Prudential Standard CPS 234: How Exabeam Aligns With the Australian Financial Standard

The prudential standard CPS 234 by the Australian Prudential Regulation Authorities (APRA) is a clear set of guidelines that have been provided for APRA-regulated entities to build resilient organizations to combat information security incidents and cybersecurity attacks. This article will give a high-level overview of the requirements included in APRA’s prudential standard CPS 234. We also provide insights into how Exabeam’s user and entity behavior analytics (UEBA) capabilities align with the standard by using machine learning to identify unusual patterns of behavior instigated by a malicious insider, compromised user, or a compromised asset and gives administrators visibility into access to sensitive data, unsuccessful access or login attempts and other cyber intrusions. 

In this article:

• Overview of CPS 234
• What is the CPS 234 standard?
• How Exabeam serves the standard
• Meet and exceed compliance with Exabeam

Overview of CPS 234

The Australian Prudential Regulation Authority (APRA) was established by the Australian Government in 1998  and is an independent organization accountable to the Australian Parliament that supervises financial institutions. As stated on its website:

“The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding $6.5 trillion in assets for Australian depositors, policyholders and superannuation fund members.” 

What is the CPS 234 standard?

The intent and purpose of the APRA CPS 234 is to “shore up APRA-regulated entities’ resilience against information security incidents (including cyberattacks), and their ability to respond swiftly and effectively in the event of a breach.” 

APRA’s CPS 234 standard (combined with the associated Practice Guide CPG 234) specifically calls out a range of cybersecurity capabilities required by APRA-regulated entities. These include the ability of the organization’s security solution to:

• Monitor controls for timely detection of compromises to information security
• Establish a baseline of normal activity by profiling users to detect anomalous activity that may indicate a security threat
• Log and alert when access to sensitive data or unsuccessful logon attempts to identify potential unauthorized access
• Monitor users with privileged access appropriately to match the heightened risks involved
• Align monitoring processes and tools with evolving threats and contemporary industry practices
• Implement appropriate security tools to enable timely detection
• Detect information security incidents quickly to minimize the impact of an information security compromise
• Prohibit sharing of accounts and passwords with the possible exception of generic accounts, where prohibiting sharing of accounts and passwords is unavoidable due to technology constraints
• Audit logging and monitoring of access to information assets by all users
• Detect unauthorized access by using logs, security information and event management (SIEM), security cameras, intrusion detection solutions (IDS), integrity change detection solutions, event analysis and escalation procedures

How Exabeam serves the standard

With cyberattacks becoming more complex and harder to detect, correlation rules often are unable to find the attacks because they lack context or miss incidents they’ve never seen and generate numerous false positives. Correlation rules also require significant maintenance and manual labor to provide insights. All of this contributes to analyst alert fatigue. Exabeam’s UEBA security solution automatically detects the behaviors indicative of a potential threat and provides real-time, actionable insight into anomalous behavior in an organization’s environment that warrants investigation or response. These capabilities are aligned with the requirements of APRA’s CPS 234 standard which details a range of cybersecurity capabilities required by entities that are regulated by APRA. 

Out of the box, Exabeam provides 10 use cases that support this requirement including:

1. Compromised User Credentials

User account credentials are critical to an organization, and for that reason, stolen credentials remain a key entry point for data breaches, according to the Verizon 2021 Data Breach Investigations Report. Legacy security tools are unable to detect and identify unauthorized access allowing the attacker to access sensitive data or internal resources.

2. Privileged-user Compromise

A privileged user has authorized access to critical resources, such as a database with 

customer information, a user-rights management system, or an authentication system. 

When a threat actor obtains privileged-user credentials, the attack can proceed directly to those high-value assets undetected. A UEBA solution can monitor suspicious activity by ex-employees or contractors, and identify human errors in dealing with or detecting who has access to sensitive data.

3. Executive Assets Monitoring

Millions of dollars are stolen each year through wire transfers initiated by successful webmail schemes that trick company executives into approving these transfers. Adversaries also access sensitive financial and planning data in the unfortunate event a  CEO or CFO loses their laptop. An effective UEBA solution will automatically build asset and behavior models that identify executive systems and monitor them for unusual access and usage.

4. Compromised System/Host/Device Detection

It is common for attackers to take control of systems, hosts or devices within an organizational network, and carry out attacks stealthily for a long period. A UEBA solution can monitor several vectors, including user accounts, servers, network devices, non-trusted communication sources, insecure protocols, and anti-virus/malware monitoring to detect protection disablement or removal or offer status of threat updates.

5. Insider Access Abuse

Insider threat is difficult to detect because the threat actor appears to be a legitimate and trusted user. Unfortunately, their behavior doesn’t set off alerts in most legacy security tools. A UEBA solution detects when a user’s activity falls outside of their normal behavioral baseline. Some UEBA techniques include detecting logins at unusual hours, at an unusual frequency, or accessing unusual data or systems.

6. Detecting Lateral Movement 

Lateral movement entails a threat actor systematically moving through a network in search of sensitive data and assets. Often the attack begins when a low-level employee’s account is compromised after which the threat actor probes other assets for vulnerabilities with the goal to switch accounts, machines and, IP addresses, moving undetected throughout the organization. Once the attacker secures administrative privileges lateral movement can be extremely difficult to detect by legacy security tools because the attack is scattered across the IT environment, and spread among different credentials, IP addresses, and machines. The unrelated events all appear to be normal. A UEBA solution uses behavioral analysis to connect the dots between “unrelated” activities and stop these attacks.

7. Data Exfiltration Detection

Data exfiltration is defined as sensitive data that is illicitly transferred outside an organization. It can happen manually when a user transfers data over the internet or copies it to a physical device and moves it outside the premises of an organization. Automatic exfiltration of assets may occur when local systems are infected by malware. In this scenario, the UEBA solution detects network traffic to command and control centers and identifies infected systems transmitting data to unauthorized parties. 

8. Account Lockouts

An account lockout is a security feature that protects an account from anyone or anything trying to guess the username and password. After an unsuccessful login exceeds a set parameter of permitted attempts the account is locked out. In some cases, the user must contact an administrator to have their credentials reinstated. Investigating and responding to each request can be time-consuming and a UEBA can automate the risk assessment process and quickly provide a verdict on account risk.

9. Service Account Misuse

Service accounts are often used in place of a normal system account to run specific application services. These accounts are set up to improve security and to limit losses if it is compromised. But security tools typically provide limited or no visibility into service accounts. This limitation is counterintuitive because service accounts have high privileges, making them high-value targets for attackers. By employing behavioral analytics capabilities, a UEBA solution can automatically identify service accounts and flag any abnormal behavior within them.

10. Security Alert Investigation

Using legacy tools for security alert investigation is a tedious process. Alerts consist of arcane data in raw log files that are difficult to understand for even seasoned security analysts. The investigation requires manual correlation of numerous log files, interpreting meaning, manually culling ancillary data sources for clues, and spending time trying to determine the root cause of an alert incident. UEBA can significantly improve the productivity of SOC analysts when paired with a modern security information and event management solution by using machine-built timelines for effective threat hunting.

Meet and exceed compliance with Exabeam

In summary, Exabeam’s UEBA machine learning capabilities enable organizations to meet and exceed their regulatory compliance defined by CPS 234 by automating the heavy lifting required to rapidly identify compromise and potential breach. By reducing the time to investigate, Exabeam provides security analysts with the insights they need to mitigate threats quickly and effectively. To find out more about how Exabeam can help your security needs, read our white paper about Smart Timelines, a unique process Exabeam uses to translate IT and security logs into actionable insights for analysts to better investigate and respond to incidents.