Compliance Audit Readiness · Track missing patches outside of patch window Compliance Standards...

Post on 11-Jun-2020


Compliance Audit Readiness

Bob Kral, Tenable Network Security

Agenda

• State of the Market

• Drifting Out of Compliance

• Continuous Compliance

• Top 5 Hardest To Sustain PCI DSS Requirements

– Procedural support

– “Proof”

• Communicating Business Goals, Policies, Procedures, Evidence

State of the Market

• Data breaches

• Lack of resources, abundance of reactionary cycles

• Point solution sprawl

• Difficulty communicating

• Don’t know what’s on our networks, changing IT landscape

“When organizations do not know the risks they face, serious threats are left unaddressed that could mushroom into enormous exposures.”

ISACA, A Global Look at IT Audit Best Practices

ISACA Survey

• Four of the takeaways from a recent ISACA study:

– IT changes and security are top of mind

– significant concerns about finding qualified resources and skills

– IT audit risk assessments are an absolute must

– Know your audience to communicate effectively

ISACA, A Global Look at IT Audit Best Practices

Security Professionals

• Truly continuous and comprehensive monitoring

• Better “evidence”

• Efficiencies - Do more with less

• Communication vehicles - Better communications

Compliance as a baseline

“But our viewpoint has always been that the PCI DSS is a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security.”

Verizon 2015 DBIR

Drifting Out Of Compliance

[Chart: PCI DSS compliance over time, from one Annual Assessment through an Interim Assessment (labelled 80%) to the next Annual Assessment. Source: Verizon 2015 PCI Report]

“Continuous” Rising Standard of Due Care

“Ongoing basis”

“Ongoing awareness”

“continuous reporting”

“ongoing risk-based decisions”

“continuous monitoring”

“near real time information”

“continuously conduct risk assessments”

Continuous and efficient

“Automated processes, including the use of automated support tools (e.g., vulnerability scanning tools, network scanning devices), can make the process of continuous monitoring more cost-effective, consistent, and efficient.”

NIST 800-137

Top 5 Hardest-To-Sustain PCI DSS Requirements

[Chart: five requirements with values 37%, 48%, 46%, 49% and 48%; the requirement labels were not captured in the transcript]

Default passwords

“Many system administrators, let alone users, admit to writing down and sharing privileged passwords — an unwanted but understandable behavior given how many passwords are needed across the IT estate. Unfortunately, passwords remain a critical and fundamental weak spot.”

Verizon 2015 DBIR

Password Audits

“Where’s The Sensitive Data?”

Security Metrics

Sensitive Data Audit

Mobile Users: MDM integration and passive network traffic

On-Premises Users: Scanning, sniffing and logging of endpoints

On-Premises Apps: Scanning, sniffing and logging of servers

SaaS Applications: Discovery through network and log analysis

IaaS Applications: API integration and traditional auditing

Asset Discovery

Anti-virus audit

Anti-Virus Agent Detection: Ensure 100% of your desktops are protected by malware defense

Audit Anti-Virus Signatures: Ensure the latest malware signatures are deployed to 100% of your systems

Email and Internet Defenses: Ensure proxy, sandbox, IPS & next-gen firewalls are deployed correctly

Malware Defenses

Firewall audit

Regulatory Compliance: Instrument testing for PCI, FISMA, NIST & more

Compliance Best Practice: Implement new continuous monitoring best practices

Audit Defenses: Ensure firewalls, malware defenses & monitoring are enabled

Audit Configurations

“Scan, patch, verify, . . .”

“a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than “fire drills” attempting to patch particular systems as soon as patches are released.”

Verizon 2015 DBIR

Patching Audit

Measure Patch Windows: Track how long vulnerabilities live before mitigation

Compare Patch Rates: Report patch rates for groups, technologies & locations

Audit Accepted Risk: Analyze which vulnerabilities won’t be fixed

Find Recurring Vulnerabilities: Software updates can re-introduce fixed security issues

Track Patch Logs: See in real time when software is installed

Vulnerability Life Cycle
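The patching-audit metrics listed above, worked through on a constructed scan history (example code added here; it is not from the slides or from Tenable's products): vulnerability age, open findings outside their patch window, per-group patch rates, and findings that recur after a fix. The severity windows, host names, group names and VULN-* ids are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Remediation deadlines in days from first detection, by severity (constructed policy values).
PATCH_WINDOW_DAYS = {"critical": 30, "high": 60, "medium": 90}
@dataclass
class Finding:
    host: str
    vuln: str                 # scanner check id; placeholder values below
    severity: str
    group: str                # location or technology used to compare patch rates
    first_seen: date
    fixed_on: Optional[date] = None
    accepted_risk: bool = False
    reappeared_on: Optional[date] = None   # same vuln seen again after the fix

def days_open(f: Finding, asof: date) -> int:
    """Age of a vulnerability: detection until fix, or until the report date if still open."""
    end = f.fixed_on if f.fixed_on and f.fixed_on <= asof else asof
    return (end - f.first_seen).days

def outside_patch_window(findings, asof):
    """Open findings older than their severity's window; accepted risk is excluded."""
    return [f for f in findings if f.fixed_on is None and not f.accepted_risk
            and days_open(f, asof) > PATCH_WINDOW_DAYS[f.severity]]

def patch_rate_by_group(findings, asof):
    """Fraction of findings per group fixed inside the window (accepted risk excluded)."""
    totals, on_time = defaultdict(int), defaultdict(int)
    for f in findings:
        if f.accepted_risk:
            continue
        totals[f.group] += 1
        if f.fixed_on and days_open(f, asof) <= PATCH_WINDOW_DAYS[f.severity]:
            on_time[f.group] += 1
    return {g: round(on_time[g] / totals[g], 2) for g in totals}

def recurring(findings):
    """Findings fixed and later seen again, e.g. re-introduced by a software update."""
    return [f for f in findings if f.fixed_on and f.reappeared_on and f.reappeared_on > f.fixed_on]

FINDINGS = [  # constructed scan history for illustration
    Finding("pos-01", "VULN-A", "critical", "retail-store", date(2020, 3, 1), date(2020, 3, 20)),
    Finding("pos-02", "VULN-A", "critical", "retail-store", date(2020, 3, 1)),   # still open, overdue
    Finding("db-01", "VULN-B", "high", "datacenter", date(2020, 4, 10), date(2020, 5, 1)),
    Finding("db-02", "VULN-C", "medium", "datacenter", date(2020, 1, 5), accepted_risk=True),
    Finding("web-01", "VULN-D", "high", "datacenter", date(2020, 2, 1), date(2020, 2, 15), reappeared_on=date(2020, 5, 3)),
]
ASOF = date(2020, 6, 11)
```

Accepted-risk findings (db-02) are kept out of both the overdue list and the patch-rate denominator so that they can be reported on their own, as the Audit Accepted Risk item describes.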

Patch Window: Track missing patches outside of patch window

Compliance Standards: Audit security policy against PCI, NIST, HIPAA & more

Insider Threat: Monitor authentication logs to identify abuse

Incident Response: Leverage system, network & logs to hunt malware

Malware Defenses: Identify systems without malware defenses

Reporting & Analytics

Audit Readiness

[Diagram: one Business Goal at the top, supported by several Policies, each with its Procedures and Evidence beneath]

Policies Support Goals

2. Greater than 75% of systems identified by passive asset classification have also been evaluated by active device scanning.

[Diagram: Business Goal with its Supporting Policies]

Conversation and Collaboration

• What’s realistic to expect?

• How many sensitive systems do we have?

• How many transient hosts do we have?

• How many of those hosts have we not seen before?

• Are some of these hosts candidates for agents?

Policy

Greater than 75% of systems identified by passive asset classification have also been evaluated by active device scanning.
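One way to measure the policy stated above, added here as an example rather than anything from the slides or from Tenable's tooling: passive and active records are matched by IP address (an assumption that weakens under DHCP churn), and uncovered hosts seen on only a day or two are reported as the transient "candidates for agents" raised in the collaboration questions. The transient cut-off and all addresses are constructed.

```python
from collections import defaultdict
from datetime import date

COVERAGE_THRESHOLD = 0.75      # policy from the slide: more than 75% must also be actively scanned
TRANSIENT_MAX_DAYS_SEEN = 2    # assumed cut-off for calling a passively seen host "transient"

def passive_inventory(observations):
    """Collapse passive sightings (ip, day) into ip -> number of distinct days the host was seen."""
    days = defaultdict(set)
    for ip, day in observations:
        days[ip].add(day)
    return {ip: len(d) for ip, d in days.items()}

def coverage_report(passive_obs, actively_scanned):
    """Share of passively classified systems that an active scan has also evaluated."""
    inv = passive_inventory(passive_obs)
    scanned = set(actively_scanned)
    uncovered = sorted(ip for ip in inv if ip not in scanned)
    ratio = (len(inv) - len(uncovered)) / len(inv) if inv else 0.0
    return {
        "passive_total": len(inv),
        "coverage": round(ratio, 2),
        "meets_policy": ratio > COVERAGE_THRESHOLD,
        "uncovered": uncovered,
        # Transient hosts that a scheduled scan keeps missing: the slide's "candidates for agents".
        "agent_candidates": [ip for ip in uncovered if inv[ip] <= TRANSIENT_MAX_DAYS_SEEN],
        # Actively scanned but never seen passively: outside this policy's denominator.
        "active_only": sorted(scanned - set(inv)),
    }

# Constructed passive sightings (ip, day observed) and active scan targets.
PASSIVE = [
    ("10.0.1.10", date(2020, 6, 1)), ("10.0.1.10", date(2020, 6, 2)), ("10.0.1.10", date(2020, 6, 3)),
    ("10.0.1.11", date(2020, 6, 1)), ("10.0.1.11", date(2020, 6, 3)),
    ("10.0.1.12", date(2020, 6, 2)),                                  # seen once: transient
    ("10.0.2.20", date(2020, 6, 1)), ("10.0.2.20", date(2020, 6, 2)),
    ("10.0.2.21", date(2020, 6, 1)), ("10.0.2.21", date(2020, 6, 2)), ("10.0.2.21", date(2020, 6, 3)),
]
ACTIVE = ["10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.9.99"]
```

With these inputs three of five passively seen hosts were actively scanned (60%), so the policy is not met; 10.0.2.21 is a persistent host that simply needs adding to the scan scope, while 10.0.1.12 is the transient one worth an agent.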


Thank You

Bob Kral, rkral@tenable.com


Compliance Reporting · Audit Checks · Content Audits