All organisations that accept and process customer payment cards are challenged to maintain and demonstrate compliance with the latest PCI Data Security Standard (DSS), known as version 3.0. However, those organisations deploying endpoint security based on detecting known malware—known in the industry as a ‘negative’ solution—have a huge blind spot, because once the malware is detected on the network, the damage has already been done.
Alternatively, trust-based security approaches—or ‘positive’ solutions—work by only permitting pre-authorised programs and files to execute. Positive security solutions are widely recognised by businesses worldwide as the best practice for locking down and protecting point-of-sale (PoS) systems, kiosks, servers and remote desktops/laptops from advanced, previously undetected threats. This article explores the key distinctions between traditional security solutions (most notably antivirus) and modern solutions for protecting endpoints from advanced threats, and how a trust-based approach can advance both compliance and security.
PCI DSS 3.0—Is A Renewed Call for Antivirus Enough?
On the heels of several major breaches at leading retailers in late 2013, the PCI Security Standards Council (PCI SSC) officially released their version 3.0 compliance standards. The effective date of version 3.0 was January 1, 2014, but existing PCI DSS 2.0-compliant vendors have until January 1, 2015 to move to the new standard. Many of the changes in version 3.0 are simply clarifications to version 2.0 requirements, such as requirement #5, which states that companies accepting payment cards must ensure that antivirus solutions are actively running on any systems handling, processing or storing personally identifiable information (PII).
However, the problem with antivirus solutions is that it has become easy for attackers with advanced programming capabilities to write custom viruses that evade traditional antivirus. An example is the so-called ‘zero-day’ attack, which exploits previously unknown vulnerabilities and leaves IT teams with no time to respond effectively.
Compliance Does Not Equal Security
Having antivirus systems in place may help companies pass compliance audits and avoid heavy fines. But antivirus solutions do not guarantee security against advanced, previously unknown types of attacks, and the costs of a breach involving this type of attack—including lost revenues, customers and brand damage—can be much higher. The reality is that advanced attacks are highly customised to the specific systems and the very data that are supposed to be the most closely regulated, from credit card data and other PII to valuable corporate IP and access control systems.
When it comes to ensuring security, compliance with industry standards will only get organisations so far. Negative security approaches, such as the reactive tactics deployed by traditional antivirus solutions, are no match for today’s advanced attacks. Recent studies have shown that advanced threats achieve a 76 percent penetration rate, even when antivirus software is up-to-date and fully functional.
The Trust-Based Model: The Key to Achieving Compliance and Security
Rather than traditional antivirus, the key to protecting against advanced threats is continuous monitoring in a trust-based model where only trusted software is allowed to run. Any exceptions to an organisation’s information processes and system policies are automatically detected and stopped in advance of executing.
This model makes it virtually impossible for an advanced attack to penetrate an environment - no matter where the information assets may reside: endpoints and servers, virtual and physical. No executable is allowed to run that is not explicitly approved or accounted for via a trusted source (determined by corporate policy).
This approach can also help organisations demonstrate that compliance measures have been put into place and are functioning, helping to mitigate the time, effort and resources involved in proving compliance. For example, automatic reporting helps ensure and document that employees are working within the corporate security policies—and serves as auditable proof of compliance. In addition, a trust-based model can help organisations proactively enhance their security by accumulating critical threat intelligence and identifying trends. And, by automating many preventative ‘manual’ operations, such as patches and antivirus library upgrades, trust-based solutions can decrease the risks of human error and the likelihood that a threat will be missed.
Leveraging the Trust-Based Approach to Support Industry Best Practices
A trust-based model is where compliance and security effectively converge. When deployed as a basis for the following best practices, trust-based solutions provide a valuable foundation for time- and resource-constrained IT teams that need to maximise their security efforts while reducing compliance costs and risks. Here are 9 ways organisations can ensure compliance with PCI DSS version 3.0:
- Understand what’s in and out of scope: Organisations need to control the costs and administrative burden of the PCI compliance validation process. One way to accomplish this is to segment infrastructure according to various relevant compliance metrics. This helps organisations more easily determine which infrastructure segments are of immediate interest within the scope of PCI compliance and streamline the processes associated with audit and data collection.
