
Page 1: Addressing the MAS TRM with Privileged Access Management · 2019-04-25 · this guidance is not legally binding, it is used by the MAS in risk assessment audits of FIs. These TRM

Addressing the MAS TRM with Privileged Access Management

How BeyondTrust can help you meet 12 key mitigation strategies

WHITEPAPER


Table of Contents

Introduction
The BeyondTrust Privileged Access Management Platform
BeyondTrust Privileged Access Management Solutions
BeyondTrust Solutions Mapped to the MAS Guidelines
    4.1 Information System Assets
    4.2 Risk Identification
    4.3 Risk Assessment
    4.4 Risk Treatment
    4.5 Risk Monitoring and Reporting
    6.2 Security Requirements and Testing
    9.1 Data Loss Prevention
    9.3 Networks and Security Configuration Management
    9.4 Vulnerability Assessment and Penetration Testing
    9.5 Patch Management
    9.6 Security Monitoring
    11.2 Privileged Access Management
BeyondTrust MAS Guideline Matrix
About BeyondTrust


Introduction

The Monetary Authority of Singapore (MAS) was founded in 1971 to oversee various monetary functions associated with financial and banking institutions. Over the years, its guidelines have been revised to address emerging technologies and the evolving threat landscape. In June 2013, the MAS created a new set of guidelines for Internet Banking and Technology Risk Management (IBTRM). This addendum mandated certain requirements for Technology Risk Management (TRM) and also contained a set of guidelines (TRM Guidelines) and errata notices (TRM Notices). These guidelines continue to receive revisions and clarifications, but are still anchored by the original TRM Guidelines, and are most relevant to financial services institutions and all third parties that service them. The TRM Guidelines are statements of industry best practices that financial institutions (FIs) and organisations that offer services to the industry are expected to adhere to. While this guidance is not legally binding, it is used by the MAS in risk assessment audits of FIs. The TRM Guidelines are organised in 14 sections:

1. Introduction
2. Applicability of the Guidelines
3. Oversight of Technology Risks
4. Technology Risk Management Framework*
5. Management of IT Outsourcing Risks
6. Acquisition and Development of Information Systems*
7. IT Service Management
8. Systems Reliability, Availability & Recoverability
9. Operational Infrastructure Security Management*
10. Data Centres Protection & Controls
11. Access Control*
12. Online Financial Services
13. Payment Card Security
14. IT Audit

* Addressed by BeyondTrust Privileged Access Management Solutions

This guidance promotes the adoption of sound security and operational practices for managing technology used by FIs, including:

• Asset Discovery and Risk Assessment
• Vulnerability and Configuration Scanning
• Risk Prioritisation and Remediation
• Privileged Account Management

BeyondTrust supports each of these four practice areas. The remainder of this whitepaper provides a detailed mapping of BeyondTrust solutions to the applicable sections of the MAS TRM Guidelines.

The BeyondTrust Privileged Access Management Platform

BeyondTrust provides an integrated suite of software solutions used by information technology professionals and security experts to collaboratively:

• Reduce user-based risk and mitigate threats to information technology assets
• Address security exposures and vulnerabilities across large, diverse environments
• Comply with internal, industry, and government mandates

Available in software, hardware, and virtual appliance formats, the BeyondTrust Privileged Access Management (PAM) Platform provides visibility and control over all privileged accounts, assets, and users. By uniting the broadest set of privileged security capabilities, the platform simplifies deployments, reduces costs, improves usability, and reduces privilege risks.


BeyondTrust solutions enable your organisation to adopt best practices for operations and security, while addressing key mandates outlined by the MAS.

Unified PAM Solutions that Reduce Risks and Enable Productivity

BeyondInsight is a centralised management and analytics console that spans across BeyondTrust products, providing unified management and reporting for BeyondTrust PAM solutions. With BeyondInsight, IT and security teams have a single, contextual lens through which to view user and asset risk. This clear, consolidated risk profile enables proactive, joint decision-making, while ensuring that daily operations are guided by common risk reduction goals.

