The Definitive Guide To File Integrity Monitoring


THE DEFINITIVE GUIDE TO FILE INTEGRITY MONITORING

File Integrity Monitoring (FIM) is a solution to a complicated problem, but the solution itself doesn’t have to be complicated. With the right methodology and solution, you can easily install, configure and manage the integrity of your systems.

Contents

File Integrity Monitoring
  What is File Integrity Monitoring (FIM)?
  Do I need FIM?
  How FIM Works
  File Integrity Monitoring Methodologies
  What Should I Monitor?
  Can a FIM Solution Take Action When a Change is Detected?
  FIM and its Relationship to Security Information and Event Managers (SIEM)
  Do File Integrity Monitoring Solutions Provide Me With Reporting?
  Can Other IT Systems/Applications Be Monitored with FIM?

Compliance Drivers for FIM
  Payment Card Industry Digital Security Standard (PCI-DSS)
  NIST 800-53 System And Information Integrity (SI) Guidelines
  Center for Internet Security (CIS) Critical Security Controls
  NERC-CIP

Moving Beyond FIM to System Integrity Assurance
  Bringing Integrity to Your Environment (Not Just Files)
  System Integrity Assurance

Key Questions for Evaluation
  Questions

File Integrity Monitoring

What is File Integrity Monitoring (FIM)?

File Integrity Monitoring is an IT security technology which is used to detect changes in an organization’s IT environment by making comparisons against a known state.

Do I Need FIM?

Beyond the fact that you’re required to have FIM in place for various compliance drivers such as PCI-DSS, your system security is significantly weaker if you can’t readily identify and deal with IT security threats. Without FIM you’re vulnerable to external threats such as malware as well as unknown, internally made changes, which can compromise your security posture.

Most companies find that file integrity monitoring is extremely useful for ensuring the security of their data and systems. By being able to quickly detect changes, you can quickly respond to threats that can lead to a data breach or take down your critical IT systems. With the sharp rise in zero-day malware and advanced persistent threats, many traditional IT security tools are simply not able to offer any sort of protection. Because FIM tools are able to “see” all changes that are happening, file integrity monitoring is a very valuable asset to have as part of your IT security defenses. File integrity monitoring is required to achieve compliance with numerous regulations as part of a comprehensive IT security strategy.

THE CIMTRAK SOLUTION
An advanced integrity solution, CimTrak utilizes innovative technology, maximizing file integrity monitoring performance and providing a robust feature-set, all while being simple and easy to use. This provides organizations that utilize CimTrak with a superior ROI and lower total cost of ownership versus other solutions.

What can be monitored with a file integrity monitoring solution?

FIM solutions vary in exactly what they can monitor, but most advanced solutions can detect changes on a wide variety of items typically found in your IT environment including:
» Files
» Applications
» Windows Registry
» Drivers
» Installed Software
» Services
» Local Users and Groups

What types of changes are detected?

Advanced FIM tools will monitor for any type of change including additions, deletions, and modifications.

How FIM Works

All file integrity monitoring products are essentially comparison tools that keep track of cryptographic hashes of files at different points in time. Hashes are used because they provide a unique “fingerprint” of each file and they can be easily analyzed since they are simply a string of characters. When a file is altered in some way, the hash for that given file changes to a unique new value. A strong hash provides absolute certainty, or non-repudiation, that a file has indeed changed. Integrity checking products use various hash algorithms, along with other file parameters, as a basis for proof that a file has, or has not, been altered. However, file integrity monitoring products differ drastically in speed, performance impact, and capabilities in how they accomplish these steps.

THE CIMTRAK SOLUTION
CimTrak goes beyond basic change detection (add/modify/delete) to monitor file reads (opens) in order to determine whether files have been viewed or accessed. This capability is critical for files which may contain sensitive or classified information. Further, when monitoring files, CimTrak not only monitors file contents, but file attributes as well. Other solutions don’t, which leaves a gaping hole in your change detection abilities.
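The comparison described under “How FIM Works”, worked through as an added example (this is not CimTrak code or any vendor’s implementation): a baseline records a SHA-256 hash plus the attributes the text mentions (size, permission mode, owner), a later poll re-fingerprints the tree, and the diff is classified as additions, deletions and modifications. Because attributes are part of the fingerprint, a chmod with unchanged content is still reported. The monitored directory and its files are constructed inside a temporary folder so the example runs offline.

```python
"""Poll-based file integrity check: build a baseline of hashes and attributes, then diff.
Added example, not CimTrak code. The monitored tree is constructed in a temp directory."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the attributes an integrity check should compare."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),  # e.g. "-rw-r--r--"
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> dict:
    """Walk the tree once and fingerprint every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify changes the way a FIM tool does: additions, deletions, modifications.
    A modification lists the fields that differ, so an attribute-only change
    (chmod, chown) is reported even when the content hash is unchanged."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diff:
            modified[rel] = diff
    return {"added": added, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, make four kinds of change, re-poll."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF-constructed")
        os.chmod(root / "bin" / "tool", 0o755)
        baseline = build_baseline(root)

        (root / "etc" / "app.conf").write_text("debug=true\n")  # content change
        os.chmod(root / "bin" / "tool", 0o777)                 # attribute-only change
        (root / "etc" / "hosts").unlink()                      # deletion
        (root / "bin" / "dropped").write_text("new")           # addition
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Every file is hashed on every poll, which is exactly the load the guide attributes to poll-based monitoring; the short-cut of skipping files whose size and mtime are unchanged would reduce that load but also miss a modification that deliberately preserves both.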

What about routine or expected changes? Are those detected and alerted on too?

This is a common question about file integrity monitoring. The answer is that the vast majority of all FIM solutions detect and alert on all changes, causing unwanted “noise” that users need to sift through in order to find the changes that are truly unexpected, and therefore should be investigated.

THE CIMTRAK SOLUTION
CimTrak is the only file integrity monitoring solution that offers an integrated change ticketing system to allow users to plan and reconcile changes. CimTrak will still detect all changes, so as to have a complete audit trail, but alerting will be suppressed for planned changes. Further, unexpected changes are highlighted within the CimTrak Management Console, thus making it simple to focus attention on changes that are truly critical to examine.

Will file integrity monitoring affect my system performance?

The short answer is that with the right FIM solution, the resources needed to detect changes on your systems are extremely minimal. File integrity monitoring need not be intrusive and should run transparently in the background. To better understand this concept, it is important to understand the different types of monitoring that various file integrity monitoring solutions utilize.

File Integrity Monitoring Methodologies

Years ago, poll-based file integrity monitoring solutions were an IT professional’s only choice. Even today, many open-source and even some commercially available solutions still use a poll-based methodology. Polling a file for changes means that a file is checked at certain time intervals. Poll-based file integrity monitoring is the least efficient way to monitor files for changes. This is because it places a sudden load on the monitored system when the polling time is reached. When polling, all of the monitored files must be hashed and then the hash compared with the existing hash from the last poll interval. In contrast, the new generation of continuous file integrity monitoring technologies such as CimTrak can detect changes on most operating systems in real time, all while running quietly in the background.

The newer, more advanced real-time methodology does exactly what the name suggests. It detects changes the instant that they occur. Operating at the kernel level, real-time file integrity monitoring intercepts file changes from the operating system itself. This allows detection of only the watched files that are changed by the operating system, and allows changes to be captured at the moment they occur. This intelligent change detection methodology uses minimal system resources so that CPU cycles and disk I/O remain low. This advanced methodology also provides greater accuracy and other forensic information that is not possible through polling.

Real-time change detection provides a distinct advantage over poll-based solutions. Today, threats to IT infrastructures abound. Further, organizations store a large amount of data on IT systems and rely on them for almost every aspect of their business. Unexpected or unknown changes can be catastrophic and cause loss of income and reputation. Therefore, every second matters when it comes to change detection. By detecting changes instantly, IT security personnel can be quickly alerted to changes that are malicious, can cripple critical business functions or lead to a data breach.

THE CIMTRAK SOLUTION
CimTrak was a pioneer in real-time integrity monitoring, becoming the first FIM product commercially available that offered this incredible new technology. It is important to note that not all FIM tools that are labeled “real-time” detect changes the millisecond they happen. Some solution vendors deceptively claim they offer real-time monitoring when in reality, files are simply being polled quickly. This approximates real time, but differs from CimTrak’s “Truly Real Time” methodology. CimTrak accomplishes Truly Real Time monitoring via proprietary technology that is simply unavailable in other solutions.
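The “detect everything, alert only on the unplanned” behaviour described above for change reconciliation, as an added example that is not CimTrak’s ticketing system: a change ticket is a hypothetical record of authorized path patterns, a change window and (optionally) the accounts allowed to act; every detected change is written to the audit trail with the ticket that covered it, and only uncovered changes reach the alert queue. The tickets and changes are constructed sample data.

```python
"""Reconciling detected changes against planned-change tickets.
Added example; the Ticket/Change records are assumptions, not CimTrak's format."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatch


@dataclass
class Ticket:
    ticket_id: str
    paths: list                                  # glob patterns the work may touch
    window_start: datetime
    window_end: datetime
    users: list = field(default_factory=list)    # empty list = any account


@dataclass
class Change:
    path: str
    action: str                                  # "add" | "modify" | "delete"
    user: str
    when: datetime


def reconcile(changes, tickets):
    """Every change goes to the audit trail; only unplanned ones go to the alert queue.
    A change is planned when one ticket matches its path, time and acting user."""
    audit, alerts = [], []
    for c in changes:
        match = None
        for t in tickets:
            in_window = t.window_start <= c.when <= t.window_end
            path_ok = any(fnmatch(c.path, pat) for pat in t.paths)
            user_ok = not t.users or c.user in t.users
            if in_window and path_ok and user_ok:
                match = t.ticket_id
                break
        audit.append({"path": c.path, "action": c.action, "user": c.user,
                      "when": c.when.isoformat(), "ticket": match})
        if match is None:
            alerts.append(c)
    return audit, alerts


def demo():
    """Constructed data: one approved nginx change window and four observed changes."""
    utc = timezone.utc
    tickets = [Ticket("CHG-1001", ["/etc/nginx/*"],
                      datetime(2024, 5, 1, 22, 0, tzinfo=utc),
                      datetime(2024, 5, 2, 0, 0, tzinfo=utc), users=["deploy"])]
    changes = [
        # covered by the ticket: right path, right window, right account
        Change("/etc/nginx/nginx.conf", "modify", "deploy",
               datetime(2024, 5, 1, 22, 15, tzinfo=utc)),
        # same file and window, but an account the ticket does not authorize
        Change("/etc/nginx/nginx.conf", "modify", "www-data",
               datetime(2024, 5, 1, 22, 20, tzinfo=utc)),
        # authorized account, inside the window, but a path outside its scope
        Change("/usr/bin/ssh", "modify", "deploy",
               datetime(2024, 5, 1, 22, 30, tzinfo=utc)),
        # in-scope path and account, but after the window closed
        Change("/etc/nginx/sites/new.conf", "add", "deploy",
               datetime(2024, 5, 3, 9, 0, tzinfo=utc)),
    ]
    return reconcile(changes, tickets)


if __name__ == "__main__":
    audit, alerts = demo()
    for row in audit:
        print(row)
    print("alerts:", [c.path for c in alerts])
```

Note that suppression is applied at alert time, not at detection time: the second, third and fourth changes are still recorded, which is what keeps the audit trail complete for a later auditor or incident responder.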

What Should I Monitor?

Every environment is unique, so there is no one-size-fits-all when it comes to file integrity monitoring. Monitoring everything, like your entire C: drive, isn’t practical and leads to nothing but tons of false positives. For this reason, it is important to be methodical when thinking about what to monitor. One of the first things that you should do before deploying a tool is to sit down and consider which items are critical to your organization, and what items would be beneficial to monitor. Some files and parts of an operating system change constantly, so monitoring those would not yield any valuable data.

Things to consider:
» What files/data are most critical to my organization?
» Where is a likely spot that malware or other malicious items would attach?
» What are the greatest areas of risk in my IT environment?

Better FIM tools provide base operating system templates, which monitor your underlying critical system files for changes. These templates are usually based on accepted security standards and will specifically exclude files that cause false positives.

THE CIMTRAK SOLUTION
CimTrak makes it simple for users to select exactly what they need to monitor. With built-in OS templates, and the ability to easily drill down into the file structure, you can quickly get back to business. What’s more, with the built-in regular expression include/exclude function, specific file types can be included or excluded from monitoring, making for quick policy definition and a significant reduction in the number of false positives.

CIMTRAK PROVIDES DEEP SITUATIONAL AWARENESS
Knowing that a file change occurred in your IT environment is of little value without more information. In addition to letting you know what contents and attributes of a file have changed, CimTrak provides you a side-by-side comparison of files and highlights the exact lines that have changed. This prevents the tedious task of searching through a file to determine the exact spot where a change occurred.

Further, CimTrak gives you other valuable change data, including who made the change, where the change originated, and what process was used to make the change. This data is immensely helpful in determining whether changes are routine or potentially malicious. Many file integrity monitoring solutions do not provide this added layer of insight into changes, which greatly limits the value of the solution. Not only will valuable time be wasted trying to pinpoint changes and determine whether the change represents a risk, but an organization’s security posture could also be negatively affected.

Can a FIM Solution Take Action When a Change is Detected?

Most FIM products can generate an e-mail alert upon detection of a change, while more advanced solutions can send syslog output to a syslog server or security information and event manager (SIEM), which is discussed later in this guide.

THE CIMTRAK SOLUTION
CimTrak offers e-mail alerting as well as being able to output syslog to a syslog server or SIEM solution. What differentiates CimTrak from any other FIM tool is its ability to go beyond those capabilities to truly offer proactive protection from changes that are malicious or can cause critical system downtime.

CimTrak offers users the ability to block changes at the system level. Utilizing CimTrak’s proprietary technology, changes are completely prevented from occurring. Another mode of operation allows users to instantaneously reverse changes. It does this without relying on any outside system or application. These advanced capabilities are built right into the CimTrak solution and offer users unprecedented security for critical files and configurations. These features are especially useful for ensuring the protection of unpatchable systems or devices that should not change outside of a change window such as POS systems or ATM machines.
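Two of the capabilities discussed above, a regular-expression include/exclude policy for deciding what to monitor and a line-level comparison of a changed file, as one added example (not CimTrak’s template format or its comparison engine; the rule syntax and the sample sshd_config contents are constructed). Exclusions take precedence, so a noisy path such as an editor swap file stays out even when an include rule matches it, and the diff reports the original line numbers of changed lines so an analyst can go straight to them.

```python
"""Regex include/exclude monitoring policy plus a line-level diff of a changed file.
Added example; policy syntax and sample configuration content are constructed."""
import difflib
import re


class Policy:
    """Decide whether a path is monitored. Exclusions win over inclusions."""

    def __init__(self, include, exclude):
        self.include = [re.compile(p) for p in include]
        self.exclude = [re.compile(p) for p in exclude]

    def watches(self, path: str) -> bool:
        if any(r.search(path) for r in self.exclude):
            return False
        return any(r.search(path) for r in self.include)


def default_policy() -> Policy:
    """A constructed Linux-style template: system config and binaries in, noise out."""
    return Policy(
        include=[r"^/etc/", r"^/usr/s?bin/", r"^/boot/"],
        exclude=[r"^/etc/mtab$", r"\.swp$", r"~$", r"^/var/log/"],
    )


def line_changes(old_text: str, new_text: str) -> list:
    """Return the exact lines that differ. 'line' is the 1-based line number in the
    original for changed/removed lines and in the new version for added lines."""
    old, new = old_text.splitlines(), new_text.splitlines()
    out = []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag == "replace":
            for k in range(max(i2 - i1, j2 - j1)):
                out.append({"op": "changed", "line": i1 + k + 1,
                            "old": old[i1 + k] if i1 + k < i2 else None,
                            "new": new[j1 + k] if j1 + k < j2 else None})
        elif tag == "delete":
            for k in range(i1, i2):
                out.append({"op": "removed", "line": k + 1, "old": old[k], "new": None})
        else:  # insert
            for k in range(j1, j2):
                out.append({"op": "added", "line": k + 1, "old": None, "new": new[k]})
    return out


# Constructed before/after contents of a monitored sshd_config.
OLD_CONF = "PermitRootLogin no\nPasswordAuthentication no\nPort 22\n"
NEW_CONF = "PermitRootLogin yes\nPasswordAuthentication no\nPort 22\nMaxAuthTries 10\n"


def demo_diff() -> list:
    return line_changes(OLD_CONF, NEW_CONF)


if __name__ == "__main__":
    pol = default_policy()
    for p in ["/etc/ssh/sshd_config", "/etc/ssh/.sshd_config.swp", "/home/alice/notes.txt"]:
        print(f"{p}: {'monitored' if pol.watches(p) else 'ignored'}")
    for row in demo_diff():
        print(row)
```

The policy only answers “is this path in scope”; which of the in-scope changes is worth attention still depends on the change data (who, where, which process) the text describes, which this example does not collect.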

FIM and its Relationship to Security Information and Event Managers (SIEM)

As more and more firms deploy them, what role FIM plays with regards to Security Information and Event Manager (SIEM) tools is often a question that IT and security personnel ask. The answer is that it is a complementary technology, helping SIEMs do their job better by receiving system, application, and file change data directly from the file integrity monitoring tool itself. File integrity monitoring tools provide real, actionable data about changes that have occurred. This allows the SIEM to combine critical change information with other data streams, allowing for enhanced event analysis and correlation. This benefits the enterprise by learning about security events more quickly, and being able to provide better context surrounding those events. What’s more, alerts raised by a SIEM can be traced back to the FIM tool, which can provide all of the forensic data (who, what, when, how) for the event, allowing for quick and simple root-cause analysis.

Not all file integrity monitoring tools can interact with a SIEM, or interact with them seamlessly. If you are running a SIEM solution or plan to do so in the future, it is important to inquire whether your FIM tool is capable of interaction, and if so, how complex the configuration procedure is.

THE CIMTRAK SOLUTION
CimTrak simply integrates with any SIEM solution and offers custom syslog output in a wide variety of formats requested by SIEM solutions. Some of the SIEM solutions that CimTrak integrates with include:
» HP ArcSight
» IBM QRadar
» McAfee Enterprise Security Manager
» RSA Security Analytics
» Splunk
» Many others

Do File Integrity Monitoring Solutions Provide Me With Reporting?

Most FIM products will offer some type of reporting capability, but solutions vary in the number and depth of these reports. Advanced FIM solutions offer a multitude of reports which give you detail on changes at a high level (entire system) down to very granular levels of detail (change(s) to a single file), as well as the ability to schedule report generation. This allows you to create reports that meet the needs of different report viewers, everyone from high-level managers to auditors.

THE CIMTRAK SOLUTION
CimTrak offers a complete report generation engine, which produces numerous types of reports to meet the needs of the report viewer. CimTrak can generate reports on demand or via a report scheduler.

Can Other IT Systems/Applications Be Monitored With FIM?

File Integrity Monitoring is somewhat of a misnomer in that advanced FIM tools go beyond simply being able to monitor files and items closely related to them. A better name would be “System Integrity Monitoring.” Other items can often be monitored such as:
» Network Device Configurations
» Active Directory/LDAP Object Settings
» Database Schemas
» Log Files

Advanced FIM tools can monitor more than files, which provides users a holistic solution for their IT security and can often allow the combination of a number of tools into a single solution. This greatly simplifies workflow and often results in cost savings as well.

THE CIMTRAK SOLUTION
CimTrak strives to be a single solution for organizations that can “detect change across the enterprise.” With the ability to detect changes on much more than simply files, CimTrak has your entire IT environment covered.
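How a change event reaches a SIEM over syslog, as an added example that is not CimTrak’s output format: the event carrying the who/what/when/how forensic fields is rendered as a CEF line (the format ArcSight consumes and most of the listed SIEMs parse) inside an RFC 5424 syslog frame. The vendor and product strings are placeholders, the severity mapping is a constructed choice, and the UDP target is a local placeholder; the CEF escaping rules (backslash everywhere, pipe in the header, equals sign and newline in the extension) are the ones the format defines.

```python
"""Emitting a file-change event to a SIEM as CEF inside a syslog frame.
Added example; vendor/product strings, severity map and the UDP target are placeholders."""
import socket
from datetime import datetime, timezone

VENDOR, PRODUCT, VERSION = "ExampleVendor", "ExampleFIM", "1.0"  # placeholders
SEVERITY = {"add": 4, "modify": 6, "delete": 8}                   # constructed, CEF scale 0-10
NAME = {"add": "File added", "modify": "File modified", "delete": "File deleted"}


def cef_escape(value, header: bool = False) -> str:
    """CEF escaping: backslash always; '|' in header fields; '=' and newlines in extensions."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", "").replace("\n", "\\n")


def change_to_cef(ev: dict) -> str:
    """Header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity, then key=value extensions.
    Extension keys used here (fname, suser, sproc, src, fileHash, oldFileHash, rt, act) are common CEF keys."""
    header = "|".join(cef_escape(x, header=True) for x in
                      ["CEF:0", VENDOR, PRODUCT, VERSION,
                       "FILE_" + ev["action"].upper(), NAME[ev["action"]], SEVERITY[ev["action"]]])
    ext = [("act", ev["action"]), ("fname", ev["path"]), ("suser", ev["user"]),
           ("sproc", ev["process"]), ("src", ev["source_ip"]),
           ("oldFileHash", ev.get("old_hash", "")), ("fileHash", ev.get("new_hash", "")),
           ("rt", int(ev["when"].timestamp() * 1000))]       # rt is epoch milliseconds
    return header + "|" + " ".join(f"{k}={cef_escape(v)}" for k, v in ext if v != "")


def syslog_frame(msg: str, hostname: str, now: datetime) -> str:
    """RFC 5424 frame, facility local0 (16) and severity warning (4): PRI = 16*8+4 = 132."""
    pri = 16 * 8 + 4
    ts = now.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {hostname} fim - - - {msg}"


def send_udp(frame: str, host: str = "127.0.0.1", port: int = 514) -> None:
    """Ship one frame to a syslog collector over UDP (placeholder target)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(frame.encode("utf-8"), (host, port))


# Constructed event: the forensic detail a FIM tool would attach to one modification.
SAMPLE_EVENT = {
    "action": "modify", "path": "/etc/ssh/sshd_config", "user": "root", "process": "/usr/bin/vi",
    "source_ip": "10.0.0.25", "old_hash": "a" * 64, "new_hash": "b" * 64,
    "when": datetime(2024, 5, 1, 22, 15, tzinfo=timezone.utc),
}


def demo_event() -> str:
    return change_to_cef(SAMPLE_EVENT)


def demo_frame() -> str:
    return syslog_frame(demo_event(), "web01", SAMPLE_EVENT["when"])


if __name__ == "__main__":
    print(demo_frame())
```

UDP syslog is lossy and unauthenticated; for a production feed the collector side usually offers TLS syslog on TCP, which replaces only `send_udp` here.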

Compliance Drivers For FIM

Payment Card Industry Digital Security Standard (PCI-DSS)

The Payment Card Industry Digital Security Standard (PCI-DSS) was the first compliance standard to require file integrity monitoring of critical systems that handle payment card data. Section 11.5 specifically requires that file integrity monitoring be implemented to check files in the PCI environment, and section 10.5.5 requires FIM to monitor changes to logs. Given the extremely sensitive nature of payment card data, the ability to ensure the integrity and security of systems that handle it is extremely critical.

“10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).”

“11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”

THE CIMTRAK SOLUTION
CimTrak allows you to fully meet PCI-DSS requirements 10.5.5 and 11.5 as well as assisting with many others. CimTrak’s built-in templates make configuration fast and easy. The CimTrak PCI Compliance Module also automates the checking of critical operating system configurations to ensure compliance with PCI requirements. Organizations around the globe trust CimTrak to help them meet PCI-DSS requirements.

NIST 800-53 System And Information Integrity (SI) Guidelines

NIST 800-53 “Recommended Security Controls for Federal Information Systems and Organizations” lays out a framework for U.S. government agencies to safeguard IT systems. While it was developed for government use, it can be applied to any organization as “best practice” guidelines. For this reason, many commercial organizations also adopt the framework. SI-7 of the standard specifically discusses the need for integrity monitoring, while SI-3 and SI-4 also benefit from a FIM solution. All of these sections deal with monitoring the IT environment for changes which could affect security and compromise sensitive information.

SI-7 “Software, Firmware, and Information Integrity
Control: The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
Supplemental Guidance: Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Related controls: SA-12, SC-8, SC-13, SI-3.”

THE CIMTRAK SOLUTION
CimTrak is utilized by government agencies and other organizations that follow the 800-53 standards for their IT security program. By monitoring for changes to critical systems and applications and reporting on that information in real time, human errors or other malicious activity that can cause disastrous system downtime or lead to a data breach can be identified quickly.
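The distinction PCI-DSS 10.5.5 draws above between appended log data (no alert) and altered existing data (alert) needs a different check from a whole-file hash, which would change on every append. This added example (not CimTrak’s implementation) records the file length and the hash of everything up to that length; on each check only that prefix is re-hashed, so growth is accepted while any edit of existing bytes, or truncation below the recorded length, is reported. The log content is constructed.

```python
"""Append-only integrity check for log files (PCI-DSS 10.5.5 behaviour).
Added example, not CimTrak's implementation; the log lines are constructed."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def snapshot(path) -> dict:
    """Baseline for an append-only file: current length and the hash of all bytes up to it."""
    h, n = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
            n += len(chunk)
    return {"length": n, "sha256": h.hexdigest()}


def check_append_only(path, snap: dict) -> dict:
    """Re-hash only the first snap['length'] bytes. If that prefix still matches, whatever
    follows is a legitimate append; a mismatch means existing data was altered, and a
    file shorter than the recorded length means it was truncated."""
    h, remaining, appended = hashlib.sha256(), snap["length"], 0
    with open(path, "rb") as f:
        while remaining:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
        if remaining:
            return {"status": "truncated", "missing_bytes": remaining}
        if h.hexdigest() != snap["sha256"]:
            return {"status": "modified"}
        for chunk in iter(lambda: f.read(CHUNK), b""):
            appended += len(chunk)
    return {"status": "ok", "appended_bytes": appended}


# Constructed log content.
INITIAL = "May  1 22:00:01 web01 sshd[101]: Accepted publickey for deploy from 10.0.0.25\n"
APPENDED = "May  1 22:05:09 web01 sshd[102]: Failed password for invalid user admin\n"


def demo() -> dict:
    """Three checks against one baseline: a normal append, an edit of old data, a truncation."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "auth.log"
        log.write_text(INITIAL)
        snap = snapshot(log)
        results = {}

        with open(log, "a") as f:              # new entries arrive: must not alert
            f.write(APPENDED)
        results["append"] = check_append_only(log, snap)

        tampered = log.read_text().replace("Accepted", "Rejected")  # edit inside the prefix
        log.write_text(tampered)
        results["modify"] = check_append_only(log, snap)

        log.write_bytes(b"May  1 22:00:01")   # log cut down below the recorded length
        results["truncate"] = check_append_only(log, snap)
        return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: {r}")
```

After a check returns "ok" the baseline should be advanced to the new length and hash; log rotation replaces the file and therefore looks like a truncation, so it has to be handled as a planned change that resets the baseline.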

Center For Internet Security (CIS) Critical Security Controls

Critical Security Control #3, Secure Configurations for Hardware and Software, also calls for file integrity monitoring to be implemented. CIS Control #3 discusses how deploying file integrity monitoring can detect security threats and notify appropriate personnel in a timely manner. Requirement 3.5 requires that a file integrity checking tool be placed on systems to monitor the security of the operating system as well as applications.

CSC 3, SECTION 3.5
“Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).”

THE CIMTRAK SOLUTION
Organizations following the best practice Critical Security Controls requirements use CimTrak to meet section 3.5 as well as other requirements such as 9.3, which discusses monitoring open ports, and 11.3, monitoring for configuration changes on network devices.

NERC-CIP

Section 010 of the North American Energy Reliability Council’s Critical Infrastructure Protection standard requires that configuration changes to power grid systems be detected. This is commonly done by using a file integrity monitoring tool to develop a baseline from which deviations are noted and alerted upon.

CIP – 010
1.1 The configuration change management processes are intended to prevent unauthorized modifications to BES Cyber Systems. Develop a baseline configuration, individually or by group, which shall include the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.
1.2 Authorize and document changes that deviate from the existing baseline configuration.
1.3 For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change.

THE CIMTRAK SOLUTION
You can find CimTrak deployed by energy companies throughout the United States and Canada, monitoring their critical cyber infrastructure including servers, workstations, and network devices for changes that could disrupt power generation or transmission.

Moving Beyond FIM to System Integrity Assurance

To date, traditional FIM tools and solutions have been unsuccessful in their objective of providing any form of integrity at all. In fact, the acronym of FIM is very misleading as there is no “Integrity” in the detection of change. It’s all the collective functionality that surrounds the trigger of change that enables you to achieve a desired state of trust and confidence through integrity management.

If FIM tools did what they were supposed to, they would help cybersecurity teams identify and prevent most attacks—at least those that rely on file changes or access. But, as most security professionals already know, FIM tools don’t do what they are meant to do. Here’s why:
» Noise - A typical ‘FIM’ tool simply monitors files for change and produces alerts—lots of alerts. They produce so many alerts they have become ‘shelfware’ for most cybersecurity teams.
» Lack of Context - Typical ‘FIM’ tools provide a massive list of changes without any context or distinction. This list is too large to triage, so cybersecurity teams ignore these change alerts.
» Too Resource Intensive - Most FIM tools identify change by completing daily polling scans of all files in an IT environment. This process is hugely resource-intensive, so it usually happens overnight. While it would be more valuable to scan the environment continuously, this is simply impossible, as it would interfere with other IT operations.

THE CIMTRAK SOLUTION
CimTrak assesses an infrastructure’s risks, vulnerabilities and network hardening by scanning your environment. Receive a real-time view of how system configuration compares with your chosen framework. CimTrak’s continuous compliance solution provides the necessary guidance to fix and remediate failed compliance scans. Minimizing risk and vulnerabilities in real time drastically reduces the risk of security breaches and improves the ability to pass compliance audits.

Bringing Integrity to Your Environment (Not Just Files)

Integrity is the accuracy and completeness of data throughout its entire life cycle. That means no matter what service, device, or user accesses, stores, processes, transmits, or receives data, it remains accurate and complete. For this to be possible, four things are needed:
1. An authoritative baseline of what data should look like.
2. A way to identify and protect data from unauthorized change.
3. A way to roll back unauthorized changes not blocked at the source.
4. A way to verify that controls 1 – 3 are in place and working correctly.

Notice we’re talking about data, not just files. To have integrity, you need to protect all of the data in your environment—including data held in configuration files, network devices, users, groups, policies, active directories, database schemas, hypervisors, container orchestrations, cloud configurations and more.

THE CIMTRAK SOLUTION
Working From A Trusted Baseline
A trusted baseline includes all of the assets, file hashes, configuration settings, etc., allowed to exist in an environment. CimTrak leverages best practices from authoritative sources like CIS Benchmarks and DISA STIGs to establish a known and trusted baseline that can be restored at any point in time.

Verifying Integrity In Real-time
CimTrak monitors changes and responds instantly to unexpected/unwanted changes. This proactively prevents cyberattacks at the source without restricting operations to reactive threat feeds.

Complete Change Detail
CimTrak pinpoints exactly what has changed and provides complete change audit information. Forensic details provided with changes include: who changed the information, what exactly changed, when it was changed, and the process used to change it, or the how.
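The four requirements listed above (an authoritative baseline, detection of unauthorized change, rollback of what was not blocked, and verification that the controls work) carried through in one added example that is not CimTrak’s implementation and whose on-disk layout is an assumption: authorized file versions are copied into a content-addressed store keyed by their SHA-256 hash and kept read-only, `enforce` restores any tracked file whose content no longer matches (including a deleted one, with its recorded permissions), and `verify_store` checks the store itself by re-hashing every object against its name. The monitored files are constructed in a temporary directory.

```python
"""Trusted baseline with rollback and self-verification.
Added example; the store layout is an assumption, not CimTrak's. Files are constructed."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class TrustedBaseline:
    """Content-addressed store of authorized versions plus the expected state of each path."""

    def __init__(self, store_dir):
        self.store = Path(store_dir)
        self.store.mkdir(parents=True, exist_ok=True)
        self.expected = {}  # path -> {"sha256": ..., "mode": ...}

    def authorize(self, path) -> str:
        """Control 1: accept the file's current content and mode as the authoritative version."""
        path = Path(path)
        digest = sha256_file(path)
        obj = self.store / digest
        if not obj.exists():
            shutil.copyfile(path, obj)
            os.chmod(obj, 0o400)           # stored copies are read-only
        self.expected[str(path)] = {"sha256": digest, "mode": path.stat().st_mode & 0o777}
        return digest

    def enforce(self) -> list:
        """Controls 2 and 3: detect deviation from the trusted hash and roll it back."""
        restored = []
        for p, want in self.expected.items():
            path = Path(p)
            if not path.exists() or sha256_file(path) != want["sha256"]:
                shutil.copyfile(self.store / want["sha256"], path)  # content only
                os.chmod(path, want["mode"])                        # then the recorded mode
                restored.append(p)
        return sorted(restored)

    def verify_store(self) -> list:
        """Control 4: every stored object must still hash to its own name."""
        return sorted(o.name for o in self.store.iterdir() if sha256_file(o) != o.name)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        conf, script = root / "app.conf", root / "run.sh"
        conf.write_text("listen=443\n")
        script.write_text("#!/bin/sh\necho ok\n")
        os.chmod(script, 0o755)
        tb = TrustedBaseline(root / ".baseline")
        for f in (conf, script):
            tb.authorize(f)

        conf.write_text("listen=80\n")     # unauthorized edit
        script.unlink()                    # unauthorized deletion
        restored = tb.enforce()
        after_ok = all(sha256_file(Path(p)) == w["sha256"] for p, w in tb.expected.items())
        mode_ok = (script.stat().st_mode & 0o777) == 0o755

        # Simulate tampering with the store itself; control 4 must catch it.
        obj = tb.store / tb.expected[str(conf)]["sha256"]
        os.chmod(obj, 0o600)
        obj.write_text("listen=80\n")
        return {"restored": restored, "after_ok": after_ok, "mode_ok": mode_ok,
                "bad_objects": tb.verify_store()}


if __name__ == "__main__":
    print(demo())
```

A store on the same host under the same privileges, as here, is only a demonstration: the trusted copies need to live somewhere the accounts and processes that could tamper with the monitored files cannot write, or the rollback simply restores the attacker’s version.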

System Integrity Assurance

System integrity assurance works under the same principle as physical security. It establishes a known, trusted, and authoritative baseline of what is allowed and then prevents, limits, or rolls back everything else. Whenever an unknown change occurs, it’s managed by exception so that acceptable changes are added to the baseline while unacceptable changes are prevented.

System Integrity Assurance can be demonstrated as the following workflow:

This is a closed loop process for managing changes from a trusted baseline. Similar to the change management procedures articulated by best practices of ITIL, NIST, CIS and others, this process covers all stages needed to ensure only acceptable changes are allowed to proceed, while others are prevented or rolled back.

Key Questions For Evaluation

» Is the solution capable of truly real-time detection?
» Is the solution easy to install, configure and use?
» Does the solution only log file changes or does it have other capabilities?
» Does the solution give you important information regarding changes such as who made the change, what process was used, and the originating IP address of the change?
» Can the solution show you exactly what within a file was changed, giving you a side-by-side comparison with the original file?
» Does the solution integrate with other security solutions such as SIEMs?
» Is the solution capable of providing a holistic look at change across your IT environment, or does it only monitor file changes?
» Can the solution differentiate between “good” and “bad” changes, allowing you to focus your attention on those that are most critical?
» Does the solution have centralized policy management and reporting?
» Does the tool have a simple methodology for reconciling changes in your infrastructure?

File Integrity Monitoring plays a critical role in maintaining the security
