Traps PCI Compliance
Compensating Controls for Increased Security and Prevention of Advanced Threats

Palo Alto Networks: Traps PCI Compliance

Executive Summary

The theft of credit card data continues to grow at an alarming rate. Not only is it costly to credit card companies and merchants, but it undermines consumer confidence. In response, the Payment Card Industry has developed the PCI Data Security Standard (PCI DSS), which includes 12 requirements for protecting cardholder data. Despite substantial investments made in securing their networks, organizations are realizing that being PCI compliant does not mean an enterprise is protected against advanced cyberattacks.

Palo Alto Networks® Traps Advanced Endpoint Protection is an innovative endpoint protection technology that prevents exploits and malware, both known and unknown. Because PCI DSS was established before advanced endpoint protection technology existed, the standard still calls for outdated anti-virus scanning techniques without any ability to prevent unknown exploits. Despite this fact, companies focused not only on compliance but also on a strong security posture are finding that Traps can be employed as a highly effective compensating control that not only meets, but also exceeds, the original PCI DSS requirement, resulting in a much stronger security and compliance posture.

For example, prior to Traps technology, patching was the only way to ensure protection from known vulnerabilities, and there was no reliable method to protect systems from unknown vulnerabilities or those with no available patch. The availability of Traps allows PCI system operators to significantly enhance security and exceed PCI DSS requirements by not only eliminating known vulnerabilities, but also protecting systems from exploitation of unknown vulnerabilities.

Global Threat of Credit Card Fraud

Total global payment-card fraud losses were $11.3 billion in 2012, up nearly 15 percent from the prior year, according to The Economist.
The United States—the only country in which counterfeit-card fraud is consistently growing—accounted for 47 percent of that amount, according to the Nilson Report: card issuers lost $3.4 billion and merchants lost another $1.9 billion.

As remote workforces tap in from points around the globe and enterprise borders dissolve, companies are becoming more difficult to protect. Add in the growing sophistication of global attackers and it’s clear that the number of threats and their potential costs are spiraling out of control. The good news is that recent technology developments have given rise to a new focus on threat prevention, instead of threat detection and remediation. While innovative technologies like Palo Alto Networks Traps work to proactively prevent exploits and malware, they are not yet specifically recognized as security or control techniques as defined by PCI DSS, so broader awareness and adoption are needed. Traps is a new, proven technology that can be used effectively as a compensating control to provide added defense and enhance a company’s security posture.

Traps Overview

Traps is an advanced endpoint protection solution that prevents advanced attacks originating from executables, data files or network-based exploits, known and unknown, before any malicious activity can successfully run. If an attack attempt is made, Traps will immediately block the attempt, terminate the process, and notify both the user and the administrator that an attack was thwarted. Whenever a block does occur, Traps collects detailed forensics, including the offending process, the memory state when it was prevented, and many other details, which are reported to the Endpoint Security Manager (ESM). By employing Traps as a compensating control, organizations can not only meet PCI requirements, but far exceed compliance provisions through its automated and near-instantaneous security controls for endpoint protection.
When Traps is deployed with the Palo Alto Networks market-leading next-generation firewall to form an integrated Enterprise Security Platform, it supports PCI compliance in three ways:

• By providing an incomparably robust set of capabilities for micro-segmentation of the cardholder data environment (CDE) and effectively reducing the scope of all related compliance activities.
• By enabling security and compliance teams to simultaneously satisfy numerous individual requirements with a single, tightly integrated solution.
• By going above and beyond the minimum requirements to not only provide more effective protection against today’s threats, but also deliver a future-proof solution capable of meeting PCI DSS requirements even as they continue to evolve.

How Exploit Prevention Works

Many advanced threats work by placing malicious code in a seemingly innocuous data file. When the file is opened, the malicious code leverages a vulnerability in the native application used to view the file, and the code executes. Because the application being exploited is allowed by IT security policy, this type of attack will bypass whitelisting controls (see Appendix 2).

