WHITE PAPER. Meeting the True Intent of File Integrity Monitoring



Similar documents
WHITE PAPER. PCI Compliance: Are UK Businesses Ready?

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

TRIPWIRE NERC SOLUTION SUITE

PCI DSS Top 10 Reports March 2011

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Best Practices for PCI DSS V3.0 Network Security Compliance

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

The PCI Dilemma. COPYRIGHT TecForte

Best Practices in File Integrity Monitoring. Ed Jowett, CISSP ITIL Practitioner Sr. Systems Engineer, Tripwire Inc.

Proving Control of the Infrastructure

PCI DSS Reporting WHITEPAPER

Real-Time Security for Active Directory

TRIPWIRE REMOTE OPERATIONS: STOP OPERATING, START ANALYZING

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

assure the quality and availability of business services to your customers

Enforcing IT Change Management Policy

Event Log Monitoring and the PCI DSS

FairWarning Mapping to PCI DSS 3.0, Requirement 10

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

Compliance Management, made easy

Managing Special Authorities. for PCI Compliance. on the. System i

Security Information and Event Management (SIEM)

Sample Vulnerability Management Policy

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER

TABLE OF CONTENTS. INTRODUCTION: - Section 1: PCI DSS Version 3.0 Changes - Section 2: Can IDS and WAF Techniques Replace Systems with PCI DSS 3.0?

Strengthen security with intelligent identity and access management

Boosting enterprise security with integrated log management

BlackStratus for Managed Service Providers

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

Enabling Continuous PCI DSS Compliance. Achieving Consistent PCI Requirement 1 Adherence Using RedSeal

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Feature. Log Management: A Pragmatic Approach to PCI DSS

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

PCI White Paper Series. Compliance driven security

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

THE TOP 4 CONTROLS.

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

White Paper. Managing Risk to Sensitive Data with SecureSphere

Improving Network Security Change Management Using RedSeal

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

BRAND-NAME is What COUNTS!!!

End-user Security Analytics Strengthens Protection with ArcSight

Using Skybox Solutions to Achieve PCI Compliance

Stop the Finger-Pointing: Managing Tier 1 Applications with VMware vcenter Operations Management Suite

WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance

FIREMON SECURITY MANAGER

Optimizing Cloud Efficiency Through Enhanced Visibility and Control. business White paper

eguide: Designing a Continuous Response Architecture 5 Steps For Windows Server 2003 End of Life Success

Give Vendors Access to the Data They Need NOT Access to Your Network

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

5 Steps to Implement & Maintain PCI DSS Compliance.

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Protection & Compliance are you capturing what s going on? Alistair Holmes. Senior Systems Consultant

How SUSE Manager Can Help You Achieve Regulatory Compliance

Closing Wireless Loopholes for PCI Compliance and Security

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Dynamic Data Center Compliance with Tripwire and Microsoft

IBM Tivoli Netcool Configuration Manager

whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

Attack Intelligence: Why It Matters

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

nfx One for Managed Service Providers

Netwrix Auditor. Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure

Continuous compliance through good governance

TRIPWIRE CUSTOMER SUCCESS STORIES: PCI PARTNERSHIPS FOR RAPID COMPLIANCE SUCCESS

Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

FireScope + ServiceNow: CMDB Integration Use Cases

FILE INTEGRITY MONITORING

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

The Comprehensive Guide to PCI Security Standards Compliance

WHITEPAPER. Top 10 Reasons NetMRI Adds More Value than Basic Configuration and Change Management Software

Achieving Compliance with the PCI Data Security Standard

PCI Data Security Standards (DSS)

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

agility made possible

Integrated IP Address Management Solution WHITEPAPER. Top 10 Reasons NetMRI Adds More Value than Basic Configuration and Change Management Software

CorreLog Alignment to PCI Security Standards Compliance

PCI DSS READINESS AND RESPONSE

Time Is Not On Our Side!

What is Penetration Testing?

Net Report s PCI DSS Version 1.1 Compliance Suite

Reining in the Effects of Uncontrolled Change

Real-Time Security Intelligence for Greater Visibility and Information-Asset Protection

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES

PCI Compliance for Cloud Applications

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

IT Security & Compliance. On Time. On Budget. On Demand.

