Insider Threat Management

How Proofpoint Helps Meet SWIFT Customer Security Control Requirements

Share with your network!

In March 2017, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) published the first version of the Customer Security Controls Framework. The SWIFT CSC was created as a direct response to the rising cybersecurity threats that can impact the confidentiality and integrity of transactions between financial institutions. The SWIFT community, which is comprised of more than 11,000 members across the globe, must now adhere to a set of mandatory and advisory requirements – enforcement and inspection of which went into effect on January 1, 2018.

Reminiscent of when VISA, Mastercard, American Express, Discover, and the JCB came together to form the Payment Card Industry Data Security Standard (PCI DSS), the SWIFT CSC broadly lays out technical controls to secure an organisation’s SWIFT environment.

Since the release of the framework, many of our customers have reached out, interested to know how they can leverage Proofpoint’s insider threat management platform to meet the mandatory and advisory requirements laid out by the SWIFT CSC.

7 Objectives of SWIFT CSC

  1. Restrict Internet Access and Protect Critical Systems from General IT Environment
  2. Reduce Attack Surface and Vulnerabilities
  3. Physically Secure the Environment
  4. Prevent Compromise of Credentials
  5. Manage Identities and Segregate Privileges
  6. Detect Anomalous Activity to Systems or Transaction Records
  7. Plan for Incident Response and Information Sharing

These 7 categories hold 16 mandatory and 11 advisory requirements, which are organised into subdivided sections ranging from regulated Internet usage to SWIFT operator vetting and control.

How Proofpoint Helps Organisations Comply with SWIFT CSC

1.1 SWIFT Environment protection (Mandatory)

  • As with other restricted and secured environments, Proofpoint ITM monitors access to and from the segregated secure zone of SWIFT infrastructure. Client’s local A1 and A2 SWIFT architecture is typically protected by a layer of Bastion Access Servers. Proofpoint ITM monitors the use of these jump boxes by Operators to detect access to the SWIFT infrastructure.

1.2 Operating System Privileged Account Control (Mandatory)

  • It is almost impossible and most times impractical to eliminate Administrator-level accounts in the organisation. Proofpoint takes the approach, if you can’t eliminate – supervise. Use Proofpoint ITM to detect creation of local accounts that may bypass existing controls and to review actions performed by Enterprise Admin groups, Domain Admin groups, and Local Administrator groups.
  • Log not just access but every action performed by a privileged operator account.

2.6A Operator Compromise of Credentials (Advisory)

  • It is advised to monitor Operator PCs or Jump Servers for loss of operational confidentiality and loss of operational integrity. Proofpoint ITM makes it effortless to detect all interactive sessions and alert on inactivity, unauthorised login times, and restricted actions.

2.8A Critical Activity outsourcing (Advisory)

  • SWIFT CSC suggests any outsourced activities must be protected with the same standard of care as the originating organisation. Proofpoint ITM risk scores vendor activity when 3rd party contractors (such as external IT providers), make changes to an organisation’s SWIFT environment. Proofpoint’s 3rd party monitoring capability ensures risky behaviour is flagged, SLAs and NDAs are upkept, and vendors do not abuse the privileges they are granted.

5.1 Logical Access Control (Mandatory)

  • Use Proofpoint ITM to identify excess privilege or access, ensure unauthorised access is documented, and all operator account access is logged. SWIFT CSC makes it mandatory that only operators (defined as end users and administrators) should have access to the environment. Proofpoint endpoint service will detect shared account usage, block unauthorised attempts to access a server, and notify operators of policy violations.
  • Pull reports for account review and document break-glass scenarios for emergency access.

5.3A Personnel Vetting Process (Advisory)

  • All employees, contractors, and staff with access to SWIFT-related systems must undergo a vetting process upon onboarding and periodically throughout their operation of SWIFT systems. As a technical extension of the administrative onboarding process, organisations use Proofpoint to validate staff members operating SWIFT infrastructure are qualified, trustworthy, and follow proper security procedures.

6.4 Logging and Monitoring (Mandatory)

  • Leverage the Proofpoint insider threat management platform to detect anomalies or suspicious activity performed by trusted operators and compromised accounts. Proofpoint ITM makes it simple to collect command line history, messaging and communication interfaces, Internet access, file movement, and even privilege escalation. Whether an operator intends to deploy a logic bomb, or an outside adversary begins querying a database for transaction information, Proofpoint ITM can detect infractions and generate a simple report that does not require IT to business translation.

7.2 Security Training and Awareness (Mandatory)

  • Notify operators of security best practices through technical notifications. Proofpoint ITM pops up a message to an end user with advisory information such as password policies, acceptable use restrictions, or proper procedures thus ensuring the security training is continuous and practical.

If you are a SWIFT client looking for a simple way to meet the mandatory and advisory requirements, schedule a free, personalised demo to learn more about how Proofpoint supports our customers in complying with the SWIFT Customer Security Controls Framework.