Compliance Solutions with a Budget in Mind




- Complex, expensive PCI requirements
- Tools to aid in meeting these requirements
- These tools will cost you exactly

Open Source / Free Caveats
- May require more technical expertise
- Not covered under any SLA
- At the mercy of the developer group
- Active development may slow
- Support may be harder to source
- Can have more features, but may be less polished
- May at any point be bought by a for-profit organization
- May be more secure, and will most likely have deeper source code review

The Requirements for Today
- 6.6: Web application firewall
- 8.3: Two-factor authentication
- 10.2.(2, 3, 4, 5, 6, 7): Auditing, logging, monitoring cardholder data access
- 10.5.(2, 3, 5, 6): Log security (who watches the watchers)
- 11.2.1: Internal vulnerability scanning
- 11.4: Intrusion detection / prevention
- 11.5: File integrity monitoring

The interwebs: the least trusted network (PCI-DSS Requirement 6.6)

The interwebs: the least trusted network (PCI-DSS Requirement 6.6): mod_security
- Open-source, but owned by a corporate entity
- Works on all three major webservers: IIS, Apache, nginx
- Signature (rule) based
- Commercial rules/support available
- Most widely deployed

The interwebs: the least trusted network: WebKnight
- Open-source
- Works on IIS / Windows only
- Operates as an ISAPI filter (low overhead)
- Filter based
- Rules do not require frequent updating
- Can catch unknown attacks
- Historically well maintained

The interwebs: the least trusted network: naxsi (Nginx Anti XSS & SQL Injection)
- Open-source OWASP project
- Works on nginx only
- Filter based: looks for unusual characters in raw requests
- Whitelist based on learning-mode initialization
- Also works out of the box

Installing NAXSI

    user@webserver$ sudo aptitude install nginx-naxsi

Installing NAXSI

NAXSI Demo
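An added nginx configuration (not from the talk or the naxsi project) showing the two phases the naxsi slide describes: run with LearningMode on first so naxsi only logs what it would have blocked, then drop LearningMode and enforce, with a whitelist for the false positives the learning run surfaced. The upstream name app_backend and the whitelisted parameter q are assumptions.

```nginx
http {
    # Core signature set shipped by the nginx-naxsi package (Debian path).
    include /etc/nginx/naxsi_core.rules;

    upstream app_backend { server 127.0.0.1:8080; }   # assumed application

    server {
        listen 80;

        location / {
            SecRulesEnabled;
            # Phase 1: uncomment LearningMode, exercise the application normally,
            # and read the NAXSI_FMT lines in the error log; nothing is blocked yet.
            # LearningMode;
            DeniedUrl "/RequestDenied";

            # Phase 2: enforce. Each matched core rule adds to a named score;
            # a request is blocked once a score reaches its CheckRule threshold.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Whitelist derived from the learning-mode log: core rules 1000
            # (SQL keywords) and 1001 (double quote) are allowed only in the
            # GET/POST argument named "q" (assumed free-text search field).
            BasicRule wl:1000,1001 "mz:$ARGS_VAR:q";

            proxy_pass http://app_backend;
        }

        # Blocked requests are internally redirected here.
        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

Keep the whitelist narrow (one rule id, one match zone) so the learning phase does not silently turn into an allow-everything policy.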

Your phone: not just for Angry Birds anymore (PCI DSS Requirement 8.3)
- Two-factor authentication using google-authenticator
- Works on iOS, Android and even BlackBerry
- Uses industry-standard TOTP and HOTP codes
- PAM (pluggable authentication module) for GNU Linux / SSH access
- Key provisioning via QR code
- Requires mobile security policy / BYOD may increase complexity
- Hardware tokens / FOBs are available

google-authenticator DEMO

The Bane of Malware: FIM (PCI DSS Requirements 10.2.x, 10.3.x, 10.5, 10.6, 11.5): OSSEC (Open Source SECurity)
- Host-based intrusion detection with log analysis, file integrity monitoring, alerting, active response
- Works on Windows, GNU Linux, most *nix, ESX, Mac OS X
- Supports network devices via syslog
- DB monitoring for MySQL, PostgreSQL (Oracle, MSSQL coming soon)
- Can also monitor individual application logs
- Generates reports and alerts based on logged behavior
- Owned by a corporate entity
- Active development
- Configuration is very simple
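An added ossec.conf fragment (not from the talk or the OSSEC project) showing the syscheck section that gives the file integrity monitoring for Requirement 11.5; the monitored paths are assumptions for a typical web host.

```xml
<ossec_config>
  <syscheck>
    <!-- Full scan interval in seconds (2 hours). -->
    <frequency>7200</frequency>

    <!-- System binaries and config: check every attribute and hash, and use
         realtime (inotify) so a change alerts without waiting for the scan. -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>

    <!-- Assumed web root: also keep a diff of what changed in text files,
         which is what you want when reviewing an alert on a cardholder-facing app. -->
    <directories check_all="yes" report_changes="yes">/var/www/html</directories>

    <!-- Noisy, constantly rewritten files. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>

    <!-- Alert on files that appear, not only on files that change. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
```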

Find them before they do: your vulnerabilities (PCI DSS Requirement 11.2.1): OpenVAS
- Fork of the last open-source Nessus
- Signature-based vulnerability scanner
- Two options for signatures:
  - OpenVAS community (free) Network Vulnerability Tests (NVTs): 33k tests as of Dec 2013
  - Greenbone Security Feed: commercial NVTs with SLA
- Vulnerability tracking built in

One Tool to Rule Them All (PCI DSS Requirement: many): Security Onion
- Linux distro based on Ubuntu
- Many open-source tools baked in: Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many others
- Tools pre-configured to play nicely (this is huge)
- Active development
- No corporate entanglements (yet); also means no SLAs available
- Incorporates other tools presented in this talk: OSSEC, NAXSI, OpenVAS
- Can be used as the heart of your Security Operations Center (SOC)

Security Onion DEMO
- Show all tools from this demo integrated and showing alerts
- Demo other features of included software

References
- Naxsi: OWASP page: https://www.owasp.org/index.php/owasp_naxsi_project ; Source: https://github.com/nbs-system/naxsi
- WebKnight: http://www.aqtronix.com/?pageid=99
- mod_security: http://www.modsecurity.org/
- Google-authenticator: Source / Docs: https://code.google.com/p/google-authenticator/ ; Play Store: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
- OSSEC: http://www.ossec.net/
- OpenVAS: http://www.openvas.org/
- Security Onion: Docs / Blog: http://blog.securityonion.net/ ; Docs / wiki: https://code.google.com/p/security-onion/wiki/installation
- PCI-DSS: https://www.pcisecuritystandards.org/security_standards/documents.php?agreements=pcidss&association=pcidss

Contact: Erich Ficker. Email: erich@aerissecure.com. Twitter: @eficker. LinkedIn: http://www.linkedin.com/in/eficker