Most guidance simply tells enterprises which standards apply. SANS Compliance Map provides the specific section references to help ensure you get compliance AND security.
Wall 1.1
PCI/DSS 6.3.6 6.3.7 6.6 SOX A12.8 GLBA 16 CFR Part 314.4(b) & (2) FISMA RA-5 SC-18 SA-11 SI-2 ISO 27001/27002 12.4.1 12.4.3 12.5
Wall 2.6
Wall 1.2
PCI/DSS 4.2 Requirement 5 SOX A13.2 DS5.9 DS5.10 DS5.11 GLBA 16 CFR Part 314.4(b) & (3) HIPAA 164.308(a)(1) 164.308(a)(6) FISMA AC-4 SC-7 SI-3 SI-8 ISO 27001/27002 10.6.2 10.8.4 10.10.1 10.10.2 11.4.6 15.1.5
Wall 4.3
PCI/DSS 11.3 SOX A13.3 GLBA 16 CFR Part 314.4(c) HIPAA 164.308(a)(8) FISMA RA-5 SI-2 ISO 27001/27002 12.6 15.2.2
Wall 6.1
Wall 4.4
PCI/DSS 6.3 SOX A12.4 GLBA 16 CFR Part 314.4(b) & (2) HIPAA 164.303(a)(1)(i) FISMA RA-5 SA-11 SI-2 ISO 27001/27002 12.6 15.2.2
Wall 2.7
Wall 1.3
PCI/DSS 6.3.7 SOX A12.7 A12.8 DS7 HIPAA 164.308(a)(3) FISMA SA-11 SI-2 ISO 27001/27002 6.1.8 8.2.1-2
PCI/DSS 6.6 SOX A13.2 DS5.10 GLBA 16 CFR Part 314.4(b) & (3) HIPAA 164.308(a)(1) 164.308(a)(6) FISMA AC-4 SC-7 ISO 27001/27002 10.6.2 10.10.1 10.10.2
Wall 3.1
Wall 2.1
PCI/DSS 10.6 11.4 SOX A13.2 DS5.10 GLBA 16 CFR Part 314.4(b) & (3) HIPAA 164.306(a)(2) 164.308(a)(1) 164.308(a)(6)42 FISMA SI-4 AC-2 ISO 27001/27002 10.6.2 10.10.1 10.10.2 10.10.4 15.1.5
PCI/DSS Requirement 5 10.6 SOX DS5.9 GLBA 16 CFR Part 314.4(b) & (3) HIPAA 164.306(a)(2) 164.312(a)(1) 164.308(a)(1),(2) & (6) 164.310(c) FISMA SI-3 SI-8 SC-18 AC-2 ISO 27001/27002 11.7.1 11.7.2
Wall 3.2
Wall 2.2
PCI/DSS 11.1 SOX A13.2 DS5.10 GLBA 16 CFR Part 314.4(b) & (3) HIPAA 164.308(a)(1) 164.308(a)(6) FISMA AC-18 ISO 27001/27002 Same as Wall 2.1
SOX A13.2 DS5.3 DS5.4 DS5.10 GLBA 16 CFR Part 314.4(b) & (3) HIPAA 164.306(a)(2) 164.308(a)(1),(2) and (6), 164.312(a)(1) and (d) FISMA SI-4 AC-3 AC-4 AC-17 ISO 27001/27002 10.6.2 10.10.1 10.10.2 15.1.5
PCI/DSS 2.2 6.1 6.3.1 SOX A13.3 DS9 HIPAA 164.308(a)(1) 164.310(b) & (c) FISMA CA-7 CM-1-4 CM-6 CP-10 Wall 6.2 SOX A13.2 DS11.2 DS11.4 DS11.6 PL-3 SA-4 SA-10 SI-2 HIPAA 164.310(d)(1) 164.312(a)(2)(iv) ISO 27001/27002 10.4.2 10.10.1 FISMA MP-4 MP-6 12.4.1 12.5.3 12.5.2 12.6.1 ISO 27001/27002 8.3.2 10.7.2 Wall 5.1 10.10.1 11.7.1 12.4.2 15.3.1 PCI/DSS 8.5 10.1 Wall 6.3 SOX DS5.3 DS5.4 PCI/DSS All sections SOX DS7 DS8 HIPAA 164.312(a)(1) and (d) HIPAA 164.308(a)(3) FISMA AT-3 FISMA AC-3 AC-17 AU-3 IA-2 ISO 27001/27002 6.1.8 8.2.1 8.2.2 IA-4 IA-5 ISO 27001/27002 10.9 10.10.1 Wall 6.4 11.2.3 11.5.2 PCI/DSS 12.6 SOX DS7 DS8 GLBA 16 CFR Part 314.4(b) & (1) Wall 5.2 HIPAA 164.308(a)(5) PCI/DSS Requirement 3 SOX A13.2 DS5.8 DS11.2 DS11.4 FISMA AT-2 AT-4 ISO 27001/27002 8.2.2 DS11.6 DS13.4 GLBA 16 CFR Part 314.4(b) & (2) HIPAA 164.310(d)(1) 164.312(a)(2)(iv) FISMA AC-3 CP-9 MP-4 ISO 27001/27002 10.5.1 11.7.1 12.3.1 12.3.2 15.1.6
PCI/DSS 10.1-2 10.5-6 10.7 SOX DS5.5 DS13.3 GLBA 16 CFR Part 314.4(b) & (2) HIPAA 164.308(a)(5) 164.312(b) FISMA SI-4 SI-11 AC-7-8 AC-11 AC-13 AU-2-4 IA-2 ISO 27001/27002 10.10 11.5.2 11.5.4 12.2.1 12.2.4 12.4.2 12.6.1 13.2.3 15.1.3 15.3.1
For hands-on courses covering how to make many of these technologies effective, see www.sans.org