Platform Capabilities

• Asset & Account Discovery – Automatically discover and manage all privileged accounts and assets in your organisation

• Threat & Vulnerability Intelligence – Identify high-risk users and assets by teaming behavioural analytics and vulnerability data with security intelligence from best-of-breed security solutions

• Reporting & Connectors – Understand and communicate risk with more than 280 privilege and vulnerability reports, and share security data via a wide range of connectors for best-of-breed security solutions

• Policy & Action Response – Be alerted to in-progress attacks and automatically mitigate threats in real-time

BeyondTrust Privileged Access Management Solutions

With BeyondTrust’s PAM solutions, you can completely manage and audit privileged access to your organisation’s infrastructure, while building fine-grained, context-aware security access policies for all assets. Easily configured for separate security zones, BeyondTrust solutions enable you to apply appropriate levels of security to multiple applications sharing the same physical or virtual infrastructure. When implemented as a part of a MAS TRM Guideline initiative, BeyondTrust PAM solutions allow your organisation to adhere to the principle of least privilege (PoLP), a fundamental security tenet. PoLP dictates that organisations grant each user only the minimum access and privileges necessary to complete legitimate tasks. BeyondTrust makes it easy to establish a layered defence of least-privilege policies, procedures, auditing, and technical controls with the following solutions:

BeyondTrust Solution / Description

BeyondInsight (BI)

BeyondInsight (BI) enables large-scale distributed vulnerability assessment, remediation, privileged access management, as well as password injection into secure remote access sessions. The solution offers all the vulnerability assessment capabilities of the BeyondTrust Network Security Scanner, plus centralised management, reporting, analytics and other BI platform capabilities. With BI for Privileged Access Management, customers have centralised reporting, auditing, session playback, and monitoring over users and administrators across disparate and heterogeneous infrastructures. BI provides the unique capability of seeing privileged password and session management, endpoint privilege management, and secure remote access in a single pane of glass, and can be deployed to meet operational silo requirements or merged for a holistic view of all security and operational data.

Vulnerability Management (VM)

BeyondTrust Vulnerability Management is designed to discover, profile, and assess all assets deployed on an organisation’s network. Customers can efficiently identify, prioritise, and remediate vulnerabilities, such as missing patches and configuration weaknesses. The solution provides in-depth technical as well as executive reports. When used with the BeyondTrust Platform, the solution delivers a comprehensive view of enterprise-wide network security.

Endpoint Privilege Management (EPM)

BeyondTrust Endpoint Privilege Management enforces least privilege and eliminates admin rights across Windows, Unix, Linux, MacOS, network, IoT, ICS, and SCADA devices. Organisations can remove admin rights from desktop users, and also tightly manage privileged access on servers (including eliminating root access), while empowering both IT and non-IT workers to securely do their jobs. The solution monitors and logs all privileged sessions in real-time, providing a thorough compliance trail. EPM can also centralise authentication for Unix, Linux, and MacOS, by extending Kerberos authentication and single sign-on capabilities across platforms into Microsoft’s Active Directory.


Password Safe (PS)

Password Safe (PS) is a hardened appliance for privileged password management across an organisation’s dynamic IT infrastructure. It can be configured as a physical or virtual appliance, with no difference in functionality. PS provides automated management of highly privileged accounts, such as shared administrative accounts, application accounts, and local administrative accounts, across nearly all IP-enabled devices. Additionally, request, approval, and retrieval workflow functionality are included for end-user access of managed privileged accounts. It also includes audit-ready logging and reporting capabilities.

Privileged Remote Access (PRA)

BeyondTrust Privileged Remote Access (PRA) provides visibility and control over third-party vendor access and internal remote access, enabling organisations to extend access to important assets, but without compromising security. The solution enables you to secure, manage, and audit remote privileged access without a VPN, helping you eliminate dangerous cyberattack pathways.

Auditor

BeyondTrust Auditor is available for Active Directory, Exchange, and File Systems and provides centralised auditing, before and after values for audited changes, and streamlined reporting of changes at a micro and macro level. A single change to any of these services can endanger an organisation by impacting productivity, creating security risks and potentially impacting compliance. Auditor allows for reporting and monitoring of these changes, as well as full backup and recovery in real-time.

