to Mitigate Security Risks

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Machine-Based Penetration Testing

90% of data breaches are caused by software vulnerabilities.

CyberArk Privileged Threat Analytics

Qualys Indication of Compromise

The Top 6 WAF Essentials to Achieve Application Security Efficacy

INTELLIGENCE DRIVEN GRC FOR SECURITY

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

INFORMATION SECURITY BRIEFING

White Paper. Closing PCI DSS Security Gaps with Proactive Endpoint Monitoring and Protection

Compliance Audit Readiness. Bob Kral Tenable Network Security

Transcription:

Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc.

What s Changing with PCI DSS? Summary of PCI Business Value provides support for PCI DSS compliance: Automated vulnerability assessment of scan data with coverage for network, database, application, endpoints, and Internet of Things (IoT) devices. Threat-centric prioritization with continuous threat intelligence data feeds and analysis against assets in the environment. Industry-leading, AI-assisted penetration testing with real-time access to findings with remediation actions. Standardized business-based risk scoring, establishing a baseline and guide to measure continuous improvement. The Payment Card Industry (PCI) Council continues to make changes to ensure that their standards are up to date with emerging threats and changes in the market. However, as the PCI Data Security Standard (DSS) requirements continue to be clarified to help merchants and service providers, publicly known breaches continue to occur. This dilemma is driving a renewed focus on identifying high-risk vulnerabilities, priorities, remediation, and verification. Threat and vulnerability management touches many of the PCI DSS requirements, and it is an opportunity for organizations to navigate a path toward achieving continuous compliance and validation. One of the changes to the PCI DSS is the new requirement for service providers to perform penetration testing on segment controls at least every six months. This increased frequency for validation of security controls and vulnerabilities is acknowledging the increased cyber risk these organizations face today. Annual penetration testing still remains for merchants, but how long before this might require more frequent testing? Challenges for Achieving Continuous Compliance and Validation While each control for PCI DSS is individually called out, collectively they create a flow. The full set of controls follows a cycle. The requirements focus on protection, lifecycle management, and close-loop analysis that results in the validation of the controls. Developing effective, continuous compliance requires more than tracking and reporting progress, enumerating the mitigation efforts of identified vulnerabilities, and identifying and managing high-risk assets. The current actions of threat and vulnerability management do not necessarily lead to the validation of exposure, nor do they provide a way to measure remediation effectiveness. Implementation of a continuous compliance program must incorporate vulnerability and threat validation as a foundational element. Its focus is to verify the key answers for PCI DSS: what s susceptible to threats, what s actually exposed, have the threats been remediated, and what change factors put compliance at risk. Organizations will gain the ability to quantify and measure the safety of their environments, PCI segments and others, only when this flow of continuous validation is implemented. Solutions Mapping to PCI Requirements Compliance requires a combination of penetration testing and at least quarterly scanning and analysis. To address the constantly changing threat and vulnerability landscape, and identify changes in the environment that may introduce risk, a continuous approach is desired. The ultimate goal is to be able to validate risk exposure and remediation success. PCI DSS requirements produces a continuous lifecycle of threat and vulnerability validation. Platform the industry s most comprehensive, intelligent platform for managing cyber risk. Page 1

