The Perils that PCI brings to Security
Gene Kim | Founder, CTO
Josh Corman | Research Director, Enterprise Security Practice
IT SECURITY & COMPLIANCE AUTOMATION
Today’s Speakers
Josh Corman
Research Director
Enterprise Security Practice
Gene Kim
Founder & CTO
Tripwire, Inc.
Joshua Corman, Research Director, Enterprise Security, The 451 Group
The [Possible] Perils PCI Brings to Security
Research Director for Enterprise Security, The 451 Group (joined The 451 Group in Oct 2009)
► 12 years in Networking and Security
– Former Principal Security Strategist [IBM ISS]
– Sold stealth start-up vCIS to ISS in 2002
► Industry Leadership
– Expert Faculty - The Institute for Applied Network Security (IANS)
– 2009 NetworkWorld Top 10 Tech People to Know
– Co-Founder: “Rugged” www.ruggedsoftware.org
► Things I’ve been researching:
− Compliance vs Security
− Virtualization and Cloud Computing
− The Economics of Security
− Politically Motivated Cyber (APT/APA/SMT)
− Comprehensive Data Security
Who am I?
Evolving Threat
Evolving Compliance
Evolving Technology
Evolving Economics
Evolving Business
Cost / Complexity
Risk
Constant Change
Our Ecosystem
► Vendors: Infrastructure
► Vendors: Security Incumbents
► Vendors: Innovative Start-Ups
► The Investment Community
► The Carriers / Service Providers
► The Regulators
► The Adversaries
► The End-User Community
► Others...
Information Asymmetry
Compliance
Free Report: Security derivatives: the downward spiral caused by information asymmetry
http://www.the451group.com/intake/securityderivatives/
PCI’s Target
PCI is not meant to protect *you*…
…that is your job
Intellectual Property
Productivity
Corporate Secrets
Competitive Differentiation
Card Data / Systems
The Chosen Few…
If we apply a “purchase and deploy” lens to PCI DSS 1.2, we can infer which security product categories are sure to get spending.
The Winners: “Nine” security technologies specifically buoyed by PCI DSS
1. Firewall (FW)
2. Intrusion Detection Systems (IDS) – not even IPS. This can be NIDS or HIDS
3. Anti-Virus (AV)
4. Multi-Factor Auth
5. Encryption (Non-OS Native)
6. File Integrity Monitoring (FIM) – “like Tripwire”
7. Vulnerability Assessment/Management
8. *Log Management – not SIM or ESIM (*technically don’t need a product)
9. OPTIONAL: Web Application Firewall (WAF) or an SDLC
10. PCI Service: External scans by a certified ASV (Application Scanning Vendor) – Quarterly scans by a certified 3rd party (or after “major” changes)
11. PCI Service: The QSA Audit itself (annually ranging from $10,000 - $25,000)
12. If breached (which never happens) required to use a certified QIRA for Incident Response
► PCI Rocks YouTube video (click play):
– http://www.youtube.com/watch?v=xpfCr4By71U
►Is PCI the No Child Left Behind Act for Information Security?
A mismatch…
► Solve for all sources of change
– Threat
– Technology
– Business
– Economics
– Compliance
► Assume Information Asymmetry
– Seek new sources of Information
– Distrust Legacy Wisdom
► Plan for Agility
– Think 3-5 years
– Look for extensibility and roadmap
Change, Change, Change…
Related Reading*
Security derivatives: the downward spiral caused by information asymmetry
http://www.the451group.com:80/report_view/report_view.php?entity_id=60884
The adversary: APTs and adaptive persistent adversaries
http://www.the451group.com:80/report_view/report_view.php?entity_id=62643
Like spinning plates: five sources of cost, complexity and risk in IT security – Part 1
http://www.the451group.com:80/report_view/report_view.php?entity_id=62198
Security Quarterly: E-Crime and Advanced Persistent Threats: How Profit and Politics Affect IT Security Strategies
http://www.the451group.com/security/security_detail.php?icid=1060
* We will happily provide trial access for participants of this Webinar
Problem: Taking Too Long to Find Breaches/Risks
Average time between a breach and the detection of it: 156 days [5.2 months]
Breaches go undiscovered and uncontained for weeks or months in 75 % of cases.
Feb. 2010
2009
“…breaches targeting stored data averaged 686 days [of exposure]”
2010
Breach Discovery
“More than 75,000 computers … hacked” -- The attack began late 2008 and discovered last month
Feb. 2010
Result: The Time Delay Of Discovery Is Costly!
“The average cost per breach in 2009 was $6.7 million…” – Ponemon Institute, Jan. 25, 2010
“Heartland Payment Systems announced today that it will pay Visa-branded credit and debit card issuers up to $60 million…” – Bank Info Security, Jan. 8, 2010
Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
High performers maintain a posture of compliance
• Fewest number of repeat audit findings
• One-third amount of audit preparation effort
High performers find and fix security breaches faster
• 5 times more likely to detect breaches by automated control
• 5 times less likely to have breaches result in a loss event
When high performers implement changes…
• 14 times more changes
• One-half the change failure rate
• One-quarter the first fix failure rate
• 10x faster MTTR for Sev 1 outages
When high performers manage IT resources…
• One-third the amount of unplanned work
• 8 times more projects and IT services
• 6 times more applications
Source: IT Process Institute, May 2008
Visible Ops: Playbook of High Performers
The IT Process Institute has been studying high-performing organizations since 1999
• What is common to all the high performers?
• What is different between them and average and low performers?
• How did they become great?
Answers have been codified in the Visible Ops Methodology
www.ITPI.org
2007: Three Controls Predict 60% Of Performance
To what extent does an organization define, monitor and enforce the following?
• Standardized configuration strategy
• Process discipline
• Controlled access to production systems
Source: IT Process Institute, May 2006
Need: Close The Time Gap
Many Compromising Problems Are Difficult To Discover
Logging turned off
FTP event to foreign IP
New user added
DLL modified by new user
FTP enabled
Login successful
10 failed logins
Just Detecting Change Is Not Enough…Policy-Based Intelligence Is Required
Logging turned off
New user added
DLL modified by new user
FTP enabled
Typical FIM cannot raise these types of alerts. Change intelligence is required.
Just Detecting Log Events Is Not Enough…Policy-Based Intelligence Is Required
Login successful
FTP event to foreign IP
10 failed logins
Log management alone cannot alert on these events; SIEM is required.
Relating Change Events to Log Events… Best Chance To Discover Compromising Problems Quickly
Logging turned off
Login successful
FTP event to foreign IP
New user added
DLL modified by new user
FTP enabled
10 failed logins
Events of Interest
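The slides argue that neither change detection nor log events alone reveal the compromise, but the combination on one host within a short time does. The following is an added example of that correlation policy, written here rather than taken from the deck or from any Tripwire product: the event names are the seven from the slides, the hosts, timestamps and policy rules are constructed, and the one-hour window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the slides): (timestamp, host, source, event).
# source is "change" for FIM/config-change detections and "log" for log events.
EVENTS = [
    ("2010-02-01 01:00", "pos-07", "log",    "10 failed logins"),
    ("2010-02-01 01:02", "pos-07", "log",    "Login successful"),
    ("2010-02-01 01:05", "pos-07", "change", "New user added"),
    ("2010-02-01 01:06", "pos-07", "change", "Logging turned off"),
    ("2010-02-01 01:09", "pos-07", "change", "DLL modified by new user"),
    ("2010-02-01 01:11", "pos-07", "change", "FTP enabled"),
    ("2010-02-01 01:15", "pos-07", "log",    "FTP event to foreign IP"),
    ("2010-02-01 09:00", "pos-12", "change", "FTP enabled"),            # isolated change, benign alone
    ("2010-02-03 09:30", "pos-12", "log",    "FTP event to foreign IP"),  # two days later: outside window
]

# Assumed policy: (required log events, required change events) that together,
# on the same host inside WINDOW, indicate a compromising problem.
WINDOW = timedelta(hours=1)
POLICY = {
    "brute force then persistence": (["10 failed logins", "Login successful"], ["New user added"]),
    "exfil channel staged":         (["FTP event to foreign IP"], ["FTP enabled"]),
    "evidence tampering":           (["Login successful"], ["Logging turned off"]),
}

def _parse(event):
    ts, host, source, name = event
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), host, source, name

def correlate(events, policy=POLICY, window=WINDOW):
    """Return sorted (host, rule) pairs for which every required log AND change
    event was observed on that host within one `window` starting at some event."""
    parsed = [_parse(e) for e in events]
    hits = set()
    for rule, (log_needed, change_needed) in policy.items():
        for start, host, _, _ in parsed:
            # Everything seen on this host in the window opened by this event.
            seen = {(s, n) for t, h, s, n in parsed if h == host and start <= t <= start + window}
            if all(("log", n) in seen for n in log_needed) and \
               all(("change", n) in seen for n in change_needed):
                hits.add((host, rule))
    return sorted(hits)

if __name__ == "__main__":
    for host, rule in correlate(EVENTS):
        print(f"{host}: {rule}")
```

Feeding only the change events or only the log events into correlate() yields nothing, which is the point of the slide: each stream alone is noise, and the host pos-07 only surfaces once both are related.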
Solution: Intelligent Threat Control
Tripwire Enterprise | Tripwire Log Center
File Integrity Monitoring
Compliance Policy Manager
Log Manager
Security Event Manager
Tripwire VIA (TM)
VISIBILITY · INTELLIGENCE · AUTOMATION