Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

Transcription

1 Whitepaper Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know Phone (0) detecting the unknown

2 Integrity Use Case: Whitepaper PCI DSS Introduction Deciding which file integrity monitoring product to deploy can be challenging. Unlike many other IT security tools, there are not an overwhelming number of options available. Still, understanding which product is the best for your environment in terms of functionality, security, and usability can be difficult. Knowing what to look for in a solution is the first step in making an informed decision. Innovative file integrity software such as CimTrak boasts many improvements over the open-source options available. It also has advanced, capabilities that are simply not available with other commercially available file integrity monitoring solutions. With file integrity monitoring required by compliance regulations including PCI-DSS, NIST and SANS Consensus Audit Guidelines, the need to understand the current generation of file integrity monitoring software is now more important than ever. This paper will explore current file integrity monitoring capabilities and how file integrity monitoring is used to keep data secure and enterprises in compliance. How it works First, it's critical to understand exactly how file integrity monitoring works. All file integrity monitoring products are essentially comparison tools that keep track of cryptographic hashes of files at different points in time. Hashes are used because they provide a unique "fingerprint" of each file and they can be easily analyzed since they are simply a string of characters. When a file is altered in some way, the hash for that given file changes to a unique new value. A strong hash provides absolute certainty, or non-repudiation, that a file has indeed changed. Integrity checking products use various hash algorithms, along with other file parameters, as a basis for proof that a file has, or has not been altered. However, file integrity monitoring products differ drastically in speed, performance impact, and capabilities in how they accomplish these steps. Advanced solutions such as CimTrak utilize innovative technologies that maximize file integrity monitoring performance. Understanding which product is the best for your environment in terms of functionality, security, and usability can be difficult. Knowing what to look for in a solution is the first step in making an informed decision. File integrity monitoring products are essentially comparison tools that keep track of cryptographic hashes of files at different points in time. Innovations File integrity monitoring, like many other IT technologies, is in a nearly constant state of evolution. Even the name, file integrity monitoring, is deceptive. Today, file integrity monitoring tools such as CimTrak are capable of much more than simple file monitoring. Monitoring critical network device configurations, drivers, the Windows registry, services, and installed software are just a few of the other items that CimTrak can monitor. CimTrak can even alert you when a file has simply been opened without any changes being made. 2

3 : PCI Poll Based vs. Real-Time Detection Capabilities Years ago, poll-based file integrity monitoring solutions were an IT professional s only choice. Even today, many open-source and even some commercially available solutions still use a poll-based methodology. Polling a file for changes means that a file is checked a certain time intervals. This differentiates it from the new generation of continuous file integrity monitoring technologies such as CimTrak which can detect changes on many operating systems in real-time. Unlike other file integrity monitoring tools, CimTrak does not accomplish this by continuously polling a file, that is, by constantly checking the file for change. While this method roughly approximates real-time detection, it is extremely resource intensive, as hashes of these files must be calculated repeatedly. CimTrak was the first file integrity technology to operate at the kernel level, allowing it to intercept file changes from the operating system itself. By hashing only the watched files that are changed by the operating system, CimTrak needs to perform this action only once as it occurs in true "real-time. This intelligent change detection methodology uses minimal system resources so that CPU cycles and disk I/O remain low. This advanced methodology also provides greater accuracy and other forensic information that is not possible through polling. Real-time change detection provides a distinct advantage over poll-based solutions. Today, threats to IT infrastructures abound. Further, organizations store a large amount of data on IT systems and rely on them for almost every aspect of their business. Unexpected or unknown changes can be catastrophic and cause loss of income and reputation. Therefore, every second matters when it comes to change detection. By detecting changes instantly, IT security personnel can be alerted instantly to changes that are malicious or can cripple critical business functions. Beyond Simple Logging and Alerting Many file integrity monitoring applications only log and alert you to changes. This greatly limits the value to the enterprise. As a third generation file integrity monitoring tool, CimTrak has advanced capabilities beyond logging and alerting of changes. CimTrak even gives you the ability to take instant action automatically upon detection of a change. CimTrak can generate and store new baselines each time a change occurs. This functionality gives you the ability to allow changes but gives you the flexibility to roll a file back to any previous baseline with the click of a mouse. Advanced file integrity technologies operate at the kernel level, allowing them to intercept file changes from the operating system itself. Every second matters when it comes to change detection. By detecting changes instantly, IT security personnel can be alerted instantly to changes that are malicious or can cripple critical business functions. Of course in some instances, preventing changes from occurring in the first place is the most effective way to ensure system security and uptime. CimTrak was the first and is still the only file integrity monitoring solution with the ability to instantly reverse changes without the need for calling on other applications outside the solution. This advanced feature brings an entirely new dimension to file integrity monitoring by ensuring that critical files and applications are only changed through approved processes. 3

