IT environments in businesses are often volatile. The value of hardware might depreciate over time. There is constant evolution in the world of software. Existing configurations go through a variety of transitions. While some of these updates are permitted since they are part of the organization's regular patching cycle, others raise red flags because they appear out of nowhere.
Unauthorized changes that go undetected may as well mean that an intruder is compromising your critical files or surveying your system trying to find vulnerable configurations to exploit. Having visibility into the changes that happen within your established baseline is the first step to accelerating incident response. IBM notes that businesses with quick reaction times saw an average of USD 2.66 million lower breach costs, or 58% cost savings.
Organizations tend to leverage the powers of File Integrity Monitoring (FIM) and Secure Configuration Management (SCM) to deal with these changes, but they often fail to understand that these two solutions can work together in harmony.
What is FIM?
Many organizations tend to focus on preserving the confidentiality and availability of their critical files, forgetting the importance of (file) system integrity. This is exactly what a File Integrity Monitoring (FIM) solution does. A change in the system's integrity can impact the availability and confidentiality of the system.
File Integrity Monitoring (FIM) is a technique that keeps an eye out for any modifications to files that could be the result of a malicious hacking attempt. FIM is sometimes known as change detection since it comprises tracking file alterations and restoring them if necessary. In this way, businesses can use the control to monitor static files for unauthorized changes. Since this is the case, FIM is helpful for both malware detection and meeting standards like the Payment Card Industry Data Security Standard (PCI DSS).
For a FIM solution to deliver to its promises, it must provide sufficient insight and actionable intelligence for organizations to augment their security postures. The purpose of FIM is not to create noise, but rather to act like “internal affairs” and ensure that personnel with privileged access to these files are doing their job and not messing around with configuration files in production systems or databases.
Although FIM is an excellent tool for maintaining compliance with standards like PCI DSS, it is a mistake to consider this as the sole purpose. The ultimate goal is to keep the organization secure by ensuring that any changes to the baseline configuration are authorized and not the result of any malicious act, internal or external. This is where FIM starts to complement Secure Configuration Management (SCM).
What is SCM?
NIST describes security configuration management (SCM) as "the management and control of configurations for an information system with the objective of enabling security and managing risk."
The default settings of many systems are an easy target for attackers. When a criminal has access to a system, they begin modifying it. Tools for managing security configurations are crucial for these two reasons. Misconfigurations that leave your systems susceptible can be found using SCM, but so can "strange" changes to essential files or registry keys.
Signature-based defenses are insufficient to detect advanced threats in an era of nearly daily disclosures of new zero-day threats. Organizations need to know what is occurring on crucial devices and be able to distinguish between "good" and "bad" changes if they are to notice a breach early. With the help of SCM solutions, businesses can monitor the status of their most valuable assets and react accordingly. Organizations can quickly detect a breach by establishing a baseline configuration for their systems and then regularly monitoring for indicators of intrusion. If a breach is discovered quickly, it can be contained, and its effects lessened.
How can they work together?
FIM and SCM are a perfect match, and this can be understood better when discussing Zero Trust. The core principle of Zero Trust is about ensuring only authorized individuals can access critical assets to perform authorized actions. The purpose of Zero Trust is to limit the potential of a breach and reduce the impact of a successful attack.
File Integrity Monitoring and Secure Configuration Management solutions do exactly that; monitor critical file systems and assets to ensure all actions against them are legitimate and alert if something is unexpected. Therefore, change management is a necessary step toward a Zero Trust framework to increase the level of security of an organization’s infrastructure.
FIM and SCM make sure that the established baseline used for running your organization in a secure manner remains protected from unauthorized changes. In addition, both solutions provide early warnings in case of unauthorized changes to your baseline configuration to help your incident response team act immediately, limit the impact to your operations and revert back to the good known secure state.
The value of Tripwire
Tripwire’s FIM and SCM solutions are part of the umbrella Tripwire Enterprise platform.
The File Integrity Monitoring solution focuses on adding business context to data for all changes that occur in an organization’s environment. As such, it provides IT and security teams with real-time intelligence that they can use to identify incidents that are of real concern. It also helps personnel learn the who, what, when, and how of a change, data which they can use to validate planned modifications.
On the other hand, the Secure Configuration Management solution automates the tasks for securing your infrastructure and provides deep system visibility at the same time. The moment your system becomes misconfigured, Tripwire SCM notifies your teams and offers detailed remediation instructions in order to bring the misconfiguration back into alignment.
Both solutions are easily configurable to allow your organization to be secure in a rapidly changing risk and business environment and maintain compliance against a variety of frameworks, including PCI DSS, CIS and NIST.
If you want to find out more, visit the Tripwire Enterprise page, where you download datasheets and read successful use cases.