Too many organizations try to get compliant and then figure out how to get secure. Constantly evolving threats drive the need for a layered approach to security. Constantly growing regulatory requirements create the need for compliance. Don't spend your money twice. The SANS WhatWorks program lets you learn from actual users of security products. Start your search at www.sans.org/whatworks to see which tools keep your organization secure and help you meet compliance standards at the same time.
You can hear users talk about how this product actually works by visiting www.sans.org/whatworks. Users of this vendor's products have described their successes at SANS WhatWorks Summits. This chart shows where the products below help you meet specific sections of each compliance mandate.
For full information on best practices in application security, see www.sans-ssi.org
1.3 Application Security Skills Assessment & Certification
Application security managers can ensure that programmers are able to identify and eliminate common security flaws from code by using assessment tools and having outsourced programmers prove their knowledge through certification.
Assessment of Secure Coding Skills through online measurement in Java, C, and .NET (SANS GSSP Assessments) Certification of Secure Coding Skills in Java, C, and .NET (SANS GSSP Certifications)
Wall 6.5
Wall 5.3
PCI/DSS 10.2 12.9 A.1.4* SOX DS7 HIPAA 164.308(a)(1) & (a)(6) FISMA IR-7 ISO 27001/27002 13.2.1, 13.2.3 *Shared Hosting Providers Only
Compliance Mandates:
PCI/DSS 10.5.5 11.5 12.9.5 SOX DS5.5 GLBA 16 CFR Part 314.4(b) & (3) Wall 2.3 HIPAA 164.312(e)(1) PCI/DSS 11.4 FISMA AC-19 CP-9 SI-1 SI-7 SOX A13.2 DS5.5 DS5.10 ISO 27001/27002 12.3 12.5.1 GLBA 16 CFR Part 314.4(b) & (3) HIPAA 164.308(a)(1) 164.308(a)(6)42 12.5.3 15.3 FISMA IR-4, SI-4 Wall 3.4 ISO 27001/27002 Same as Wall 2.1 PCI/DSS 2.2 SOX A13.2 Wall 2.4 HIPAA 164.308(a)(1) 164.310(c) PCI/DSS Requirements 1 & 5 FISMA CA-7 CM-1 CM-2 CM-3 SOX A13.2 DS5.9 DS5.10 CM-4 CM-6 CP-10 PL-3 SA-4 GLBA 16 CFR Part 314.4(b) & (3) ISO 27001/27002 10.4.2 10.10.1 HIPAA 164.308(a)(1) 164.308(a)(6)42 164.308(a)(5) Wall 4.1 FISMA AC-4 SC-7 SI-3 SI-8 PCI/DSS 11.2 SOX A13.3 ISO 27001/27002 10.4 10.6.2 GLBA 16 CFR 3.4.4(c) 10.10.1 10.10.2 10.10.4 11.4.5 HIPAA 164.308(a)(8) 11.6 11.7.1 12.5.5 12.6.1 15.1.5 FISMA RA-5
Wall 3.3
PCI/DSS Requirement 3 SOX A13.2 DS5.8 DS11.2 DS11.4 DS11.6 DS13.4 GLBA 16 CFR Part 314.4(b) & (2) HIPAA 164.310(d)(1) 164.312(a)(2)(iv) FISMA AC-3 CP-9 MP-4 ISO 27001/27002 10.5 12.3.1 12.3.2 15.1.6
Wall 6.6
PCI/DSS All sections SOX PO9 DS5.2 DS7 ME3 ME4 HIPAA 164.306(a)(4) 164.306(c)(1) 164.308(a)(1) FISMA IR-7 ISO 27001/27002 15 Compliance
Wall 5.4
Wall 6.7
PCI/DSS Requirements 3 & 4 SOX DS13.4 HIPAA 164.310(d)(1) 164.312(a)(2)(iv) FISMA SI-4 AU-2 ISO 27001/27002 12.5.4 15.1.5
PCI/DSS 12.9.1 SOX A13.2 DS4 DS11 HIPAA 164.308(a)(7)(i) FISMA CP-1 through CP-9 ISO 27001/27002 7.1.1 9.1.4 10.2.1 10.5.1 14
These tools monitor traffic to and from wireless networks, detect misconfigured or unauthorized access points and provide reporting and analysis for compliance.