4 Most environments call for a combination of actions, ranging from simple logging all the way up to real-time restoration of changes. CimTrak s granular approach to monitoring allows users to configure different actions depending on the type of change that has occurred. For example, upon detection of a file modification, you may want CimTrak to simply log the change or create a new baseline and store it. However, if someone tries to delete the file, potentially deleting critical information and taking down critical business processes, CimTrak can be configured to instantly restore the file upon detection that the file has been deleted. Providing Deep Situational Awareness Knowing that a file change occurred in your IT environment is of little value without more information. In addition to letting you know what attributes of a file have changed, CimTrak provides you a side-by-side comparison of files and highlights the exact lines that have changed. This prevents the tedious task of searching through a file to determine that exact spot where a change occurred. Further, CimTrak gives you other valuable change data, including who made the change, where the change originated, and what process was used to make the change. This data is immensely helpful in determining whether changes are routine or potentially malicious. In addition, it is important to note that advanced file integrity monitoring solutions do not require that an operating system s auditing feature be turned on. IT professionals are often reluctant to turn auditing on as it can decrease their organization s security posture and cause system performance issues. Change data including who made the change, where the change originated and what process was used to make the change is immensely helpful in determining whether changes are routine or potentially malicious. Many file integrity monitoring solutions do not provide this added layer of insight into changes, which greatly limits the value of the solution. Not only will valuable time be wasted trying to pinpoint changes and determine whether the change represents a risk, but an organization s security posture could also be negatively affected. Another added feature of advanced file integrity monitoring solutions such as CimTrak is their ability to interact with other security solutions that may be deployed. One example is security information and event managers (SIEM s), which many organizations have adopted to centralize security alerting and reporting. CimTrak can feed data on changes to SIEM s and other tools that give IT security professionals the ability to correlate change data with other log and event data. This data, log and event aggregation allows deep insight into what is happening in the IT environment and allows for quicker reaction to threats that can compromise security. Advanced file integrity monitoring solutions can interact with other security solutions that may be deployed. This allows even deeper insight into what is happening in the IT environment. 4

5 Inherent Solution Security Often, IT professionals are afraid of implementing a security solution because while it may address the problem at hand, it creates other security issues that need to then be addressed. CimTrak is developed with the belief that an integrity product needs to be built with a high level of inherent security. After all, organizations are entrusting sensitive data (potentially proprietary or classified) and critical configurations to the file integrity monitoring solution. An insecure solution can allow a number of problems to occur. Many file integrity monitoring solutions have inherent security flaws that can be exploited. File integrity monitoring solutions should be built with a high level of inherent security. Unsecured Communications A file integrity monitoring solution should use encrypted communications amongst the solution s components. Failure to do so could result in data being intercepted through a man in the middle attack. All communications amongst CimTrak components are fully encrypted with the encryption type configurable by the user. Further, the CimTrak FIPS edition crytptographic module is certified by NIST to the Federal Information Processing Standard (FIPS) Level 2. No other file integrity monitoring solution offers the ability to use FIPS Level 2 certified cryptography. This makes it ideal for use in government and defense applications as well as commercial enterprises that desire an even higher level of security. In fact, CimTrak is the only file integrity monitoring tool approved by the U.S. Department of Defense for use on critical systems. Unsecured Hash Storage Hashes of monitored files and configurations can be compromised if they are not stored securely. Many file integrity monitoring solutions rely on the end user to ensure the security of the stored hashes on their systems. Any vulnerability can lead to a breach of the hashes, which means that a file s integrity can no longer be ensured. CimTrak s Master Repository provides a highly secure solution, which ensures that hashes are stored securely. This eliminates the need to spend valuable time and resources securing and monitoring stored hashes. Insecure Audit Logs Logs generated regarding changes to files and configurations should not be able to be altered in any way. A secure audit trail is essential to ensuring integrity in any IT environment. Logs from a file integrity monitoring solution should be stored securely and should not be able to be modified, even by the solution administrator(s) or users. Administrators or users cannot alter audit logs generated by CimTrak in any way once they are generated. This ensures the complete integrity of the audit trail. 5

