Josh Corman, Research Director, Enterprise Security Practice, is known for his deep insights into and candid discussions about the state of enterprise security and the variables and trends that shape it. Listen as Josh discusses how and why PCI compliance has affected the state of security, specifically the impact of approaching PCI as a checklist. He also offers ideas for what we need to do, and the types of solutions we need, to not only satisfy the PCI audit but also provide real system security. Josh discusses this in an informal back-and-forth format with Gene Kim, Tripwire co-founder and CTO.
In this webcast, you'll learn:
How compliance introduced cost and complexity by causing a divergence between what we need to do to pass an audit and what we need to do to avert threats.
The fallacy that being PCI compliant means you're secure.
Controls that help you pass your PCI audit while also deterring advanced threats.
How Tripwire VIA solutions provide that rare combination of controls that address both compliance and security.
4. The [Possible] Perils PCI Brings to Security
Joshua Corman
Research Director, Enterprise Security
The 451 Group
5. Who am I?
Research Director for Enterprise Security, The 451 Group
Joined The 451 Group on Oct 2009
►12 years in Networking and Security
– Former Principal Security Strategist [IBM ISS]
– Sold stealth start-up vCIS to ISS in 2002
►Industry Leadership
– Expert Faculty - The Institute for Applied Network Security (IANS)
– 2009 NetworkWorld Top 10 Tech People to Know
– Co-Founder: “Rugged” www.ruggedsoftware.org
►Things I’ve been researching:
− Compliance vs Security
− Virtualization and Cloud Computing
− The Economics of Security
− Politically Motivated Cyber (APT/APA/SMT)
− Comprehensive Data Security
20. Information Asymmetry
Compliance
Free Report:
Security derivatives: the downward spiral caused by information asymmetry
http://www.the451group.com/intake/securityderivatives/
25. PCI’s Target
PCI is not meant to protect *you*…
…that is your job
– Card Data
– Intellectual Property
– Productivity
– Systems
– Corporate Secrets
– Competitive Differentiation
26. The Chosen Few…
If we apply a “purchase and deploy” lens to PCI DSS 1.2, we can infer which security product categories are sure to get spending.
The Winners: “Nine” security technologies specifically buoyed by PCI DSS
1. Firewall (FW)
2. Intrusion Detection Systems (IDS) – not even IPS. This can be NIDS or HIDS
3. Anti-Virus (AV)
4. Multi-Factor Auth
5. Encryption (Non-OS Native)
6. File Integrity Monitoring (FIM) – “like Tripwire”
7. Vulnerability Assessment/Management
8. *Log Management – not SIM or ESIM (*technically don’t need a product)
9. OPTIONAL: Web Application Firewall (WAF) or an SDLC
PCI Services:
1. External scans by a certified ASV (Application Scanning Vendor) – quarterly scans by a certified 3rd party (or after “major” changes)
2. The QSA Audit itself (annually ranging from $10,000 - $25,000)
3. If breached (which never happens), required to use a certified QIRA for Incident Response
27. A mismatch…
►PCI Rocks YouTube Video:
– http://www.youtube.com/watch?v=xpfCr4By71U
►Is PCI the No Child Left Behind Act for Information Security?
28. Change, Change, Change…
►Solve for all sources of change
– Threat
– Technology
– Business
– Economics
– Compliance
►Assume Information Asymmetry
– Seek new sources of Information
– Distrust Legacy Wisdom
►Planning for Agility
– Think 3-5 years
– Look for extensibility and roadmap
[Diagram: evolving threat, technology, business, economics and compliance feeding cost, complexity and risk]
30. Related Reading*
Security derivatives: the downward spiral caused by information asymmetry
http://www.the451group.com:80/report_view/report_view.php?entity_id=60884
The adversary: APTs and adaptive persistent adversaries
http://www.the451group.com:80/report_view/report_view.php?entity_id=62643
Like spinning plates: five sources of cost, complexity and risk in IT security – Part 1
http://www.the451group.com:80/report_view/report_view.php?entity_id=62198
Security Quarterly: E-Crime and Advanced Persistent Threats: How Profit and Politics Affect IT Security Strategies
http://www.the451group.com/security/security_detail.php?icid=1060
* We will happily provide trial access for participants of this Webinar
34. Problem: Taking Too Long to Find Breaches/Risks
Breaches go undiscovered and uncontained for weeks or months in 75% of cases. (2009)
Average time between a breach and the detection of it: 156 days [5.2 months] (Feb. 2010)
“…breaches targeting stored data averaged 686 days [of exposure]” (2010)
“More than 75,000 computers … hacked” -- The attack began late 2008 and was discovered last month (Feb. 2010)
35. Result: The Time Delay Of Discovery Is Costly!
“The average cost per breach in 2009 was $6.7 million…”
Ponemon Institute, Jan. 25, 2010
36. Result: The Time Delay Of Discovery Is Costly!
“The average cost per breach in 2009 was $6.7 million…”
Ponemon Institute, Jan. 25, 2010
“Heartland Payment Systems announced today that it will pay Visa-branded credit and debit card issuers up to $60 million…”
Bank Info Security, Jan. 8, 2010
38. Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
[Table of comparative metrics (e.g. “Fewest”, “One-third”, “5 times”, “14 times more”, “10x faster”, “8 times more”, “6 times more”); row labels not recovered]
Source: IT Process Institute, May 2008
40. 2007: Three Controls Predict 60% Of Performance
• Standardized configuration strategy
• Process discipline
• Controlled access to production systems
Source: IT Process Institute, May 2006
41. Need: Close The Time Gap
Many Compromising Problems Are Difficult To Discover
– Logging turned off
– FTP event to foreign IP
– New user added
– Login successful
– FTP enabled
– 10 failed logins
– DLL modified by new user
42. Just Detecting Change Is Not Enough…
Policy-Based Intelligence Is Required
– Logging turned off
– New user added
– FTP enabled
– DLL modified by new user
Typical FIM cannot make these types of alerts. Change intelligence is required.
43. Just Detecting Log Events Is Not Enough…
Policy-Based Intelligence Is Required
– FTP event to foreign IP
– Login successful
– 10 failed logins
Log management alone cannot alert on these events—SIEM is required.
44. Relating Change Events to Log Events…
Best Chance To Discover Compromising Problems Quickly
Events of Interest:
– Logging turned off
– FTP event to foreign IP
– New user added
– Login successful
– FTP enabled
– 10 failed logins
– DLL modified by new user
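As an added example (written for this page, not Tripwire's code and not from the slides), the correlator below implements the idea of slide 44 over constructed sample events: an alert fires only when a change event and a log event from the same rule land on one host inside a time window, so neither FIM alone nor log management alone would have raised it. Host names, timestamps and the rule names are assumptions.

```python
"""Correlate file-integrity (change) events with log events per host.
Constructed example: rules, hosts and timestamps are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample stream: (timestamp, host, source, event text).
SAMPLE_EVENTS = [
    ("2010-02-01 09:00:00", "pos-01", "log", "10 failed logins"),
    ("2010-02-01 09:02:00", "pos-01", "log", "Login successful"),
    ("2010-02-01 09:03:00", "pos-01", "change", "New user added"),
    ("2010-02-01 09:05:00", "pos-01", "change", "Logging turned off"),
    ("2010-02-01 09:07:00", "pos-01", "change", "DLL modified by new user"),
    ("2010-02-01 09:08:00", "pos-01", "change", "FTP enabled"),
    ("2010-02-01 09:10:00", "pos-01", "log", "FTP event to foreign IP"),
    ("2010-02-01 13:00:00", "web-02", "change", "FTP enabled"),  # change only
]

# Each rule pairs the log events and change events from the slides that,
# seen together, point at one compromising problem. (Rule names assumed.)
RULES = {
    "brute force then privileged change":
        ({"10 failed logins", "login successful"},
         {"new user added", "dll modified by new user"}),
    "exfiltration path opened":
        ({"ftp event to foreign ip"}, {"ftp enabled", "logging turned off"}),
}
WINDOW = timedelta(minutes=30)

def parse(events):
    """Normalise to (datetime, host, source, lowercase event), time-ordered."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, src, ev.lower())
                  for ts, host, src, ev in events)

def correlate(events, rules=RULES, window=WINDOW):
    """Return (host, rule, sorted matched events); one alert per host and rule.
    Fires only when BOTH a log hit and a change hit fall within `window`."""
    alerts, parsed = [], parse(events)
    for name, (log_set, change_set) in rules.items():
        by_host = defaultdict(list)
        for ts, host, src, ev in parsed:
            if (src == "log" and ev in log_set) or (src == "change" and ev in change_set):
                by_host[host].append((ts, src, ev))
        for host, hits in sorted(by_host.items()):
            for i, (start, _, _) in enumerate(hits):      # sliding window start
                span = [h for h in hits[i:] if h[0] - start <= window]
                if {s for _, s, _ in span} == {"log", "change"}:
                    alerts.append((host, name, sorted({e for _, _, e in span})))
                    break
    return alerts
```

web-02 shows only an FTP-enabled change with no matching log event, so it produces no alert; the point is that the single-source views on slides 42 and 43 each miss what the combined view catches.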
Many organizations have file integrity monitoring, log management and even event management solutions in place. But the average time it takes these same organizations to discover that a breach has occurred is months. During that time their critical data and infrastructure are at risk of compromise, if they have not already been compromised. There is an industry-wide problem: the time it takes to discover breaches is far too long and it needs to be shortened.
The cost of this time delay is enormous. These organizations not only suffer monetarily, their “mojo” is also badly damaged. They lose shareholder trust and value. Their name remains in the press and in presentations like this for a very long time.
Tripwire VIA delivers intelligent threat control by providing: Visibility across your infrastructure to know what is happening at all times. Intelligence to know which changes or events are suspect and may put your infrastructure and data at risk of compromise. Automation to help you categorize high-risk changes and events, remediate certain conditions, and automate compliance requirements such as reporting.