MAS TRM Guidelines

by David Schwalenberg
July 2, 2014

The Monetary Authority of Singapore (MAS) published new Technology Risk Management (TRM) Guidelines in June 2013. The MAS TRM Guidelines dashboard provides a high-level overview of information relevant to specific sections in the TRM Guidelines.

The Tenable suite of products can assist an organization in meeting the TRM Guidelines. SecurityCenter provides a single console to administer continuous active scanning, passive detection, log analysis, vulnerability management, and compliance testing across an organization. SecurityCenter’s highly customizable dashboards and reports can be fine-tuned to deliver the most advanced analysis of cybersecurity risks. SecurityCenter Continuous View (SC CV) detects emerging threats through real-time discovery of resources, new systems, unexpected or unusual connections, and relationships between devices; this allows organizations to improve cybersecurity threat mitigation by integrating vulnerability and threat management into one package.

Note that this dashboard relies on PVS detections being forwarded to the LCE. Make sure that the PVS is configured to send syslog messages to the LCE: in Configuration > PVS Settings > Syslog, include the LCE host (with port 514) in the Realtime Syslog Server List. The LCE listens for syslog messages by default.

For additional explanation of this dashboard, along with the applicable sections of the MAS TRM Guidelines and additional dashboards and reports that can provide more detailed information, see SecurityCenter Dashboard for the Monetary Authority of Singapore’s Technology Risk Management Guidelines.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting category Compliance & Configuration Assessment, and then selecting tag trmg. The dashboard requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.6
  • LCE 4.2.2
  • PVS 4.0.2
  • LCE Client - Tenable NetFlow Monitor

Listed below are the included components: 

  • Vulnerability Top Ten - Top 10 Remediations - This table displays the top 10 remediations for the network. For each remediation, the risk reduction for the network if the remediation is implemented is shown, along with the number of hosts affected. The list is sorted so that the highest risk reduction is at the top of the list. Implementing the remediations will decrease the vulnerability of the network.
  • Vulnerability Top Ten - Top 10 Exploitable Vulnerabilities - This table displays the top 10 exploitable vulnerabilities on the network. The list is sorted so that the most critical vulnerability is at the top of the list. For each vulnerability, the severity and the number of hosts affected are shown.
  • Vulnerability Top Ten - Top 10 Most Vulnerable Hosts - This table displays the 10 hosts on the network that have the greatest number of exploitable critical and high severity vulnerabilities. The list is sorted so that the most vulnerable host is at the top of the list. For each host, a bar graph of its critical and high severity vulnerabilities is shown.
  • Track Mitigation Progress - Vulnerability Summary by Severity - SecurityCenter records when vulnerabilities are discovered, when patches are issued, and when vulnerabilities are mitigated. This component assists in tracking vulnerability mitigations. The matrix presents vulnerability summary information by severity. In the matrix, the row with purple is critical severity vulnerability information, the row with red is high severity, the row with orange is medium severity, and the row with blue is low severity. The Mitigated column displays the total number of mitigated vulnerabilities. The Unmitigated column displays the total number of vulnerabilities that have not yet been mitigated. The Exploitable column displays the percentage of those unmitigated vulnerabilities that are known to be exploitable. The Patch Available column displays the percentage of the unmitigated, exploitable vulnerabilities that have had a patch available for more than 30 days. Ideally, both of these percentages should be 0%, because all exploitable vulnerabilities and all vulnerabilities with patches available should have been mitigated already. The Exploitable Hosts column displays the number of hosts on the network that have unmitigated, exploitable vulnerabilities.
  • Track Mitigation Progress - Ticket Status Summary - SecurityCenter includes an integrated ticketing and alerting system; this table presents a status summary of tickets. Tickets are a means by which tasks are assigned to users to perform important actions such as vulnerability or event remediation. Tickets can be created both manually and automatically by a predefined set of conditions through the alerting functionality. Integration with any existing third-party ticketing systems is also supported, typically via e-mail integration. When the SecurityCenter ticketing system is used to track the vulnerability mitigation process, this component can assist in tracking mitigation progress.
  • Detect Changes - Changes in Last 72 Hours - This component can assist in maintaining up-to-date inventories and detecting changes. The matrix presents indicators for network changes detected in the last 72 hours. Each indicator is based on one or more Log Correlation Engine (LCE) events; the indicator is highlighted yellow if the event occurred in the last 72 hours. Any changes should be investigated to determine if they are authorized. More information can be obtained on these events (such as change details, time, and IP address) by clicking on the specific indicator and viewing the raw syslog.
  • Monitor Security Solutions - Activity in Last 72 Hours - This component assists in monitoring security solutions. The matrix presents activity indicators for various security solutions: Firewall, IDS, Antivirus, Antispam, and Anti-scanning. This component assumes that if log events were received in the last 72 hours from a particular technology, then that technology is active on the network, so the indicator is highlighted green. Further investigation is warranted if a protection technology should be active, but no events are being received.
  • Detect Suspicious Activity - Warnings in Last 72 Hours - This matrix presents warning indicators for potentially suspicious network activity detected in the last 72 hours. Each indicator is based on one or more Log Correlation Engine (LCE) events; the indicator is highlighted red if the event occurred in the last 72 hours. Any warnings should be further investigated. More information can be obtained on these events (such as details, time, and IP address) by clicking on the specific indicator and viewing the raw syslog.
  • Compliance Summary - Check Result Ratio - This component provides a ratio view of systems that have been checked for a variety of compliance standards. The ratio bar provides a visual of the number of compliance checks that have passed, failed, or require some manual verification.