11.07.2015

How Imperva SecureSphere Helps Address TRM Guidelines for ...

Product Overview White Paper

Imperva SecureSphere: Addressing the Monetary Authority of Singapore's Technology Risk Management Guidelines

What's New in the Technology Risk Management Guidelines of the Monetary Authority of Singapore?

In June 2013, the Monetary Authority of Singapore (MAS) published new Technology Risk Management (TRM) Guidelines which supersede the previously published "Internet Banking Technology Risk Management (IBTRM) v3" Guidelines. The new TRM Guidelines have an even stronger regional and global impact than the previous guidelines, due to a new set of twelve legally binding "Notices".

The TRM Guidelines involve substantial changes from the IBTRM Guidelines. In fact, PWC [1] reported that 64% of the TRM Guidelines are new requirements. This is, in part, because the guidelines extend coverage to all IT systems, as opposed to just internet-facing systems. Furthermore, the new guidelines apply to all financial institutions, not just banks. Financial institutions are now required to adopt risk management principles and security practices to address the TRM Guidelines. MAS [2] indicated that significant changes have been made in the following areas:

• Data Centers Protection and Controls
• Mobile Banking and Payment Security
• Payment Card System and ATM Security
• Combating Cyber Threats
• Customer Protection and Education

1. Technology Risk Management: Are you ready? PWC
2. Technology Risk Management Guidelines Consultation Paper, MAS, 20 June 2012


While the TRM Guidelines themselves do not have any legal implications, the twelve new Notices of the TRM Guidelines do. The Monetary Authority of Singapore considers Notices to be regulatory instruments [3]. MAS takes breaches seriously, stating that "The approach in which MAS treats a breach to the Notice will be consistent with that for other breaches of regulations." [4] While each Notice is different, and is designated for a different type of financial institution, all Notices focus on the following components:

• Establish a framework and process to identify critical systems
• Provide high availability of critical systems
• Establish and meet Recovery Time Objective (RTO) for critical systems
• Report on incidents within specific timeframes
• Deploy IT controls to protect customer information

Because the new Notices of the TRM Guidelines take effect on July 1, 2014, it is important that all financial institutions conducting business in Singapore plan on meeting TRM compliance by that deadline.

Addressing the TRM Guideline Requirements

Because the TRM Guidelines now have broader impact, legal implications, and a firm compliance deadline, non-compliance with the TRM by financial institutions could be costly and damaging to an institution's reputation. To help fulfill TRM requirements, the Monetary Authority of Singapore provided a TRM Checklist to guide financial institutions in their compliance efforts.

The TRM Checklist is comprehensive and contains over two hundred items that cover the many different attack vectors associated with security threats. While the checklist helps create a multi-layered defense strategy to protect financial systems and assets, financial organizations can be challenged by the volume and depth of the requirements. The complicated nature of security threats makes it difficult to meet many checklist items without the use of proper security tools and solutions.

To help organizations address the demands of the TRM, Imperva provides automated solutions that meet or exceed key TRM requirements. The included matrix identifies Imperva products that fully or partially address TRM Checklist items.

3. Classification of Instruments Issued by MAS, http://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Classification-of-Instruments-Issued-by-MAS.aspx
4. Response to Consultation Paper on TRM Notice, MAS


MAS TRM Checklist Items Imperva Products Address

Product columns in the matrix: WAF, Incapsula WAF, DAS, DAM, DBF, URMD, FAM, FFW, URMF, SharePoint, DSM. Each marker in the Coverage column stands for one product.

TRM Section   TRM Excerpt                     Coverage
4.2.4         Risk Monitoring                 ◦ ◦
4.3.1         Risk Assessment                 ◦
4.3.3         Risk Assessment                 ◦
4.4.3         Risk Management                 ◦
4.5.1         Risk Management                 ◦
4.5.2         Risk Management                 ◦
5.1.6         Vendor Monitoring               ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
6.2.4         Vulnerability Assessment        ◦
6.2.5         Vendor Monitoring               ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
6.3.3         Security Controls Review        ◦ ◦
6.3.4         Compliance Review               ◦ ◦
7.1.1         Change Monitoring               ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
7.1.3         Risk Assessment                 ◦
7.1.7         Log and Audit Trails            ◦ ◦ ◦ ◦ ◦ ◦
7.2.3         Risk Assessment                 ◦
7.2.4         Segregation of Duties           ◦ ◦ ◦ ◦ ◦
7.3.3         Security Monitoring             ◦ ◦ ◦ ◦ ◦ ◦
7.3.12        Incident Analysis               ◦ ◦ ◦ ◦
7.4.2         Rights Management               ◦ ◦
7.4.4         Incident Analysis               ◦ ◦ ◦ ◦ ◦ ◦
9.0.1         Datacenter Security Solutions   • • • • • • • • • • •
9.0.2         Datacenter Security Solutions   • • • • • • • • • • •
9.1.1         Data Security Solutions         • • • • • • • • •
9.1.2         Data at Rest Protection         ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
9.1.6         Access Control                  ◦ ◦ ◦ ◦ ◦
9.3.1         Security Settings Review        ◦
9.4.1         Vulnerability Assessment        ◦
9.4.2         Vulnerability Assessment        ◦
9.5.1         Patching                        ◦ ◦ ◦ ◦
9.6.1         Security Monitoring             ◦ ◦ ◦ ◦ ◦ ◦

• Fully addresses   ◦ Partially addresses


Monitoring and Logging Privileged Access

SecureSphere delivers an automated and scalable monitoring and auditing solution for databases, file servers, and SharePoint platforms. SecureSphere monitors and audits all access to sensitive data, and enables financial institutions to demonstrate compliance with TRM requirements through automated processes, audit analysis, and detailed customizable reports.

