
Configuration Assessment & Change Auditing Solutions

VISIBILITY INTELLIGENCE

AUTOMATION

IT Security and Compliance Automation

Tripwire is the leading global provider of IT Security & Compliance Automation solutions

PCI: A Valuable Security Framework, Not a Punishment

IT SECURITY and COMPLIANCE AUTOMATION. Don’t Take Chances. TAKE CONTROL.

Today’s Speakers

John Kindervag

Senior Analyst

Forrester Research

Cindy Valladares

PCI Solutions Manager

Tripwire

PCI Unleashed: Embracing PCI As A Next-Generation Security Architecture

John Kindervag, Senior Analyst, Forrester Research

Entire contents © 2009 Forrester Research, Inc. All rights reserved.

Key Components of PCI

1. PCI is here to stay.

2. PCI incentivizes security.

3. Successful companies will derive value from PCI.


PCI unleashed


“PCI feels like something that is being done to me and not something being done with me.”

— CISO global company


Executive summary

• PCI is imposed on all businesses using credit cards in any way.

• It is the result of a long-term and systemic failure in corporate governance.

  – Willingness to accept poor internal data security practices

  – Profitability was more important than security.

• Corporations assumed that card brands took all the risk.

• PCI DSS was created to transfer some risk to merchants.


PCI misperceptions

• How can you be hacked if you are compliant?

• PCI is a never-ending process with complex requirements.

  – It requires day-to-day and hour-to-hour diligence to remain compliant.

  – The difficulty a company is having becoming PCI-compliant is a direct reflection of its overall approach to information security.

• The validation of compliance ≠ security.


The PCI troika

Compliance

Validation

Security


Compliance

• Compliance is the act of meeting the terms of the PCI DSS.

• Compliance assumes self-enforcement.

• It is not enforced by the card brands.

• Noncompliance is penalized by fines.

• Noncompliance is not an option.



Validation

• Merchants are assumed to be 100% PCI-compliant at all times.

• Different levels of merchants may require third-party validation (QSA assessment).

• Validation is like your dad checking up on you.

• Many companies that appear to be “PCI-compliant” have misrepresented their compliance.

• You will hear the term “compliance validation.”



Security

• Security encompasses all elements of protecting your network and data from misuse.

• Security should be a given in any organization.

• Buzzword time!

• Your greatest “corporate social responsibility” is to protect your customer’s data.



Compliance does not equal security

• Compliance incentivizes security.

• Compliance is a stick and not a carrot.

• PCI has succeeded masterfully.

  – PCI has gotten the attention of the enterprise:

    • Fines and fees

    • Brand damage

    • Lawsuits


How can companies derive value from their PCI-compliance initiatives?

• There are several important ways that PCI provides value to in-scope companies:

  – PCI creates awareness for data-centric security.

  – PCI unlocks budgets for security.

  – PCI defines a set of tactical best practices for network and data security.

  – PCI is easily molded into an understandable and actionable security, risk, and compliance framework.

• Make PCI your security framework.


The open source of compliance

• Used by millions of companies, it:

  – Has been vetted.

  – Has established support communities.

  – Has a highly trained workforce.

  – Is easy to hire expertise around.

• Non-PCI companies are looking at PCI as a best practices framework.


Compliance costs less than compromise

• Cost is a variable based on your beginning state of security.

• PCI reduces costs:

  – Prescriptive

  – Helps avoid costly breaches

  – Helps achieve SOX and other compliance requirements cost-effectively

• PCI is not a zero-sum game.


Source: April 10, 2007, “Calculating The Cost Of A Security Breach” Forrester report

The cost of a breach


TJX accrued expenses (10,000) — 2008


The pièce de résistance

• “Since discovering the computer intrusion, we have taken steps designed to strengthen the security of our computer systems and protocols and have instituted an ongoing program with respect to data security.”


“High-level frameworks have little value.”

— CISO global company

Compliance by cheerleading


A PCI framework has value

• Your company will need to become compliant with PCI anyway.

• Use your efforts to define your future security objectives.

• Leverage existing controls.

• Expand new PCI-related controls to other areas.

• PCI has never claimed to be perfect bulletproof security.

• You can’t repeal PCI.


PCI unleashed framework


Key Takeaways

1. PCI is actionable.

2. PCI unlocks budgets.

3. PCI incentivizes good security and makes an excellent baseline framework.


Good security = free compliance

COMPLIANCE / SECURITY / CONTROL

Increased Security through Constant Compliance

Tripwire VIA™: VISIBILITY INTELLIGENCE AUTOMATION

Cindy Valladares | Solutions Marketing


Agenda

1. The Problem

2. What’s Needed

3. How Tripwire Helps


Problem: Taking Too Long to Find Breaches/Risks

Breach discovery timeline, as shown on the slide:

• Feb. 2010: Average time between a breach and the detection of it: 156 days [5.2 months]

• 2009: Breaches go undiscovered and uncontained for weeks or months in 75% of cases.

• 2010: “…breaches targeting stored data averaged 686 days [of exposure]”

• Feb. 2010: “More than 75,000 computers … hacked” -- the attack began late 2008 and was discovered last month


Result: The Time Delay Of Discovery Is Costly!

“The average cost per breach in 2009 was $6.7 million…”

Ponemon Institute, Jan. 25, 2010

“Heartland Payment Systems announced today that it will pay Visa-branded credit and debit card issuers up to $60 million…”

Bank Info Security, Jan. 8, 2010

Breach Discovery


Need: Close The Time Gap

Breach Discovery (timeline figure)


Need: Close The Time Gap

Many Compromising Problems Are Difficult To Discover

Logging turned off

FTP event to foreign IP

New user added

DLL modified by new user

FTP enabled

Login successful

10 failed logins


Just Detecting Change Is Not Enough… Policy-Based Intelligence Is Required

Logging turned off

New user added

DLL modified by new user

FTP enabled

Typical FIM cannot raise these types of alerts. Change intelligence is required.


Just Detecting Log Events Is Not Enough… Policy-Based Intelligence Is Required

Login successful

FTP event to foreign IP

10 failed logins

Log management alone cannot alert on these events—SIEM is required.


Relating Change Events to Log Events… Best Chance To Discover Compromising Problems Quickly

Logging turned off

Login successful

FTP event to foreign IP

New user added

DLL modified by new user

FTP enabled

10 failed logins

Events of Interest

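The policy-based correlation the last three slides describe, as an added illustration that is not Tripwire Enterprise or Log Center code: a small correlator that only raises the slides’ “events of interest” when change events and log events line up on one host. The rule names, the 30-minute window, treating 10.0.0.0/8 as the corporate range, and every sample event are assumptions constructed for the example.

```python
"""Toy change/log correlator for the three slide scenarios (added
example, not Tripwire code; all events below are constructed)."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window
CORP_NET = "10."                 # assumed: anything else is a "foreign IP"

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample feed: (timestamp, host, source, event, detail);
# source "change" = FIM/config monitor, "log" = log manager.
EVENTS = [("2010-02-01T01:00:%02d" % i, "pos-7", "log", "failed_login",
           "user=admin") for i in range(10)] + [
    ("2010-02-01T01:02:30", "pos-7", "log",    "login_success", "user=admin"),
    ("2010-02-01T01:03:00", "pos-7", "change", "user_added",    "user=svc_tmp"),
    ("2010-02-01T01:04:00", "pos-7", "change", "dll_modified",  "user=svc_tmp"),
    ("2010-02-01T01:05:00", "pos-7", "change", "logging_off",   ""),
    ("2010-02-01T01:06:00", "pos-7", "change", "ftp_enabled",   ""),
    ("2010-02-01T01:07:00", "pos-7", "log",    "ftp_transfer",  "dst=203.0.113.9"),
    ("2010-02-01T09:00:00", "web-2", "change", "user_added",    "user=newhire"),
]

def correlate(events, window=WINDOW):
    """Return (host, finding) pairs. Rule 1 needs log-to-log correlation
    (SIEM), rule 2 change-to-change (change intelligence), rule 3 both
    feeds together; a single feed cannot produce all three."""
    findings, by_host = [], {}
    for e in sorted(events):
        by_host.setdefault(e[1], []).append(e)
    for host, evs in by_host.items():
        def recent(kind, before, pred=lambda d: True):
            return [e for e in evs if e[3] == kind and pred(e[4])
                    and ts(before) - window <= ts(e[0]) <= ts(before)]
        for t, _, _src, kind, detail in evs:
            # Rule 1: a successful login preceded by >= 10 failed logins
            if kind == "login_success" and len(recent("failed_login", t)) >= 10:
                findings.append((host, "brute_force_login"))
            # Rule 2: DLL modified by an account created moments earlier
            if kind == "dll_modified" and recent("user_added", t, lambda d: d == detail):
                findings.append((host, "new_user_modified_dll"))
            # Rule 3: FTP enabled and logging turned off (change events),
            # then an FTP transfer to a foreign IP (log event)
            if (kind == "ftp_transfer" and not detail.split("=")[1].startswith(CORP_NET)
                    and recent("ftp_enabled", t) and recent("logging_off", t)):
                findings.append((host, "ftp_exfil_after_logging_disabled"))
    return findings
```

Feeding `correlate` only the `log` rows or only the `change` rows yields a single finding each; only the combined feed produces all three.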

Tripwire VIA™ (VISIBILITY INTELLIGENCE AUTOMATION)

Tripwire Enterprise: File Integrity Monitoring, Compliance Policy Manager

Tripwire Log Center: Log Manager, Security Event Manager

Solution: Intelligent Threat Control


Questions

Cindy Valladares | [email protected]

www.tripwire.com

Twitter: @cindyv @TripwireInc

John Kindervag | Forrester [email protected]

www.forrester.com