Simplifying PCI DSS 3.2 Compliance with Preempt
If your organization handles credit cards, you are no doubt familiar with Payment Card Industry Data Security Standard (PCI DSS) compliance. PCI DSS is a set of requirements and procedures that have been established in order to strengthen security of cardholder transactions and data in order to reduce fraud. PCI DSS controls have been implemented for many years but as hackers have advanced their efforts, new requirements continue to emerge with updates to existing controls and reporting.
Meeting the 12 requirements for the PCI DSS 3.2 framework isn’t easy. Organizations need to achieve, demonstrate, and maintain compliance at all times. Not meeting requirements exposes them to liabilities and reputation.
Here are some of the ways that Preempt can help organizations with meeting a wide variety of the requirements established by PCI DSS 3.2.
Preempt allows organizations to proactively enforce policies based on identity, behavior and risk. The ability to build highly flexible policies, while also determining real-world enforcement makes Preempt uniquely capable of meeting a wide variety of requirements. Below are some of the highlights, download our full technical note here for more detail.
Build and Maintain a Secure Network and System
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Preempt provides a potential compensating control to a traditional firewall by enforcing access based on identity, role, ownership and more in addition to traditional elements such as network locations
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Preempt continuously monitors all passwords in the environment including passwords based on data from well-known breaches, password dictionaries, and vendors defaults. The system also restricts access to services based on membership, can force password changes for non-compliant passwords, and even trigger additional identity controls such as MFA based on policy.
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus programs
- Preempt provides capabilities to detect the presence of malware and intrusions by observing at the network level. By analyzing traffic, Preempt can identify deviation from normal behavior in real time, alert the owner of the account in real time, prevent the actions or challenge the account. These controls provide important protection for new malware variants that may not be recognized by endpoint security signatures.
Requirement 6: Develop and maintain secure systems and applications
- Preempt constantly monitors systems behavior in real time, and detects vulnerabilities that don’t have a patch and are commonly used to compromise accounts and steal data.. All entities are automatically scored by risk and can be controlled based on this risk score.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
- Preempt can segment and add access control to network resources based on roles, risk levels, activity, network locations and many other parameters resulting in a flexible rule base that adapts to almost any scenario. Policies can restrict access to systems and computers based on administrative and/or business roles.
Requirement 8: Identify and authenticate access to system components
- Preempt adds MFA to any network resource or application without the need to change it’s code. Various conditions can be added to the policy basing this on account attribute, risk, subnet or other parameters and applying different actions based on the goal. This achieves network segmentation which is based on identity. Preempt detects shared accounts, elevation of rights, creation of new privileged user accounts, automatically detects and tracks unused stale or dormant accounts.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
- Preempt audits all access requests to any entity on the network. This information is based on analysis of actual network traffic and is thus not subject to log manipulation by an attacker. The solution also detects any changes to AD accounts, creation of new accounts, rights elevation and other types of events. Preempt monitors access activity and constantly process this data to detect security events such as excessive access, anomalous access, activity from abnormal network locations and or geographical locations, detection of attack tools and much more.
Requirement 11: Regularly test security systems and processes
- Preempt continuously assess the network configuration for known vulnerabilities such as weak passwords, exposed passwords in the sysvol, uses of suspicious protocol implementations, stealthy admins, new accounts, use of path the hash and other logical vulnerabilities. This information can be used to augment the scanning reports from traditional vulnerability scanners, which don’t monitor for these issues. Preempt can be used as a continuous prevention and detection solution which goes beyond the common attack vectors detected by a signature based solutions. This includes compromises of accounts with Pass the Hash, Pass the Ticket, Forged PAC, Over Pass the Hash, uses of credential spraying techniques and many more which aren’t detected by a traditional solutions
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
- Preempt continuously assesses risk of the organization as well as for individual users and entities. Preempt automatically classifies entities in the network based on role, use and many other parameters which allow the organization map the critical assets and set policy on them. Preempt also enables setting human authorizers for accounts – this means that when authorized account try to access specific environment the approval process can be automated and authorization must be granted explicitly.
This blog provides a short overview of how the Preempt Platform can support PCI DSS 3.2 compliance. If you have questions or would like to learn more about specific sections of the standard, requirements and controls, we encourage you to contact us and we can have you speak with one of our experts.
Posted by Heather Howland on February 9, 2018 1:21 AM