TRANSCRIPT
Jordan Levesque - Keeping your Business Secure (22/09/2016)
• Review of PCI
• Benefits of hosting with RCS
• File Integrity Monitoring
• Two Factor
• Log Aggregation
• Vulnerability Scanning
• Configuration Management and Continuous Deployment
Overview of PCI DSS
• Payment Card Industry Data Security Standard
• Mandated by card brands
• Framework for applying good security posture
What's new in 3.2?
• Greater focus on Multifactor Authentication
– All remote access must have MFA
– All local administrator access must have MFA
• PAN masking requirements
• Pushed out the SSL/TLS 1.0 migration deadline from June 2016 to June 2018
Why is PCI important?
Risk Overview
62% more breaches in 2013 than in 2012; over 553 million identities stolen, up from 93 million in 2012, an increase of more than 594%
[Chart: identities stolen, 2012 vs 2013; one icon = 20 million]
Risk Overview
Threats are becoming more advanced, and attacks are becoming more frequent
Breach Overview
Average time to detection of a breach: 197 days
[Timeline: Jan 1 to Jul 17]
Avg cost per record for retailers: $172
Avg cost per breach: $4 million
What are the 12 Standards?
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Requirement 5: Use and regularly update anti-virus software or programs
• Requirement 6: Develop and maintain secure systems and applications
• Requirement 7: Restrict access to cardholder data by business need to know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
• Requirement 12: Maintain a policy that addresses information security for all personnel
Benefits of Hosting with RCS
Shared Responsibility of PCI sub-requirements
RCS (362 sub-requirements):
• Admin Credentials
• NCR Counterpoint
• Managed Firewalls
• Application Whitelisting
• 2FA
• Security policy
• Hosting
You (49 sub-requirements):
• Credentials
• POS maintenance
• Security policy
Cost, Time, Expertise
RCS Security personnel are trained in the use of security applications, and become subject-matter experts
RCS has dedicated personnel to handle day-to-day operations of security applications
(the apps are very needy)
More cost-effective for RCS to manage security applications in bulk vs smaller deployments
File Integrity Monitoring (FIM) & Application Whitelisting (AW)
FIM / Application Whitelisting
• Goes beyond traditional AV
– Signature-less, vs AV which is signature-based
– Analyzes patterns in file activity, not just file hashes or signatures
Hash / Signature: a string of a fixed size which is used to identify data of an arbitrary size. This is a one-way function.
“HelloWorld” → CryptoHashFunc. → 3e25960a79dbc69b674cd4ec67a72c62
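To make the hash-and-baseline idea concrete, here is a minimal file-integrity monitor, added as an example and not RCS's FIM product: it records a SHA-256 digest per file, re-scans, and reports what was added, removed or changed. The directory and its files are constructed in a temporary folder.

```python
"""File-integrity baseline and re-scan (added example, not RCS's FIM product).

A FIM agent stores a fixed-size, one-way digest of every monitored file.
Re-hashing later and diffing against the baseline reveals added, removed
and modified files without the baseline ever exposing file contents.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """Digest of an arbitrary-size input; any byte change gives an unrelated digest."""
    return hashlib.sha256(data).hexdigest()

def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each file under root (relative path) to its digest."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Report what changed between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a directory, alter it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos.exe").write_bytes(b"original binary")
        (root / "config.ini").write_text("timeout=30\n")
        before = build_baseline(root)
        (root / "pos.exe").write_bytes(b"original binary, now altered")  # modified
        (root / "config.ini").unlink()                                   # removed
        (root / "unknown.dll").write_bytes(b"file nobody deployed")      # added
        return compare(before, build_baseline(root))
```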
FIM / AW: Rule Abstraction
Signature-less rule example:
IF [any file hash]
SIGNED BY [LogMeIn]
EXECUTES AT [C:\%APPDATA%\local\logmein rescue unattended],
ALLOW EXECUTION
FIM / AW: File Report Example
FIM / AW: Control Models
Low
• Operates on a blacklist
– Unapproved files allowed
– Banned files blocked
• Low potential for false positives
• Monitors file propagation
• Custom rules enforced for fine-tuning of allowed or disallowed file activity
High
• Operates on a whitelist
– Unapproved files blocked
– Banned files blocked
• High potential for false positives
• Monitors file propagation
• Custom rules enforced for fine-tuning of allowed or disallowed file activity
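An added example (not RCS's or any vendor's product) of how the two control models and a LogMeIn-style signer rule combine into an allow/block decision. The policy, the hashes (placeholders) and the file paths are constructed, and the glob is an assumed expansion of the slide's %APPDATA%\local path.

```python
"""Application-whitelisting decision logic (added example, not RCS's or any vendor's product).

Models the two control levels from the slides: in the Low model a file runs
unless it is banned; in the High model it must also be approved, by a known
hash or by a signature rule like the LogMeIn example, or it is blocked.
"""
from collections import namedtuple
from fnmatch import fnmatch

# An execution attempt as the agent sees it: path, file hash, code-signing publisher (None if unsigned).
FileEvent = namedtuple("FileEvent", "path sha256 signer")
# IF [any file hash] SIGNED BY signer EXECUTES AT path_glob, ALLOW EXECUTION
SignerRule = namedtuple("SignerRule", "signer path_glob")

def rule_matches(rule: SignerRule, ev: FileEvent) -> bool:
    """Signature-less-by-hash match: publisher plus location, not a specific digest."""
    path = ev.path.replace("\\", "/").lower()
    return ev.signer == rule.signer and fnmatch(path, rule.path_glob.lower())

def decide(ev: FileEvent, level: str, approved: set, banned: set, rules: list) -> str:
    """Return ALLOW or BLOCK for `ev` under control level 'low' or 'high'."""
    if ev.sha256 in banned:
        return "BLOCK"      # banned files are blocked at both levels
    if level == "low":
        return "ALLOW"      # Low: unapproved files allowed, activity only monitored
    if ev.sha256 in approved or any(rule_matches(r, ev) for r in rules):
        return "ALLOW"
    return "BLOCK"          # High: unapproved => blocked, hence more false positives

# Constructed policy; the glob assumes the slide's %APPDATA%\local path, hashes are placeholders.
RULES = [SignerRule("LogMeIn", "c:/users/*/appdata/local/logmein rescue unattended/*")]
APPROVED = {"<sha256 of pos.exe>"}
BANNED = {"<sha256 of known-bad file>"}
EVENTS = {
    "rescue_in_place": FileEvent(r"C:\Users\clerk\AppData\Local\LogMeIn Rescue Unattended\lmi.exe",
                                 "<unseen hash 1>", "LogMeIn"),
    "rescue_elsewhere": FileEvent(r"C:\Users\clerk\Downloads\lmi.exe", "<unseen hash 1>", "LogMeIn"),
    "unsigned_new_tool": FileEvent(r"C:\Users\clerk\Downloads\tool.exe", "<unseen hash 2>", None),
    "approved_pos": FileEvent(r"C:\POS\pos.exe", "<sha256 of pos.exe>", "NCR"),
    "banned_file": FileEvent(r"C:\Temp\x.exe", "<sha256 of known-bad file>", None),
}

def demo() -> dict:
    """(Low, High) decision for each constructed event."""
    return {name: (decide(ev, "low", APPROVED, BANNED, RULES),
                   decide(ev, "high", APPROVED, BANNED, RULES))
            for name, ev in EVENTS.items()}
```

The same signed binary is allowed in place but blocked when run from Downloads under the High model, which is exactly the false-positive trade-off the slide describes.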
Two-Factor Authentication (2FA)
Authentication Factors
• Something you know
– Password
• Something you have
– RSA Token
– Digital Certificate
– YubiKey
– Phone & Duo Security
• Something you are
– Iris
– Fingerprint
– Voice
2FA: Our Solutions
YubiKeys
• Primary uses:
– POS users
– Back office users
– Admin users
• Token is plugged in, and the center button is pressed at the 2FA prompt
Duo Push
• Primary uses:
– Back-office
– Admin users
• A push is requested from the 2FA prompt, which is sent to the corresponding smartphone
2FA: Where does it apply?
During the Remote Desktop login
Security Information & Event Manager (SIEM)
SIEM: Why does it matter?
• Local event logs can be manipulated; a SIEM provides forensically sound archival of events
• Local event logs are overwritten when space runs out
• Can be mined / queried for deep security intelligence about any and all systems reporting in
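To show what "mined / queried" looks like in practice, an added example (not RCS's SIEM or any vendor's query language) that parses constructed, normalised Windows Security events forwarded from several hosts and asks two questions no single host could answer alone: which account failed logons across hosts within a short window, and where a local audit log was cleared afterwards.

```python
"""Querying centrally aggregated event logs (added example; not RCS's SIEM or any vendor's query language).

Once every system forwards its events, one question can be asked of all of
them at once, and the record survives even if a local log is later cleared.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

class Event(NamedTuple):
    ts: datetime
    host: str
    event_id: int   # Windows Security: 4624 logon ok, 4625 logon failed, 1102 audit log cleared
    user: str

# Constructed sample: one normalised line per forwarded event (timestamp host event_id account).
SAMPLE_LOG = """\
2016-09-22T08:01:10 POS-01 4624 cashier1
2016-09-22T08:02:05 POS-02 4625 svc_backup
2016-09-22T08:02:40 POS-03 4625 svc_backup
2016-09-22T08:03:15 BACKOFFICE 4625 svc_backup
2016-09-22T08:04:30 BACKOFFICE 4624 svc_backup
2016-09-22T08:05:00 BACKOFFICE 1102 svc_backup
2016-09-22T09:30:00 POS-02 4625 cashier1
"""

def parse(text: str) -> list:
    """One typed Event per forwarded line."""
    return [Event(datetime.fromisoformat(t), h, int(i), u)
            for t, h, i, u in (line.split() for line in text.splitlines())]

def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)) -> dict:
    """Accounts with >= threshold failed logons inside `window`, plus the hosts involved; each host alone saw one harmless failure."""
    by_user = defaultdict(list)
    for e in sorted(events):
        if e.event_id == 4625:
            by_user[e.user].append(e)
    hits = {}
    for user, fails in by_user.items():
        for start in fails:
            run = [f for f in fails if start.ts <= f.ts <= start.ts + window]
            if len(run) >= threshold:
                hits[user] = sorted({f.host for f in run})
                break
    return hits

def log_cleared(events) -> list:
    """Hosts whose local audit log was cleared; the forwarded copy still holds what preceded it."""
    return sorted((e.host, e.user) for e in events if e.event_id == 1102)
```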
Vulnerability Scanning
Vulnerability Scanning: HOLY VULNERABILITIES, BATMAN!
• Evaluates a system for open ports, missing patches, and other potential attack vectors or points of weakness
• Provides actionable intelligence and recommendations
Example from vendor’s website
Vulnerability Scanning: Breakdown Example
Configuration Management (CM) & Continuous Deployment (CD)
CM&CD: The Challenge
How the heck do you enforce a change on X amount of servers without touching each one individually?
CM&CD: The Solution
Something akin to the Starkiller base,
but like… for the good guys. All seeing, all reaching.
CM&CD: How it works
Deployments are delivered to clusters of servers within defined maintenance windows
Windows Updates
AV Updates
Applications
Config Rules
CM&CD: Benefits
Well that’s all fine and dandy,
but what does that get me?
• Quick response to updates in best-practices
• Faster deployment of critical patches
• High compliance = high stability