6 No Monitoring Of Actions By Solution Administrators and Users Internal threats are often vastly more potent than external threats. Most file integrity monitoring solutions do not monitor actions taken with the solution itself. This creates the ability for an administrator or user to disable monitoring of certain files or configurations and then exploit the fact that those files or configurations are not being monitored. An unalterable audit trail of all actions taken within the solution should be created and securely stored. An unalterable audit trail of all actions taken with CimTrak is created and securely stored. This ensures that administrators and users actions are being monitored and eliminates the risk that CimTrak can be used for malicious activity without an audit trail being created. This feature also allows administrators to ensure that users are executing work orders correctly and in a timely manner. Compliance Drivers One of the major changes to file integrity monitoring is the trend toward the incorporation of compliance checking and reporting. The impetus for this was the tight correlation between various compliance standards and integrity monitoring. Several well-established compliance standards call for file integrity monitoring to be implemented. Payment Card Industry Digital Security Standard (PCI-DSS) The Payment Card Industry Digital Security Standards (PCI-DSS) was the first compliance standard to require file integrity monitoring of critical systems that handle payment card data. Section 11.5 specifically requires file integrity monitoring be implemented to check files in the PCI environment. Given the extremely sensitive nature of payment card data, the ability to ensure the integrity and security of systems that handle it is extremely critical. File integrity monitoring solutions allow you to meet compliance standards including PCI-DSS Advanced file integrity monitoring solutions such as CimTrak allow you to fully meet PCI-DSS requirement 11.5 and assists with many others. The CimTrak PCI Compliance Module also automates the checking of critical operating system configurations to ensure compliance with PCI requirements. NIST System And Information Integrity (SI) Guidelines NIST Recommended Security Controls for Federal Information Systems and Organizations lays out a framework for U.S. government agencies to safeguard IT systems. While it was developed for government use, it can be applied to any organization as best practice guidelines. For this reason, many commercial organizations also adopt the framework. Two main sections, SI-4 and SI-7 of the standard specifically discuss the need for integrity monitoring. Both sections deal with monitoring the IT environment for changes, which could affect security and compromise sensitive information. SI-7 specifically calls for a... system that detects and protects against unauthorized changes to software and information. It further states that commercial off-the-shelf integrity mechanisms should be deployed. 6

7 Integrity verification tools such as CimTrak assists both government agencies and commercial enterprises that follow in meeting sections SI-4 and SI-7 of the standard. Further, CimTrak can assist in meeting other areas of the standard including the Configuration Management (CM) and Audit and Accountability (AU) sections. SANS Consensus Audit Guidelines (CAG) SANS Consensus Audit Guideline #3, Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers, also calls for file integrity monitoring to be implemented. SANS Consensus Audit Guideline #3 discusses how deploying file integrity monitoring can detect security threats and notify appropriate personnel in a timely manner. Requirement 3.5 requires integrity checking tools be placed on servers to monitor the security of the operating system as well as applications. CAG requirement 3.7 requires file integrity monitoring for critical system files including executables, libraries and configurations to ensure that changes are detected and that appropriate IT personnel are alerted. As mentioned previously, CimTrak detects changes on most operating systems instantly, and can provide instant alerting. In addition, through its restore feature, CimTrak has the ability to instantly restore changes to critical systems and applications, thus effectively ensuring continued system security. Key Questions When Evaluating a File Integrity Monitoring Solution» Is the solution capable of truly real-time detection?» Is the solution easy to install, configure and use? Knowing what questions to ask when evaluating a file integrity monitoring solution helps you understand how they differ.» Does the solution only log file changes or does it have other capabilities?» Does the solution give you important information regarding changes such as who made the change, what process was used, and the originating IP address of the change?» Can the solution show you exactly what within a file was changed, giving you a side-by-side comparison with the original file?» Does the solution integrate with other security solutions such as SIEM s?» What inherent security does the solution have? File Integrity Monitoring plays a critical role in maintaining the security, integrity, and compliance of you organization s IT assets. By providing you key information on changes, file integrity monitoring allows you to be aware of, and react to, changes efficiently. Understanding how various solutions differ is the first step in finding and implementing a solution that meets your needs. detecting the unknown Phone (0) [email protected] Copyright 2015 All Rights Reserved by Distology