Challenges to Data IntegrityDestructive malware, ransomware, malicious insider activity, and even honest mistakes all set the stage for why organizations need to quickly detect and respond to an event that impacts data integrity. Businesses must be confident that these events are detected quickly and responded to appropriately. Attacks against an organization’s data can impact business operations, revenue, and reputation. Examples of data integrity attacks include unauthorized insertion, deletion, or modification of data to corporate information such as emails, employee records, financial records, and customer data. Some organizations have experienced systemic attacks that force operations to cease. While ransomware remains the most prominent attack method, other data integrity attacks may be more dynamic, targeting machines, spreading laterally across networks, and continuing to cause damage throughout an organization. These behaviors are usually targeted against multiple files at a time. After all, for most organizations there would be little impact if a single file is held hostage. Most attackers tend to choose high impact over subtle craftiness. This makes the events easily detectable if the correct monitoring tools are in place.
NIST Cybersecurity FrameworkNIST published version 1.1 of the Cybersecurity Framework in April 2018 to provide guidance for protecting and developing resiliency for critical infrastructure and other sectors. The framework core contains five functions, outlined in a handy, easy-to-remember graphic:
- Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Protect – Develop and implement appropriate safeguards to ensure the delivery of critical services.
- Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident
NIST SP 1800-25, Identifying and Protecting Assets Against Ransomware and Other Destructive EventsApplying the Cybersecurity Framework to data integrity, this practice guide informs organizations of how to identify and protect against a data integrity attacks, and in turn, understand how to manage data integrity risks and implement the appropriate safeguards. The solution developed by NCCoE isolates the opportunities that would allow for cybersecurity events to occur and implements strategies to remediate those conditions. Also, the solution uses information from known cybersecurity events, and applies them to protecting IT infrastructure. To achieve this, the following core capabilities should be in place:
- Vulnerability management
- Policy enforcement
- Integrity monitoring
- Secure storage
- Network protection
NIST SP 1800-26, Detecting and Responding to Ransomware and Other Destructive EventsThe NCCoE, also offers a practice guide to assist organizations about how to quickly detect and respond to data integrity attacks. This incorporates multiple systems working in concert to detect an ongoing data integrity cybersecurity event. Additionally, it provides guidance about how to respond to the detected event. Addressing these functions together enables organizations to have the necessary tools to act during a data integrity attack. Detecting and responding to attacks against data integrity could be done when the following capabilities work together:
- Integrity monitoring
- Event detection
- Vulnerability management
- Reporting capabilities
- Mitigation and containment
Benefits of the Practice GuidesPrior to the practice guides, NIST had also released the NIST SP 1800-11 guide, “Recovering from Ransomware and Other Destructive Events.” These practice guides to data integrity can help your organization:
- develop a strategy for identifying, protecting, detecting, responding, and recovering from a data integrity cybersecurity event;
- facilitate comprehensive protection from adverse events, effective detection and response, and smoother recovery from an adverse event both to maintain operations and to ensure the integrity of data critical to supporting business operations and revenue-generating activities; and
- manage enterprise risk.
Benefits of Tripwire SolutionsTripwire is very proud to be part of the NCCoE project. Companies have considered Tripwire functionality a key component to successfully implementing the NIST Cybersecurity Framework because the controls found in Tripwire solutions provide support for all five functions. The NCCoE used Tripwire IP360 to perform the vulnerability management functions. Tripwire IP360 is a vulnerability scanner and management tool, which can scan a variety of hosts for known vulnerabilities and report on the results. Furthermore, the tool can manage and assign risk levels to these vulnerabilities, allowing security teams to effectively manage vulnerabilities throughout the enterprise. For integrity monitoring, Tripwire Enterprise was used. Tripwire Enterprise is a file integrity monitoring tool that establishes a baseline for integrity activity within the enterprise. This baseline is used in the event of an attack to detect and alert on changes within the enterprise as well as aid recovery should it be necessary. Finally, Tripwire Log Center was used for logging purposes. Tripwire Log Center collected, transformed, and forwarded logs from Tripwire IP360 and Tripwire Enterprise. If you want to learn more about how Tripwire solutions can help your organization implement data integrity functions, contact the experts or ask for a demo.
* The NCCoE is a public-private partnership that brings together industry organizations, government agencies and academic institutions under cooperative research and development agreements to collaborate in the creation of practical cybersecurity solutions that address the needs of specific industries as well as broad, cross-sector technology challenges. NIST does not evaluate commercial products under this project and does not endorse any product or service used.