What sets Traps apart is that it focuses on the core techniques used by all exploits. Although there are many thousands of exploits, they all rely on a small set of core techniques that change infrequently. Furthermore, each exploit needs to use a series of those techniques in order to be successful. Traps renders these techniques ineffective by breaking that chain and blocking the technique the moment it is attempted. The Traps agent injects itself into each process as it is started. If the process attempts to execute any of the core attack techniques, the corresponding Exploit Prevention Module (EPM) prevents that exploit, kills the process, and reports all of the details to the Endpoint Security Manager.
[Figure 1: Traps blocks a core set of techniques to stop advanced attacks before they happen. The figure shows the sequence: a PDF document is opened by the user; Traps, seamlessly injected into the process, traps the exploit attempt and the process is protected; Traps triggers immediate actions (the process is terminated, forensic data is collected, the user/admin is notified, and the event is reported to the ESM); the attack is blocked before any successful malicious activity.]

The collection of detailed forensics and reports by the Endpoint Security Manager results in better visibility and an understanding of attacks that were prevented.

Malware Prevention

In addition to preventing exploits hiding in data files, Traps employs a comprehensive approach to the prevention of malicious executables. Malicious executables can be inadvertently downloaded and run by users without their knowledge. In order to prevent executable malware, Traps focuses on core techniques, as it does for exploits embedded in data files, plus two additional methods: policy-based restrictions and integration with the WildFire™ threat intelligence cloud. When combined, these methods offer unparalleled malware prevention. The process works as follows:

1. Policy-Based Restrictions: Organizations can easily set up policies restricting specific execution scenarios.
2. WildFire Inspection: Traps queries the WildFire threat cloud with a hash to assess the file’s standing within the global threat community.
3. Malware Techniques Mitigation: Traps implements technique-based mitigations that prevent attacks by blocking techniques such as thread injection.

Traps is an integral part of the Palo Alto Networks Enterprise Security Platform, which provides unparalleled protection of cardholder data.
It includes network segmentation capabilities, application and user identification, advanced threat prevention, and coverage for multiple PCI requirements, resulting in a level of protection for cardholder data that goes beyond the baseline capabilities specified in the PCI DSS.

Traps Advanced Endpoint Prevention: Compensating Controls for PCI Compliance

According to the Verizon 2014 PCI Compliance Report, payment card data remains one of the easiest types of data to convert to cash—which is why 74 percent of attacks on retail, accommodation, and food services companies target precisely this type of information. Organizations are challenged to meet PCI DSS compliance commitments, and oftentimes there may be areas where they are unable to meet requirements. Many companies are not aware of the fact that if an organization is unable to meet the requirements as they are explicitly written, compensating controls may be used to comply with PCI DSS standards, with the added benefit of achieving higher levels of security than prescribed. According to the PCI Security Standards Council, these are the criteria for a compensating control:

“Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
1. Meet the intent and rigor of the original stated PCI DSS requirement;
2. Provide a similar level of defense as the original PCI DSS requirement;
3. Be ‘above and beyond’ other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.”

Compensating controls can play a critical role in building a strong security program.
For example, in order to protect payment card information wherever it is collected or stored, Traps can be employed as a highly effective compensating control that not only meets the original PCI DSS requirement, but goes above and beyond what is mandated.

Strengthening Security and Compliance Posture with Traps

Palo Alto Networks Traps provides Advanced Endpoint Protection to support organizations in their efforts to achieve PCI compliance. Traps is an integral part of the Palo Alto Networks Enterprise Security Platform, which also includes a next-generation firewall and the WildFire threat intelligence cloud. Working in concert, this platform provides comprehensive compliance capability as summarized in the table below. [Note: See Appendix 1 for additional details on how the Palo Alto Networks Enterprise Security Platform addresses PCI security requirements.] While every scenario will be different, below are a few examples showing the use of compensating controls to meet specific PCI requirements.
Compliance Capabilities (PCI DSS Requirements v3.0, mapped against Next Gen FW, WildFire and Traps)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a security policy that addresses information security for all personnel

Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data (Sub-Requirements 1.3.5, 1.4)

While this PCI requirement category focuses on firewall protection, Traps does provide a capability to recognize and prevent an exploit from launching with the intent of collecting or sending unauthorized outbound traffic from the data environment or changing the personal firewall configuration on end devices. This capability, when combined with Palo Alto Networks next-generation firewalls, provides an organization with a solution that explicitly meets additional sub-requirements.

The Palo Alto Networks portfolio of hardware and virtual next-generation firewalls enables definitive least-privilege access control (i.e., deny all applications, users, and content except for that which is necessary) for all networks involving cardholder data.
Palo Alto Networks supports all sub-requirements pertaining to DMZ implementations intended to prohibit direct public access between the Internet and any CDE system.

Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters (Sub-Requirements 2.2.2, 2.2.3, 2.2.4, 2.2.5)

The intent behind Requirement 2 is to implement sufficient preventive controls to reduce the attack surface. These controls include changing vendor passwords; enabling only necessary services, protocols and daemons; and removing unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and web servers. For a relatively complex cardholder data environment, there are potentially thousands of instances in which unnecessary services, unnecessary functionality, and unsecure services could operate. Furthermore, unknown vulnerabilities in services that have been deemed necessary can be exploited, resulting in a security breach. Given the many threat vectors and attack points, the chance of these preventive controls breaking down is very high. As a result, organizations face elevated risks, since it only takes one unsecure service to be running for a well-crafted attack to compromise a system.

Traps provides an automated preventive control capability to reduce risks associated with threat vectors or attack points. The unique approach employed by Traps ensures that even if unnecessary services are running, vulnerabilities in those services cannot be exploited. Traps will block the exploit technique and prevent any malicious activities from occurring. Insightful forensic evidence is collected to support incident response processes or further investigative activities. With Traps operating in the CDE, organizations can reduce their risk to a level more in line with the business’ risk tolerance position.
Requirement 3: Protect Stored Cardholder Data (Sub-Requirements 3.6.2, 3.6.3, 3.6.7)

This requirement focuses on reducing the amount of cardholder data stored and ensuring that stored data is appropriately masked and encrypted. Despite rigorous encryption techniques, the cardholder data must often exist in an unencrypted state in memory, which has become a frequent point of attack. Furthermore, encryption keys must be properly protected, which poses challenges for many businesses. Not only do businesses need to store, protect, back up and track keys, they must also deal with interoperability issues, a lack of management standards, and multiple locations where encryption is employed, whether endpoint devices, databases, or storage systems. Given these management challenges, encryption alone may be sufficient to meet compliance requirements, but often does not provide adequate security for cardholder data. Compromising the storage and distribution of encryption keys or making unauthorized key substitutions places the organization at risk. Furthermore, encryption alone does not protect against malware that scrapes the unencrypted cardholder data from memory.

Traps prevents exploits and malware from launching malicious code that would try to compromise encryption keys or cardholder data. By preventing exploits and malware, businesses are in a better position to protect stored cardholder data and the related encryption keys. If key management processes do break down, Traps provides an effective compensating control for PCI DSS Section 3.6.

Requirement 5: Use and Regularly Update Anti-Virus Software or Programs (Sub-Requirements 5.1, 5.1.1, 5.2, 5.3)

Traditional anti-virus/anti-malware (AV/AM) software has varying degrees of effectiveness.
AV/AM software is designed to detect and remove malicious software from a system before it disrupts computer operation, gathers sensitive information, or gains access to a system or application. However, these tools have been shown to detect only a fraction of the advanced attacks targeting cardholder data environments. AV/AM identification techniques, whether signature-based, heuristic-based, or behavioral-based, have known limitations, such as a lack of timely protection against new attacks, potential system performance impacts, and a potentially high rate of false positives. Also, security operations teams are simply overwhelmed by the sheer volume of malware attacks. As a result, the probability is extremely high that malware and exploits will bypass traditional AV/AM products.

Traps uses an innovative approach to prevent malware and exploits from wreaking havoc and can run alongside traditional AV/AM software. Instead of focusing on the millions of individual attacks themselves, Traps is designed to proactively stop all attacks targeting endpoints by automatically blocking a core set of techniques that every attacker must link together in order to execute an exploit. Traps also integrates with the WildFire threat intelligence cloud, leveraging real-time threat intelligence from thousands of WildFire customers. The efficacy of the anti-exploit and anti-malware capabilities employed by Traps far exceeds traditional AV/AM products. However, since the requirements still call for obsolete techniques like periodic AV scanning, Traps will be considered a compensating control for this requirement until the regulation is updated to reflect the current state of technology. Some customers will choose to run Traps alongside a free AV solution supplied by the OS vendor in order to maximize both security and compliance.
Requirement 6: Develop and Maintain Secure Systems and Applications (Sub-Requirements 6.2, 6.4)

Within organizations, software vulnerabilities are discovered at an alarming rate. Patches become available after the vulnerability has been in existence for months or years, and they inevitably take time to thoroughly test and deploy. PCI DSS requires both prompt remediation of critical software vulnerabilities (Section 6.2) and responsible testing and change management (Section 6.4). These can be conflicting priorities in some circumstances. Furthermore, patches are merely an after-the-fact remedy for a risk that has likely been in place for a long period of time. Exploit and malware prevention is the only true preventive control.

