PCI Compliance Network Segmentation & Scanning

Reduce your PCI DSS scope and minimize the impact to critical assets by leveraging network segmentation and scanning.

When assessing current regulatory compliance status or developing a plan to become PCI DSS compliant, many users are left with more questions than answers. The key to success is consolidating critical security controls and simplifying the entire compliance process so that it becomes automatic and routine. To do this, you need a security platform with built-in data sources, threat intelligence, and a comprehensive reporting engine that evolves as compliance standards change.

AlienVault Unified Security Management (USM) alleviates the headaches normally associated with PCI compliance segmentation and scanning by providing an intuitive platform that simplifies that process. The asset discovery and network topography data that AlienVault USM retrieves can help greatly when planning and implementing PCI network segmentation and compliance.

Built-in Asset Discovery

  • Discover new assets via both active and passive scanning
  • Identify operating systems and software
  • Schedule network scans easily to simplify continuous compliance

Comprehensive Vulnerability
Assessment Scans

  • Scan assets regularly for vulnerabilities
  • Easily report on the most serious vulnerabilities, their impact to you, and steps to remediate

AlienVault USM™ Architecture that is Conducive
to PCI Compliance Segmentation

  • Deploy AlienVault USM in your environment, adhering to PCI compliance regardless of network segmentation
  • Encrypt communication between AlienVault USM components allowing for internetwork PCI compliant communication

Built-in Asset Discovery

To properly secure your environment, you need to know what assets are on your network, including servers, network devices, and applications. You also need to know how they are distributed throughout your network and understand which of these assets are the most sensitive. Answering these questions quickly and efficiently requires regular network scans to identify new assets as well as changes to existing ones. This is a core component of achieving PCI compliance and can help when instituting PCI network segmentation in your cardholder data environment and reducing your scope.

AlienVault USM performs regular network scans, discovering new assets as well as changes to them. Active asset scanning returns valuable information about your assets such as operating systems, running services, and installed software packages. Passive network monitoring provides a lighter touch and can identify operating system types, available ports, IP/MAC address associations, and basic network topography.

AlienVault USM also includes an intuitive asset discovery interface, giving you control over how thorough and frequent the scans are, and avoiding impact to sensitive systems. AlienVault USM makes it easy to schedule future network scans or set them to run on a recurring basis. That way, the scanning process becomes routine and makes achieving PCI network segmentation and continuous compliance even easier.

Comprehensive Vulnerability Assessment Scans

PCI DSS compliance (req. 11.2) requires that you perform network vulnerability scans at least annually as well as after any significant change in the network. Since most networks are not static, you will likely need more frequent scanning. The built-in asset scanning capability allows you to quickly identify and remediate issues as your environment evolves and you discover new vulnerabilities.

To prepare for an audit and satisfy the PCI requirements , you not only have to perform these network scans but also provide documentation detailing the results. The key to achieving PCI compliance is having an intuitive reporting platform with audit-ready reports that are updated as requirements change. The AlienVault USM reporting engine, in addition to an easy to use scheduling interface, will save any organization with limited IT resources time and money.

AlienVault USM provides a vulnerability assessment capability that makes the network scanning process easier, rather than adding to your frustration or workload. Many solutions require weeks or months of configuration and tuning to effectively assess your networks for vulnerabilities. AlienVault USM, however, is built specifically for IT teams with limited resources, and can be deployed and begin scanning your assets for vulnerabilities in under an hour.

To ensure that you stay on schedule and satisfy the PCI requirements or your internal policy, AlienVault USM includes a robust interface that makes scheduling upcoming scans easy. In addition, you can create custom scanning profiles to control the intensity of the penetrative tests performed. This allows you to automate the compliance scanning of your entire environment while limiting any undue stress or affecting the availability of any cardholder-related and other sensitive assets.

USM™ Architecture that is Conducive to Segmentation and Overall Compliance

While segmenting networks that deal with your cardholder data from the rest of your environment is not a requirement of PCI DSS, it is highly recommend by PCI as it is a very effective security measure to help reduce the overall risk to an organization. PCI network segmentation minimizes access to sensitive areas of your environment and makes it more difficult for attackers to gain access. Since segmenting your network’s cardholder data environment (CDE) often involves aggregating physical equipment into fewer locations, it provides more visibility and control of systems that house your sensitive data.

Segmentation of your network’s CDE reduces the cost and complexity of a PCI compliance audit, in addition to adding extra security. When your network is ‘flat’ with no segmentation whatsoever, it means that your entire environment is in scope of a PCI DSS assessment. This means that you will spend more time and money achieving compliance as well as maintaining it. The lack of PCI network segmentation could also result in a more costly and time-consuming PCI assessment due to the need to evaluate every system in your network against the PCI DSS standards.

AlienVault’s Unified Security Management (USM) platform was made to exist in cardholder environments, with its flexible architecture and secure transmission of data across its components. To conserve management costs as well as bandwidth, you can centrally locate your AlienVault USM server with sensors and data loggers deployed throughout your environment. You can also utilize AlienVault USM’s federation capabilities and deploy standalone AlienVault USM instances in various locations that can report back to a master AlienVault USM server.

The benefit of this approach means that as the AlienVault USM deployment communicates across segmented networks, your non-CDE systems and data remain out of scope for any PCI compliance assessment. This keeps costs down, reduces headaches associated with looming audits, and keeps your customer’s sensitive payment information safe.