2. What We’ll Cover
• An overview of PCI DSS
• Common challenges in PCI DSS compliance
• Questions to ask as you plan and prepare
• Core capabilities needed to demonstrate compliance
• How to use AlienVault USM to simplify compliance
3. PCI DSS
• All entities that store, process or transmit payment cardholder data must maintain payment security
• 3 steps for compliance
1. Assess
2. Remediate
3. Report
• Goal: Make payment security ‘business-as-usual’
4. PCI Compliance and Security
“In 10 years, of all companies investigated by Verizon forensics team following a breach, 0 were found to have been fully PCI compliant at the time of the breach”
Data from 2015 Verizon PCI Report
5. PCI DSS Version 3.1
Goals and the PCI DSS requirements under each:
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors
6. The State of Compliance
Source: Verizon 2015 PCI Compliance Report
• 4 out of 5 organizations not fully compliant
• Only 1 in 4 organizations remained fully PCI compliant less than a year after a successful PCI validation
• Requirement 11 remains the biggest challenge for organizations
7. Common Challenges
• Collecting relevant data on the state of your compliance
  • Critical events
  • Configuration status
• Documenting the state of your compliance
  • Keep the auditor happy
• Maintaining compliance and making it part of “business as usual”
8. Questions to Ask
• Where are your in-scope assets?
  • How are they configured?
  • How are they segmented from the rest of your network?
• Who accesses these resources?
  • When, where, what can they do, and how?
• What are the vulnerabilities on these devices?
  • Apps, OS, etc.?
• What constitutes your network baseline?
  • What is considered “normal” or “acceptable”?
14. What functionality do I need for PCI DSS?
• Identify systems & applications
• Document vulnerable assets
• Find threats on your network
• Look for unusual behavior
• Correlate the data & respond
16. Actionable Threat Intelligence: Let Us Do the Work!
• Automatically detect and prioritize threats through:
  • Correlation Directives
  • Network IDS Signatures
  • Host IDS Signatures
  • Asset Discovery Signatures
  • Vulnerability Assessment Signatures
  • Reporting Modules
  • Incident Response Templates
  • Data Source Plug-Ins
• Spend your time responding to threats, not researching them.
17. Open Threat Exchange (OTX)
• The world’s first truly open threat intelligence community
• Enables collaborative defense with actionable, community-powered threat data
• With more than 37,000 participants in 140+ countries
• And more than 3 million threat indicators contributed daily
• Enables security professionals to share threat data and benefit from data shared by others
• Integrated with the USM platform to alert you when known bad actors are communicating with your systems
18. PCI Compliance Reports in USM
Report name, followed by the PCI DSS requirements it covers:
• Admin Access to Systems: 10.1-10.2, which focus on creating an audit trail of user access to critical systems
• Firewall Configuration Changes: 1.1-1.3, which focus on firewalls and network device configuration
• Authentication with Default Credentials: 2.x, which focuses on the use of vendor-supplied default credentials
• All Antivirus Security Risk Events: 5.1-5.2, which require anti-virus scanning with an up-to-date anti-virus solution
• Database Failed Logins: 7.1-7.2, which focus on limiting access to PCI data to only those who “need to know”
…plus 25 more!
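To make the report-to-requirement mapping concrete, here is an added example (not AlienVault's or USM's code) that routes constructed syslog-style events into the five report categories listed above and tags each group with the PCI DSS requirement it evidences. The event line format and the matching patterns are assumptions for illustration.

```python
# Added example: group raw events into PCI compliance report buckets.
# Report names and requirement numbers come from the table above; the
# event format ("<host> <source> <message>") and patterns are assumed.
import re
from collections import defaultdict

REPORT_REQUIREMENTS = {
    "Admin Access to Systems": "10.1-10.2",
    "Firewall Configuration Changes": "1.1-1.3",
    "Authentication with Default Credentials": "2.x",
    "All Antivirus Security Risk Events": "5.1-5.2",
    "Database Failed Logins": "7.1-7.2",
}

# Assumed routing rules: first matching pattern decides the report.
RULES = [
    ("Database Failed Logins", re.compile(r"\bmysql\b.*Access denied")),
    ("Firewall Configuration Changes", re.compile(r"^\S+ config Configuration changed")),
    ("Admin Access to Systems", re.compile(r"Accepted \w+ for root\b")),
    ("All Antivirus Security Risk Events", re.compile(r"\bav\b.*Threat detected")),
    ("Authentication with Default Credentials", re.compile(r"default credential")),
]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "db01 mysql Access denied for user 'app'@'10.0.5.7' (using password: YES)",
    "db01 mysql Access denied for user 'app'@'10.0.5.7' (using password: YES)",
    "fw01 config Configuration changed by admin: rule 42 added",
    "web01 sshd Accepted password for root from 10.0.9.2 port 51022 ssh2",
    "pos03 av Threat detected: Trojan.Generic quarantined",
    "sw02 scanner default credential check: login accepted on management port",
    "web01 sshd Accepted publickey for deploy from 10.0.9.3 port 51030 ssh2",
]

def classify(event):
    """Return the report an event feeds, or None if it is not report-relevant."""
    for report, pattern in RULES:
        if pattern.search(event):
            return report
    return None

def build_report(events):
    """Group events by report and attach the PCI DSS requirement each one covers."""
    grouped = defaultdict(list)
    for ev in events:
        report = classify(ev)
        if report:
            grouped[report].append(ev)
    return {name: {"requirements": REPORT_REQUIREMENTS[name], "count": len(evs), "events": evs}
            for name, evs in grouped.items()}

if __name__ == "__main__":
    for name, info in build_report(SAMPLE_EVENTS).items():
        print(f"{name} (PCI DSS {info['requirements']}): {info['count']} event(s)")
```

Events that match no rule (the ordinary non-root SSH login here) are left out, which is the kind of gap an auditor will ask about, so unmapped events are worth counting in a real deployment.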
19. Grouping In-Scope Assets
Built-in asset discovery provides a dynamic inventory, allowing cardholder-related resources to be identified and monitored for unusual activity.
Custom dashboards focusing on key assets highlight pertinent data.
20. Generating Tickets For Vulnerabilities
USM’s built-in software ticketing system creates trouble tickets from vulnerability scans and alarms.
These tickets specify who owns the remediation, the status and descriptive information.
The tickets also provide a historical record of issues handled, as well as the capability to transfer tickets, assign them to others and push work to other groups.
USM can also send email to an individual or external ticketing system, or execute a script, as a result of a discovered vulnerability.
21. Identifying Assets with Vendor Supplied Passwords
As stated earlier, neglecting to change the default password on ANY network device, especially anything allowing access to cardholder data, is a terrible idea and leaves a huge hole in your defenses.
USM is able to scan your assets for vulnerabilities such as allowing access via default passwords and generate reports on the findings.
This data can be crucial when demonstrating adherence to this practice to an auditor.
22. Contact Us
888.613.6023
ALIENVAULT.COM
HELLO@ALIENVAULT.COM
Now for some questions…
Questions? Hello@AlienVault.com
Twitter: @alienvault
Download a Free 30-Day Trial of USM: http://www.alienvault.com/free-trial
Check out our 15-Day Trial of USM for AWS: https://www.alienvault.com/free-trial/usm-for-aws
Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site
Join OTX: https://www.alienvault.com/open-threat-exchange