
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Slide 1: PCI Compliance & Technology
Vishal Lanjekar, Lead Solutions Architect, SAARC

Slide 2: Today's Landscape
- The security market has changed
- A risk-based, adversary-centric approach is needed
- Proactive vs. reactive

Slide 3: PCI Challenges

Slide 4: PCI Challenges
- Top management is being held accountable
- The evolving threat of customer data breaches is prevalent and debilitating
- Cardholder and customer data is targeted throughout the infrastructure

Slide 5: PCI Challenges (continued)
- Infrastructure lags behind
  - Existing infrastructure must be upgraded to withstand evolution
  - Exposure persists because infrastructure cannot be replaced in a timely fashion
- Compliance burnout and evolution
  - 5+ years of compliance projects have not delivered business value
  - Compliance mandates are revised, and new mandates will emerge
  - Projects become more expansive, expensive and time-intensive
  - Time pressure and escalating tension with PCI deadlines and fines
- Real-time monitoring is the key

Slide 6: Approaches to Monitoring

Slide 7: Monitoring/Audit Enabling Technologies
(Columns: PCI Requirement; PCI Network Infrastructure Impacted; Auditing Technology)

1. Install and maintain a firewall configuration to protect cardholder data
   Infrastructure impacted: firewalls, routers, switches, wireless networks, databases, perimeter networks, hosts with external connectivity
   Auditing technology: firewalls; network configuration management

2. Do not use vendor-supplied defaults for system passwords and other security parameters
   Infrastructure impacted: servers, web servers, DNS, DHCP, databases
   Auditing technology: configuration management; password policy management

3. Protect stored cardholder data
   Infrastructure impacted: encryption and AAA technologies across OS, application and DB layers; key management infrastructure
   Auditing technology: various encryption technologies

4. Encrypt transmission of cardholder data across open, public networks
   Infrastructure impacted: perimeter devices, wireless networks, encryption applications
   Auditing technology: various encryption technologies

5. Use and regularly update anti-virus software
   Infrastructure impacted: desktop, server and network-based AV technologies
   Auditing technology: anti-virus software

6. Develop and maintain secure systems and applications
   Infrastructure impacted: OS, DB, commercial and in-house applications, application development environments, application-layer firewalls
   Auditing technology: patch management, vulnerability management, configuration management

Slide 8: Monitoring/Audit Enabling Technologies (continued)
(Columns: PCI Requirement; PCI Network Infrastructure Impacted; Auditing Technologies)

7. Restrict access to cardholder data by business need-to-know
   Infrastructure impacted: all system components of card-flow-affected network segments
   Auditing technology: access, authentication and authorization; identity management

8. Assign a unique ID to each person with computer access
   Infrastructure impacted: all system components of card-flow-affected network segments
   Auditing technology: access, authentication and authorization; user directories; password policy management; identity management; configuration management

9. Restrict physical access to cardholder data
   Infrastructure impacted: physical security systems, wireless access points, mobile/handheld devices
   Auditing technology: access, authentication and authorization

10. Track and monitor all access to network resources and cardholder data
   Infrastructure impacted: security devices (FW, IDS, IPS, AAA), networking equipment, OS, DB and applications
   Auditing technology: log management/SIEM

11. Regularly test security systems and processes
   Infrastructure impacted: external and internal PCI networks
   Auditing technology: VA scanners, NIDS/HIDS, HIPS/NIPS, file integrity monitoring

12. Maintain a policy that addresses information security
   Infrastructure impacted: asset management
   Auditing technology: policy management; manual process review

Slide 9: No Big Picture Across Point Technologies
(Diagram: the six PCI control objectives, numbered 1 to 6, mapped onto point technologies spread across four locations: remote office, online infrastructure, central site, retail presence. Technologies shown: encryption/key management, routers, anti-virus, configuration management, vulnerability management, patch management, physical security systems, access/authentication/authorization, identity management, password policy management, wireless network encryption, network and host IPS/IDS, log management, policy management, incident response management, firewalls, network configuration management.)

Slide 10: Complexity of Compliance Audit
Example: PCI Data Security Standard

6 control objectives:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access controls
- Regularly monitor and test networks
- Maintain an information security policy

17 primary technologies, involving hundreds or thousands of impacted assets:
- Encryption / key management
- Routers
- Anti-virus
- Configuration management
- Vulnerability management
- Patch management
- Physical security systems
- Access, authentication, authorization
- Identity management
- Password policy management
- Wireless network encryption
- Network and host IPS and IDS
- Log management
- Policy management
- Incident response management
- Firewalls
- Network configuration management

Slide 11: Traditional Approaches to Monitoring
1. Manual point audits of individual infrastructure components
   - Slow and ineffective approach
   - Does not accomplish the broader objective of "securing cardholder data" on a continuous, ongoing basis
2. Requirement-specific auditing technologies
   - VA scanners, IDS and configuration management technologies
   - Remains a discrete and disjointed auditing process
   - Provides only partial automation

Slide 12: HP's Approach - Event-Data-Based Monitoring
- Least intrusive
- Most comprehensive approach to continuous audit coverage: spans all requirements and the necessary primary technologies
- Different degrees of monitoring:
  - Basic collection and storage (syslog, homegrown)
  - Basic search layer
  - Reporting
  - Dashboards
  - Real-time alerting
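The slide lists event-data-based monitoring as a ladder of capabilities: collection and storage, search, reporting, and real-time alerting. The following is an added example, not code from the presentation or from HP ArcSight, showing what each rung looks like as a minimal pipeline over syslog authentication events, which is the kind of data PCI requirement 10 (track and monitor all access) asks you to retain and review. The syslog lines, hostnames, usernames and IP addresses are constructed for the example; the brute-force rule threshold and window are assumptions, not values from the page.

```python
"""Minimal event-data-based monitoring pipeline (added example, not HP/ArcSight code)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (RFC 3164 style). Hosts, users and addresses are made up.
SAMPLE_SYSLOG = """\
Mar 14 10:01:02 pos-db01 sshd[1201]: Failed password for admin from 10.0.5.23 port 51022 ssh2
Mar 14 10:01:05 pos-db01 sshd[1201]: Failed password for admin from 10.0.5.23 port 51023 ssh2
Mar 14 10:01:09 pos-db01 sshd[1201]: Failed password for admin from 10.0.5.23 port 51024 ssh2
Mar 14 10:01:12 pos-db01 sshd[1201]: Accepted password for admin from 10.0.5.23 port 51025 ssh2
Mar 14 10:02:40 pos-web01 sshd[877]: Failed password for root from 203.0.113.9 port 40110 ssh2
Mar 14 10:15:00 pos-db01 sshd[1300]: Accepted publickey for deploy from 10.0.5.40 port 51100 ssh2
"""

# Header: "Mon DD HH:MM:SS host app[pid]: message" (BSD syslog has no year field)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[\w\-/]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH auth outcome lines; the "invalid user" variant is deliberately not parsed here.
AUTH_RE = re.compile(r"^(?P<outcome>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line, year=2012):
    """Normalize one raw syslog line into an event dict; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": m["host"], "app": m["app"], "msg": m["msg"],
             "outcome": None, "user": None, "src": None}
    a = AUTH_RE.match(m["msg"])
    if a:
        event.update(outcome=a["outcome"].lower(), user=a["user"], src=a["src"])
    return event


def collect(text):
    """Rung 1, collection and storage: parse every line and keep the ones that normalize."""
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in events if e is not None]


def search(events, **criteria):
    """Rung 2, basic search: exact-match filter on normalized fields, e.g. host='pos-db01'."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def report_failed_logins_by_host(events):
    """Rung 3, reporting: failed authentications per host, the sort of count a PCI review looks at."""
    return dict(Counter(e["host"] for e in events if e["outcome"] == "failed"))


class BruteForceRule:
    """Rung 4, real-time alerting: fires once when `threshold` failed logins for the same
    (host, user) pair arrive within `window`. Threshold and window are assumed values."""

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self._recent = defaultdict(deque)   # (host, user) -> timestamps of recent failures
        self.alerts = []

    def process(self, event):
        if event["outcome"] != "failed":
            return None
        key = (event["host"], event["user"])
        q = self._recent[key]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = {"rule": "repeated_failed_logins", "host": event["host"],
                     "user": event["user"], "src": event["src"],
                     "count": len(q), "last_seen": event["ts"]}
            self.alerts.append(alert)
            q.clear()   # one burst produces one alert, not one per extra failure
            return alert
        return None


def run_pipeline(text, threshold=3, window_seconds=60):
    """Run all four rungs over raw syslog text; returns (events, report, alerts)."""
    events = collect(text)
    rule = BruteForceRule(threshold, timedelta(seconds=window_seconds))
    for e in sorted(events, key=lambda e: e["ts"]):   # replay in time order
        rule.process(e)
    return events, report_failed_logins_by_host(events), rule.alerts


if __name__ == "__main__":
    evts, rep, alerts = run_pipeline(SAMPLE_SYSLOG)
    print(f"{len(evts)} events; failed logins by host: {rep}")
    for a in alerts:
        print("ALERT", a)
```

Each rung builds on the previous one's normalized data: search and reporting only need stored events, while the alerting rule must see events as they arrive and keep sliding-window state per key. The rule resets its window after firing so a single burst yields one alert, which is the kind of dedup the reviewer of a PCI monitoring dashboard depends on.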

Slide 13: HP ArcSight Security Intelligence
A comprehensive platform for monitoring modern threats and risks, augmented by services expertise and the most advanced security user community, Protect724.
- Establish complete visibility
- Analyze events in real time to deliver insight
- Respond quickly to prevent loss
- Measure security effectiveness across people, process and technology
(Diagram components: data capture, event correlation, controls monitoring, user monitoring, application monitoring, fraud monitoring, log management)

Slide 14: HP ArcSight Compliance - PCI Compliance
- Pre-packaged solutions for regulatory compliance
- Standards-based event management solution
- Applicable offerings for "governance approach" and "regulation-specific approach" organizations
- Comprehensive sets of best-practice-based reports, rules, active lists and dashboards for audit and compliance

"It's great to see ArcSight leading the SIEM market … (ArcSight's) Compliance Insight Packages allow enterprises to meet short-term compliance deadlines while also satisfying evolving longer-term security and compliance needs."
(Nick L. Galletto, Partner, Security Services at Deloitte & Touche LLP)

Slide 15: HP ArcSight CIP for PCI: Sample Dashboards and Reports

Slide 16: Active Actions to Emerging Threats
- Locate
  - Determine node access; provide router/switch access information
- Analyze
  - Determine the control point closest to the node
  - Determine the best method to quarantine the node
- Quarantine
  - Set MAC filter(s)
  - Disable switch port(s)
  - VLAN quarantine
  - Firewall/router ACL
  - Disable user account
(Diagram: "Multiple Quarantine Options for the Right Impact". Control points shown: authentication/directory server (disable user), wired switch infrastructure (set MAC filter, disable switch port, quarantine VLAN), router and firewall (change ACL, IP traffic control), VPN (remove VPN user), wireless infrastructure and mobile user (set MAC filter, disable user).)

Slide 17: Risk and Compliance
What does it provide? A consolidated view of risk across your enterprise.
Features:
- Prioritized heat map of risk
- Risk score consolidating all areas of risk, enabling a commitment to Risk Level Agreements (RLAs)
- Pre-defined risk templates
Customer benefits:
- Holistic, business-centric view of IT risk
- Decision intelligence for quick response
- Leverages existing investment in HP Business Server Automation (BSA) and the universal configuration management database (uCMDB)

Slide 18: Summary

Slide 19: Summary - The HP ArcSight Platform
A different approach is required:
- Business faces more risk than ever
- Traditional defenses won't work
The only effective solution for detecting, managing and minimizing modern threats and risks:
- Complete visibility
- Improved uptime
- Streamlined compliance

Slide 20: Thank you

