Best Practices in File Integrity Monitoring
Ed Jowett, CISSP, ITIL Practitioner
Sr. Systems Engineer, Tripwire Inc.
Who is Ed Jowett
Agenda
- Best Practices in FIM
- The 3 Main Drivers of FIM
- Lessons Learned
- Integration Points: SEM, SCM, CMS, VA, etc.
- Best Practice Techniques
- Alerts / Reports
- Depth and Frequency
- General Discussion
The Main Drivers of FIM
Three (3) main drivers that I see:
- Compliance / Regulations
- Security / Risk Programs
- Operational Requirements
What drives FIM at your company?
PCI Compliance and Beyond
Have you reviewed the PCI DSS?
Why File Integrity Monitoring?
- What do I have?
- What did it used to look like?
- What should it look like?
- How has it changed?
- Why should I care?
- Who needs to know?
The Physical vs. The Virtual
- What/Who do we need to monitor?
- System Admin or Virtual Admin: what/who can do more harm?
Security Programs Need a Sandbox
How often do you run a test?
Integration Points
What other systems can use this type of data?
- Change Mgmt. System
- Security Config. Mgmt.
- Security Event Mgmt.
- Log Mgmt.
- Vulnerability Mgmt.
- and others
Does your organization maintain some sort of hardening guides?
Crawl, Walk, Run
Gain Situational Awareness
- Knowledge is Power
- Server Classification
- Documentation
- Determine Business Ownership and Risk
- Asset Location
- Physical Characteristics
- Node Classification is easy to implement
- High Severity means Mandatory Response
- Addition vs. Removal of an object
Classification Techniques
- Needs alignment to the business
- Custom Properties / Tags
- Change Characteristics
- Severity and Risk Values
- System Classification is Critical
- Service Group vs. Business Group
- Re-Assessment is required
Automate the Response with Reports and Alerts
- Reduce the massive volume of data
- Correlate (bad) changes with other (suspicious) events
- Distill intelligent information
- Respond immediately: get the details to the right folks
- Make risk-based decisions
How do you gather feedback from the report users?
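The correlation step above, as an added example that is not Tripwire's code: a detected change is matched against approved change windows from the change management system and against interactive logins from the SIEM, and the result decides whether it lands in a report, a review queue, or an immediate alert. All tickets, changes and logins below are constructed for the example, and the ticket format and the report/review/alert rules are assumptions.

```python
"""Correlate FIM change events with change tickets and login events to decide
report vs. alert. Added example, not Tripwire code; all data below is
constructed for the example and the ticket/alert rules are assumed."""
import fnmatch
from datetime import datetime, timedelta

# Approved change windows from the change management system (constructed).
TICKETS = [
    {"id": "CHG-1001", "host": "web01", "paths": "/etc/nginx/*",
     "start": datetime(2024, 3, 1, 2, 0), "end": datetime(2024, 3, 1, 4, 0)},
]

# Changes detected by the FIM agent, already carrying node-based severity (constructed).
CHANGES = [
    {"host": "web01", "path": "/etc/nginx/nginx.conf", "kind": "modified",
     "time": datetime(2024, 3, 1, 2, 30), "severity": "medium"},
    {"host": "web01", "path": "/usr/bin/ssh", "kind": "modified",
     "time": datetime(2024, 3, 1, 13, 5), "severity": "high"},
    {"host": "db01", "path": "/var/log/audit/audit.log", "kind": "removed",
     "time": datetime(2024, 3, 1, 9, 0), "severity": "high"},
]

# Interactive logins from the SIEM / log management system (constructed).
LOGINS = [
    {"host": "web01", "user": "deploy", "src": "10.0.0.5", "time": datetime(2024, 3, 1, 2, 25)},
    {"host": "web01", "user": "root", "src": "203.0.113.7", "time": datetime(2024, 3, 1, 13, 1)},
]


def authorizing_tickets(change, tickets):
    """Ticket ids whose host, time window and path pattern cover this change."""
    return [t["id"] for t in tickets
            if t["host"] == change["host"]
            and t["start"] <= change["time"] <= t["end"]
            and fnmatch.fnmatch(change["path"], t["paths"])]


def nearby_logins(change, logins, window=timedelta(minutes=10)):
    """Logins on the same host within +/- window of the change: who was there?"""
    return [(l["user"], l["src"]) for l in logins
            if l["host"] == change["host"]
            and abs(l["time"] - change["time"]) <= window]


def triage(change, tickets=TICKETS, logins=LOGINS):
    """Decide what happens to one change and attach the context a responder needs."""
    tix = authorizing_tickets(change, tickets)
    if tix:
        action = "report"   # expected change: reconcile it in the periodic report
    elif change["severity"] == "high":
        action = "alert"    # unauthorized on a high-severity node: immediate response
    else:
        action = "review"   # unauthorized but lower risk: queue for the owner
    return {"host": change["host"], "path": change["path"], "kind": change["kind"],
            "action": action, "tickets": tix, "logins": nearby_logins(change, logins)}


def triage_all(changes=CHANGES, tickets=TICKETS, logins=LOGINS):
    return [triage(c, tickets, logins) for c in changes]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['action']:6} {r['host']} {r['kind']} {r['path']} "
              f"tickets={r['tickets']} logins={r['logins']}")
```

The nginx edit falls inside its ticket window and is reported, not alerted; the ssh binary change has no ticket and a root login from an outside address four minutes earlier, so it is escalated with that login attached; the audit log removal on db01 has no ticket and no nearby login at all, which is exactly the kind of change that must not sit in a weekly report.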
When The Inevitable Happens
Forensics Are Key To Understanding the Breach
- If a hacker breaks into your infrastructure you need to understand not only the current state of the infrastructure but what it looked like five minutes before the breach
- PCI DSS Requirements 10.6 (log review) and 11.5 (change detection) are written specifically to understand the breadth and depth of the breach
- Good forensic information will dramatically reduce the cost of clean-up and answer three critical questions you will be asked: What happened? How badly was I exposed? How can I stop it from happening again?
- Maintaining an accurate Baseline is KEY!
Depth of Monitoring
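Depth of monitoring in practice, as an added example that is not Tripwire's code: a baseline records permissions, owner, size, mtime and a SHA-256 of every regular file, a second snapshot is compared against it, and each addition, removal or modification is given a severity from the node's classification, the way the classification and forensics slides above describe. The sample tree, the tag-to-severity table and the rule that size/mtime-only drift is informational are all assumptions made for this example.

```python
"""Baseline-and-compare file integrity check: attributes plus content hash.
Added example, not Tripwire code. Tag scheme and severity rules are assumed."""
import hashlib
import os
import shutil
import stat
import tempfile

# Attributes recorded per object. "Depth" is how many you compare: metadata
# only is cheap; the content hash also catches edits that keep size and mtime.
ATTRS = ("mode", "uid", "gid", "size", "mtime", "sha256")
# Attributes whose change is meaningful on its own (content, permissions, owner).
SIGNIFICANT = {"sha256", "mode", "uid", "gid"}
# Assumed node tags -> severity; "high" means mandatory response.
NODE_SEVERITY = {"pci-cde": "high", "prod": "medium", "lab": "low"}
LEVELS = ("info", "low", "medium", "high")


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Baseline: relative path -> attributes for every regular file under root."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and devices need their own rules
            base[os.path.relpath(full, root)] = {
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_file(full),
            }
    return base


def diff_snapshots(baseline, current):
    """Return (added, removed, modified); modified maps path -> changed attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [a for a in ATTRS if baseline[path][a] != current[path][a]]
        if changed:
            modified[path] = changed
    return added, removed, modified


def node_level(node_tags):
    return max((NODE_SEVERITY.get(t, "low") for t in node_tags),
               key=LEVELS.index, default="low")


def classify(kind, changed_attrs, node_tags):
    """Severity of one change: the node's level, unless only size/mtime drifted."""
    if kind == "modified" and not SIGNIFICANT.intersection(changed_attrs):
        return "info"  # timestamp/size-only noise: report it, don't page anyone
    return node_level(node_tags)  # additions and removals always carry the node level


def demo():
    """Constructed sample tree: baseline it, tamper with it, return classified changes."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        baseline = snapshot(root)

        # Simulated tampering: extra uid-0 account, banner removed, script dropped.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("svc:x:0:0::/tmp:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "motd"))
        with open(os.path.join(root, "etc", "cron.sh"), "w") as f:
            f.write("#!/bin/sh\n")

        added, removed, modified = diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)

    tags = ("pci-cde",)  # node classification of this (assumed) host
    report = {}
    for p in added:
        report[p] = ("added", [], classify("added", [], tags))
    for p in removed:
        report[p] = ("removed", [], classify("removed", [], tags))
    for p, attrs in modified.items():
        report[p] = ("modified", attrs, classify("modified", attrs, tags))
    return report


if __name__ == "__main__":
    for path, (kind, attrs, sev) in sorted(demo().items()):
        print(f"{sev:6} {kind:8} {path} {','.join(attrs)}")
```

The hash is what makes the passwd edit undeniable even if an attacker later restores the original mtime; the attribute list is what tells a responder whether it was content, permissions or ownership that moved. Keep the baseline itself off the monitored host, since a baseline the attacker can rewrite answers none of the three forensic questions.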
Frequency Matters to Ensure a Known, Good State
[Chart: confidence in the known and trusted state plotted against time. Confidence drops at each change and is only restored by a full rescan ("megascan"); the curves compare manual assessment, traditional periodic assessment, and continuous assessment.]
Continuous monitoring:
- Lowers MTTR
- Increases security
- Reduces risk
- Sustainable
In Summary - Why File Integrity Monitoring?
- What do I have? Gain Situational Awareness
- What did it used to look like? Maintain an accurate Baseline
- What should it look like? Enforce your hardening guidelines
- How has it changed? Attributes, Content or HASH
- Why should I care? Node Classification
- Who needs to know? Proper and Accurate Reports and Alerts
Questions and General Discussion
Ed Jowett, ejowett@tripwire.com, www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5440
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980
Integrated & Automated Security Intelligence
[Diagram, three columns: Visibility, Intelligence, Automation. Components: SIEM / Log Management, Continuous Monitoring, Policy Engine, Remediation Engine. Labels: identify events of interest, correlate to bad changes; identify changes of interest, correlate to suspicious events, correlate to security policy; identify threats of interest.]