Logging and monitoring
The SWIFT infrastructure components in the secure zone must be able to log any abnormal system behavior (for example, multiple failed login attempts and authentication errors). Overall goals for logging and monitoring are:
- Implement logging of security-relevant activities and configure alarms for suspicious security events.
- Implement monitoring of security events in logs and of other data (for example, real-time business activities through the GUI), and establish a plan for handling the alarms that are reported.
- Logging:
  - Logging capabilities are implemented to detect abnormal usage within the secure zone as well as any attempts to undermine the effectiveness of controls within the secure zone.
  - Messaging interface audit logs are retained for no less than 12 months and are sufficiently protected from an enterprise administrator-level compromise (for example, log files are transferred to a separate system with different system administrator credentials).
  - Operator workstation, firewall and database audit logs are retained for no less than 31 days.
  - Minimum logs to be recorded include:
    - Command line history for privileged operating system accounts on servers
    - Messaging and communication interface application and operating system logs that include details of abnormal system behavior (for example, multiple failed log-in attempts, authentication errors, changes to user groups)
    - Firewall log files
    - Database log files
- Monitoring:
  - Procedures are in place to identify suspicious log-in activities into any privileged operating system or application account.
  - Monitoring processes are in place to review server, application and database monitoring data either daily via human reviews or via automated monitoring with alerting.
  - Monitoring processes are in place to review network monitoring data on a regular basis.
  - Unusual or suspicious activity is reported for further investigation to the appropriate security team.
- FTM SWIFT features to consider:
  - Message Audit: Messages exchanged by the messaging interfaces (FIN, InterAct and FileAct) are logged in the Message Audit data. For more information see Managing audit data.
  - Command Audit: Recording of commands for various services can be enabled through the "Command Audit" of the related service. For more information see Recording audit data for operation and administration service commands.
  - User Audit: User activities in the DNI_SYSADM and DNI_SECADM services are logged in the User Audit data. For more information see Managing audit data.
  - RMA history data: Relationship management actions are recorded in the RMA history data views. For more information see Viewing history data from the RMA.
  - MER history data: Message history is stored in the ComIbmDni folder of the MQRFH2 in each business message. The actions performed can be displayed in the MER message history view. For more information see History view and Message history.
  - FTM SWIFT web applications: FTM SWIFT web applications perform CSRF detection. In the IBM WebSphere Application Server log, look for messages such as the following:

        CsrfGuard W potential cross-site request forgery (CSRF) attack thwarted
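As an added example (not IBM's code and not part of this documentation), the script below shows how two of the monitoring controls above, spotting repeated suspicious log-in attempts against an account and watching the WebSphere Application Server log for the CsrfGuard message, can be automated over log lines. The sample log lines and the "authentication failed for user ... from ..." line format are constructed assumptions; only the CsrfGuard message text comes from this page.

```python
import re

# Exact warning text this page says to look for in the WebSphere log.
CSRF_PATTERN = re.compile(
    r"CsrfGuard\s+W\s+potential cross-site request forgery \(CSRF\) attack thwarted"
)

# Assumed format for application authentication failures (not specified by the page).
AUTH_FAIL_PATTERN = re.compile(r"authentication failed for user (?P<user>\S+) from (?P<src>\S+)")

# Constructed sample lines in the WebSphere SystemOut.log style; not real log data.
SAMPLE_LOG = """\
[3/12/24 10:01:05:123 CET] 0000004a CsrfGuard     W   potential cross-site request forgery (CSRF) attack thwarted
[3/12/24 10:01:06:010 CET] 0000004b AuthSvc       W   authentication failed for user OPER1 from 10.0.0.5
[3/12/24 10:01:07:442 CET] 0000004b AuthSvc       W   authentication failed for user OPER1 from 10.0.0.5
[3/12/24 10:01:08:909 CET] 0000004b AuthSvc       W   authentication failed for user OPER1 from 10.0.0.5
[3/12/24 10:01:09:313 CET] 0000004c AuthSvc       W   authentication failed for user ADMIN2 from 10.0.0.9
[3/12/24 10:01:10:777 CET] 0000004d WSVR0001I     I   Server server1 open for e-business
"""


def csrf_events(log_text):
    """Return every line in which CsrfGuard reports a thwarted CSRF attempt."""
    return [ln for ln in log_text.splitlines() if CSRF_PATTERN.search(ln)]


def failed_login_counts(log_text):
    """Count authentication failures per (user, source address) pair."""
    counts = {}
    for ln in log_text.splitlines():
        m = AUTH_FAIL_PATTERN.search(ln)
        if m:
            key = (m.group("user"), m.group("src"))
            counts[key] = counts.get(key, 0) + 1
    return counts


def alerts(log_text, threshold=3):
    """One alert per CSRF event, plus one per (user, source) at or above the failure threshold."""
    out = [f"CSRF: {ln}" for ln in csrf_events(log_text)]
    for (user, src), n in sorted(failed_login_counts(log_text).items()):
        if n >= threshold:
            out.append(f"REPEATED AUTH FAILURE: user={user} src={src} count={n}")
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)  # feed these to the security team's alarm-handling process
```

In a deployment the threshold and the source pattern would be tuned to the real application log format, and the output routed to the alerting channel used by the security team.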