An organization running Traps on the critical systems in scope for PCI is in a very different position from most organizations. Although the standard only requires protection from known vulnerabilities, an organization running Traps is also protected from unknown vulnerabilities and should develop a vulnerability risk assessment policy that reflects this enhanced environment. In particular, patches that would be deemed “critical” for most organizations may not be “critical” for an organization running Traps. This is because an assessment of whether the vulnerability poses “an imminent threat to the environment” would result in a determination that the system is actually not vulnerable due to Traps protection. Given that Traps provides comprehensive protection from exploitation of vulnerabilities, both known and unknown, it exceeds the core PCI requirement, albeit using a method not prescribed by the standard.
[Figure 3: Exploit and malware prevention provide broader risk reduction than patching alone. The timeline marks the milestones Software Deployed, Vulnerability Discovered, Exploits Begin, Public Announcement of Vulnerability, Patch Released and Patch Deployed, and contrasts the span “Protected by Traps Exploit and Malware Prevention”, which covers the whole timeline, with the shorter span “Protected by Vendor Patch”, which begins only once the patch is deployed.]

As shown on the timeline above, vulnerabilities exist from the time the software is put into use. From that point until a patch is installed, the system is at risk. By implementing the exploit and malware prevention in Traps, this risk is virtually eliminated. This makes Traps the ideal compensating control for PCI DSS Section 6.2.

Conclusion

With data breaches on the rise, it’s clear that simply being PCI DSS compliant does not guarantee protection of sensitive cardholder data. Organizations are realizing that if they cannot meet PCI DSS requirements as stated, compensating controls are an effective way to meet and exceed PCI requirements while improving security posture. In this regard, Palo Alto Networks Traps Advanced Endpoint Protection, working together with the Enterprise Security Platform, is an invaluable solution that delivers:

• Definitive, least-privilege access control and other essential security capabilities for effectively segmenting off the cardholder data environment and thereby reducing the scope and cost of achieving PCI DSS compliance;
• Support for a considerable cross-section of the PCI DSS requirements; and,
• Capabilities that go above and beyond the standard’s baseline specifications to more thoroughly protect cardholder data—and the remainder of an organization’s computing environment—from the latest generations of unknown malware and advanced threats.

For more information regarding the Palo Alto Networks Enterprise Security Platform and its component technologies, please visit www.paloaltonetworks.com.
Appendix 1: PCI Security Requirements Supported by Palo Alto Networks Enterprise Security Platform

The Palo Alto Networks Enterprise Security Platform is an integrated, next-generation solution that is designed from the ground up to reduce an organization’s attack surface and prevent the most sophisticated cyberattacks from achieving their objectives. It is comprised of three core elements: a Next-Generation Firewall, Threat Intelligence Cloud and Advanced Endpoint Protection. The table below outlines how the Palo Alto Networks Enterprise Security Platform supports many of the individual requirements specified in the PCI DSS.

REQUIREMENT 1: Install and maintain a firewall configuration to protect cardholder data
Supported sub-requirements: 1.2, 1.2.1, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4
Description of capabilities: Palo Alto Networks next-generation firewall and network products support all sub-requirements pertaining to DMZ implementations intended to prohibit direct public access between the Internet and any CDE system. The Palo Alto Networks Traps Advanced Endpoint Protection prevents an exploit from executing unauthorized processes used to extract data from any CDE system.

REQUIREMENT 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Supported sub-requirements: 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3
Description of capabilities: All components of the Palo Alto Networks Enterprise Security Platform require user authentication, and implement strong encryption for all non-console and remote administration sessions, whether the component is accessed directly or via the corresponding central management system. Traps’ technique mitigation engine provides an excellent preventive control to identify and block malicious activities when existing controls (such as removing unnecessary or unsecure services) fail.

