SWIFT Customer Security Controls Compliance: An Application-Centric Approach to Cybersecurity
In April 2017, SWIFT, the global member-owned cooperative and the world's leading provider of secure financial messaging services, published a set of mandatory and advisory security controls (the Customer Security Controls Framework, CSCF) and is presently assisting all members to attest to their compliance with them.
SWIFT's messaging services are trusted and used by more than 11,000 financial institutions in more than 200 countries and territories around the world. In 2016, the SWIFT network handled over 6.5 billion FIN messages. SWIFT is requiring each customer to secure its SWIFT infrastructure and messaging interface, and to attest to its compliance with the 27 controls (16 mandatory, 11 advisory) published under the SWIFT Customer Security Programme (CSP). These controls represent an inflection point for the industry: a cooperative is mandating a set of security requirements as a condition of participation in its network, and every member organisation using the service must meet them.
The controls mandated by SWIFT raise a practical issue for CISOs: they require an application-centric view of cybersecurity, focused on protecting the SWIFT application and its supporting services. Most cybersecurity efforts today take a network-centric approach, concentrating on perimeter and endpoint protection and on traditional micro-segmentation. Those approaches treat the perimeter as a single point of failure: once it is penetrated, they say little about whether the application itself is being used as intended. On their own they are not enough to meet the SWIFT mandate, which requires much deeper control over the application ecosystem.
The Solution – Comprehensive Application Protection
To meet the SWIFT mandate, organisations must go beyond traditional network-centric cybersecurity approaches and take an application-centric view of security. Achieving Comprehensive Application Protection requires a different approach, centred on a three-step process.
1. Setting the “Good Known State”
The first step in protecting any application is creating a secure baseline, or "Good Known State". This requires an accurate and current understanding of the systems that make up the application, including their configuration, and then ensuring that all of those systems are up to date and configured to minimise the attack surface. Assessing the application's current state via an Application Hardening Scorecard, evaluating system configurations and identifying potential vulnerabilities against industry-standard criteria (such as NIST or OWASP), reveals the security gaps and the configuration changes required to bring the systems into a secure state. Good security also requires confirming that systems are maintained and kept current. By recording patch levels and comparing server configurations to corporate standards, organisations can quickly identify potential vulnerabilities, correct them and establish the "Good Known State" for the application. This first step is key not only to meeting the SWIFT mandate; it applies equally to protecting every other mission-critical application in the environment.
2. Application Behaviour Analysis
While traditional micro-segmentation techniques enable network segmentation of environments, locations and applications, they stop well short of comprehensive application protection. Application Behaviour Analysis compares current application behaviour to the baseline "Good Known State". This comparison provides layers of protection beyond segmentation by uncovering deviations from the approved behaviour of the application. The parameters verified include network, process, identity, operating system, performance and time, which together validate the approved who, what, where and when of the application's behaviour. The analysis identifies potentially anomalous behaviour even when it occurs across allowed network segments and pathways, so that only the correct software and processes run, under the correct identity, from approved locations, at approved times.
3. Automated Response System
Once a potential threat is detected, organisations need to react quickly. Having a customised, pre-programmed response to each class of threat is critical to avoiding theft or other malicious activity following a breach. An Automated Response System can be set up to take a predefined action based on the specific threat identified. Responses range from immediate quarantine of the affected servers, to stopping a process, ending a user session, or simply raising an alert. With a flexible Automated Response System, the customised response to anomalous behaviour is executed automatically, addressing the threat immediately.
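The three steps above can be modelled in a few dozen lines: a baseline that records the approved configuration, binaries, identities, source networks and operating window; a check that scores each observed event against that baseline on the who/what/where/when dimensions; and a table that maps each kind of deviation to a predefined response. The following Python is an added illustration written for this article, not code from the original page, from CIX Software or from BUSHIDO. The host configuration, process names, digests, network ranges and the sample events are all constructed; a real baseline would be generated from the hardened system itself, with digests taken from the vendor-supplied binaries.

```python
"""Minimal model of baseline -> behaviour check -> predefined response.

Added example; not code from the page or from CIX/BUSHIDO. Every value below
(config keys, process names, digests, networks, events) is constructed.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Step 1: the "Good Known State" for one constructed messaging-interface host.
BASELINE = {
    # hardened configuration values the host must keep
    "config": {"tls_min_version": "1.2", "ssh_root_login": "no", "patch_level": "2017-09"},
    # approved process name -> SHA-256 of the approved binary (constructed digests)
    "processes": {"msgd": "a1" * 32, "backupd": "b2" * 32},
    # approved identity (the "who") per process
    "identities": {"msgd": {"svc_msg"}, "backupd": {"svc_backup"}},
    # approved source networks for access to the host (the "where")
    "networks": [ip_network("10.20.0.0/24")],
    # approved operating window, UTC (the "when")
    "window": (time(7, 0), time(19, 0)),
}

# Step 3: one predefined response per deviation type; the most severe one wins.
SEVERITY = {"alert": 0, "end_session": 1, "stop_process": 2, "quarantine_host": 3}
RESPONSE = {
    "time": "alert",                 # approved actor, outside the window
    "network": "end_session",        # access from an unapproved location
    "identity": "stop_process",      # approved binary run by the wrong identity
    "process": "quarantine_host",    # unknown or tampered binary
}


def config_drift(observed):
    """Step 1 check: baseline keys whose observed value differs.
    Returns {key: (expected, observed)} for every drifted key."""
    return {k: (v, observed.get(k))
            for k, v in BASELINE["config"].items() if observed.get(k) != v}


def deviations(event):
    """Step 2: compare one observed event to the baseline.
    event keys: process, sha256, user, src_ip, ts (ISO 8601, UTC)."""
    found = []
    name = event["process"]
    # "what": the binary must be an approved process with the approved digest
    if BASELINE["processes"].get(name) != event["sha256"]:
        found.append("process")
    # "who": an unknown process has no approved identity at all
    if event["user"] not in BASELINE["identities"].get(name, set()):
        found.append("identity")
    # "where": the source address must fall inside an approved network
    src = ip_address(event["src_ip"])
    if not any(src in net for net in BASELINE["networks"]):
        found.append("network")
    # "when": the event must fall inside the operating window
    start, end = BASELINE["window"]
    if not start <= datetime.fromisoformat(event["ts"]).time() <= end:
        found.append("time")
    return found


def respond(event):
    """Step 3: the single most severe predefined action, or "allow"."""
    found = deviations(event)
    if not found:
        return "allow"
    return max((RESPONSE[d] for d in found), key=SEVERITY.__getitem__)


# Constructed sample events, one per outcome.
EVENTS = [
    {"process": "msgd", "sha256": "a1" * 32, "user": "svc_msg",
     "src_ip": "10.20.0.15", "ts": "2017-10-03T09:15:00"},   # allow
    {"process": "msgd", "sha256": "a1" * 32, "user": "svc_msg",
     "src_ip": "10.20.0.15", "ts": "2017-10-03T02:10:00"},   # time -> alert
    {"process": "backupd", "sha256": "b2" * 32, "user": "svc_backup",
     "src_ip": "203.0.113.7", "ts": "2017-10-03T10:00:00"},  # network -> end_session
    {"process": "msgd", "sha256": "a1" * 32, "user": "jdoe",
     "src_ip": "10.20.0.15", "ts": "2017-10-03T10:00:00"},   # identity -> stop_process
    {"process": "msgd", "sha256": "ff" * 32, "user": "svc_msg",
     "src_ip": "203.0.113.7", "ts": "2017-10-03T23:00:00"},  # process -> quarantine_host
]

if __name__ == "__main__":
    print("drift:", config_drift({"tls_min_version": "1.0", "ssh_root_login": "no",
                                  "patch_level": "2017-09"}))
    for ev in EVENTS:
        print(ev["process"], ev["user"], ev["src_ip"], ev["ts"], "->",
              deviations(ev), respond(ev))
```

Two design points matter in practice. The digest check is what makes the process dimension meaningful: matching on a process name alone would let a replaced binary with the original name pass. And the response table is deliberately graded, because quarantining the host that runs the messaging interface interrupts payment flow; the most disruptive actions should be reserved for the highest-confidence deviations and rehearsed before they are armed.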
Meeting SWIFT Compliance
Effectively meeting the SWIFT mandate requires organisations to change their approach to cybersecurity and take an application perspective. The steps outlined above are a great starting point towards Comprehensive Application Protection and meeting the SWIFT CSP mandate.
CIX Software (partner to Brookcourt Solutions) provides solutions that enable CISOs to meet the SWIFT CSP mandate and protect their critical applications. The solution, called BUSHIDO, addresses 14 of the 15 technical mandatory and advisory application controls in the SWIFT requirements.