SWIFT: Covering Key Consumer Security Controls

SWIFT is a global provider of secure financial messaging services that connects thousands of banks, financial institutions and corporations all over the world. However, it does not monitor or control the messages that users send through its system, so responsibility for privacy and for compliance with the SWIFT security controls rests with the financial institutions handling those messages and with their competent national and international authorities.

The SWIFT Customer Security Controls Framework describes a set of mandatory and advisory security controls for all SWIFT customers. Here is a quick overview of how LogSentinel SIEM can help financial institutions of all kinds achieve compliance and cover both the mandatory and the advisory requirements.

Mapping between SWIFT Customer Security Controls Framework 1.0 and LogSentinel SIEM Functionalities

#  Requirement  LogSentinel SIEM Functionalities

1  1.2 Operating System Privileged Account Control (Mandatory)

Control Objective: Restrict and control the allocation and usage of administrator-level operating system accounts.

In-scope components:
• Secure zone: administrator-level operating system accounts

Risk Drivers:
• Deletion of logs and forensic evidence
• Excess privilege or access
• Lack of traceability
• Unauthorised system changes

LogSentinel SIEM Functionalities:

LogSentinel SIEM uses blockchain technology and stores the log of every single action in a private blockchain, including the logs tracking the usage of administrator-level operating system accounts. Thus, it ensures that the logs are not modified, altered or deleted. Also, there is no opportunity for an attacker to use the privileges of the administrator-level account as part of an attack.

In order to prevent deletion of logs and forensic evidence, excess privilege or access, and unauthorised system changes (especially by administrators and users with PAM rights), LogSentinel SIEM supports the option to flag certain log entries as critical and push them directly to external sources as well, which include a qualified trust service provider, Ethereum and e-mails to stakeholders. The data pushed is hash(actorId:action), which is meaningless out of context (e.g. hash(254:LOGIN)) but can later be used to determine the actual user by searching for a hash match across all privileged user IDs. The uid-to-employee mapping can be stored as an audit trail entry as well as externally.

LogSentinel SIEM has built-in anomaly detection that monitors all accesses and actions of the administrator-level accounts. In case of abusive usage of an administrator-level account, LogSentinel SIEM sends an alert to the relevant stakeholders so that they can take immediate countermeasures.

2  2.1 Internal Data Flow Security (Mandatory)

Control Objective: Ensure the confidentiality, integrity, and authenticity of data flows between local SWIFT-related applications and their link to the operator PC.

In-scope components:
• Operator PC (or jump server)
• SWIFT-related infrastructure components

Risk Drivers:
• Loss of sensitive data confidentiality
• Loss of sensitive data integrity
• Unauthenticated system traffic

LogSentinel SIEM Functionalities:

LogSentinel SIEM provides complete data confidentiality, integrity, and authenticity for all information stored within the solution, leveraging permissioned blockchain technology. The chain is subject to complete verification every 12 hours, or at other configurable intervals. Internal verification mechanisms also exist, as follows:

• Pushing hashes representing the complete state of all data to external stakeholders via e-mail or text message.
• Pushing hashes representing the complete state of all data to a public blockchain (e.g. Bitcoin, Ethereum or any other).
• Pushing hashes representing the complete state of all data to a publicly verifiable source such as Twitter.

LogSentinel SIEM ensures that it is technically impossible to breach data integrity, confidentiality and authenticity without detection.
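Two of the mechanisms described so far fit one small model: the critical entries pushed out as hash(actorId:action) and later resolved against the privileged uid list (requirement 1.2 above), and the complete periodic verification of a hash chain whose state hash is published externally (this requirement). The Python below is an added example written for this page, not LogSentinel SIEM code; the chain layout, the genesis value, the privileged uid list and the sample entries are assumptions or constructed data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not LogSentinel code. A hash-chained audit trail in the spirit
# of the page's private-blockchain log store, with the two external anchors it
# describes: hash(actorId:action) for entries flagged critical, and a state hash
# that commits to the whole chain for periodic verification.

GENESIS_HASH = "0" * 64            # assumed starting value of the chain
PRIVILEGED_UIDS = [100, 254, 300]  # constructed list of privileged user IDs


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def compute_digest(prev: str, actor_id: int, action: str, details: str, ts: str) -> str:
    """Digest of one entry, chained onto the previous entry's digest."""
    payload = json.dumps({"actor": actor_id, "action": action, "details": details, "ts": ts},
                         sort_keys=True, separators=(",", ":"))
    return sha256_hex(prev + payload)


def anchor_for(actor_id: int, action: str) -> str:
    """hash(actorId:action): meaningless to an outside party, resolvable with the uid list."""
    return sha256_hex(f"{actor_id}:{action}")


@dataclass
class Entry:
    actor_id: int
    action: str
    details: str
    ts: str
    critical: bool
    prev_digest: str
    digest: str


class AuditChain:
    def __init__(self) -> None:
        self.entries: List[Entry] = []
        self.external_anchors: List[str] = []  # what would go to a TSP, Ethereum or e-mail

    def append(self, actor_id: int, action: str, details: str, ts: str,
               critical: bool = False) -> Entry:
        prev = self.entries[-1].digest if self.entries else GENESIS_HASH
        entry = Entry(actor_id, action, details, ts, critical, prev,
                      compute_digest(prev, actor_id, action, details, ts))
        self.entries.append(entry)
        if critical:
            self.external_anchors.append(anchor_for(actor_id, action))
        return entry

    def state_hash(self) -> str:
        """Head digest: it commits to every earlier entry, so publishing it pins the chain."""
        return self.entries[-1].digest if self.entries else GENESIS_HASH

    def verify(self) -> Tuple[bool, int]:
        """Complete re-verification. Returns (ok, index of first bad entry or -1)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.prev_digest != prev or \
               compute_digest(prev, e.actor_id, e.action, e.details, e.ts) != e.digest:
                return False, i
            prev = e.digest
        return True, -1


def resolve_anchor(anchor: str, uids: List[int], actions: List[str]) -> Optional[Tuple[int, str]]:
    """Recover which privileged uid/action produced an externally stored anchor."""
    for uid in uids:
        for action in actions:
            if anchor_for(uid, action) == anchor:
                return uid, action
    return None


def demo() -> Dict[str, object]:
    """Build a constructed chain, publish its state, then tamper with it in place."""
    chain = AuditChain()
    chain.append(254, "LOGIN", "admin console login", "2021-03-01T02:10:00Z", critical=True)
    chain.append(254, "DELETE_LOG", "audit log file removed", "2021-03-01T02:12:00Z", critical=True)
    chain.append(17, "VIEW_REPORT", "daily summary", "2021-03-01T08:00:00Z")
    published = chain.state_hash()          # e.g. sent to stakeholders every 12 hours
    ok_before, _ = chain.verify()
    # Someone with write access to the store rewrites the second entry's details.
    chain.entries[1].details = "routine maintenance"
    ok_after, bad_index = chain.verify()
    resolved = resolve_anchor(chain.external_anchors[0], PRIVILEGED_UIDS, ["LOGIN", "DELETE_LOG"])
    return {
        "ok_before": ok_before,
        "ok_after": ok_after,
        "bad_index": bad_index,
        "head_still_matches_published": chain.state_hash() == published,
        "resolved_first_anchor": resolved,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the run shows: an in-place edit that leaves the stored digests untouched still matches the published head hash, so a published state hash on its own is not enough and the complete re-verification pass is what catches the edit; and the external anchor hash(254:LOGIN) reveals nothing to the outside party holding it, yet the institution can resolve it against its own list of privileged uids.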

3  2.4A Back-office Data Flow Security (Advisory)

Control Objective: Ensure the confidentiality, integrity, and mutual authenticity of data flows between back office (or middleware) applications and connecting SWIFT infrastructure components.

In-scope components:
• Data exchange layer: flows of financial transactions

Risk Drivers:
• Loss of sensitive data confidentiality
• Loss of sensitive data integrity
• Unauthenticated system traffic

LogSentinel SIEM Functionalities:

LogSentinel SIEM protects the confidentiality, integrity, and authenticity of data by cryptographic means based on blockchain.

It ensures that it is technically impossible to breach data integrity, confidentiality and authenticity without detection. 

4  2.6A Operator Session Confidentiality and Integrity (Advisory)

Control Objective: Protect the confidentiality and integrity of interactive operator sessions connecting to the local SWIFT infrastructure.

In-scope components:
• Operator PC (or jump server): sessions to operating system
• Operator PC (or jump server): sessions to interface applications in the secure zone
• Secure zone: session to SWIFT-related applications and operating systems from dedicated operator PCs

Risk Drivers:
• Loss of operational confidentiality
• Loss of operational integrity

LogSentinel SIEM Functionalities:

LogSentinel SIEM provides functionalities for storing logs of all events or activity in the IT systems, including the operator sessions connecting to the local SWIFT infrastructure.

LogSentinel SIEM ensures complete data integrity and confidentiality for all information stored within the solution by utilizing blockchain technology.

LogSentinel SIEM provides a secure audit trail that records who did what and when. All of that data can be reviewed through the intuitive dashboard.

5  5.1 Logical Access Control (Mandatory)

Control Objective: Enforce the security principles of need-to-know access, least privilege, and segregation of duties for operator accounts.

In-scope components:
• All operator accounts (for example, operating systems, applications)

Risk Drivers:
• Excess privilege or access
• Segregation of duty violations
• Unauthorised access

LogSentinel SIEM Functionalities:

LogSentinel SIEM provides functionalities for storing logs of all events or activity in the IT systems. It can monitor all operator accounts and their level of access to reduce the possibility of malicious activities.

Anomaly detection functionality can be used to monitor comprehensively for unusual behaviour in system activity.

LogSentinel SIEM has an intuitive dashboard that allows drilling down to a specific timeframe, user or action.

6  5.4A Physical and Logical Password Storage (Advisory)

Control Objective: Protect physically and logically recorded passwords.

In-scope components: Accounts and passwords defined on the following components:
• Operator PC (or jump server): operating system
• Operator PC (or jump server): interactive user session
• Secure zone: all applications, operating systems, and network components
• SWIFTNet Online Operations Manager and swift.com

Risk Drivers:
• Password theft

LogSentinel SIEM Functionalities:

LogSentinel SIEM can log:
– the access to the recorded password storage;
– which account’s password was accessed;
– who accessed it;
– a qualified timestamp of the action, for better traceability.

All of these logs are stored in an unmodifiable way based on blockchain technology. Thus, LogSentinel SIEM guarantees that only authorised people have accessed the passwords.

7  6.3 Database Integrity (Mandatory)

Control Objective: Ensure the integrity of the database records for the SWIFT messaging interface.

In-scope components:
• Databases for messaging interface products

Risk Drivers:
• Loss of sensitive data integrity

LogSentinel SIEM Functionalities:

LogSentinel SIEM can store and monitor all logs related to database changes and modifications. The logs cannot be deleted or modified, which ensures full integrity of the database records. The log monitoring is protected by blockchain technology and performs automated verification checks to guarantee the integrity of the database records. All events are displayed in the dashboard for easy monitoring and management.

The anomaly detection module sends immediate alerts when a security event is identified, to prevent unexpected modification of the records stored within the database.

8  6.4 Logging and Monitoring (Mandatory)

Control Objective: Record security events and detect anomalous actions and operations within the local SWIFT environment.

In-scope components:
• Data exchange layer: network
• Operator PC (or jump server): operating system
• Secure zone: connector
• Secure zone: GUI to the messaging and communication interface
• Secure zone: all server applications and operating systems
• Secure zone: network
• Secure zone: database

Risk Drivers:
• Lack of traceability
• Undetected anomalies or suspicious activity

LogSentinel SIEM Functionalities:

LogSentinel SIEM logs every user or system event, storing the logs in a private blockchain and displaying them in its dashboard for easy monitoring and management.

LogSentinel SIEM has built-in capabilities for detecting anomalous behaviour. In case of any modification attempt, the relevant stakeholders are notified. The LogSentinel SIEM rules engine can combine more than one rule, spanning more than one event log type, and so detect various kinds of anomalies at the very beginning.

On top of that, the following event logs can be stored in one place, ensuring data integrity and detection of anomalous activity:
– database logs
– network logs
– server application/operating system logs
– OS logs
– data exchange logs
– connector logs
– GUI logs
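The rules engine described above combines rules across event log types; the same idea underlies the anomaly alerts mentioned under requirements 1.2 (abusive use of administrator accounts), 5.1 and 6.3 (unexpected database modifications). The following Python is an added example for this page, not LogSentinel's rules engine: it runs three rules over constructed JSON-lines events from three log types (OS logins, database changes, audit-log deletions), one of which correlates a privileged login with a later destructive action by the same actor. The event schema, the sample lines, the business-hours window and the 15-minute correlation window are all assumptions.

```python
import json
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Added example, not LogSentinel code: a small correlation engine over several
# event log types. Sample events below are constructed; timestamps are UTC.
SAMPLE_EVENTS = """\
{"ts": "2021-03-01T02:14:00", "type": "os_login", "actor": "svc-admin", "host": "swift-gw-01", "privileged": true}
{"ts": "2021-03-01T02:16:30", "type": "db_change", "actor": "svc-admin", "host": "swift-gw-01", "table": "messages", "op": "DELETE"}
{"ts": "2021-03-01T02:17:10", "type": "log_delete", "actor": "svc-admin", "host": "swift-gw-01", "path": "/var/log/audit.log"}
{"ts": "2021-03-01T09:05:00", "type": "os_login", "actor": "alice", "host": "op-pc-07", "privileged": false}
{"ts": "2021-03-01T09:40:00", "type": "db_change", "actor": "alice", "host": "swift-gw-01", "table": "messages", "op": "INSERT"}
{"ts": "2021-03-01T11:00:00", "type": "os_login", "actor": "root", "host": "swift-gw-02", "privileged": true}
"""

BUSINESS_HOURS = range(7, 19)               # assumed 07:00 to 18:59 UTC
CORRELATION_WINDOW = timedelta(minutes=15)  # assumed lookback after a privileged login
DESTRUCTIVE_DB_OPS = {"DELETE", "UPDATE", "DROP"}

Rule = Callable[[Dict, Dict], Optional[str]]


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_offhours_privileged_login(ev: Dict, _ctx: Dict) -> Optional[str]:
    """Risk driver: excess privilege or access (OS log type only)."""
    if ev["type"] == "os_login" and ev.get("privileged") and ev["ts"].hour not in BUSINESS_HOURS:
        return "privileged login outside business hours"
    return None


def rule_log_deletion(ev: Dict, _ctx: Dict) -> Optional[str]:
    """Risk driver: deletion of logs and forensic evidence (audit-log type only)."""
    if ev["type"] == "log_delete":
        return "deletion of logs / forensic evidence"
    return None


def rule_destructive_after_privileged_login(ev: Dict, ctx: Dict) -> Optional[str]:
    """Combines two log types: a destructive DB or log action within the window
    after a privileged OS login by the same actor."""
    destructive = (ev["type"] == "log_delete"
                   or (ev["type"] == "db_change" and ev.get("op") in DESTRUCTIVE_DB_OPS))
    if not destructive:
        return None
    last_login = ctx["last_priv_login"].get(ev["actor"])
    if last_login is not None and ev["ts"] - last_login <= CORRELATION_WINDOW:
        return "destructive action shortly after privileged login"
    return None


RULES: List[Rule] = [rule_offhours_privileged_login, rule_log_deletion,
                     rule_destructive_after_privileged_login]


def run_rules(events: List[Dict]) -> List[Dict]:
    """Evaluate every rule against every event in order, keeping per-actor state."""
    ctx: Dict = {"last_priv_login": {}}
    alerts = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev, ctx)
            if reason:
                alerts.append({"rule": rule.__name__, "reason": reason, "actor": ev["actor"],
                               "ts": ev["ts"].isoformat(), "type": ev["type"]})
        # State is updated after evaluation so a login never correlates with itself.
        if ev["type"] == "os_login" and ev.get("privileged"):
            ctx["last_priv_login"][ev["actor"]] = ev["ts"]
    return alerts


def alerts_for_sample() -> List[Dict]:
    return run_rules(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in alerts_for_sample():
        print(alert["ts"], alert["actor"], alert["type"], "->", alert["reason"])
```

On the sample, only svc-admin triggers alerts: one for the off-hours privileged login, one for the audit-log deletion, and two from the cross-type correlation rule (the DELETE on the messages table and the log deletion, both within fifteen minutes of the login). The INSERT by a non-privileged operator and the daytime root login produce nothing, which is the point of correlating types rather than alerting on each event in isolation.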

The financial sector is heavily regulated, and apart from the SWIFT security controls we have previously shown how LogSentinel SIEM can also help you cover compliance with other crucial regulations, such as the new PSD2 requirements and the General Data Protection Regulation.

In case you would like to get compliance out of the way, talk to us today and let us help you protect not just your messaging processes but all your sensitive data across all the systems in your organisation.