BeyondTrust Solutions Mapped to the MAS Guidelines

Based on the 14 sections outlined in the MAS TRM Guidelines, BeyondTrust solutions map to 12 key subsections within those requirements. Below is a listing of each of these requirements, their descriptions, and the BeyondTrust technology that satisfies the specification.

4.1 Information System Assets (BI, VM, EPM, PS, PRA, Auditor)

• 4.1.1 Information system assets should be adequately protected from unauthorized access, misuse, or fraudulent modification, insertion, deletion, substitution, suppression or disclosure.


• 4.1.2 The Financial Institution should establish a clear policy on information system asset protection. Criticality of information system assets should be identified and ascertained in order to develop appropriate plans to protect them.

4.2 Risk Identification (BI, VM, EPM)

• 4.2.1 Risk identification entails the determination of the threats and vulnerabilities to the FI’s IT environment, which comprises the internal and external networks, hardware, software, applications, systems interfaces, operations and human elements.

• 4.2.3 Security threats, such as those manifested in denial of service attacks, internal sabotage and malware infestation, could cause severe harm and disruption to the operations of an FI with consequential losses for all parties affected. The FI should be vigilant in monitoring such mutating and growing risks, as it is a crucial step in the risk containment exercise.

4.3 Risk Assessment (BI, VM, EPM)

• 4.3.1 Following risk identification, the FI should perform an analysis and quantification of the potential impact and consequences of these risks on the overall business and operations.

• 4.3.3 The FI should develop a threat and vulnerability matrix to assess the impact of the threat to its IT environment. The matrix will also assist the FI in prioritizing IT risks.

4.4 Risk Treatment (BI, VM, EPM)

• 4.4.1 For each type of risk identified, the FI should develop and implement risk mitigation and control strategies that are consistent with the value of the information system assets and the level of risk tolerance.

• 4.4.3 FI should give priority to threat and vulnerability pairings with high risk ranking which could cause significant harm or impact to the FI’s operations.

4.5 Risk Monitoring and Reporting (BI, VM, EPM, Auditor)

• 4.5.1 The FI should maintain a risk register which facilitates the monitoring and reporting of risks. Risks of the highest severity should be accorded top priority and monitored closely with regular reporting on the actions that have been taken to mitigate them.

• 4.5.2 To facilitate risk reporting to management, the FI should develop IT risk metrics to highlight systems, processes or infrastructure that have the highest risk exposure.

6.2 Security Requirements and Testing (BI, VM, EPM, PRA, Auditor, PS)

• 6.2.1 The FI should clearly specify security requirements relating to system access control, authentication, transaction authorization, data integrity, system activity logging, audit trail, security event tracking, and exception handling in the early phase of system development or acquisition. The FI should also perform a compliance check on the FI’s security standards against the relevant statutory requirements.

• 6.2.4 The FI should conduct penetration testing prior to the commissioning of a new system that offers internet accessibility and open network interfaces. The FI should also perform vulnerability scanning of external and internal network components that support the new system.

9.1 Data Loss Prevention (BI, VM, EPM, PS, PRA)

• 9.1.6 Confidential information stored on IT systems, servers and databases should be encrypted and protected through strong access controls, bearing in mind the principle of “least privilege”.

9.3 Networks and Security Configuration Management (BI, VM, EPM, Auditor)

• 9.3.1 The FI should establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within the IT environment.

• 9.3.3 The FI should deploy anti-virus software to servers, if applicable, and workstations.

• 9.3.4 The FI should install network security devices, such as firewalls as well as intrusion detection and prevention systems.

9.4 Vulnerability Assessment and Penetration Testing (BI, VM, EPM)

• 9.4.1 The FI should conduct VAs regularly to detect security vulnerabilities in the IT environment.

• 9.4.2 The FI should deploy a combination of automated tools and manual techniques to perform a comprehensive VA. For web-based external facing systems, the scope of VA should include common web vulnerabilities such as SQL injection and cross-site scripting.

• 9.4.3 The FI should establish a process to remedy issues identified in VAs and perform subsequent validation of the remediation to validate that gaps are fully addressed.