Motorola AirDefense, AirMagnet Enterprise, AirTight Networks SpectraGuard, Aruba RFprotect, Kismet (free)
Wall 5.5
PCI/DSS Requirement 3 SOX DS13.4 HIPAA 164.310(d)(1) 164.312(a)(2)(iv) FISMA AC-3 CP-9 MP-4 ISO 27001/27002 15.1.2
Enterprise applications and collaboration systems increasingly use HTTP as the underlying protocol. Secure Web Gateways provide inbound filtering of malware and spyware, as well as outbound URL blocking and other forms of policy enforcement.
Traditional firewalls do not look inside the packets but rely on information in the packet headers: ports, source and destination addresses, and protocol state. Next generation firewalls incorporate traditional firewall functionality with IPS and Web security gateways (anti-malware such as viruses, worms, spyware, etc.). They also support techniques for applying security policy regardless of which port or protocol is used.
Secure Computing Webwasher, CheckPoint VPN-1, Juniper SSG, ISG & NetScreen, McAfee VirusScan Enterprise, Symantec Endpoint Protection, Kaspersky Open Space Security, Cisco ASA, Fortinet Fortigate, BlueCoat ProxySG, Websense Web Security Gateway, Cisco IronPort
2.6 Secure Messaging Gateways and Anti-Spam Tools
Spam continues to waste productive time for millions of increasingly angry Internet users. Secure email gateways block inbound spam as well as viruses, worms and other malicious executables and can enforce outbound policy control as well for email and instant messages.
Secure Computing SecureMail, Websense Email Security, Cisco IronPort, Symantec BrightMail, Barracuda Spam Firewall, MailWasher (free)
2.7 Web Application Firewalls
These appliances and software packages should be used in addition to strong application development security processes, particularly Web application pen testing and intense training of Web app developers. WAFs can be standalone appliances or can be incorporated into other network elements such as Application Delivery Controllers.
Imperva SecureSphere, Citrix Application Firewall, F5 Big-IP Application Security Manager, ModSecurity (free)
2.8 Managed Security Services
MSS ensure that trained eyes are watching the firewalls, IPS and IDS systems, Web security gateways and even the logs from inside systems. They provide rapid analysis and quick notification. More advanced services provide automated vulnerability scanning services, give early warning, and help determine when and where to act to protect against new vulnerabilities and exploits.
BT Counterpane MSS, Verisign MSS, SecureWorks MSS, Symantec MSS
Wall 5.6
Wall 2.5
PCI/DSS Requirement 5 SOX A13.2 DS5.9 DS5.10 GLBA 16 CFR Part 314.4(b) & (3) HIPAA 164.308(a)(1) 164.308(a)(6) FISMA AC-4 SC-7 SI-3 ISO 27001/27002 Same as Wall 2.1
Wall 4.2
PCI/DSS 11.2 6.6 SOX A13.3 GLBA 16 CFR Part 314.4(c) HIPAA 164.308(a)(8) FISMA RA-5 SI-2 ISO 27001/27002 12.6 15.2.2
PCI/DSS Requirement 4 8.3 SOX A13.2 DS5.8 DS5.10 DS5.11 GLBA 16 CFR Part 314.4(b) & (2) HIPAA 164.312(e)(1) 164.312(a)(2)(iv) FISMA AC-3 AC-17 SC-23 SC-7 SC-9 ISO 27001/27002 10.6.2 11.4.2 11.7.1 12.3.1 12.3.2 15.1.6
Checks for unauthorized changes to files.
Tripwire Enterprise, nCircle CCM File Integrity Monitor, Configuresoft Enterprise Configuration Manager (ECM), AIDE (free), Samhain (free)
When any computer connects to the corporate network, NAC determines if the computer is known to the network, who is using it, and verifies secure configurations and patch levels. NAC should also determine if malicious software is present on an endpoint. Personal computers that do not meet the enterprise standards can be denied access until their configurations have been corrected.
StillSecure Safe Access, McAfee NAC, Cisco NAC Appliance, InfoExpress CyberGatekeeper, Symantec Network Access Control, Mirage Networks Mirage NAC
3.4 Application Control and Configuration Hardening Tools
Tests security configurations for variance from standards and enforces security policy against applications that are not trusted.
