Organizations have until January 2015 to meet the new requirements of the PCI Data Security Standard version 3.0. Businesses need to ensure that compliance is cyclical and proactive rather than a report pulled together just before the auditor arrives. How can a business protect its infrastructure and data on multiple levels? This article discusses strategies that can help organizations more easily achieve and maintain PCI compliance.
Achieving compliance with more stringent, dynamic, and overlapping governmental and industry regulations requires that your enterprise:
- Protect business-critical corporate information; most notably, personally identifiable information (PII).
- Maintain control over and ensure visibility into corporate information assets, from servers to widely distributed and mobile endpoints.
- Communicate your security policies and procedures with employees and partners.
These mandates are essentially the same requirements for an effective security posture. Yet, it has been shown time and again that passing compliance audits is no guarantee you are secure, whether from internal breaches (unintentional or planned malfeasance) or external attacks, such as the APT.
It falls substantially to an increasingly strapped IT department to ensure the enterprise can meet its regulatory compliance goals, as well as detect and stop threats to enterprise information.
By focusing on driving risk out of the equation and taking a more proactive and, where appropriate, automated approach to security, IT can fulfill both missions more efficiently: achieve compliance, better protect corporate information, and help meet the financial goals of the enterprise.
Compliance controls don’t make a security posture
Given that compliance and security share similar mandates, you’d expect considerable overlap in enterprise compliance and security initiatives. In actual practice, organizations continue to focus on, and budget for, meeting specific compliance controls, whereas it may be more challenging to obtain funding for new security initiatives. Frequently, initiatives to meet and pass compliance audits are crafted and maintained by teams separate from enterprise security.
Say you’ve addressed the requirements for a specific compliance regulation by deploying some basic security technology. To help satisfy PCI DSS requirements, you’ve installed encryption software and simple access controls. You may pass a PCI DSS audit, but you have not achieved an effective enterprise security posture.
Today’s advanced attacks are designed to work around these defenses—knowledge that those designing compliance strategies may not possess and may not be held accountable for in the long run. The two realms need to coordinate.
Does the company’s security posture monitor where and when encryption software is actually running? And what steps have been taken to prevent access and authorization controls from being hijacked, a common technique of the advanced attack? Valuable data and business systems remain vulnerable and, if compromised, may result in significant damages (lost business, notification requirements, penalties and fines, damage to brand, etc.).
Reactive security is no match for advanced attacks
Those responsible for designing security strategies may feel they are adequately protecting the data and systems to meet compliance regulations by using tools such as AV software and HIPS.
These tools, designed to react to known malware, are no match for the cybercriminal groups who design and implement highly advanced attacks (such the APT). Sometimes the motive is profit based (e.g., intellectual property to gain a competitive advantage or theft of PII for resale). In other cases the motive could be political: damage and disruption of business continuity in aid of hacktivist causes.
Advanced attacks are highly customized to specific systems and the very data that are supposed to be the most closely regulated, from credit card data and other PII to valuable corporate IP and access control systems.
Advanced malware targeting these valuable assets is not going to be found on any blacklist used by AV software. Recent studies showed advanced threats achieve a 76 percent penetration rate, even when AV is up to date and fully functional. Traditional AV relies on ever-larger downloaded libraries, the maintenance of which has proven to be a burden, and a continuing weak link in enterprise security. Similarly, HIPS attack-analysis information is shallow: It doesn’t reveal where malware executables were spawned or where else in the system they may reside, nor does it assess the impact on your network and correlate attack information across all of your systems.
The bottom line is that a security posture relying on reactive tools like these cannot detect and stop the advanced attack before it can execute—nor can it provide the intelligence needed to be proactive against future related attacks.
Security and compliance converge in a trust-based environment
A trust-based security strategy designed around driving risk out of enterprise systems and processes is best positioned to defend against even the most advanced attacks and, in so doing, also can achieve many compliance goals in a way that is both demonstrable and cost-effective.
In a trust-based security environment, only trusted software is allowed to run, as opposed to searching for and protecting against known malware. In a trust-based model, any exceptions to an organization’s information processes and system policies are automatically detected and stopped through continuous monitoring and automatic incidence response.
Continuous monitoring enables organizations to demonstrate that compliance measures have been put into place and are functioning. Automation built into the environment and growing threat intelligence over time helps mitigate escalating compliance costs moving forward. Automation of many preventative “manual” operations, e.g., patches and AV library upgrades, decreases the risks of human error, missing potential threats, or even introducing new vulnerabilities.
Continuous monitoring in a trust-based model makes it virtually impossible for an advanced attack to penetrate your environment no matter where the assets reside: endpoints and servers, virtual and physical. No executable is allowed to run that is not explicitly approved or accounted for via a trusted source (determined by corporate policy). Automatic reporting based on system-continuous monitoring helps ensure and document that employees are working within the corporate security policies—and serve as auditable proof that the policies have been consumed.
When choosing the right solution for your business to ensure compliance and security, don’t rely on outdated methods that can’t stop today’s advanced threats. Choose products from vendors that allow only trusted software to run in your environment so you can be confident that your data is protected and you will pass any compliance audit.