Ensuring the Integrity of Audit Logs

SecureSphere provides a tamper-proof audit log, which is stored on a hardened appliance. Users, including those with privileged access, cannot alter the content of the audit log. This prevents attempts to conceal malicious activity by editing or deleting the record of it.

Conducting Regular Reviews of Audit Logs

SecureSphere supports regular reviews of the audit logs through detailed audit reports and analysis views. Predefined reports provide a starting point and help address the specific audit requirements of TRM, while customization supports unique technical and business needs. Real-time alerts and audit analytic tools enable efficient and comprehensive forensic investigations and incident response.

Prohibiting the Sharing of Privileged System Accounts

SecureSphere can uniquely identify the end user behind the activity, as well as the source IP address, host name, and more. Universal User Tracking ensures that access policies are applied based on the real user, even if the user identity is masked by "connection pooling" (many application users sharing one database connection) or by logging into a shared privileged account.

Protecting Data from Unauthorized Access

SecureSphere can block or quarantine users who violate access policies. SecureSphere will also identify behavior that deviates from normal access patterns and alert on (or block) suspicious activities that may indicate privilege abuse.

Using SecureSphere to Cost Effectively Comply with TRM Requirements

Financial institutions struggle with protecting massive quantities of customer information governed by compliance requirements such as the Monetary Authority of Singapore Technology Risk Management Guidelines. As mentioned earlier, the most common approaches organizations take to meet compliance requirements are to utilize native tools and to manually fix application vulnerabilities. Organizations initially see these "do-it-yourself" approaches as a simple and cost effective route to compliance. The reality is, financial institutions using these approaches discover later that they are both inefficient and ineffective when it comes to meeting compliance and security requirements.

SecureSphere enables financial institutions to significantly reduce their operational costs, while simultaneously achieving even higher levels of security. With SecureSphere, financial institutions can be assured that they can meet compliance requirements in a cost effective manner, and their data and applications will be protected from both known and unknown attacks.


Cutting Data Security Operational Cost

Meeting TRM requirements can be an expensive undertaking without the right strategic approach. Financial institutions that rely on native capabilities built into their operating systems, file systems, and databases end up with a manual, inefficient, and partial solution to compliance requirements. Native audit mechanisms bring hidden IT infrastructure requirements, very high initial and operational costs, and significant impact to application, database, and file server performance.

SecureSphere automates manual processes with core capabilities that include activity monitoring and auditing, user rights management, and automated business policy enforcement. These capabilities transform time-consuming, error-prone management tasks into efficient processes, and allow financial institutions to cost-effectively meet data compliance requirements.

Cutting Application Security Cost

Web application attacks can result in devastating data breaches and application downtime, costing companies millions of dollars in fines, brand damage, and customer turnover. Almost all enterprises have deployed network firewalls to protect their network infrastructure and their users. Most enterprises have also provisioned an intrusion prevention system (IPS) or a next generation firewall to detect intrusions and to control user access to applications. While these products may include a handful of web attack signatures, they do not learn web application structure or usage, so they cannot effectively stop web attacks.

SecureSphere not only provides value by preventing web-based data breaches and downtime, it can also lower application development costs by avoiding costly emergency fix and test cycles. Organizations that attempt to manually fix vulnerabilities must deal with expensive code-fix cycles when the vulnerabilities are discovered. In some cases, vulnerabilities can go unpatched for months until the appropriate fixes can be developed and deployed on production systems.

SecureSphere's Virtual Patching avoids emergency fix and test cycles by blocking attempts to exploit a known vulnerability at the WAF as soon as it is identified, without changing application code. This closes the window of exposure by protecting the application until the organization has the opportunity to fix the underlying vulnerability; the shorter the window of exposure, the less likely it is that vulnerabilities will be exploited. Note that a virtual patch mitigates exploitation but does not remove the flaw from the code, so the code fix should still follow. SecureSphere Virtual Patching brings operational cost savings by allowing organizations to patch on a schedule that works for them, rather than being forced to patch immediately, which can be disruptive to normal operations.


Imperva SecureSphere Business Security Suite

SecureSphere is the market leading solution for business security. SecureSphere provides comprehensive, integrated application security and data security to prevent data breaches, streamline regulatory compliance, and establish a repeatable process for data risk management.

Database Security Products

Database Activity Monitoring: Full auditing and visibility into database data usage
Database Firewall: Activity monitoring and real-time protection for critical databases
Discovery and Assessment Server: Vulnerability assessment, configuration management, and data classification for databases
User Rights Management for Databases: Review and manage user access rights to sensitive databases
ADC Insights: Pre-packaged reports and rules for SAP, Oracle EBS, and PeopleSoft compliance and security

File Security Products

File Activity Monitoring: Full auditing and visibility into file data usage
File Firewall: Activity monitoring and protection for critical file data
SecureSphere for SharePoint: Visibility and analysis of SharePoint access rights and data usage, and protection against Web-based threats
Directory Services Monitoring: Audit, alert, and report on changes made in Microsoft Active Directory
User Rights Management for Files: Review and manage user access rights to sensitive files

Web Application Security Products

Web Application Firewall: Accurate, automated protection against online threats
ThreatRadar Reputation Services: Leverage reputation data to stop malicious users and automated attacks
ThreatRadar Fraud Prevention: Stop fraud malware and account takeover quickly and easily

www.imperva.com
© Copyright 2013, Imperva. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. WP-TRM-0713.1
