10 Security Technologies Gaining From Data Breach Hysteria

Credit Card Breach Parade Fuels IT Security Growth

The litany of data breaches has prompted a greater interest in data and network security products, but solution providers said they are careful to not sell on hysteria. Larger retailers conduct serious planning and analysis to minimize impact to operations. Selling into retail may also require dealing with franchise owners that have different requirements, budgets and IT know-how. Merchants are going to want to conduct a risk assessment and prioritize the areas that need the most attention while taking into account the available spend, said Doug Close, vice president of security at Chicago-based solution provider Sayers Group. An emerging group of new endpoint security technologies look promising, Close said, but businesses need to identify the security products already in place and determine whether they are properly configured and implemented. Solution providers CRN interviewed said these trending technologies are coming up in security discussions with clients.

Security Information Event Management Systems

Security information event management systems pull in log and event data and correlate the information to identify suspicious activity. If a retailer was feeding all of its systems into a SIEM and had it configured properly with customized rules, the system could detect suspicious activity and alert someone on the IT team to investigate. A credit card breach could be detected and contained faster, solution providers said. PCI-DSS requires large merchants to conduct a daily review of logs. Many merchants are overburdened and not looking close enough to uncover suspicious activity, said Brian DiPaolo, director of the assessment and compliance practice at Houston-based Accudata System. Struggling merchants are increasingly turning to managed security services providers to proactively cull through logs, DiPaolo.

Wireless Security

Solution providers said their networking vendors partners are marketing secure wireless gear as part of retail-specific packages that tie wireless access points, carrier 3G and 4G wireless WAN extenders with network security appliances and a management console for the system administrator. Solution providers said the sales engagement addresses PCI compliance and security but also can improve customer engagement and improve business operations. Security pros in the payment industry told CRN that best practices dictate that wireless network connectivity should never be connected to PoS systems or back-end payment infrastructure.

Network Recording Appliances

Network recording appliances from RSA-Netwitness and Blue Coat-Solera Networks take traditional SIEM systems to the next level, by acting like a Tivo system, recording all network packets. The platforms are powerful enough to correlate network packets and netflow with endpoint and logs to uncover suspicious activity that may signal an advanced threat. Solution providers told CRN that the gear is becoming user friendly with automated analysis capabilities and search queries. Adoption of the appliances has remained primarily in large enterprises that have the budget and the skilled IT talent to proactively identify threats.

Point-To-Point Encryption (P2P)

To be completely effective against memory scraping malware associated with many of the latest retail breaches, point-to-point encryption must include an encrypted hardware terminal, according to solution providers. Two qualified security assessors (QSAs) who conduct PCI assessments told CRN that Target and Home Depot had hardware that supported encryption at the time a card is swiped, but the capability wasn't turned on. P2P encryption is no panacea, said Accudata's DiPaolo. Implementation problems and configuration issues could provide a weak point for attackers, he said.

Tokenization

Tokenization eliminates credit card numbers from merchant systems by replacing the 16-digit number with a random string of letters and numbers called a token. If a token is stolen, a criminal has no way to mathematically reverse the number without the algorithm. An in-house tokenization system still requires merchants to store sensitive credit card numbers in a hardened security module, but solution providers told CRN the process is increasingly being outsourced to services that secure the payment information and tokenization server within their environment. Merchants receive a token with the last four digits of a payment card intact to satisfy back-end systems. By outsourcing the tokenization server to a payment processor, a merchant can reduce the scope of a PCI assessment.

Data Loss Prevention

Once malware is on a payment terminal it will intermittently transmit data to a remote server. Solution providers said a properly implemented data loss prevention or secure Web gateway can review outgoing traffic, including encrypted traffic to identify cardholder data being sent to remote servers. The platforms are designed to automatically block the traffic once it is identified and alert an administrator to blocked transmissions for further investigation.

Virtualization

Hypervisors from VMware, Citrix and Microsoft are essentially virtualized operation systems. They must be maintained, patched and secured like any other operating system. Virtualizing the cardholder environment could make it more difficult for criminals and force them to move on to another target. But solution providers told CRN that the technology can sometimes give retailers a false sense of security. Virtualization is no panacea. It must be properly implemented and secured. Qualified security assessors will review whether the hypervisor management environment is on its own network segment, separated from other networks. A proper implementation will separate payment terminal virtual machines from non-payment virtual machines.

POS System Process Monitoring

Far too many small and midsize merchants run POS software on Windows-based PCs containing other applications and a big killer is that many of those systems are connected to the Internet, said Tom Arnold, cofounder and principal at San Jose, Calif.-based PSC. Arnold's company specializes in payment industry security incident investigations and compliance assessments. Point-of-sale systems, he said, should be used solely for POS system software and be completely locked down. Layered security begins with antivirus, but a new wave of security software uses agents to monitor subtle system process and suspend those that are suspicious. Others monitor system configuration for changes. Whitelisting software can restrict applications and monitor system file behavior.

Unified Threat Management

Midsize merchants can implement a unified threat management UTM appliance to safeguard properly segmented payment environments. A UTM provides typical security gateway features, such as antivirus and content filtering. It should be able to detect rogue access points connected to the network and it gives an IT administrator a dashboard to ensure policy control across the cardholder data environment. It also has intrusion prevention system capabilities to scan network traffic for vulnerability exploits. Higher end models should pack more power providing enough bandwidth when additional security features are turned on. It can also be integrated with an SSL VPN to protect data transmissions.