Corero Enables Much More Than 'Check Box' PCI DSS Compliance
With the explosive growth of eCommerce on the Internet, criminals moved online to steal insecure consumer information records. Credit card companies, quick to recognize the threat, created PCI DSS, a highly prescriptive blueprint for securing credit cardholder data and a strong foundation for a sound information security program.
PCI requirements can be fulfilled based on the combination of sound policy and the support of automated tools that enable compliance, secure critical customer information and mitigate business risk posed by cyber crime.
PCI DSS requires companies to protect cardholder data. Essentially, that means the primary account number (PAN), along with the cardholder name, service code and expiration date if they are stored in conjunction with card numbers (as they typically must be to be of practical business use).
The Criminal Threat
Criminals have been stealing this information since merchants took carbon copy imprints of cards on manual devices. Today, automated and/or targeted attacks can harvest millions of credit card records stored in backend databases, which are then sold on international Internet black markets or used to purchase valuable consumer products.
PCI DSS impacts companies across the business spectrum: retailers, service providers, health care organizations, financial services institutions, universities - most organizations that handle credit card transactions and are responsible for the security of their data.
The record is alarming. From the early massive breaches of tens of millions of credit and debit card numbers from Heartland Payment Systems and TJX to more recent examples, such as breaches at Sony PlayStation Network and Citigroup, businesses have been damaged and their customers victimized. PCI DSS is more than a compliance obligation; it is an effort to establish a framework for secure commerce and customer protection.
The matter goes well beyond compliance. The cost of information breaches is staggering. The Ponemon Institute reports that the average total cost of a single data breach was more than $7.2 million in 2010. These breaches do significant, sometimes irreparable, harm to the business brand and undermine customer confidence.
Cyber attackers have access to some of the smartest people and sophisticated, clever attack tools and malware. In many respects, they appear to have the upper hand in the continuous battle against security countermeasures. Attackers employ armies of infected computers (known as bots or zombies) in botnets that launch massive, automated attacks that scan enterprises for vulnerabilities and exploit them, usually to steal information.
Large and small companies alike require the best possible security solutions, both for PCI DSS compliance and to effectively reduce risk and protect their business from unacceptable and unnecessary losses.
Intrusion Prevention Requirement
The PCI DSS standard requirement 11.4 requires companies to "use network intrusion detection systems and/or intrusion prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises. IDS/IPS engines, baselines, and signatures must be kept up to date."
Companies have to do more than deploy IDS somewhere in the network to comply with this requirement. They must deploy intrusion prevention system (IPS) and/or IDS technology at the perimeter of the cardholder data environment as well as critical points inside of the cardholder data environment itself. As shown below, organizations today are deploying inline network IPS as follows:
- eCommerce defense
- Internet perimeter defense
- Point-of-sale perimeter defense
- Partner perimeter defense
- Department defense
- Cardholder data perimeter defense
The need for this type of protection has never been greater. The 2011 Verizon Data Breach Report, which analyzes some 800 breach investigations by Verizon and the U.S. Secret Service, found that nine out of 10 breaches involved external agents (a 22% increase over the 2010 report), indicating a continued, even growing need for protection against outside attacks. Half the attacks involved some type of malware (an 11% increase), again underscoring the need for improved defenses on the network.
A top-notch IPS solution can stop violations of cardholder data access policies and other attacks. This decreases the need for scarce security resources to chase after potential attacks by wading through possibly millions of events and to repair the damage successful data theft may have caused.
Corero's Intrusion Prevention System
In order to support PCI DSS compliance and protect the business against attack, Corero's IPS addresses critical information security issues, such as:
- Undesired access to credit card data and other customer information
- Malware used in the theft of sensitive information
- Denial-of-service attacks that can cripple online resources, rendering them effectively useless to customers
"Corero's IPS provides member banks, payment processors and merchants with the ability to comply with the letter of the specific PCI DSS requirement," says the CIO of a large insurance provider, "while helping them to reinforce other goals of the PCI DSS program, such as 'build and maintain a secure network,' 'protect cardholder data,' 'implement strong access control measures,' and 'regularly monitor and test networks.'"
Corero Network Security delivers the most comprehensive, most effective intrusion prevention available, detecting and blocking both known and unknown attacks without impacting network performance. Corero's IPS is a transparent, in-line security appliance that provides unmatched intrusion detection capabilities through a unique combination of protocol behavior analysis supplemented by signature-based detection.
Corero's IPS is remarkable for the lowest latency and highest reliability of any IPS on the market. Multiple appliances can be deployed in ProtectionCluster mode, which simultaneously dramatically boosts performance and provides high availability in the very unlikely event of appliance failure.
IPS Controller software provides central management of multiple Corero IPS appliances, allowing customers to administer policy, updates and granular control in distributed environments.
Corero's IPS:
- Enables regulatory compliance through protection of confidential data
- Stops remote exploits of critical vulnerabilities
- Keeps spyware, viruses, botnet programs and other malware out of the network
- Thwarts advanced hybrid and application-level attacks
- Protects VoIP infrastructure
- Blocks DDoS and other botnet-based attacks
- Prevents undesired access
- Proactively protects against threats while patches are being tested and deployed
- Improves security posture through acceptable application usage enforcement
- Reduces IT hours devoted to fixing/remediating systems infected by viruses, botnets and malware
- Reduces downtime and impairment of business systems and websites from DDoS attacks and botnet threats
Superior Technology
Corero's IPS uses a state-of-the-art, multi-tiered architecture that couples our industry-proven protocol validation modules (PVM) with data validation modules (DVM) that inspect file content regardless of the protocol over which the files are being transported. This approach requires fewer filters, which means we can deliver new protection more quickly while dramatically reducing the incidence of false positives compared to other IPS technologies.
Corero's IPS provides Three Dimensional Protection (3DP), combining deep packet inspection and analysis to prevent intrusions, stateful firewall filtering to protect against unauthorized access and DDoS defense. The solution is built on the redoubtable Core Platform, which provides the power, extensibility and flexibility that distinguish Corero's IPS and DDoS Defense (DDS) products in the market. This platform, comprising a powerful Tilera 64-core processor and the CoreOS, is the foundation on which Corero developers and engineers have built and continue to build out a cohesive and integrated suite of network security products.
Corero's Network Security Analyzer (NSA) provides security event management, flexible reporting for both simple and complex, distributed environments in which multiple IPS appliances are deployed, compliance audit lifecycle management, real-time alerting, enterprise-wide IPS security intelligence, and forensics and investigative root cause analysis. Corero's IPS also supports leading SIEM solutions, so events from Corero's solutions can be seamlessly integrated into enterprise security information management processes.
Corero's IPS provides the reporting and logging functionality needed to prove that PCI DSS requirements are being met with regard to Requirement 11.4.
Unmatched Service
Corero customers are assured they have the latest protection through Corero's Threat Update Service, which provides automated updates against the latest threats to their organizations. Each update includes detailed information about the new threats and recommendations that allow enterprises to make informed decisions about applying the updates in their unique IT environments.
Dedicated to making our customers' successes our success, Corero offers an integrated solution of technology, services and support to protect the business in a hostile environment with minimal management overhead and minimal impact on productivity and network performance.
Corero's IPS will help an organization adhere to and exceed the PCI DSS standard and dramatically improve its security posture with minimal impact on precious corporate resources.



