None of this would have had anything to do with PCI (nobody gives a shit about PCI; the worst shops in the world, the proprietors of the largest breaches, have had no trouble getting PCI certified and keeping certification after their breaches). At much smaller company sizes than this, insurance requires you to retain forensics/incident response firms. There's a variety of ways they could do that cheaply. They brought in the IR firm with the best reputation in the industry (now that Google owns Mandiant), at what I'm assuming are nosebleed rates, because they want to be perceived as taking this as seriously as they seem to be.
It's a very good writeup, as these things go. Cloudflare is huge. An ancillary system of theirs got popped as sequelae to the Okta breach. They reimaged every machine in their fleet and burned all their secrets. People are going to find ways to snipe at them, because that's fun to do, but none of those people are likely to handle an incident like this better.
I am not a Cloudflare customer (technically, I am a competitor). But my estimation of them went up (I won't say by how much) after reading this writeup.
Yeah, at best PCI is somewhat hard to get at first, but after that it's basically only good, or less shady, corporations that bother keeping up compliance or making sure that they follow the guidelines at every step. Shady/troubled operators don't, and to an extent don't have to really be afraid of losing said certification unless they just go fully rogue.
Ah, I think I'm just not used to those then. I hated the whole checklist busywork that we had to do even though we were barely related to the sales infra. But yeah, it was a bit like SOC 2 in that regard. Is there any certification that isn't just checklist "auditing", one that involves actual monitoring or something? Not sure if that's even possible.
PCI is the most checklist framework around. SOC 2 can be a checklist audit, depending on how much effort your internal compliance team puts into it. I've never had SOC 2 be really a checklist in the way PCI is. SOC 2 requires you to design and write your own controls and scope in or out different aspects of the business. SOC 2 does include monitoring and stuff like that.
The difference really is point in time vs period over time audits. PCI is a point in time audit, SOC 2 is a period over time audit. So for SOC 2 you do need monitoring controls, and then they test that control over the entire period (often 6-12 months). So you are monitoring the control effectiveness over a longer period of time with SOC 2. And even PCI has some period over time controls you need to demonstrate.
From the outside all compliance will seem like checkboxes to most people once controls are established. Because really the goal for most of the business is to make sure the control they interact with doesn't break, and the compliance team will likely give a list of things that the business can't afford to have broken. Which does seem like a checklist similar to PCI. But really, only PCI is straight up a checklist, as you don't really get to decide your controls.
PCI DSS does require periodic review of lots of elements, and I believe daily log reviews (which, let's face it, no one does outside of very big firms with dedicated security teams and fancy SIEM tools).
But everyone here is missing the point of it: it's not to make sure you never get breached, it's to ensure forensics exist that cannot be tampered with.
Separation of concerns, to keep any single party within the company from doing anything fraudulent, or an attacker from covering their tracks.
It's not intended at all to be any kind of security by itself outside of the damage an employee can do. Bad code exists and PCI will do nothing to prevent this, because that's not the purpose of the compliance.
> nobody gives a shit about PCI; the worst shops in the world, the proprietors of the largest breaches, have had no trouble getting PCI certified and keeping certification after their breaches
IMO it's more a risk/reward trade-off. I know some companies are paying relative peanuts in non-compliance fines rather than spend money on some semblance of security which they may still not be compliant with and have to pay the fines anyway...