REQUIREMENT 3: Protect stored cardholder data
Supported sub-requirements: 3.6.2, 3.6.3, 3.6.7
Description of capabilities: Traps prevents exploits and malware from launching malicious code that would try to compromise encryption keys while stored or being distributed.

REQUIREMENT 4: Encrypt transmission of cardholder data across open, public networks
Description of capabilities: Standards-based IPSec VPNs are supported for secure site-to-site connectivity, while GlobalProtect delivers secure remote access for individual users via either an SSL or IPSec-protected connection. With its unique application, user, and content identification technologies, the Palo Alto Networks solution is also able to thoroughly and reliably control the use of potentially risky end-user messaging technologies, e.g., email, instant messaging, and chat, down to the level of individual functions such as those that allow messages but disallow attachments and file transfers.

REQUIREMENT 5: Protect all systems against malware and regularly update anti-virus software or programs
Supported sub-requirements: 5.1, 5.1.1, 5.2, 5.3
Description of capabilities: The Palo Alto Networks Traps Advanced Endpoint Protection provides a much-needed complement to legacy anti-virus solutions that are largely incapable of providing protection against unknown malware, zero-day exploits, and advanced persistent threats (APTs).

REQUIREMENT 6: Develop and maintain secure systems and applications
Supported sub-requirements: 6.2, 6.3, 6.5, 6.6
Description of capabilities: As a fully application-aware solution, the Palo Alto Networks Enterprise Security Platform is capable of preventing a wide range of application-layer attacks that have, for example, taken advantage of improperly coded or configured web apps.

REQUIREMENT 7: Restrict access to cardholder data by business need to know
Supported sub-requirements: 7.2, 7.2.1, 7.2.3

REQUIREMENT 8: Identify and authenticate access to system components
Supported sub-requirements: 8.1, 8.1.1, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6, 8.7
Description of capabilities: Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout following a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smartcards.

REQUIREMENT 9: Restrict physical access to cardholder data
Supported sub-requirements: n/a
Description of capabilities: n/a

REQUIREMENT 10: Track and monitor all access to network resources and cardholder data
Supported sub-requirements: 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3
Description of capabilities: The Palo Alto Networks Enterprise Security Platform maintains extensive logs/audit trails for WildFire, configurations, system changes, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile (HIP) matches. The solution also supports both daily and periodic review of log data with both native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party solutions (including popular security event and information management systems, such as Splunk). Traps records endpoint activity, including processes launched and the user name for each process launched.

REQUIREMENT 11: Regularly test security systems and processes
Supported sub-requirements: 11.3.3, 11.4, 11.5
Description of capabilities: The Palo Alto Networks Enterprise Security Platform fully inspects all allowed communication sessions for threat identification and prevention. A single unified threat engine delivers NSS Labs Recommended intrusion prevention (IPS), stream-based anti-virus prevention, and blocking of unapproved file types and data. Traps, along with the cloud-based WildFire engine, extends these capabilities further by identifying new or modified files in order to prevent unknown and targeted malware and exploits.

REQUIREMENT 12: Maintain a security policy that addresses information security for all personnel
Supported sub-requirements: n/a
Description of capabilities: n/a

Appendix 2: Why Whitelisting Alone Cannot Prevent Advanced Threats

Many new products have been developed in attempts to combat the increasingly sophisticated and targeted threats facing organizations today. One approach taken by some products is application whitelisting. This approach is based on the premise that if you create a list of applications that are specifically allowed and then prevent any other file from executing, you can achieve maximum protection for the endpoint. While this basic functionality can be useful to reduce the attack surface, it is by no means a comprehensive approach to endpoint security. Attackers will circumvent application whitelisting by exploiting applications that are on the approved list. Once the application has been successfully exploited, the attacker can run malicious code while keeping all of the activity in memory.
This means that no new files are created and no new executables attempt to run, rendering the whitelisting software completely ineffective against this type of attack.

Traps provides multiple layers of protection. Basic whitelisting can be done in addition to more advanced whitelist/blacklist and dynamic analysis via the WildFire threat intelligence cloud. In addition, the unique anti-exploitation capabilities of Traps will prevent exploitation of applications that are allowed to run. The combination of these techniques makes for an unparalleled approach to advanced endpoint protection.

4401 Great America Parkway, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

Copyright ©2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_WP_TPCIC_011515