Configuration Assessment & Change Auditing Solutions
VISIBILITY INTELLIGENCE AUTOMATION
IT Security and Compliance Automation
Tripwire is the leading global provider of IT Security & Compliance Automation solutions
PCI: A Valuable Security Framework, Not a Punishment
IT SECURITY and COMPLIANCE AUTOMATION. Don’t Take Chances. TAKE CONTROL.
Today’s Speakers
John Kindervag, Senior Analyst, Forrester Research
Cindy Valladares, PCI Solutions Manager, Tripwire
PCI Unleashed: Embracing PCI As A Next-Generation Security Architecture
John Kindervag, Senior Analyst, Forrester Research
Entire contents © 2009 Forrester Research, Inc. All rights reserved.
Key Components of PCI
1. PCI is here to stay.
2. PCI incentivizes security.
3. Successful companies will derive value from PCI.
“PCI feels like something that is being done to me and not something being done with me.”
— CISO, global company
Executive summary
•PCI is imposed on all businesses using credit cards in any way.
• It is the result of a long-term and systemic failure in corporate governance.
– Willingness to accept poor internal data security practices
– Profitability was more important than security.
•Corporations assumed that card brands took all the risk.
•PCI DSS was created to transfer some risk to merchants.
PCI misperceptions
•How can you be hacked if you are compliant?
•PCI is a never-ending process with complex requirements.
– It requires day-to-day and hour-to-hour diligence to remain compliant.
– The difficulty a company is having becoming PCI-compliant is a direct reflection of its overall approach to information security.
•The validation of compliance ≠ security.
The PCI troika
Compliance
Validation
Security
Compliance
•Compliance is the act of meeting the terms of the PCI DSS.
•Compliance assumes self-enforcement.
• It is not enforced by the card brands.
•Noncompliance is penalized by fines.
•Noncompliance is not an option.
Validation
•Merchants are assumed to be 100% PCI-compliant at all times.
•Different levels of merchants may require third-party validation (QSA assessment).
•Validation is like your dad checking up on you.
•Many companies that appear to be “PCI-compliant” have misrepresented their compliance.
•You will hear the term “compliance validation.”
Security
•Security encompasses all elements of protecting your network and data from misuse.
•Security should be a given in any organization.
•Buzzword time!
•Your greatest “corporate social responsibility” is to protect your customer’s data.
Compliance does not equal security
•Compliance incentivizes security.
•Compliance is a stick and not a carrot.
•PCI has succeeded masterfully.
– PCI has gotten the attention of the enterprise:
•Fines and fees
•Brand damage
•Lawsuits
How can companies derive value from their PCI-compliance initiatives?
•There are several important ways that PCI provides value to in-scope companies:
– PCI creates awareness for data-centric security.
– PCI unlocks budgets for security.
– PCI defines a set of tactical best practices for network and data security.
– PCI is easily molded into an understandable and actionable security, risk, and compliance framework.
•Make PCI your security framework.
The open source of compliance
•Used by millions of companies, it:
– Has been vetted.
– Has established support communities.
– Has a highly trained workforce.
– Is easy to hire expertise around.
•Non-PCI companies are looking at PCI as a best practices framework.
Compliance costs less than compromise
•Cost is a variable based on your beginning state of security.
•PCI reduces costs.
– Prescriptive
– Helps avoid costly breaches
– Helps achieve SOX and other compliance objectives cost-effectively
•PCI is not a zero-sum game.
The cost of a breach (chart; source: April 10, 2007, “Calculating The Cost Of A Security Breach” Forrester report)
TJX accrued expenses, 2008 (chart)
The pièce de résistance
• “Since discovering the computer intrusion, we have taken steps designed to strengthen the security of our computer systems and protocols and have instituted an ongoing program with respect to data security.”
“High-level frameworks have little value.”
— CISO, global company
Compliance by cheerleading
A PCI framework has value
•Your company will need to become compliant with PCI anyway.
•Use your efforts to define your future security objectives.
•Leverage existing controls.
•Expand new PCI-related controls to other areas.
•PCI has never claimed to be perfect, bulletproof security.
•You can’t repeal PCI.
Key Takeaways
1. PCI is actionable.
2. PCI unlocks budgets.
3. PCI incentivizes good security and makes an excellent baseline framework.
Good security = free compliance
COMPLIANCE | SECURITY | CONTROL
Increased Security through Constant Compliance
Tripwire VIA™: VISIBILITY INTELLIGENCE AUTOMATION
Cindy Valladares | Solutions Marketing
Problem: Taking Too Long to Find Breaches/Risks
•Average time between a breach and its detection: 156 days (5.2 months). (Feb. 2010)
•Breaches go undiscovered and uncontained for weeks or months in 75% of cases. (2009)
•“…breaches targeting stored data averaged 686 days [of exposure]” (2010)
•“More than 75,000 computers … hacked” -- the attack began in late 2008 and was discovered last month. (Feb. 2010)
Result: The Time Delay Of Discovery Is Costly!
•“The average cost per breach in 2009 was $6.7 million…” (Ponemon Institute, Jan. 25, 2010)
•“Heartland Payment Systems announced today that it will pay Visa-branded credit and debit card issuers up to $60 million…” (Bank Info Security, Jan. 8, 2010)
Need: Close The Time Gap
Many Compromising Problems Are Difficult To Discover
•Logging turned off
•FTP event to foreign IP
•New user added
•DLL modified by new user
•FTP enabled
•Login successful
•10 failed logins
Just Detecting Change Is Not Enough… Policy-Based Intelligence Is Required
•Logging turned off
•New user added
•DLL modified by new user
•FTP enabled
Typical FIM reports that a file or setting changed but cannot raise these alerts on its own; change intelligence is required.
Just Detecting Log Events Is Not Enough… Policy-Based Intelligence Is Required
•Login successful
•FTP event to foreign IP
•10 failed logins
Log management alone cannot alert on these events; a SIEM is required.
Relating Change Events to Log Events… Best Chance To Discover Compromising Problems Quickly
Events of interest:
•Logging turned off
•Login successful
•FTP event to foreign IP
•New user added
•DLL modified by new user
•FTP enabled
•10 failed logins
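The correlation the preceding slides call for, written out as an added example (Python, not Tripwire's code): it pairs the change events a FIM or configuration-audit tool records with the log events a log manager collects, and raises an alert only when a combination matches a policy rule, rather than on every change or every log line. The event records, the address ranges treated as internal, the one-hour window and the failed-login threshold are all constructed assumptions for illustration.

```python
"""Correlate change (FIM) events with log events to surface the slide's
'events of interest'. Added example, not Tripwire code; every event,
address range and threshold below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # "change" (FIM / config audit) or "log" (syslog, auth log)
    kind: str        # normalised event type, e.g. "user_added", "login_failed"
    host: str
    user: str = ""   # account that performed or experienced the event
    detail: str = "" # free field: file path, created account, remote IP, ...


# Assumption: the organisation's own address space; anything else is "foreign".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WINDOW = timedelta(hours=1)          # how far back a rule may look on one host
FAILED_LOGIN_THRESHOLD = 10          # the slide's "10 failed logins"


def is_foreign(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def correlate(events: Iterable[Event]) -> list[str]:
    """Return alert strings. Each rule ties a change event to a log event
    (or to a second change event) on the same host inside WINDOW."""
    evs = sorted(events, key=lambda e: e.ts)
    alerts = []
    for e in evs:
        # earlier events on the same host within the look-back window
        prior = [p for p in evs
                 if p.host == e.host and p.ts < e.ts and e.ts - p.ts <= WINDOW]
        # Rule 1: policy says disabling audit logging is always of interest,
        # even though to plain FIM it is just one more changed setting.
        if e.kind == "logging_disabled":
            alerts.append(f"{e.host}: logging disabled by {e.user} ({e.detail})")
        # Rule 2: an account created moments ago modifies a system library.
        if e.kind == "file_modified" and any(
                p.kind == "user_added" and p.detail == e.user for p in prior):
            alerts.append(f"{e.host}: new user {e.user} modified {e.detail}")
        # Rule 3: FTP enabled by a change, then an FTP session to a foreign IP.
        if e.kind == "ftp_connection" and is_foreign(e.detail) and any(
                p.kind == "ftp_enabled" for p in prior):
            alerts.append(f"{e.host}: FTP to foreign IP {e.detail} after FTP enabled")
        # Rule 4: brute force - N failed logins then success for the same user.
        if e.kind == "login_success":
            fails = [p for p in prior
                     if p.kind == "login_failed" and p.user == e.user]
            if len(fails) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{e.host}: {e.user} logged in after {len(fails)} failures")
    return alerts


# Constructed sample stream (not real telemetry), in the order it would arrive.
T0 = datetime(2010, 2, 1, 2, 0)
SAMPLE = [
    Event(T0, "change", "logging_disabled", "pos-01", "svc_backup", "audit policy"),
    Event(T0 + timedelta(minutes=3), "change", "user_added", "pos-01", "svc_backup", "tmpadm"),
    Event(T0 + timedelta(minutes=5), "change", "file_modified", "pos-01", "tmpadm",
          "C:\\Windows\\System32\\crypt32.dll"),
    Event(T0 + timedelta(minutes=6), "change", "ftp_enabled", "pos-01", "tmpadm", "ftpd service"),
    *[Event(T0 + timedelta(minutes=10, seconds=i), "log", "login_failed", "pos-01", "administrator")
      for i in range(12)],
    Event(T0 + timedelta(minutes=11), "log", "login_success", "pos-01", "administrator"),
    Event(T0 + timedelta(minutes=20), "log", "ftp_connection", "pos-01", "administrator", "203.0.113.45"),
    Event(T0 + timedelta(minutes=25), "log", "ftp_connection", "pos-02", "ops", "10.1.2.3"),  # internal, FTP never enabled by change: no alert
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Run stand-alone it prints four alerts for host pos-01 and nothing for pos-02, whose internal FTP session has no preceding "FTP enabled" change. In a production deployment the look-back would be a bounded sliding window over a stream rather than a full list scan, and the "internal" ranges and thresholds would come from policy, not constants.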
Solution: Intelligent Threat Control
Tripwire VIA™ (Visibility, Intelligence, Automation):
•Tripwire Enterprise: File Integrity Monitoring, Compliance Policy Manager
•Tripwire Log Center: Log Manager, Security Event Manager
Questions
Cindy Valladares | [email protected] | www.tripwire.com | Twitter: @cindyv @TripwireInc
John Kindervag | Forrester | [email protected] | www.forrester.com