Vulnerability Management

Big Data and Security: At the Edge of Prediction

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Transcription:

WHITE PAPER Meeting the True Intent of File Integrity Monitoring

Introduction The term file integrity monitoring, or FIM, popped up back in 2001 when the VISA started working on a security specification that would eventually become the Payment Card Industry Data Security Standard (PCI DSS, or just PCI). FIM was referenced in two requirements of PCI specification, but requirement 10.5.5 specifically instructed organizations that processed, transmitted or stored cardholder data to Use file integrity monitoring/change detection software (such as Tripwire) on logs to ensure that existing log data cannot be changed without generating alerts. In reality, FIM had been around before its reference in the evolving PCI standard. Previously, though, it used a different name: change audit. So here we are ten years later. Where is FIM now? Is it still relevant or important? Does it really protect data and improve security? The answers, in order are: 1. FIM is still called file integrity monitoring (FIM), and is now part of almost every IT compliance regulation and standard and every IT security standard. Some refer to FIM as change audit. 2. Yes, FIM is still relevant and important, although many organizations that must use FIM solutions complain that the term FIM is now synonymous with noise due to the huge volume of changes these solutions detect. 3. Yes, FIM does protect data and improve security, but only when FIM has specific capabilities. In this paper, we give an overview of FIM, an explanation of how FIM provides data protection and improves security, and what capabilities FIM must offer to effectively provide that data protection and security. AN OVERVIEW OF FIM FIM is technology that monitors files of all types and detects changes in these files that can lead to increased risk of data compromise. Unfortunately, many merchants subject to FIM under PCI have lost sight of its intent and spirit. For these merchants, FIM means noise: too many changes, no context around these changes, and very little insight into whether or not a given detected change poses a risk or is just businessas-usual. It s hard to argue with them given that this has been their experience with the FIM tools they ve used. FIM actually is a critical tool in the fight against cardholder data compromise, and really, of any type of sensitive data; however, a true FIM tool must provide additional information. That information, or intelligence, would allow it to only alert security teams to changes that pose increased threat to cardholder data, and not to the hundreds of thousands or even millions of changes that occur daily on large, enterprise-level IT infrastructure. It s also important to understand that while FIM is valuable to PCI, it can and is used to reduce risk of compromise to any IT asset, not just cardholder data. Making FIM an Effective Security Tool To return FIM to its rightful place at the security table, we must change how we use FIM and ensure our FIM solution has specific capabilities. We must decide what in the infrastructure needs to be monitored and how to manage the changes to those IT assets that our FIM solution detects. We also need a solution that gives us more information than a basic something changed. Finally, we need to analyze each change to identify when changes introduce risk. DETERMINING WHAT TO MONITOR AND MANAGING DETECTED CHANGES Monitoring every file on every device or application all the time is impractical and unnecessary, so the first step for effective FIM is controlling what is monitored. Ideally, a FIM solution would provide a way to control what files are monitored for change and the level of monitoring these files require. In other words, the solution would let you determine how much information about these files the file properties you want to capture. You would make those determinations based on the type of file being monitored and how much risk changes to a file might introduce. For example, a permissions file for a financial application represents a high-risk file. You would likely want to harvest enough properties about changes to this file to help you determine if a change is expected or if it is suspect. Although you will limit the scope of the files you monitor, as well as the properties you capture for each monitored file, even a medium-sized organization will generate a large amount of change data. Managing the large volume of change data captured by a FIM solution requires a 2 WHITE PAPER Meeting the True Intent of File Integrity Monitoring