Verification of PCI Controls: Conduct Quarterly Vulnerability Scanning Perform Yearly Penetration Testing for Merchants Conduct Penetration Testing for Service Providers Every Six Months Review Public-Facing Web Applications via Manual or Automated Application Vulnerability Security Assessment Tools or Methods 11.3.4.2 11.3 6.6 11.2 6.1 6.4 PCI Requirements 6.6 11.2.1 6.2 Implementation of Significant Changes Web Application Alterations* Ensure All System Components and Software are Protected from Known Vulnerabilities by Installing Applicable Vendor-Supplied Security Patches Address High-Risk Vulnerabilities in Accordance with Entities Vulnerability Ranking Manage Changing Conditions: *While a WAF may meet the PCI requirement, we strongly recommend performing vulnerability assessments, as well. Remember, this needs to be done after changes to the application, not just annually. Identify Security Vulnerabilities and Risk Rank Analyze & Apply Threat-Centric Prioritization: What the above brings to light is the need for an ongoing partner relationship to support and perform verification assessments and make this process as effective as possible. Doing a one-time or one-off penetration test or vulnerability scan will not get you to compliance. Go Beyond Compliance with Solutions has multiple offerings to help organizations with PCI DSS compliance and is an Approved Scanning Vendor (ASV) and listed provider. The Platform provides visibility, prioritization, and actionable remediation recommendations to shrink attack surfaces and overall cyber risk exposure. Detailed attribution of all the critical vulnerabilities mapped to known exploits, malware, and exploit pulse is presented with detailed remediation action plans. Identify the vulnerabilities that are mostly likely to be used by adversaries to carry out infiltration and utilize post exploitation techniques to launch a successful lateral attack across the enterprise Provide visibility, prioritization, and actionable remediation recommendations to shrink attack surface Vulnerability Discovery helps merchants and service providers identify, prioritize, and provide remediation guidance to critical vulnerabilities. Our service provides a fully managed vulnerability assessment at monthly, quarterly, or annual intervals to swiftly and accurately identify misconfigurations and vulnerabilities on your network. You re provided with a detailed analysis of the assessment results, offering recommendations to remediate identified security gaps. Attack Surface Validation increases the organization s ability to identify and correlate for susceptible attack surface, identify indicators of attack, as well as improve the actionable intelligence of current threat feeds and extend the analysis beyond Internet exposed assets to Intranets (internal assets). Our solution provides a fully managed validation of the vulnerabilities and bypass existing controls that are most likely to be used by cyber adversaries to carry out infiltration and utilize post-exploitation techniques to launch a successful lateral attack. Platform the industry s most comprehensive, intelligent platform for managing cyber risk. Page 2

Why?, Inc. is the pioneer and market leader in threat and vulnerability management. The company provides enterprises and governments with clear visibility into their entire attack surface, including attack susceptibility and validation, as well as quantification of risks based on operational data. The Software-as-a-Service (SaaS) platform and related services unifies and contextualizes internal security intelligence, external threat data and business criticality to reduce cyber risk and move to a more pro-active, collaborative, and real-time discipline. It embodies hands-on expertise gained from defending critical government and commercial networks from the world s most dangerous cyber adversaries. Solution Summary Offerings: Platform Discovery Attack Validation The Platform provides visibility, prioritization, and actionable remediation recommendations to shrink your attack surface and overall cyber risk exposure. Detailed attribution of all the critical vulnerabilities mapped to known exploits, malware, and exploit pulse is presented with detailed remediation action plans. Identify the vulnerabilities that are mostly likely to be used by adversaries to carry out infiltration and utilize post exploitation techniques to launch a successful lateral attack across the enterprise One of the primary goals is identify, prioritize, and provide remediation guidance to critical vulnerabilities before your cyber adversary can exploit them. Our service provides a fully managed vulnerability assessment at monthly, quarterly, or annual intervals to swiftly and accurately identify misconfigurations and vulnerabilities on your network. You re provided with a detailed analysis of the assessment results, offering recommendations to remediate identified security gaps. Organizations require a solution that increases the organization s ability to identify and correlate for susceptible attack surface, identify indicators of attack, as well as improve the actionable intelligence of current threat feeds and extend the analysis beyond Internet exposed assets to Intranets (Internal Assets). Our solution provides a fully managed validation of the vulnerabilities and bypass existing controls that are most likely to be used cyber adversaries to carry out infiltration and utilize post exploitation techniques to launch a successful lateral attack across your organization. Platform the industry s most comprehensive, intelligent platform for managing cyber risk. Page 3

