eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Similar documents
The Convergence of Security and Compliance

Carbon Black PCI Compliance Mapping Checklist

White Paper. Closing PCI DSS Security Gaps with Proactive Endpoint Monitoring and Protection

The Convergence of Security and Compliance. How Next Generation Endpoint Security Manages 5 Core Compliance Controls

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Traditional Security Solutions Have Reached Their Limit

Reducing the Cost of Incident Response

Product Security Program

Maximizing IT Security with Configuration Management WHITE PAPER

8 Must Have. Features for Risk-Based Vulnerability Management and More

NIST Special Publication

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Compliance 101: Basics for Security Professionals

Privileged Account Security: A Balanced Approach to Securing Unix Environments

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Compliance Audit Readiness. Bob Kral Tenable Network Security

Best Practices for PCI DSS Version 3.2 Network Security Compliance

THE TRIPWIRE NERC SOLUTION SUITE

Modern Database Architectures Demand Modern Data Security Measures

Run the business. Not the risks.

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

Best Practices in Securing a Multicloud World

Tripwire State of Cyber Hygiene Report

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

SIEMLESS THREAT DETECTION FOR AWS

locuz.com SOC Services

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

SIEMLESS THREAT MANAGEMENT

RSA INCIDENT RESPONSE SERVICES

AKAMAI CLOUD SECURITY SOLUTIONS

Advanced Security Tester Course Outline

Are we breached? Deloitte's Cyber Threat Hunting

Compliance with CloudCheckr

align security instill confidence

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Device Discovery for Vulnerability Assessment: Automating the Handoff

Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs

AND FINANCIAL CYBER FRAUD INSTITUTIONS FROM. Solution Brief PROTECTING BANKING

SIEM: Five Requirements that Solve the Bigger Business Issues

Vulnerability Assessments and Penetration Testing

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Security Operations & Analytics Services

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

IMPROVING NETWORK SECURITY

2017 Annual Meeting of Members and Board of Directors Meeting

SYMANTEC DATA CENTER SECURITY

ForeScout Extended Module for Splunk

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Enhanced Threat Detection, Investigation, and Response

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

WHITE PAPER. Applying Software-Defined Security to the Branch Office

RSA INCIDENT RESPONSE SERVICES

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Asset Discovery with Symantec Control Compliance Suite WHITE PAPER

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

Insurance Industry - PCI DSS

ENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE

CyberArk Privileged Threat Analytics

74% 2014 SIEM Efficiency Report. Hunting out IT changes with SIEM

IoT & SCADA Cyber Security Services

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

01.0 Policy Responsibilities and Oversight

Security. Made Smarter.

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Vulnerability Management Trends In APAC

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Automating the Top 20 CIS Critical Security Controls

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Information Security Controls Policy

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response

Total Protection for Compliance: Unified IT Policy Auditing

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

SOLUTION BRIEF FPO. Imperva Simplifies and Automates PCI DSS Compliance

Machine Learning and Advanced Analytics to Address Today s Security Challenges

deep (i) the most advanced solution for managed security services

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS

The Business Case for Network Segmentation

SIEM Solutions from McAfee

HP Fortify Software Security Center

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

AWS Reference Design Document

IBM PowerSC. Designed for Enterprise Security & Compliance in Cloud and Virtualised environments. Highlights

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Protect Your End-of-Life Windows Server 2003 Operating System

Cisco Start. IT solutions designed to propel your business

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Transcription:

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Today s PCI compliance landscape is one of continuing change and scrutiny. Given the number of recent high-profile breaches in the retail space, the pressures will only increase and organizations are facing significant questions, such as: What are the best practices for PCI assessments? How does an organization best use limited resources to meet compliance requirements and, more importantly, provide a truly secure environment? In 2013, just over half (51%) of companies subject to the PCI Data Security Standards (PCI DSS) passed seven of the twelve requirements, and only 11.1% passed all twelve. These figures support the difficult nature of successful PCI assessments; getting the protection, monitoring, vulnerability scanning and enforcement elements right takes time and resources. Further complicating the issue is the fact that, while compliance is the goal, it s well-known that compliant does not always mean secure. The matrix of individual requirements included in many North American compliance regulations (e.g., PCI, SOX and HIPAA) will vary slightly, but the underlying data or business logic that is used to demonstrate adherence to these controls is essentially the same. By taking a positive security approach that arms their endpoints, organizations can reduce the complexity of assessments, while lowering administration costs and accelerating attainment of a compliant and secure - environment. 2

