Prudential Standard CPS 234: How Exabeam Aligns With the New Australian Financial Standard
With the launch of the new prudential standard CPS 234 by the Australian Prudential Regulation Authority (APRA), a clear set of guidelines has been provided for APRA-regulated entities to build resilient organizations that can withstand information security incidents and cyber security attacks. This blog post gives a high-level overview of some of the requirements included in APRA’s prudential standard CPS 234. We also provide insights into how Exabeam’s user and entity behavior analytics (UEBA) capabilities align with the new standard by using machine learning to identify unusual patterns of behavior instigated by a malicious insider, a compromised user or a compromised asset, and by giving administrators visibility into access to sensitive data, unsuccessful access or logon attempts and other cyber intrusions.
Overview of CPS 234
The Australian Prudential Regulation Authority (APRA) was established by the Australian Government in 1998 and is an independent organization accountable to the Australian Parliament that supervises financial institutions. As stated on its website:
“The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding $6.5 trillion in assets for Australian depositors, policyholders and superannuation fund members.”
What is the CPS 234 standard?
The stated intent and purpose of the APRA CPS 234 is as follows:
“The new Prudential Standard CPS 234 Information Security will shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks), and their ability to respond swiftly and effectively in the event of a breach.”
APRA’s CPS 234 standard (combined with the associated Practice Guide CPG 234) specifically calls out a range of cyber security capabilities required by APRA-regulated entities. These include the ability of the organization’s security solution to:
- Monitor controls for timely detection of compromises to information security
- Establish a baseline of normal activity by profiling users to detect anomalous activity that may indicate a security threat
- Log and alert on access to sensitive data and on unsuccessful logon attempts to identify potential unauthorized access
- Monitor users with privileged access appropriately to match the heightened risks involved
- Align monitoring processes and tools with evolving threats and contemporary industry practices
- Implement appropriate security tools to enable timely detection
- Detect information security incidents quickly to minimize the impact of an information security compromise
- Prohibit sharing of accounts and passwords with the possible exception of generic accounts, where prohibiting sharing of accounts and passwords is unavoidable due to technology constraints
- Audit logging and monitoring of access to information assets by all users
- Detect unauthorized access by using logs, security information and event management (SIEM), security cameras, intrusion detection solutions (IDS), integrity change detection solutions, event analysis and escalation procedures
How Exabeam serves the standard
With cyber attacks becoming more complex and harder to detect, correlation rules often are unable to find the attacks because they lack context or miss incidents they’ve never seen and generate numerous false positives. Correlation rules also require significant maintenance and manual labor to provide insights. All of this contributes to analyst alert fatigue. Exabeam’s UEBA security solution automatically detects the behaviors indicative of a potential threat and provides real-time, actionable insight into anomalous behavior in an organization’s environment that warrants investigation or response. These capabilities are aligned with the requirements of APRA’s CPS 234 standard which details a range of cyber security capabilities required by entities that are regulated by APRA.
Out of the box, Exabeam provides 10 use cases that support these requirements, including:
- Compromised User Credentials
User account credentials are critical to an organization, and for that reason stolen credentials remain the number one vector for data breaches, according to the Verizon 2018 Data Breach Investigations Report (p.8). Legacy security tools are unable to detect and identify unauthorized access, allowing the attacker to reach sensitive data or internal resources.
- Privileged-user Compromise
A privileged user has authorized access to critical resources, such as a database with customer information, a user-rights management system, or an authentication system. When a threat actor obtains privileged-user credentials, the attack can proceed directly to those high-value assets undetected. A UEBA solution can monitor suspicious activity by ex-employees or contractors, and identify human errors in managing or tracking who has access to sensitive data.
- Executive Assets Monitoring
Millions of dollars are stolen each year through wire transfers initiated by successful webmail schemes that trick company executives into approving these transfers. When a CEO or CFO loses their laptop, adversaries can access sensitive financial and planning data. An effective UEBA solution will automatically build asset and behavior models that identify executive systems and monitor them for unusual access and usage.
- Compromised System/Host/Device Detection
It is common for attackers to take control of systems, hosts or devices within an organizational network, and carry out attacks stealthily for a long period. A UEBA solution can monitor several vectors, including user accounts, servers, network devices, non-trusted communication sources, insecure protocols, and anti-virus/malware monitoring to detect protection disablement or removal, or status of threat updates.
- Insider Access Abuse
Insider threat is difficult to detect because the threat actor appears to be a legitimate and trusted user and their behavior doesn’t set off alerts in most legacy security tools. A UEBA solution is able to detect when a user’s activity falls outside of their normal behavioral baseline. Some UEBA techniques include detecting logins at unusual hours, at an unusual frequency, or accessing unusual data or systems.
- Detecting Lateral Movement
Lateral movement entails a threat actor systematically moving through a network in search of sensitive data and assets. Often the attack begins when a low-level employee’s account is compromised, after which the threat actor probes other assets for vulnerabilities with the goal of switching accounts, machines and IP addresses. Once the attacker secures administrative privileges, lateral movement can be extremely difficult for legacy security tools to detect because the attack is scattered across the IT environment, spread among different credentials, IP addresses and machines. The unrelated events all appear to be normal. A UEBA solution uses behavioral analysis to connect the dots between “unrelated” activity and stops these attacks.
- Data Exfiltration Detection
Data exfiltration is defined as the illicit transfer of sensitive data outside an organization. It can happen manually when a user transfers data over the internet or copies it to a physical device and moves it outside the premises of an organization. Automatic exfiltration of assets may occur when local systems are infected by malware. In this situation a UEBA solution detects network traffic to command and control centers and identifies infected systems transmitting data to unauthorized parties.
- Account Lockouts
An account lockout is a security feature that protects an account from anyone or anything trying to guess the username and password. After the number of unsuccessful login attempts exceeds a configured threshold, the account is locked out. In some cases, the user must contact an administrator to have their credentials reinstated. Responding to each request can be time consuming, and a UEBA solution can automate the risk assessment process and quickly provide a verdict on account risk.
- Service Account Misuse
A service account is used in place of a normal system account to run specific application services. Service accounts are set up to improve security, the rationale being if it is compromised, losses will be limited. But security tools typically provide limited or no visibility into service accounts. This limitation is counterintuitive because service accounts have high privileges and are high-value targets for attackers. By employing its behavioral analytics capabilities, a UEBA solution can automatically identify service accounts and flag any abnormal behavior within them.
- Security Alert Investigation
Using legacy tools for security alert investigation is a tedious process. Alerts consist of arcane data in raw log files that are difficult to understand for even seasoned security analysts. The investigation requires manual correlation of numerous log files, interpreting meaning, manually culling ancillary data sources for clues, and spending time trying to determine the root cause of an alert incident. UEBA can significantly improve the productivity of SOC analysts when paired with a modern security information and event management solution by using machine-built timelines for effective threat hunting.
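As an added illustration of the baselining, unusual-hour and unusual-host detection, and unsuccessful-logon alerting described in the list above (this is not Exabeam's code and the logon events are constructed), the following Python sketch profiles a user's normal logon hours and hosts, then scores new events against that profile:

```python
"""Toy behavioral baseline for the CPS 234 monitoring items discussed above.
Constructed sample data; not Exabeam code and not a production detector."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed training events: (timestamp, user, host, outcome).
# Two weeks of "alice" logging on to WS-01 every hour from 08:00 to 17:00.
BASELINE = [(f"2019-07-{d:02d} {h:02d}:00", "alice", "WS-01", "success")
            for d in range(1, 15) for h in range(8, 18)]

# Constructed events to score against that baseline.
NEW_EVENTS = [
    ("2019-07-15 09:00", "alice", "WS-01", "success"),    # normal
    ("2019-07-15 23:30", "alice", "WS-01", "success"),    # unusual hour
    ("2019-07-15 10:00", "alice", "DB-PROD", "success"),  # never-seen host
    ("2019-07-15 11:00", "alice", "WS-01", "failure"),
    ("2019-07-15 11:01", "alice", "WS-01", "failure"),
    ("2019-07-15 11:02", "alice", "WS-01", "failure"),
    ("2019-07-15 11:03", "alice", "WS-01", "failure"),    # 4th failure in 5 min
]

def build_baseline(events):
    """Per-user sets of logon hours and hosts seen in successful logons."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for ts, user, host, outcome in events:
        if outcome == "success":
            hours[user].add(datetime.fromisoformat(ts).hour)
            hosts[user].add(host)
    return hours, hosts

def score_events(events, baseline, fail_limit=3, window=timedelta(minutes=5)):
    """Return (timestamp, user, reason) alerts for baseline deviations and
    failed-logon bursts that exceed fail_limit attempts within window."""
    hours, hosts = baseline
    alerts, failures = [], defaultdict(list)
    for ts, user, host, outcome in events:
        when = datetime.fromisoformat(ts)
        if outcome == "failure":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[user] if when - t <= window] + [when]
            failures[user] = recent
            if len(recent) > fail_limit:
                alerts.append((ts, user, "failed-logon burst"))
            continue
        if user in hours and when.hour not in hours[user]:
            alerts.append((ts, user, "logon at unusual hour"))
        if user in hosts and host not in hosts[user]:
            alerts.append((ts, user, "logon to unusual host"))
    return alerts
```

Running `score_events(NEW_EVENTS, build_baseline(BASELINE))` yields three alerts: the 23:30 logon, the logon to DB-PROD, and the fourth failed attempt at 11:03; a real UEBA deployment would learn the profile across many signals and weight them into a risk score rather than using fixed sets.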
In summary, Exabeam’s machine learning capabilities enable organizations to meet and exceed the regulatory compliance requirements defined by CPS 234 by automating the heavy lifting required to rapidly identify compromise and potential breach. By reducing the time to investigate, Exabeam provides security analysts with the insights they need to mitigate threats quickly and effectively. To find out more about how Exabeam can help your security needs, read our white paper about Smart Timelines, a unique process Exabeam uses to translate IT and security logs into actionable insights for analysts to better investigate and respond to incidents.