- 100 percent detection during the entire transactional process: Organisations should be able to detect transactional data point infractions in real time and stop anything from being introduced into their infrastructure that is outside of known software. This helps ensure that transactional data is protected at every stage in the process.
- Defense in depth: To meet PCI compliance requirements and ensure complete security of the enterprise, organisations need a “defense-in-depth” strategy to protect their infrastructure on multiple levels and close every window of opportunity to exploit PoS machines, store systems, workstations and servers. Defense in depth is like a home security system that deploys both a door sensor and a motion sensor to catch an intruder entering directly through the door or the window. As with defense in depth, the strength of this system is that if one mechanism doesn’t catch the threat, the other one will. For these reasons, trust-based security solutions work best when deployed across multiple layers of enterprise endpoints.
- Extend the life of critical systems: Often, organisations cannot upgrade or pay for extended support after an operating system’s end of life. There may be critical applications that won’t run on the newer operating system, or perhaps existing hardware can’t run it, or perhaps the organisation cannot afford to pay the high cost of out-of-band support. By implementing a trust-based security model, organisations can stay compliant in any end-of-life situation by getting protection from zero-day and other attacks on all servers and endpoints.
- Eliminate constant scanning in order to take back processing power: By moving to a trust-based security model comprising real-time sensors, cloud-based software reputation services and continuous monitoring, organisations can eliminate antivirus scans, which frees up processing power. In this way, performance issues for endpoints are avoided.
- Gain visibility and build measurable business intelligence around enterprise assets: By understanding and having visibility into real-time file asset inventory information, organisations can build intelligence around all of their file assets, including their prevalence, trust rating, threat, and inherited vulnerabilities. Having this high level of visibility enhances the ability to report on any asset at audit time or during pre-compliance assessment and security intelligence gathering. Anything that is deemed untrustworthy of running in the enterprise can simply be sifted out.
- Include individual file rights and approvals in trust metrics: By maintaining continuous, real-time file integrity monitoring and control, organisations can protect their critical configuration files from unauthorised changes and meet file integrity monitoring and audit trail rules. They can also better identify all suspected vulnerabilities, which helps guide smarter penetration testing.
- Protect what matters most with change control: Organisations need a full audit trail of all significant PCI data and the surrounding events associated with any attempted file alterations so auditors can quickly assess an organisation’s compliance stance and produce the necessary reporting for compliance validation. With a negative security solution, the number of changes to be monitored can represent a significant administrative burden. On the other hand, a positive security solution reduces changes to critical assets, reducing the administrative burden of compliance pre-assessment data gathering. By stopping the opportunities to change critical assets, companies can narrow the scope and track only the compelling changes to in-scope PCI-affected assets.
- Enforce and track the consumption of security policy: One way to ensure compliance across the enterprise is to put a mechanism in place that guarantees the distribution and consumption of the security policy. By implementing a solution that provides full control through policy at the endpoint, security administrators can enforce the consumption of the security policy and also track compliance with the policy in real time.
No organisation wants to be a target of an advanced threat. But the reality of today’s modern threat landscape is that each and every company that accepts and processes customer payment cards is virtually guaranteed to become the target of advanced threats.
However, compliance with the latest PCI security standards does not mean an organisation is secure. PCI compliance is only the first step in ensuring a strong security framework for all the systems that store, transmit or process critical data. Companies need to ensure they are protecting their systems adequately, while maintaining control over the risks and costs surrounding compliance and security. Fortunately, trust-based security approaches provide a valuable framework as well as a foundation for several strategies that can go a long way in ensuring both compliance and security.
By Christopher Strand, Senior Director, Compliance, Bit9