Control Definition
Control Objective: Detect and contain anomalous network activity into and within the local or remote SWIFT environment.
In-scope components:
- network (data exchange layer reaching the SWIFT-related components and inside the secure zone)
- remote (hosted or operated by a third party, or both) virtualisation platform supporting the user SWIFT environment
Risk Drivers:
- undetected anomalies or suspicious activity
Implementation Guidance
Control Statement:
Intrusion detection is implemented to detect unauthorised network access and anomalous activity.
Control Context:
Intrusion detection systems are most commonly implemented on a network (NIDS), establishing a baseline for normal operations and sending notifications when abnormal activity on the network is detected. As an operational network becomes more complex (for example, systems communicating with many destinations, or having internet access), so must the intrusion detection capability needed to perform adequate detection. Therefore, simplifying network behaviour is a helpful enabler for simpler and more effective intrusion detection solutions.
Host intrusion detection systems (HIDS) are intended to protect the individual system on which they are installed: they monitor activity on that host (for example, logs, processes and file integrity) and can also inspect the network packets seen on its network interfaces, similar to the way a NIDS operates.
Intrusion detection systems (NIDS or HIDS) often combine signature- and anomaly-based detection methods. Some systems can respond to any detected intrusion (for example, terminating the connection).
Endpoint detection and response (EDR) is an emerging technology that addresses the need for continuous monitoring of, and response to, advanced threats by detecting suspicious activities and (traces of) other problems on hosts and endpoints. It is increasingly combined with an endpoint protection platform (EPP) that operates at the device level.
Implementation Guidelines:
The implementation guidelines are common methods to apply the relevant control. The guidelines are a helpful way to begin an assessment, but should never be considered an "audit checklist", as each user's implementation may vary. Therefore, in cases where some implementation guideline elements are not present or are only partially covered, mitigations as well as particular environment specificities must be considered to properly assess the overall compliance adherence level (as per the suggested guidelines or as per the alternatives).
- The intrusion detection system is configured to detect anomalous activity within the secure zone and at the boundary of the secure zone. This can be achieved through NIDS, HIDS, or both, depending on the network configuration (for example, a large VLAN would benefit more from a NIDS, while isolated "island" systems may benefit from a HIDS; an EDR solution can also be considered).
- Network activity to be tracked for intrusion detection analysis may include:
- Inbound and outbound connections during non-business hours
- Unexpected connections from the secure zone towards other systems within or outside of the perimeter of the SWIFT or customer secure zone
- Unexpected port or protocol use (for example, P2P)
- The system has a repeatable process to regularly update known intrusion signatures.
- If an intrusion is detected, then an alarm is raised and, if the tool permits, a defence mechanism is triggered manually or automatically.
- Detected intrusions are managed through the standard incident response process.
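The three kinds of network activity listed above (connections outside business hours, unexpected destinations from the secure zone, unexpected ports or protocols) are exactly the rules a simple baseline-driven anomaly check can express. The following is an added example, not part of the SWIFT CSCF text: it parses constructed connection records (timestamp, source, destination, port, protocol) and applies each of the three guideline rules against a hypothetical secure-zone address range, a hypothetical baseline of expected flows and an assumed business-hours window. The zone range, the baseline, the hours and every sample line are invented for illustration.

```python
"""Rule-based checks over connection records from a SWIFT-style secure zone.

Added example; not from the SWIFT CSCF. Zone range, baseline flows,
business hours and the sample records are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumption: the secure zone is a single /24 behind the zone firewall.
SECURE_ZONE = ip_network("10.10.50.0/24")

# Constructed baseline of expected flows *from* the zone: (dst, port, proto).
EXPECTED_FLOWS = {
    ("10.10.60.5", 443, "tcp"),   # hypothetical messaging interface / gateway
    ("10.10.70.2", 636, "tcp"),   # hypothetical directory server (LDAPS)
    ("10.10.70.3", 53, "udp"),    # hypothetical internal DNS
}
EXPECTED_DESTS = {dst for dst, _, _ in EXPECTED_FLOWS}

# Assumed business hours: weekdays, 08:00 to 18:00 local time.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# Default BitTorrent port range, standing in for the guideline's "P2P" example.
P2P_PORTS = range(6881, 6890)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<iso-timestamp> <src> <dst> <port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto.lower())


def in_zone(addr: str) -> bool:
    return ip_address(addr) in SECURE_ZONE


def crosses_boundary(f: Flow) -> bool:
    """True for inbound or outbound traffic at the secure-zone boundary."""
    return in_zone(f.src) != in_zone(f.dst)


def is_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def check_flow(f: Flow) -> list:
    """Apply the three guideline rules; return the names of the rules that fire."""
    alerts = []
    # Rule 1: inbound or outbound connections during non-business hours.
    if crosses_boundary(f) and not is_business_hours(f.ts):
        alerts.append("non_business_hours")
    # Rule 2 / 3: traffic originating in the zone must match the baseline;
    # a known destination on an unexpected port/protocol is a port/protocol
    # anomaly, any other destination (inside or outside) is unexpected.
    if in_zone(f.src):
        if f.dst not in EXPECTED_DESTS:
            alerts.append("unexpected_destination")
        elif (f.dst, f.dport, f.proto) not in EXPECTED_FLOWS:
            alerts.append("unexpected_port_protocol")
    # Rule 3 again, for P2P-style ports touching the zone from either side.
    if (in_zone(f.src) or in_zone(f.dst)) and f.dport in P2P_PORTS \
            and "unexpected_port_protocol" not in alerts:
        alerts.append("unexpected_port_protocol")
    return alerts


def detect(lines) -> list:
    """Run every rule over each record; return (rule, raw line) pairs."""
    findings = []
    for line in lines:
        for rule in check_flow(parse_flow(line)):
            findings.append((rule, line))
    return findings


# Constructed sample records (2024-03-12 is a Tuesday, 2024-03-16 a Saturday).
SAMPLE_LINES = [
    "2024-03-12T14:05:11 10.10.50.21 10.10.60.5 443 tcp",    # baseline, in hours
    "2024-03-12T02:17:44 10.10.50.21 10.10.60.5 443 tcp",    # baseline, but 02:17
    "2024-03-12T10:30:02 10.10.50.22 198.51.100.7 443 tcp",  # zone -> Internet host
    "2024-03-12T11:02:19 10.10.50.22 10.10.60.5 6881 tcp",   # known dst, P2P port
    "2024-03-16T09:00:00 203.0.113.9 10.10.50.21 22 tcp",    # inbound on a Saturday
    "2024-03-12T09:45:00 10.10.50.21 10.10.70.3 53 udp",     # baseline DNS
    "2024-03-12T09:46:00 10.10.50.21 10.10.50.23 445 tcp",   # lateral inside the zone
]

if __name__ == "__main__":
    for rule, line in detect(SAMPLE_LINES):
        print(f"{rule:26s} {line}")
```

The baseline set is the part that matters operationally: the guideline's point about simplifying network behaviour is what keeps `EXPECTED_FLOWS` small enough to maintain, and every finding here would feed the incident response process rather than being acted on by the script itself.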
Optional Enhancement:
- Intrusion detection systems can inspect encrypted flows (which requires the traffic to be decrypted at an inspection point that has access to the session keys).
Considerations for alternative implementations:
Institutions with a high level of security information and event management (SIEM) maturity within their organisation may consider extending their SIEM, as stated in control 6.4, to real-time analysis of network and system intrusions.