version-based architecture that is compact and fast, and that stores data permanently. One approach that has proven highly successful is to capture the initial state, or baseline, of every monitored file or element and store it in a database. From that point on, the solution detects any changes to an element, including the properties you determined need to be monitored, and stores that change data in the database as the original baseline version plus these typically minor changes. These delta versions, where delta means incremental change to the element s properties, must be stored indefinitely in the database. But to truly add value, the solution must allow this captured history of each element to be accessed, analyzed and acted upon at any point in time. DETERMINING WHAT CHANGED AND WHO MADE THE CHANGE Knowing only that a file has changed is of little use unless you know what about the file or what within the file has changed. Each file has dozens of attributes that, if changed, could spell trouble. Capturing these attributes can provide information essential in determining if the change is harmful or harmless it tells you exactly what within a file changed so you can quickly determine if the change was high-risk and provides the information required to fix the issue. A true FIM solution will be able to harvest this level of information, including changes to configuration files and even character-for-character differences to human-readable file types like Word documents or PDF files. In addition, knowing who made a change is often key to determining if a change is suspect or low-risk. But capturing the who data is not easy, and most FIM solutions are unable to provide this important information. Most FIM solutions available today need to enable OS Auditing on the monitored device to get this who information; yet most IT professionals will not allow this due to concerns about security. The use of real-time detection agents installed on each monitored device can overcome this issue. DETERMINING IF EXPECTED, ACCEPTABLE CHANGES WERE MADE Many changes are intended to make improvements or to correct problems. However, just because a change is proposed and scheduled does not mean that it was actually made or made correctly. Being able to confirm that a change has successfully been made is critical; otherwise improvements that you think were made are not always realized and problems remain when you think they have been resolved. A true FIM solution needs to detect a change, and must also be able to compare that change against what was expected to change. Such capability provides independent confirmation of change processes and policies. While most changes are intentional, or at least not harmful, some changes simply shouldn t be made because they pose increased risk to the environment. Critical configuration files are one example. Each of these files contains one or more configuration settings values that must be in predefined states or ranges to meet and maintain security policy. If any of these configuration files are changed, the settings values must immediately be re-evaluated to determine if they still conform to the security policy. Application executable (.exe) files of mission critical applications are another example of file types that should probably generate an alert if they change for any reason. A true FIM solution must know what has changed, what specific files are supposed to change, and if a given change is within policy. This ability to analyze changes converts volumes of change data from noise into actionable intelligence. ADDRESSING THE ISSUE OF UNAUTHORIZED VS. UNDESIRED/SUSPECT CHANGE PCI DSS 11.5 requires merchants to alert on unauthorized modification of critical system, content or configuration files, but the term unauthorized is fairly misleading. Many interpret the term to mean that they must measure how well the organization adheres to change process policy. In fact, the intent of the term in the requirement is for organizations to be alerted to changes that are undesirable and could put cardholder data at risk of compromise. The 11.5.b Testing Procedure that was added in version 2.0 of the security standard clarifies that it is an audit requirement to Verify the tools are configured to alert personnel to unauthorized modification of critical files. Auditors have typically required proof that appropriate change data has been captured, but there has been inconsistency in verifying whether the FIM solution was also Meeting the True Intent of File Integrity Monitoring WHITE PAPER 3

configured to determine if any of detected changes were not authorized. Too often, the change data has just been stored in bulk in an effort to meet compliance requirements. However, if the data is not continually analyzed for high-risk change, the FIM solution provides limited or no protection against cardholder data compromise. Even in cases where the FIM solution is being used to help determine which changes don t follow approved change process, unauthorized change differs a great deal from suspect or undesired change. Unfortunately, many presume that unauthorized change is always bad, which is not necessarily true. While an unauthorized change may not have followed defined change process policy, it may actually resolve a critical problem. On the other hand, defining a change as authorized presumes it is a good change, which may be THE CAPABILITIES OF TRUE FIM Detects changes Determines which changes introduce risk Determines which changes result in non-compliance Distinguishes between high- and low-risk changes Integrates with other security point solutions equally untrue. Many authorized changes cause problems and have to be rolled back or modified sometimes using an unauthorized process. Whether a detected change can be reconciled to some form of authorization or not fails to address the issue of a bad change; that is, a change that exposes a device or application to increased risk of compromise. Finding bad change is the issue that must be addressed by FIM and that is the true intent of the PCI DSS 11.5 requirement. And not only should FIM detect bad change, it should detect it immediately so the damage can be minimized. A true FIM solution helps merchants automatically determine if detected change is authorized (or even most likely authorized). More importantly, a true FIM helps automatically determine if a change is suspect and needs immediate investigation, or is expected and can be considered low- or no-risk. Conclusion: True FIM Makes FIM Relevant So again, we ask, Is FIM still relevant and important? The answer is a resounding yes. FIM is a critical capability IT security and compliance need to protect the IT infrastructure and its sensitive data. But for FIM to be relevant, it must do a lot more than just detect changes. True FIM must use change detection to help determine whether the changes are good or bad. It must also provide multiple ways to distinguish low-risk change from high-risk change. And it must do this at the speed of change. In addition, True FIM should also work with other security point solutions, like those for log and security event management. Correlating change data with log and event data allows security professionals to better protect their environment, including cardholder data environments. Doing so, allows security professionals to quickly see, trace and relate problem-causing activities with each other. Such visibility and intelligence provides the key for quickly remediating issues before they cause real damage. 4 WHITE PAPER Meeting the True Intent of File Integrity Monitoring

ABOUT TRIPWIRE Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses, government agencies, and service providers take control of their physical, virtual, and cloud infrastructure. Thousands of customers rely on Tripwire s integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA, the integrated compliance and security software platform, delivers best-of-breed file integrity, policy compliance and log and event management solutions, paving the way for organizations to proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and @TripwireInc on Twitter. 2011 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WPTFIM2a

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information