Have you ever stopped to consider all of the components that comprise a working automobile? Even a cursory examination reveals more parts than might be considered when we turn the ignition key. However, many of these components are useless when detached from the full product. A steering wheel without a car is not exactly an efficient mode of transportation.
However, when multiple entities work in tandem, the result can be a thing of beauty. Of course, beauty is in the eye of the beholder. The individual pieces and parts become more than the sum of the various bits when orchestrated properly. Consider, for example, combining File Integrity Monitoring (FIM) with Secure Configuration Management, also known as Policy Management. The two play off each other quite well, with the end result being, again, that thing of beauty. Not only am I able to detect change in an environment, change that could ripple out into a security event, I'm also able to understand and manage the security posture of my platforms. Measuring a platform against a published security benchmark to determine how compliant the platform is with that benchmark fits very well right next to FIM.
In a recent webcast, I shared some of the features that make FIM a vital part of exceptional security practice.
What is FIM?
File integrity monitoring is an internal control or process that validates the current state of a monitored element against a known good baseline. The comparison usually works by calculating a cryptographic hash (checksum) of the file in its known good state, storing it, and later comparing it with the hash of the file's current state; any difference means the content has changed, even by a single byte.
Other file attributes, such as permissions, ownership, size and timestamps, may also be monitored for integrity, so that a change in who can write a file is caught even when its content is untouched. Generally, file integrity monitoring is automated using an application or agent. Such monitoring can be performed at a defined polling interval, at random intervals, or in real time.
Integrity is Foundational
Every incident starts with a change. In recent history, we had an incident occur that had global impact. If we look at other data exfiltration events, many of them trace back to the same thing: a change that nobody detected, or one that was detected and never reconciled. Integrity is one of the foundational elements of security.
There are No False Positives
When it comes to monitoring a change to an endpoint, there are no false positives. This may seem like a heck of a statement, but when you are monitoring against a cryptographic value or other attributes (including content), even the slightest deviation is a valid change, and that change is detected and processed according to local policy and procedure. The detection itself is deterministic: the hash and attributes either match the baseline or they don't. What can be wrong is the classification of a change as benign or hostile, and that is a triage problem, not a detection problem. Two caveats are worth keeping in mind. The hash must be collision resistant (SHA-256 or stronger; MD5 and SHA-1 no longer qualify), or a crafted file can hide a change behind an unchanged hash. And the baseline must be stored where the monitored host cannot rewrite it, or an attacker with sufficient privilege can simply re-baseline after tampering.
In that narrow sense, the concept of a false positive doesn't exist. This monitoring is important because an integrity event can move an environment out of compliance. To state that another way, if something changes and it affects my compliance score, that will subsequently affect my security posture.
As FIM has evolved, so have the technologies around it, and that makes it possible to attach context to a change. Correlating the change with log data (who was logged in, which process wrote the file, which change ticket was open at the time) brings context where there previously was none. This is good.
Don't Create a Needle Hunt
It's important to consider what to monitor in your environment, because integrity monitoring can be noisy. Change happens, and it happens a lot; many changes occur regularly simply due to the nature of computing (package updates, log rotation, temporary files). Trying to reconcile a specific change can end up like looking for a specific needle in a stack of needles. Some products on the market require operating system or database auditing to be enabled in order to gather the desired data, and sometimes it's serious auditing. Anyone who has enabled C2 audit mode on SQL Server, or object access auditing (SACLs) across a large number of files and directories on a Windows server, knows the challenge of reconciling the resulting flood of events.
Checkbox FIM helps us get over the low bar: I am required to have FIM in my environment, period. For the most part, reconciliation lies outside the reach of checkbox solutions. Trying to match a change against any given change management process can be daunting, as in really, really difficult. Do we monitor everything? In theory, it sounds great. In practice, this would be silly. Now where is that needle?
The Importance of Being Judicious
How do we decide what to monitor? What falls under the umbrella of a change audit? There has to be a line of demarcation that satisfies all stakeholders: the application teams, the security teams, and the operational and governance teams. Someone has to take responsibility, and the product being used to monitor a given environment must have the capability and extensibility to enable that.
The product you're utilizing must be able to enforce your internal policies. The monitoring time window also has to be considered, meaning how often the monitored elements are checked for change. Again, internal policies and procedures will provide this guidance. Should real-time monitoring be used for the really important data? Not only yes, but heck yes.
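As an added example that is not from the original post or from any Fortra/Tripwire product, here is a minimal polling-style FIM in Python that ties together the baseline-and-compare mechanism described under "What is FIM?" and the scoping decisions discussed in the last two sections: it records a baseline of SHA-256 hashes plus file attributes, limits scope with exclusion globs so that churn like logs and temporary files does not become the needle stack, and reports exactly which attributes of which files changed. The root path, the exclusion globs and the attribute set are assumptions for illustration, not a recommended policy.

```python
import fnmatch
import hashlib
import stat
from pathlib import Path

# Scope assumptions for this example (not a recommended policy): everything
# under the root is monitored except globs that churn by the nature of computing.
DEFAULT_EXCLUDES = ("*.log", "*.tmp", "tmp/*", "cache/*")


def file_record(path: Path) -> dict:
    """Snapshot one file: SHA-256 of its content plus the attributes that
    matter for integrity. SHA-256 rather than MD5/SHA-1 so that a crafted
    collision cannot make a changed file hash like the original."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = path.lstat()
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def in_scope(rel: str, excludes) -> bool:
    """A relative path is in scope unless it matches any exclusion glob."""
    return not any(fnmatch.fnmatch(rel, pat) for pat in excludes)


def snapshot(root: Path, excludes=DEFAULT_EXCLUDES) -> dict:
    """Walk the monitored root and record every in-scope regular file,
    keyed by path relative to root so baselines are portable."""
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if in_scope(rel, excludes):
            records[rel] = file_record(p)
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Deterministic diff of two snapshots. An entry is reported only when
    at least one recorded attribute differs, so every reported item is a
    real change; whether it was *authorized* is a separate question."""
    events = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events["added"].append(rel)
        elif rel not in current:
            events["removed"].append(rel)
        else:
            diff = {k: (baseline[rel][k], current[rel][k])
                    for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
            if diff:
                events["modified"][rel] = diff
    return events


if __name__ == "__main__":
    # Poll-style check: re-snapshot a root and diff it against a stored
    # JSON baseline (usage: fim.py ROOT [baseline.json]). Real-time
    # monitoring would instead subscribe to inotify (Linux) or the USN
    # journal / ReadDirectoryChangesW (Windows) and hash on notification.
    import json
    import sys
    root = Path(sys.argv[1])
    baseline = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else {}
    print(json.dumps(compare(baseline, snapshot(root)), indent=2))
```

The baseline produced by snapshot() should be written somewhere the monitored host cannot modify (a central server, or at least a file the host's agent only reads); a baseline kept on the host is only as trustworthy as the host.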
Security Beyond Compliance
Compliance can be broader than an internal policy or procedure that I need to be compliant with. Requirements such as regular backups, account reconciliations, and database maintenance can all be part of the compliance criteria. The reports created for all these events should be designed to meet the needs of an auditor. If you can, give the auditor a report that says: here's my environment, and here's my compliance footprint. Advanced monitoring and control provide the ability to go beyond compliance requirements.
Integrity management across the ecosystem, across the environment, and not just an endpoint and files, is a great place to build from. When a change occurs, it is recorded along with all the metadata and context surrounding it. The forensic data enables efficient, immediate remediation. "I wonder why Bob made that specific change to the Oracle DB startup file?"
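The reconciliation problem raised in "Don't Create a Needle Hunt" and the "why did Bob change that file" question above both come down to matching a recorded change (path, actor, time, detail) against the change records the organization already has. As an added example, not from the original post or any product, the Python below attributes each detected change to an approved change ticket only when path, user and time window all agree, and leaves everything else on an investigate list. The tickets, users, hosts and paths are constructed sample data.

```python
import fnmatch
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChangeEvent:
    """One integrity event as a FIM tool would record it: what changed,
    who changed it, when, and the attribute-level detail."""
    path: str
    user: str
    when: datetime
    detail: str


@dataclass(frozen=True)
class ChangeTicket:
    """An approved change from the change-management system: which paths
    may be touched, by whom, and during what window."""
    ticket_id: str
    path_glob: str
    approved_users: frozenset
    start: datetime
    end: datetime


def reconcile(events, tickets):
    """Attribute each detected change to an approved ticket when path,
    actor and time window all agree. Returns (reconciled, unreconciled);
    each reconciled item pairs the event with the ticket that covers it."""
    reconciled, unreconciled = [], []
    for ev in events:
        ticket = next(
            (t for t in tickets
             if fnmatch.fnmatch(ev.path, t.path_glob)
             and ev.user in t.approved_users
             and t.start <= ev.when <= t.end),
            None,
        )
        if ticket:
            reconciled.append((ev, ticket))
        else:
            unreconciled.append(ev)
    return reconciled, unreconciled


# Constructed sample data (hypothetical users, paths and ticket numbers).
T0 = datetime(2024, 3, 12, 22, 0)
TICKETS = [
    ChangeTicket("CHG-1042", "/etc/ssh/*", frozenset({"alice"}),
                 T0, T0 + timedelta(hours=2)),
    ChangeTicket("CHG-1043", "/opt/oracle/*/dbs/*", frozenset({"dba_svc"}),
                 T0, T0 + timedelta(hours=1)),
]
EVENTS = [
    ChangeEvent("/etc/ssh/sshd_config", "alice", T0 + timedelta(minutes=20),
                "sha256 changed, size 3201->3188"),
    ChangeEvent("/etc/ssh/sshd_config", "alice", T0 + timedelta(hours=5),
                "sha256 changed"),                       # right user, outside window
    ChangeEvent("/opt/oracle/19c/dbs/initORCL.ora", "bob",
                T0 + timedelta(minutes=30), "mode 0640->0666"),  # bob has no ticket
    ChangeEvent("/usr/bin/ls", "root", T0 + timedelta(minutes=45),
                "sha256 changed"),                       # no ticket at all
]


def triage():
    """Run the sample through reconcile(); the second list is what a
    person should look at first."""
    ok, suspect = reconcile(EVENTS, TICKETS)
    return [t.ticket_id for _, t in ok], [(e.path, e.user) for e in suspect]


if __name__ == "__main__":
    ok, suspect = reconcile(EVENTS, TICKETS)
    for ev, t in ok:
        print(f"OK          {ev.path} by {ev.user} -> {t.ticket_id}")
    for ev in suspect:
        print(f"INVESTIGATE {ev.path} by {ev.user} at {ev.when:%H:%M}: {ev.detail}")
```

Note that a ticket for the Oracle startup files exists, but it does not cover Bob; the match deliberately requires the actor as well as the path, because "someone was allowed to change that file this evening" is not the same as "this person was".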
Fastidious Monitoring
Every incident starts with a change. That's why file integrity monitoring is so important. FIM can mean the difference between resilience and compounded crises. We have to approach integrity with a mindset of security first. Integrity monitoring for files is where FIM began; integrity monitoring for "other" is where we are heading. What is most important is that you use the solution to meet both compliance and security needs.
Whether you are seeking a full solution, such as Fortra's Tripwire Enterprise, or a single component, such as File Integrity Monitoring, your security will take a leap forward. To find out more, visit us here.