Appendix A Platform Offerings Mapped to PCI-DSS: PCI Requirement Brief Description How Can Assist Product Product Discovery Attack Validation 2.0 Do not use default passwords or security parameters provides visibility into system components, vulnerable services, default and misconfigurations, default user accounts, and insecure vendor default settings. 5.1.2 Identify and evaluate evolving malware threats attack validation evaluates the efficacy of Antivirus systems and other controls in place to protect and defend against polymorphic and malware mutants. 6.1 Establish a process to identify security vulnerabilities and assign a risk ranking Threat Intelligence is aggregated from the Dark Web and over 60 different sources. All the identified vulnerabilities are aggregated and correlated for attack susceptibility. prioritizes vulnerabilities based on risk, exploitability, and the ability to launch a lateral attack. 6.2 Ensure that all components and software are protected from known vulnerabilities continuous assessment and validation will allow organizations to prioritize critical vulnerabilities and provide guidance on applicable patches. validates if critical systems are being patched within 30 days. 6.5 Address common coding vulnerabilities in software-development processes OWASP Top 10 and Top 25 Programming Errors The vulnerabilities identified in 6.5.1 through 6.5.10 provide a minimum baseline. It is up to the organization to remain up to date with vulnerability trends and incorporate appropriate measures into their secure coding practices. solution provides full context of vulnerabilities including common coding errors that are introduced during the development process or by using existing libraries and frameworks. 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks. Implement a methodology for penetration testing to review public-facing web applications via manual or automated application vulnerability security assessment tools or methods. This is an evaluation of web applications in a distinct and customized approach based on the target web application s features. We provide an in-depth understanding of how an input changes data inside the application. We use a proprietary framework to discover multiple attack vectors by passing or inputting data to user interfaces, application programming interfaces (APIs), and other places where inputs are processed. 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). is an approved scanning vendor (ASV). Our service provides a fully managed vulnerability assessment at monthly, quarterly, or annual intervals to swiftly and accurately identify misconfigurations and vulnerabilities on your network. You re provided with a detailed analysis of the assessment results, offering recommendations to remediate identified security gaps. This includes identifying high risk vulnerabilities must be addressed in accordance with the entity s vulnerability ranking (as defined in Requirement 6.1), and verified by rescans. Platform the industry s most comprehensive, intelligent platform for managing cyber risk. Page 4

PCI Requirement Brief Description How Can Assist Product Product Discovery Attack Validation 11.3 Implement a methodology for penetration testing that includes the following: Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope-reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and consideration of threats and vulnerabilities experienced in the last 12 months Specifies retention of penetration testing results and remediation activities results. attack validation empowers organizations to identify and correlate for susceptible attack surface, identify indicators of attack, as well as improve the actionable intelligence of current threat feeds and extend the analysis beyond Internet exposed assets to Intranets (Internal Assets). As a part of the penetration testing and attack surface validation custom exploits and well know common hacker techniques will be used to identify indicators of attack (IOAs) against your existing environment (platforms, applications, devices, and computing elements). Our solution provides a fully managed validation of the vulnerabilities and bypass existing controls that are most likely to be used cyber adversaries to carry out infiltration and utilize post exploitation techniques to launch a successful lateral attack across your organization. The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment. This allows an entity to gain a better understanding of their potential exposure and develop a strategy to defend against attacks. 11.3.4.1 New requirement for service providers to perform penetration testing on segmentation controls at least every six months. Effective February 1, 2018 Platform the industry s most comprehensive, intelligent platform for managing cyber risk. Page 5

Platform the industry s most comprehensive, intelligent platform for managing cyber risk. Contact Us Today to Learn More About, Inc. +1 844.234.RISK +1 505.217.9422 info@.com CONTACT US SCHEDULE A DEMO READ OUR BLOG 2018, Inc. All rights reserved. and the logo are registered trademarks of, Inc. SB_Compliance_01222018

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback