This document provides an overview of a briefing on data security, PCI compliance, and how systems management automation can help organizations stay compliant. The briefing covered the challenges of data security and PCI compliance for retailers, the process for satisfying credit card companies and security assessors, key areas to focus on, and how an integrated systems management solution from Kaseya and Omega can help by providing visibility, control, automation and security across an organization's network and endpoints.
Retail IT 2013: Data Security & PCI Compliance Briefing
1. Retail IT 2013:
Data Security & PCI
Compliance Briefing
Kaseya and Omega
2. Data Security and PCI Compliance: Leveraging Systems Management Automation to Stay Compliant
Speakers
Shekar Swamy
President & Senior Security Strategist
Omega
Randy Briggs
US Director – Retail, Hospitality & Leisure
Kaseya
3. Agenda
• The Burden of Data Security & Compliance
• The Process to Satisfy Card Brands and Security Assessment Firms
• Key Areas To Pay Attention To
• The Role of Systems Management Technology
• ROI of an Integrated Solution
• About Kaseya
• Considerations & Recommendations
• Helping You Bridge the Gaps
• Q&A
4. The Burden of Data Security & PCI Compliance
omegasecure.com
5. About Omega ATC
21-year history of performance in retail
Omega systems and services – widely used in the market
Helped many companies achieve compliance – Level 1, Level 2 and Level 4 merchants across the US
Highly secure Data Center to manage data security
Working relationship with major QSA firms
Participating Organization in the PCI council
NACS data security committee
SIGMA Resource and participant
Rapid deployment process
6. Some of our Customers
EDN, INC.
Jaco Oil Company
17. The Stage…
[Network diagram; labels recovered from the slide: Retail Front End; Payments Processor; Network (cards and other traffic); Internet; Firewall/Router; In-store Payment Appliance; POS LAN; “BOS” LAN; Back Office PC; Security Cameras]
22. Where’s Your ROI?
90% of your problems disappear
Your entire environment and systems function smoothly
Eliminate the need to hire more people
Automate hundreds of routine IT tasks – set it and forget it
Data security that protects you
Rapid deployment
Scalable architecture – small, medium and large
Expert support from System Engineers and Security Strategists
Comply with 286+ controls
27. Unified Systems Management
Event Management
• Alerts / Notifications
• System Events
• Logs
Automation
• Scheduling
• Procedures
• API/Messaging
Business Intelligence
• Reporting
• Dashboards
• Interactive Data Views
IT Configuration Management
• Remote Management
• Software Deployment
• Power Management
• Image Deployment
• Desktop Migration
• Mobile Device Management
Business Continuity
• Image Backup
• File & Folder Backup
• Image Virtualization
Asset Management
• Network Discovery
• Hardware Inventory
• Directory Services
• Software Inventory
Service Delivery
• Service Desk/Ticketing
• Policy Management
• Policy Compliance
• Time Tracking
• Service Billing
Security
• Anti-Virus
• Anti-Malware
• Patch Management
• Software Updates
Systems Monitoring
• Systems Checks & Alerts
• Event Monitoring
• Performance Monitoring
• SNMP Monitoring
• Log Monitoring
• VM Monitoring
28. Best Practice Management
Hundreds of Pre-Defined Views, Maintenance Routines, Policies and Automation Procedures
• Device Views by Type
By OS Type/Ver
Exchange, SQL, IIS, etc
• Maintenance Routines
PC and Server Optimization
• Monitor Sets
Application Events/Logs
Hardware Thresholds
Up/Down Faults
Servers, Database, Exchange and Domains
3rd Party Backup, Security and Network Infrastructure
(Out-Of-The-Box BP Configuration Wizard)
29. Unified Security Protection is Critical
• Endpoint security is achieved in layers:
Managed Antivirus/Antimalware
URL Filtering
Local Firewall
Device blocking
Application blocking
Logfile Monitoring
Regular System Audits
OS Patching
Application Patching
Remote System Tracking
System Wiping
30. Security Considerations
We’ve all heard the horror stories
• In 2012 the Retail industry made up 45% of data breach investigations; a 15% increase from 2011 (Trustwave)
• Average cost of a data breach is $5.5 million per breach (Ponemon Institute)
• Symantec source code stolen recently
PC-Anywhere – stop using
• Uninstall/Disable Java everywhere if possible
• Dexter Malware – POS systems IS the target
• The number of new endpoint malware Kaspersky sees on a daily basis averages about 71,000
Targeted attacks will continue…
31. Security Considerations
• Network Perimeter Disappearing
• Endpoint IS the Target (including mobile)
• Compromised Endpoint = Compromised EVERYTHING
(including cloud)
• AV is NOT a commodity
• Security is not ONLY Anti-virus
• Layered Security is Important
• Monitoring and Remediation as Part of the Solution
Retail E-Commerce Websites and POS Systems are a Prime Target
32. Recommendations
• Bridge the Points of IT Service Disconnect (Silos)
the total solution is much better than the sum of its parts
• Centralize Management even if you have Decentralized Roles
• Gain complete visibility and control of remote systems (on/off your network)
• Be proactive not reactive (monitoring and alerting is not good enough if you can’t quickly remediate)
• Choose partners and technology providers who specialize in your industry
Systems Management Suite Will Help You Take Security To The Next Level
33. Recommendations
• Embrace Systems Management AUTOMATION
Routine repetitive tasks (set it and forget it)
Proactive remediation (diagnostics, executables & processes)
Extensibility & integration w/ other systems
Customized services to your environment
Rules, Checks & Balances (if, then, else logic)
The best policies are those that can be enforced
Manage thousands of systems as easily as you can manage one system
34. “Not a Question of If – But When”
• It’s not a question of if – but when – your organization will experience a serious security breach
Even enterprises with the most mature security organizations and advanced security controls can’t prevent every single breach
Source: Forrester, “Planning For Failure” Nov 9, 2011
35. Live Q&A
Thank You For Your Time!
Randy Briggs
508-698-9725 (Direct)
617-834-1128 (Cell)
randy.briggs@kaseya.com
www.kaseya.com
Shekar Swamy
636-557-7777 X 2450
Cell: 610-639-0172
shekar.swamy@omegasecure.com
www.omegasecure.com
Editor's notes
Good morning, or good afternoon or good evening everyone depending on which time zone you might be in right now. Welcome to the Kaseya and Omega Data Security and PCI Compliance Briefing, and thank you for taking time out of your busy day to join us on such an important topic, especially for the retail industry. Since we have a lot to cover, we’re going to go ahead and get started. Please feel free to submit your questions through the webinar chat session and we’ll do our best to answer as many of them as we have time for at the end of this presentation. (Next Slide)
My name is Randy Briggs and I’m one of your speakers today. I’m the US Director of our Retail Solutions vertical at Kaseya. Kaseya is an industry leading provider of IT Systems Management solutions and a visionary leader on Gartner’s magic quadrant for client management tools. Our solutions are widely adopted in the Retail industry among others to help companies achieve measurable and sustained improvements in IT Service delivery, cost containment and risk mitigation as it relates to systems management, security and compliance. I am joined today by Shekar Swamy, who is the President and Senior Security Strategist at Omega. Omega is a recognized provider of data security solutions and services that help retailers of all sizes overcome their systems management and security challenges. Through a combination of their solutions, security expertise and services using the Kaseya platform, Omega helps companies quickly build a foundation for success by assisting them with accelerating and maintaining PCI compliance. Shekar, thank you for joining me today. (Next Slide)
Here is our agenda for today’s session: I am going to provide a brief overview of Kaseya and, more importantly, review the important role that IT Systems Management solutions play in helping you achieve complete visibility and control of your distributed infrastructure and helping you take IT services and data security and compliance to the next level. Throughout our respective presentations, both Shekar and I will be pointing out specific security issues and challenges the retail industry is faced with, and we’ll be suggesting recommendations based on best practices and our own experiences working with hundreds of retailers that you may want to consider implementing for your specific environment and situation to help bridge the gaps. (Next Slide)
Kaseya is a privately held global company that started in the year 2000 and has realized significant year over year growth over the last 12 years. We have over 30 offices located in 20 countries, we employ over 450 employees and have over 15,000 customers who use our technology every day to manage millions of IT assets. As I mentioned in my introduction, Kaseya is a leader on Gartner’s Magic Quadrant for client management tools and, along with our corporate clients who deploy our solution in-house, we have a significant market share of the Managed Services industry who provide IT services to their customers as an outsourced service…like Shekar and his team of security experts at Omega. Currently 53 of the top 100 global MSPs use Kaseya to provide outsourced IT services to their clients. The solution is totally re-brandable to look and feel like it’s your own custom service application. Kaseya, in case you’re wondering what that means, is a Native American word that means to secure and protect. So to net it out, our sole focus and vision has been, and continues to be, to help companies and IT Service providers secure, protect and manage their IT assets and distributed networks. (Next Slide)
Our Vision is to provide Enterprise-Class IT Systems Management for Everybody. So whether you’re a small IT group who manages a hundred systems or a larger IT organization managing tens of thousands of systems, you can leverage the same functionality & best practices and experience the power of systems management automation to optimize IT service operations and lower your cost of service delivery regardless of your size or what industry you’re in. The other critical component of executing on this vision is to provide solutions that are Fast to implement and deploy (a few weeks vs. months); Easy to use and manage, which will help you be more productive; and Affordable, so it will fit your budget…but also to provide a solution that is flexible and scalable to adapt to changing technologies and will grow with you as your company grows and as your IT service needs change over time. This is best represented on the next slide describing the Kaseya Architecture. (Next Slide)
Fast: companies are able to implement in a very short period of time (a few weeks vs. months) and deploy across their entire environment within hours vs. days or weeks.
Easy to use and easy to manage: bringing your core service functions and the tasks you perform on a daily basis together in a single pane of glass, giving you complete visibility & control of all your assets in one place and an intuitive interface that makes it very easy to use, the ability to leverage best practices and IT service automation to help you be more productive and do your job 10 times easier, and the ability to create your own reports and make system-wide changes on the fly.
Affordable: cost is based on the number of endpoints you manage and the service functions you choose; and customers have the choice of in-house or hosted SaaS subscription models to fit your budget and preferences.
TechValidate, an independent survey company, recently surveyed our customers and a high percentage of them realized a positive ROI within the first 6 months, but it can be as quick as only a few months depending on your situation. (Next Slide)
Kaseya was developed from the ground up with security in mind. The core framework or architecture is as important as the solutions built on top of it. Our developers and engineers bring decades of experience designing secure systems for Government and Commercial applications across all industries including Banking and Financial Institutions, Education, Healthcare, and of course Retail among others. Back in 2000 our company was formed when our founders won a bid with the NSA, who needed a secure architecture to deliver IT services to their remote systems from anywhere, whether those assets were on or off their network. The result is what you see in this diagram.
A small, lightweight agent gets deployed on the endpoint which initiates all communications back to your server and will not accept any inbound connections. Virtually impossible for a 3rd party application to attack the agent from the network.
AES 256 encrypted communications tunnel between the agent and the Kaseya server (no reliance on VPNs, appliances, or multiple port schemes).
Proprietary and Patented algorithms for secure and efficient communications - rolling key every time the server tasks the agent/endpoint.
No plain-text data packets passing over the network - nothing available for an attacker to exploit.
The Kaseya web console (VSA) fully supports operating as an SSL web site.
We provide all of the content for you out of the box to help you get up and running quickly based on best practices configuration wizards, and allow you the flexibility to tweak these or build your own content and agent procedures (automation) as needed.
Having all these services unified, integrated and feeding information to each other working in concert with each other provides a higher level of systems management vs. having disparate silo’d tools that don’t talk to each other or work together. You have a much higher level of visibility, control and intelligence over your environment allowing you to be much more efficient in delivering services, being proactive in identifying and remediating issues.
We’ve all heard the horror stories – but the intent here is not to throw any particular retailer or brand under the bus. Let any retailer who hasn’t been through a security issue or breach cast the first stone! This first statistic is a big eye opener and reinforces the fact that the cybercriminals are attacking where the money is…intellectual and personal property and cardholder data. When it comes down to your intellectual property, your brand reputation and customer loyalty, you don’t want to be tomorrow’s news about a security breach…and it costs a lot of money to recover, as seen here: the average cost of a data breach is $5.5 Million per breach. Hackers are not only targeting the endpoint to penetrate your network and shoplift your data, they clearly are going after companies that create cyber-security applications … and that’s a trend that will continue. A few other key takeaways from the just released Trustwave 2013 Global Security Report were that 63% of investigations revealed that it was a third-party provider that introduced security deficiencies easily exploited by hackers…and E-commerce sites accounted for 48% of all investigations. It is clear that these targeted attacks will continue and the Retail Industry is a prime target.