• 9.4.4 The FI should carry out penetration tests in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on the system. The FI should conduct penetration tests on internet-facing systems at least annually.

9.5 Patch Management (BI, VM)

• 9.5.1 The FI should establish and ensure that the patch management procedures include the identification, categorization and prioritization of security patches. To implement security patches in a timely manner, the FI should establish the implementation time frame for each category of security patches.

9.6 Security Monitoring (BI, VM, EPM, Auditor, PS, PRA)

• 9.6.3 The FI should implement security monitoring tools which enable the detection of changes to critical IT resources such as databases, system or data files and programs, to facilitate the identification of unauthorized changes.

• 9.6.4 The FI should perform real-time monitoring of security events for critical systems and applications, to facilitate the prompt detection of malicious activities on these systems and applications.

• 9.6.5 The FI should regularly review security logs of systems, applications, and network devices for anomalies.

11.2 Privileged Access Management (BI, VM, EPM, PS, PRA)

• 11.2.3 The FI should closely supervise staff with elevated system access entitlements and have all their system activities logged and reviewed, as they have the knowledge and resources to circumvent systems controls and security procedures. The FI should adopt the following controls and security practices:

a. Implement strong authentication mechanisms such as two-factor authentication for privileged users;
b. Institute strong controls over remote access by privileged users;
c. Restrict the number of privileged users;
d. Grant privileged access on a “need-to-have” basis;
e. Maintain audit logging of system activities performed by privileged users;
f. Disallow privileged users from accessing systems logs in which their activities are being captured;
g. Review privileged users’ activities on a timely basis;
h. Prohibit sharing of privileged accounts;
i. Disallow vendors and contractors from gaining privileged access to systems without close supervision and monitoring; and
j. Protect backup data from unauthorized access.

BeyondTrust MAS Guideline Matrix

BeyondTrust's unified solutions offer the industry’s broadest set of privileged access management capabilities with a flexible design that simplifies integrations, enhances user productivity, and maximizes IT and security investments. When properly deployed and configured, the BeyondTrust solution either fully meets or augments the following MAS TRM Guidelines:

MONETARY AUTHORITY OF SINGAPORE (MAS) TECHNOLOGY RISK MANAGEMENT (TRM) GUIDELINES

Columns: BeyondInsight (BI), Vulnerability Management (VM), Endpoint Privilege Management (EPM), Password Safe (PS), Auditor, Privileged Remote Access (PRA). An X marks each solution listed beside the corresponding subsection in the section headings above.

Guideline section                                       BI   VM   EPM  PS   Auditor  PRA
4.1  Information System Assets                          X    X    X    X    X        X
4.2  Risk Identification                                X    X    X
4.3  Risk Assessment                                    X    X    X
4.4  Risk Treatment                                     X    X    X
4.5  Risk Monitoring and Reporting                      X    X    X         X
6.2  Security Requirements and Testing                  X    X    X    X    X        X
9.1  Data Loss Prevention                               X    X    X    X             X
9.3  Networks and Security Configuration Management     X    X    X         X
9.4  Vulnerability Assessment and Penetration Testing   X    X    X
9.5  Patch Management                                   X    X
9.6  Security Monitoring                                X    X    X    X    X        X
11.2 Privileged Access Management                       X    X    X    X             X


V2019_04_ENG

ABOUT BEYONDTRUST

BeyondTrust is the worldwide leader in Privileged Access Management, offering the most seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access. Our extensible platform empowers organisations to easily scale privilege security as threats evolve across endpoint, server, cloud, DevOps, and network device environments. BeyondTrust unifies the industry’s broadest set of privileged access capabilities with centralised management, reporting, and analytics, enabling leaders to take decisive and informed actions to defeat attackers. Our holistic platform stands out for its flexible design that simplifies integrations, enhances user productivity, and maximises IT and security investments. BeyondTrust gives organisations the visibility and control they need to reduce risk, achieve compliance objectives, and boost operational performance. We are trusted by 20,000 customers, including half of the Fortune 500, and a global partner network. Learn more at www.beyondtrust.com