1 Introduction
This case study describes how Smarttech's Managed SIEM supports the audit and security requirements of the National Bank of Kuwait (NBK) by ingesting CyberArk Privileged Cloud logs and monitoring them so that the Bank is alerted to important CyberArk administration events.
2 Customer Profile
Since its incorporation in 1952 as Kuwait’s first indigenous bank and the first shareholding company in the entire Gulf region, NBK has been known as ‘The Bank You Know and Trust’. Thanks to the recognized excellence of its very stable management along with its unequivocal strategy, consistent profitability, high asset quality, and strong capitalization, NBK, throughout the years, succeeded in building an advanced banking institution that offers a full spectrum of innovative financial and investment services and solutions to individual, corporate and institutional clients. NBK enjoys a dominant market share with a large and ever-expanding local and regional clientele. NBK also boasts Kuwait’s largest overseas branch network spanning many of the world’s financial and business centers.
3 Customer Needs
NBK has implemented CyberArk's Privileged Account Management solution to secure high-value administrative credentials. These credentials are held in a CyberArk password vault, organised into safes, and the vault database encrypts its data at rest with a key stored in a Hardware Security Module (HSM). The same protection covers the underlying storage of the database clusters, their automated backups, read replicas and snapshots. Administrators never learn the passwords themselves, and the passwords are rotated regularly. When an NBK administrator is granted the use of a credential, the resulting session is proxied, recorded keystroke by keystroke and time-stamped, which provides a tamper-resistant audit trail.
An internal Bank audit found that the log files generated by the CyberArk Privileged Account Manager solution were not being collected and managed by the Bank's Security Operations Center (the Smarttech Managed SIEM). Until those logs reached the SIEM, vault administration events were not being monitored, and the Bank needed to close that gap.
4 Solution Provided by CTI
CTI Global undertook the API integration project to securely transfer CyberArk security logs into the Bank's Smarttech Managed SIEM. The specific events that are collected are listed in Attachment A.
5 Benefits to Customer
Once the event logs are ingested by Smarttech's Managed SIEM, a range of security analytics can be applied to them, as shown in the diagram below. The Bank can now apply advanced threat and vulnerability management to this data. This not only satisfies GRC audit requirements; it also improves the Bank's security posture for its most important administrative accounts.
6 Conclusion
CTI Global is a certified CyberArk delivery partner. Our many years of CyberArk technical expertise allow CTI Global to add programmatic extensions to CyberArk's Privileged Access Manager (PAM) solutions, whether on-premises or cloud-based, to address unique security use cases; in this case, to satisfy an audit requirement. Attachment A lists the events that we capture from CyberArk and ingest into the Smarttech-managed SIEM for real-time, 24/7 security event monitoring.
Attachment A: Available CyberArk Security Event Codes
CyberArk PAM emits a large number of action codes that can be used to monitor different behaviours; in the Vault's syslog/CEF output the action code appears as the CEF signature ID, which is the field a SIEM rule keys on. For general monitoring, we recommend monitoring the action codes listed in the table below. Note that the "Failure" variants matter as much as the successful events: a CPM verify, change or reconcile failure means a credential is no longer being rotated, and a run of PSM connect failures for one user is the signature of someone probing for access.
Code | Description |
4 | User Authentication |
17 | Add Safe |
22 | CPM Verify Password |
24 | CPM Change Password |
31 | CPM Reconcile Password |
38 | CPM Verify Password Failure |
57 | CPM Change Password Failure |
60 | CPM Reconcile Password Failure |
88 | Set Password |
130 | CPM Disable Password |
142 | Delete Safe Failure |
183 | Delete Safe |
295 | Retrieve Password |
300 | PSM Connect |
301 | PSM Connect Failure |
302 | PSM Disconnect |
303 | PSM Disconnect Failure |
306 | Use Password |
319 | Retrieve Password (from Provider) |
344 | Privileged Command Initiated |
346 | Privileged Command Completed |
359 | PSM SQL Command |
360 | PSM SQL Command Failure |
361 | PSM Keystrokes |
362 | PSM Keystrokes Failure |
372 | Terminate Session |
373 | Terminate Session Failure |
374 | Start Monitor session |
375 | Start Monitor session Failure |
376 | End Monitor session |
377 | End Monitor session Failure |
378 | PSM Secure Connect Session Start |
379 | PSM Secure Connect Session Start Failure |
380 | PSM Secure Connect Session End |
381 | PSM Secure Connect Session End Failure |
411 | PSM Window Title |
412 | PSM Window Title Failure |
414 | CPM Verify SSH Key |
416 | CPM Rotate SSH Key |
418 | CPM Reconcile SSH Key |
426 | CPM Disable SSH Key |
434 | CPM has deleted the public SSH key |
463 | Agent successfully changed the password for account |
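The following Python script is an added example, not CTI Global's integration code and not anything shipped by CyberArk or Smarttech. It shows what a SIEM does with this table: it parses CyberArk Vault syslog/CEF lines, keeps only the recommended action codes (the CEF signature ID field), and applies three rules of the kind a SOC would run over them: safe deletion and CPM rotation failures alert on sight, repeated failures for one user are reported as probing, and a password retrieval outside the assumed change window is flagged. The log lines are constructed for the example; the after-hours window, the failure threshold, and the extension field names used by the rules (suser, cs2 as "Safe Name", reason) are assumptions about the deployment, not facts from the case study.

```python
"""Added example: parse CyberArk Vault CEF syslog and apply SIEM-style rules.
The sample log lines below are constructed, not captured from NBK's vault."""
import re
from collections import defaultdict
from datetime import datetime

# Subset of the Attachment A action codes. In CEF the code is the signature ID.
WATCHED_CODES = {
    4: "User Authentication", 38: "CPM Verify Password Failure",
    57: "CPM Change Password Failure", 142: "Delete Safe Failure",
    183: "Delete Safe", 295: "Retrieve Password", 300: "PSM Connect",
    301: "PSM Connect Failure", 372: "Terminate Session",
}
IMMEDIATE = {183, 142, 38, 57}   # safe deletion or rotation failure: alert on sight
FAILURE_THRESHOLD = 3            # assumed: failures per user before "probing" fires
AFTER_HOURS = (22, 6)            # assumed policy: 22:00-06:00 is outside change windows

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>CEF:.*)$")
HEADER = re.compile(r"^CEF:(?P<v>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
                    r"(?P<version>[^|]*)\|(?P<code>[^|]*)\|(?P<name>[^|]*)\|"
                    r"(?P<sev>[^|]*)\|(?P<ext>.*)$")
# CEF extension values may contain spaces, so split only on the space before a key=.
EXT_SPLIT = re.compile(r"(?<!\\) (?=[A-Za-z0-9_.]+=)")


def parse_extension(ext):
    """Turn 'k=v k2=v two' into a dict, undoing the CEF escapes for '=' and '\\'."""
    fields = {}
    for chunk in EXT_SPLIT.split(ext.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return fields


def parse_event(line, year=2024):
    """Return one CyberArk CEF event as a dict, or None for non-CyberArk lines.
    Syslog (RFC 3164) headers carry no year, so one is supplied by the caller."""
    m = SYSLOG.match(line)
    if not m:
        return None
    h = HEADER.match(m.group("rest"))
    if not h or h.group("vendor") not in ("Cyber-Ark", "CyberArk"):
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "code": int(h.group("code")),
            "name": h.group("name"), "severity": int(h.group("sev")),
            **parse_extension(h.group("ext"))}


def parse_log(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def evaluate(events):
    """Apply the three rules; returns (rule, user, detail) tuples in log order."""
    alerts, failures = [], defaultdict(int)
    for e in events:
        if e["code"] not in WATCHED_CODES:
            continue                                  # drop everything not in the table
        user, desc = e.get("suser", "?"), WATCHED_CODES[e["code"]]
        if e["code"] in IMMEDIATE:                    # rule 1: destructive / rotation broken
            alerts.append(("admin-event", user, f"{e['code']} {desc}"))
        if desc.endswith("Failure"):                  # rule 2: repeated failures per user
            failures[user] += 1
            if failures[user] == FAILURE_THRESHOLD:
                alerts.append(("repeated-failure", user, f"{FAILURE_THRESHOLD}x {desc}"))
        hour = e["ts"].hour                           # rule 3: retrieval outside the window
        if e["code"] == 295 and (hour >= AFTER_HOURS[0] or hour < AFTER_HOURS[1]):
            alerts.append(("after-hours-retrieve", user, e.get("cs2", "?")))
    return alerts


# Constructed sample: a normal morning, a late-night retrieval and safe deletion,
# three PSM connect failures by one user, a CPM rotation failure, and a non-CEF line.
SAMPLE_LOG = """\
Mar 12 09:02:11 vault01 CEF:0|Cyber-Ark|Vault|12.6|4|User Authentication|5|act=Logon suser=jsmith shost=10.1.1.5 dvc=vault01
Mar 12 09:05:40 vault01 CEF:0|Cyber-Ark|Vault|12.6|300|PSM Connect|5|act=PSM Connect suser=jsmith duser=root dhost=srv1 cs2Label=Safe Name cs2=Linux Servers
Mar 12 23:41:03 vault01 CEF:0|Cyber-Ark|Vault|12.6|295|Retrieve password|5|act=Retrieve password suser=jsmith fname=Root\\Operating System-Unix-SSH-srv1-root cs2Label=Safe Name cs2=Linux Servers
Mar 12 23:42:10 vault01 CEF:0|Cyber-Ark|Vault|12.6|183|Delete Safe|7|act=Delete Safe suser=jsmith cs2Label=Safe Name cs2=Old Safe
Mar 13 01:10:00 vault01 CEF:0|Cyber-Ark|Vault|12.6|301|PSM Connect Failure|7|act=PSM Connect suser=mallory dhost=dc01 reason=Access denied
Mar 13 01:10:09 vault01 CEF:0|Cyber-Ark|Vault|12.6|301|PSM Connect Failure|7|act=PSM Connect suser=mallory dhost=dc01 reason=Access denied
Mar 13 01:10:20 vault01 CEF:0|Cyber-Ark|Vault|12.6|301|PSM Connect Failure|7|act=PSM Connect suser=mallory dhost=dc01 reason=Access denied
Mar 13 02:00:00 vault01 CEF:0|Cyber-Ark|Vault|12.6|57|CPM Change Password Failure|7|act=CPM Change Password suser=PasswordManager cs2Label=Safe Name cs2=Linux Servers reason=Connection timed out
Mar 13 02:00:01 vault01 sshd[123]: Accepted publickey for ops from 10.0.0.9
"""

if __name__ == "__main__":
    for rule, user, detail in evaluate(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {user:16} {detail}")
```

The rules deliberately key on the numeric code rather than the event name: the names vary in wording and case between CyberArk versions (compare "Retrieve password" in the feed with "Retrieve Password" in the table), while the code is stable. The year is supplied by the caller because RFC 3164 syslog headers omit it, which is a common source of mis-ordered events at the start of January.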