Companies have done a good job in securing the network perimeter; so much so that the hackers aren’t spending their time going after the data center; but with the highly distributed nature of retail, there’s so much more to consider when it comes to security protection. Hackers know the endpoint is often the easiest path to gain entry into the retailer’s network and data. Clearly, a new generation of shoppers, increases in E-Commerce, tablet and mobile device usage, mobile payments, and social media tools are all representing new security challenges for retailers. The retailer is forced to fight an advanced battle – often with platforms that work against them. Another key takeaway from the Trustwave report is that mobile malware increased 400%, with malware found on Android devices growing from 50,000 to more than 200,000 samples.
The question you need to ask yourself is how quickly you can respond. Another interesting statistic from the Trustwave Global Security report was that 64% of organizations attacked took more than 90 days to detect an intrusion, with the average time for detection being 210 days! So, how can you ensure early detection, and do you have the tools and systems in place for quick remediation of incidents? How can you stay protected from the ever-growing global network of hackers? How quickly can you recover from what appears to be the inevitable security or compliance disaster that has the ability to damage or even destroy your brand reputation? How quickly can you detect, remove, uninstall, prevent access, re-deploy, and keep viruses from spreading to other systems…across hundreds or thousands of endpoints across your entire infrastructure? Just as you have a good disaster recovery plan to get back to normal operations when a natural or man-made disaster strikes, when it comes to security and compliance, QUICK action is the key and you need a platform, an architecture, and a concert of service functions (Audit/Inventory, Patching, AV, AM, Monitoring & Remediation, your service desk…all your layered security components) working together to remediate as quickly as possible.
Common myths & misconceptions of Automation:
• Scheduling Only – scheduling certain things to run at certain times (patches, AV & software updates, auditing, etc.)
• Automation is only used for routine maintenance tasks
• I need to have a script-God on my staff with a certain scripting language skill set
• We’ve already spent too much time creating our own custom scripts and don’t want to start over recreating them
• I’m going to automate myself out of a job – replacing manual typewriters with electronic typewriters and then word processing applications never replaced the typist, just like Excel spreadsheets didn’t replace the number crunchers! Automation doesn’t mean replacing the human element; it’s a solution that makes your job easier and makes you more productive and allows you to take your skill sets and services to a higher level! Using the Excel spreadsheet analogy, when you change a formula in one cell you want it to update the entire spreadsheet – the same concept applies across your entire infrastructure or across groups of machines, locations, types, etc.
We’ve actually had people tell us that when they left their job to work for another company, a major consideration when choosing their new employer was whether they use Kaseya! When you have your house in order, it’s easier to attract and retain good skills and talent.
So now that we have explored the myths and what Automation is not…let’s explore the power of true ITSM Automation.
So it comes down to “not a question of if…but when” your organization will experience a serious security breach. An interesting recent survey from Forrester on this subject revealed: during the past 12 months, 25% of IT security decision-makers and influencers reported at least one breach of their sensitive information; but it is interesting to note that 21% of respondents didn’t feel comfortable answering that question – a testament to just how sensitive enterprises have become to the potential economic impact and damage to corporate reputation of a publicized security breach. In the same report, Forrester believes that even among those respondents that reported no breaches in the past 12 months, many of them suffered a breach – they just don’t know it. It’s important to realize that you need technology solutions to assist with compliance. In the case of PCI, there are many requirements that have to do with policies and procedures unrelated to technology, but there are other areas where you need to rely on technology to help you get and stay compliant. Having said that, just because you’re PCI compliant doesn’t mean your environment is secure and, conversely, just because your systems and networks are secure doesn’t mean you’re compliant. You need both, and that’s where the partnership between Kaseya and Omega comes in: to provide a blended approach where you can leverage the best technology along with a team of highly experienced security and compliance specialists to help you be successful in this on-going security battle.