Taking the Pain out of PCI Compliance
April 14, 2016
Aaron Warner, Systems Engineer Manager, CISSP
Agenda
1. Tripwire PCI Products and Where Tripwire can Help
2. Top 3 PCI Mistakes with the focus on Tripwire Enterprise
3. Tripwire Enterprise PCI Demo
4. Q & A
The Tripwire PCI Compliance Solution
• PCI Council validated Approved Scanning Vendor
• Enterprise class vulnerability management and discovery
• Secure and reliable log collection, correlation and forwarding
• Enterprise class file integrity monitoring, change detection and policy compliance
Tripwire Can Help with all of the 12 PCI 3.1 Requirements

1: Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2: Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
3: Maintain a Vulnerability Management Program
  Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  Requirement 6: Develop and maintain secure systems and applications
4: Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need to know
  Requirement 8: Identify and authenticate access to system components
  Requirement 9: Restrict physical access to cardholder data
5: Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
6: Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security for all personnel

Legend (Tripwire's role per requirement): Validates / Provides / Supports
TOP 3 Mistakes that Provide PCI Pain
1. Set and Forget FIM (File Integrity Monitoring)
2. Periodic PCI Assessment
3. Applying Only a PCI Solution and Not Leveraging the Product for Security
Mistake #1: Set and Forget File Integrity Monitoring
PCI 3.1 Authorized Changes?
Why is this important?
How are Authorized Changes Determined?
Authorized Changes: What is this ITIL thing?
1. IT Best Practices
2. System Changes Best Practices
• Change Windows
• Change Management Ticketing Systems
• Test Environments
Phase 1 – Stabilize Patient, Modify First Response
Almost 80% of outages are self-inflicted. The first step is to control risky changes and reduce MTTR (mean time to repair) by addressing how changes are managed and how problems are resolved.
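Answering "was this change authorized?" is the step a set-and-forget FIM deployment skips. The following is an added example, not Tripwire's code: a baseline/current hash diff reconciled against change tickets that carry approved change windows and path patterns. The ticket id, paths, hashes and timestamps are all constructed sample data.

```python
# Added example, not Tripwire's code: reconcile detected file changes with
# approved change tickets, the step a "set and forget" FIM deployment skips.
import hashlib
from datetime import datetime, timezone
from fnmatch import fnmatch

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def detect_changes(baseline: dict, current: dict) -> list:
    """Diff two {path: sha256} snapshots into (path, kind) tuples."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "removed"))
        elif path not in baseline:
            changes.append((path, "added"))
        elif baseline[path] != current[path]:
            changes.append((path, "modified"))
    return changes

def reconcile(changes: list, observed_at: datetime, tickets: list) -> dict:
    """Map each changed path to the ticket id that authorizes it (path matches a
    ticket glob and observed_at falls inside its change window) or 'UNAUTHORIZED'."""
    verdicts = {}
    for path, _kind in changes:
        verdicts[path] = "UNAUTHORIZED"
        for t in tickets:
            if t["start"] <= observed_at <= t["end"] and any(fnmatch(path, g) for g in t["paths"]):
                verdicts[path] = t["id"]
                break
    return verdicts

# Constructed sample data: baseline snapshot, later snapshot, one approved ticket.
BASELINE = {"/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin no\n"),
            "/opt/pos/app.jar": sha256_hex(b"pos-build-41"),
            "/etc/passwd": sha256_hex(b"root:x:0:0::/root:/bin/bash\n")}
CURRENT = {"/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin no\n"),  # unchanged
           "/opt/pos/app.jar": sha256_hex(b"pos-build-42"),               # covered by CHG-1042
           "/etc/passwd": sha256_hex(b"root:x:0:0::/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")}  # no ticket
TICKETS = [{"id": "CHG-1042", "paths": ["/opt/pos/*"],
            "start": datetime(2016, 4, 14, 2, 0, tzinfo=timezone.utc),
            "end": datetime(2016, 4, 14, 4, 0, tzinfo=timezone.utc)}]
OBSERVED_AT = datetime(2016, 4, 14, 3, 15, tzinfo=timezone.utc)  # hypothetical scan time

def run() -> dict:
    """Return {path: verdict} for the sample data; unchanged files do not appear."""
    return reconcile(detect_changes(BASELINE, CURRENT), OBSERVED_AT, TICKETS)
```

Calling run() returns {'/etc/passwd': 'UNAUTHORIZED', '/opt/pos/app.jar': 'CHG-1042'}: the POS update is covered by an open ticket, while the extra UID 0 account in /etc/passwd is a change no ticket explains and is the one that needs a human to look at it.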
Mistake #2: Periodic PCI Assessment
Current State of PCI Affairs
Only one third sustain compliance year over year (Verizon 2015)
NEED CONTINUOUS COMPLIANCE
The Cost of Point-in-Time Compliance
[Chart: change in systems, processes, or operations plotted against time, with audit points marked]
Exceptional effort to achieve compliance results in passing an audit.
Configuration drift decreases compliance; the result is more exceptional effort.
Continuous Compliance Lowers Costs
[Chart: change in systems, processes, or operations plotted against time, comparing three approaches]
• Compliance Audit Deadline or Security Event
• Quarterly Audit Review or Security Assessment
• Continuous Security and Compliance
Lowers Cost, Increases Efficiency, Increases Security, Reduces Risk
Mistake #3: Applying only a PCI solution and not leveraging the product for Security AND IT SECURITY & COMPLIANCE AUTOMATION
[Diagram: Tripwire Enterprise Console with Detection Engine]
Audit Change (Enhanced File Integrity Monitoring): Audit Change & Assess Compliance
• Baseline critical system, configuration & content files
• Change → Change → Change → Assess Compliance
• Was it compliant? Was it authorized?
Monitored assets: Directory Services, Desktops, File Systems, Network Devices, Databases, Hypervisors, Applications
Tripwire PCI Difference
• Most proven & trusted track record
• Tripwire was written in the original spec
• Auditors know & love Tripwire
• Most robust SCM offering for PCI
• Deep change expertise
• Best of breed FIM
• Continuous compliance & highly automated, audit-ready reports
• Dedicated POS Threat Protection
• Broadest platform support
• Innovative product integrations with other providers for greater efficiency
• Best PCI expertise across the entire customer experience
Thank You!