Configuresoft Enterprise Configuration Manager (ECM), HP Business Service Automation solutions, BMC Configuration Automation
These tools discover vulnerabilities and monitor the organization's progress in eliminating the vulnerabilities that are found.
QualysGuard, Sourcefire RNA, McAfee Foundstone Foundscan, nCircle IP360, SAINT Scanner, Rapid7 Nexpose
Core Security Core IMPACT, Microsoft SMS and WSUS (free), Shavlik Security Suite, Metasploit (free), HP Business Services Automation solutions, SAINT Corp. SAINT Exploit
SANS is the most trusted and by far the largest source for information security training, certification, and research in the world.
6.6 Governance, Risk & Compliance Mgt. Tools
GLB, FISMA, SOX, PCI, Basel, DITSCAP, DIACAP, and HIPAA each generate enormous documentation burdens for companies, universities, and/or government agencies. GRCM tools help automate creation of necessary reports, support the update and dissemination of security policy, and provide consolidated means for tracking disparate compliance efforts.
Polivec EGS, CA GRC Manager, Archer Technologies SmartSuite Framework, Configuresoft Enterprise Config. Manager (ECM)
6.7 Disaster Recovery and Business Continuity
Bad things happen: flooding, cyber attacks, bombs. Being ready to respond means having alternative sites with data and systems ready; it also means testing those recovery capabilities.
VMware Infrastructure 3, NetApp MetroCluster, Symantec BackupExec, HP Business Continuity & Availability Solutions
Principal Editor on Compliance Standards and Tools: Dave Shackleford, Configuresoft Contributors: Tanya Baccam, David Hoelzer, and James Tarala
Sybase Afaria, Heidi Eraser, RIM Blackberry Enterprise Server, Darik's Boot & Nuke (free)
...and the SANS courses that help you advance. Go to www.sans.org for a full listing of courses.
How to Be Successful: Tips from the Experts
InfoSec Crime Investigator/Forensics Expert
This expert always thinks there is more to learn and actively seeks out new learning opportunities. Tips: Attend training, conferences, and summits that focus on the methodologies used. Stay abreast of the latest attack methodologies. Stay ahead of the curve on the latest forensic and incident response methodologies. Be familiar with techniques that enable you to quickly analyze malware found on your network using reverse engineering, network analysis, and digital forensics. -Rob Lee, Forensic/Incident Response Faculty, SANS; Principal Consultant, Mandiant Inc.
The 20 coolest careers were selected by over 1,000 information technology and network security specialists who responded to a SANS survey. For a more complete picture and advice on how to make it, go to www.sans.org/20coolestcareers.
#3 Forensics Analyst: SEC508, SEC610
SANS courses are hands-down the best security courses in the industry. The theory part is among the best, but the teachers' practical knowledge
DEV544: Secure Coding in .NET: Developing Defensible Apps DEV545: Secure Coding in PHP: Developing Defensible Apps DEV548: Secure Coding in C: Developing Defensible Apps
#5 Security Architect: SEC501
MGT404: Fundamentals of Information Security Policy MGT414: SANS +S Training Program for the CISSP Certification Exam MGT504: Hacking for Managers
Malware Analyst
Three suggestions for becoming a good one: Recognize your strengths and weaknesses. A skilled malware analyst possesses expertise in programming AND system and network administration. Build on your strengths, and develop a plan for expanding your expertise in weaker areas. Stay abreast of the threat landscape. Research new threats by reading blogs, books, and papers that discuss malware analysis techniques. Attend conferences where you can brainstorm and learn from other malware analysts. Contribute to the malware research community. Share your insights and suggestions with other analysts via mailing lists, blogs, web forums, and conferences. You will not only contribute to the community's skill set, but also interact with peers who can share their perspectives and help you become the analyst you want to be. -Lenny Zeltser, www.zeltser.com
#6 Malware Analyst: SEC5610, SEC709
cake is the hands-on sessions. I have read about the tools before, the course has given me the knowledge and confidence to use them.
SEC401: SANS Security Essentials Bootcamp Style SEC427: Browser Forensics SEC501: Advanced Security Essentials Enterprise Defender
#8 Security Analyst: SEC501, SEC503, SEC560
SEC502: Perimeter Protection In-Depth SEC503: Intrusion Detection In-Depth SEC504: Hacker Techniques, Exploits, and Incident Handling SEC508: Computer Forensics, Investigation, and Response SEC542: Web App Penetration Testing & Ethical Hacking SEC560: Network Penetration Testing & Ethical Hacking SEC610: Reverse-Engineer Malware:
Finding and Stopping the Most Elusive Threats Using Investigator Freeware