The following five steps outline a path to meet these goals. 1 Adopt a proactive approach in order to speed up pre-compliance data gathering. Compliance is not a one-time event or an annual project. While easier said than done, an ideal compliance program is constant and proactive, and allows IT to know and see what is on every endpoint and server. In many organizations, IT finds it difficult to know and identify all the assets and data needed to meet compliance requirements. This can lead to a fire-drill mentality during the data-gathering phase, as manual classification; discovery based on negative models (scanning and re-scanning data); and little business intelligence developed against data all lead to a cumbersome and static process. Instead, a proactive approach relies on defined trust sources and focuses on the business process of data gathering. Combining trust policies (IT trusted systems and applications) with business policies leads to a more efficient way to categorize data. This process helps to rapidly identify the bad by whitelisting and filtering out trusted files/processes, which in turn drives and optimizes prevention techniques and helps to enforce security and compliance policy. This process also delivers the ability to focus and prioritize on the high-risk files for security and compliance. 2 Stop scanning your in-scope environment. Over-reliance on scanning is an operational norm and, thus, a challenge many organizations face and, as malware evolves, scanning is increasingly ineffective. In addition, scanning provides volumes of data but in many cases little actionable information, leading to increased use of resources for little or no gain. Within PCI DSS 3.0, Requirement 5 recognizes the limits of scanning and suggests that scanning alone, even if one thinks they are identifying 100% of potential malware, won t meet requirements. Traditional negative security is scan-based, and by nature is limited in its ability to identify and protect. Positive security, with real-time monitoring and threat intelligence capabilities delivered via the cloud, provides the full continuum of the threat landscape, and a real-time enforcement engine with endpoint and network integration. In addition, positive security can cover all network assets, including third-party elements. As recent history has shown, breaches often start via third-party access points, so a positive security posture can help identify and mitigate these threats. 3Apply real-time vulnerability and threat analysis to all in-scope systems. Requirement 6 of PCI DSS 3.0 states that an organization needs to establish a process to identify security vulnerabilities and assign a risk ranking. Further, these rankings have to identify all high risk and critical vulnerabilities, and patches must be installed within one-month, including unsupported systems. In a traditional scan-based system, this requirement is difficult to meet as it requires manual risk assessment. This manual scanning process can be based on news groups, updates and feeds, and is subject to human error. Compare this with a positive security approach using real-time assessment vulnerability analysis and response, delivered via the cloud and updated constantly. This process is not reliant on manual updates, includes recent modifications and alerts, and can cover unsupported elements of a system, e.g., Windows XP. This alternative delivers active intelligence in real time, allowing security teams to see the entire kill chain in seconds; from vulnerable processes to a persistent malicious service. In a scan-based environment, this could take days or weeks to re-create using traditional tools, during which time the organization is vulnerable to attack. 3

4 Control change rather than analyze it to plan and provide for continuous support of all the in-scope systems all the time. PCI assessments, like many IT projects, can fall victim to scope creep, where the original and mandated task grows exponentially to encompass extra work that may or may not produce fruitful results. One way to manage this issue is to focus on critical system and file changes, and avoid analysis paralysis. This can be done by filtering out all the irrelevant changes on the front-end, thus allowing the team to zero in on only authorized critical changes that are relevant to security and compliance. When the IT team is able to scope out large amounts of data and focus instead on in-scope compliance endpoints, they can introduce control over critical infrastructure files, leading to better audit and chain of custody, and a lower administrative cost of change analysis. With this concentrated approach, systems and processes can be identified, protected and updated in real-time, enabling a more secure environment. This also allows the team to provide compensating controls even for systems at or near end-of-life. By focusing on, and protecting the critical data in legacy systems, IT teams can extend security coverage for endpoints. This strategy: locks down a full audit of all inventory; extends compliance coverage; and provides compensating controls for requirements 6.1 and 6.2, as well as a full audit and reporting of endpoint security. Such a whitelisting approach is called out in the PCI FAQs*, which state: Examples of controls that may be combined to contribute to an overall compensating control include. properly-configured application whitelisting that only permits authenticated system files to execute, and isolating the unsupported systems from other systems and networks. *Available at http://www.pcistandards.org/faq 5Ensure you can validate and confirm coverage of the security policy across the Business-As-Usual processes. As highlighted in the PCI DSS Best Practices for Implementing PCI DSS into Business-as-Usual Processes, the ability to enforce the standard on a continuous basis is critical. With proper enforcement, IT teams can ensure their systems are protected, and the burden of the assessment process is reduced with audit evidence that stakeholders are aware of the DSS requirements (see Requirement 12). A positive security approach assists the organization in proving that PCI DSS policy has been distributed to stakeholders, as evidence is collecting that addresses the adherence to PCI DSS policies at mandated points across the enterprise. A positive security approach distributes these mandates to each stakeholder, ensuring the ownership and understanding of responsibilities. This provides audit information and an assurance that standards have been met and the organization is compliant, while ensuring that compliance data is collected within one place. 4

SUMMARY PCI assessments are a key element for all covered entities and, if conducted properly, can lead to not just a compliant organization but a secure one. But in order to make this a reality, careful planning, adequate resources and the proper positive security approach need to be focused on the task. These five suggestions are a good starting point for a positive PCI assessment, but a constantly-aware and proactive approach to PCI compliance and a positive security strategy is the best preparation for a PCI assessment. Visit www.carbonblack.com or contact us at PCIConsultation@carbonblack.com for more information or a free PCI consultation. About Carbon Black Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the balance of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint activity, making it easy to track an attacker s every action, instantly scope every incident, unravel entire attacks and determine root causes. Carbon Black also offers a range of prevention options so organizations can match their endpoint defense to their business needs. Carbon Black has been named #1 in endpoint protection, incident response, and market share. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to: Disrupt. Defend. Unite. 2016 Carbon Black is a registered trademark of Carbon Black, Inc. All other company or product names may be the trademarks of their respective owners. 20160112 RKB 1100 Winter Street Waltham, MA 02451 USA P 617.393.7400 F 617.393.7499W www.carbonblack.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback