After spending several decades in this industry, I have seen growth in many different security products and in many different areas. All the while, I've questioned whether specific technologies were offering real value or were just over-marketed to create more revenue opportunities for investors. As we have seen repeatedly, categories of security products blossom in many different ways.
So many vendors, so much technology. Where do we go from here?
Let’s take a look at the firewall and endpoint protection marketplace. First off, look at what has happened to firewalls in the last 20 years. We have gone from the original stateful multi-layer inspection firewalls to application firewalls, from north-south traffic to east-west traffic, to firewalls in the Cloud and beyond. This migration has brought us from the start of managing a few firewalls to managing hundreds to now having specialized change management and attack modeling solutions that address firewall topologies, not to mention the requisite operational expertise that we need to keep things running optimally on a continual basis.
Now, look at the endpoint area. We originally had antivirus, which many security professionals now say is completely outdated and should simply be removed because signatures are outdated. Not only that, but we also now have endpoint detection, prevention, response, obfuscation, hardening, and on and on it goes.
How do we manage all of this, and what is the best utilization of the dollars that we are now putting into securing our enterprise?
Thinking about Confidentiality, Integrity, and Availability (CIA)
A good place to start is the Three Principles of a Secure System. To most security professionals, the three principles are focused around Confidentiality, Integrity and Availability (CIA). As Paul Edon so eloquently defines them in his blog:
The correct level of access should be given to only those people and processes that need it to complete their duties. If no access is required, then none should be given.
Ensure the integrity of the information is maintained at all times and that any information provided is an accurate and unchanged representation of the original.
Ensure all information is readily accessible to all authorized users at all times.
The theory is simplistic but the practicality of supporting such requirements is anything but. If you study each principle separately, you will quickly realize that to achieve the end goal across a reasonably simple system requires a number of complex controls be put in place.
Meeting the requirements of all three principles brings more complexity, especially as the missing part of the jigsaw is “Audit,” the ability to evidence controls, findings, remediation, etc. The current thinking is to change it to CIA2 – it may also help to reduce confusion.
If we go back to basics of the CIA triad and focus on change in the environment to catch risks early, we can focus on addressing root causes and get the most we can out of each dollar spent on securing our environment rather than investing in yet another “new” security tool.
The Importance of File Integrity Monitoring and Why it Matters to Your Business
File integrity monitoring (FIM) was invented in part by Tripwire founder Gene Kim. It went on to become an important security control that thousands of organizations build their cybersecurity programs around. The term “file integrity monitoring” was popularized by the PCI standard.
FIM is a technology that monitors and identifies changes to files that may indicate a cyberattack. Unfortunately for many organizations, FIM mostly means noise: too many changes, no context around these changes, and very little insight into whether a change poses a risk. FIM is an important security control, but it must provide enough insight and actionable intelligence to be worth the effort.
Otherwise known as change monitoring, file integrity monitoring involves examining files to see if and when they change, how they change, who changed them, and what can be done to restore those files if those modifications are unsanctioned.
Companies can leverage the control to monitor static files for suspicious modifications, such as changes to their IP stack and email client configuration. As such, FIM is useful for detecting malware as well as achieving compliance with regulations like the Payment Card Industry Data Security Standard (PCI DSS).
The overall goal of file integrity monitoring is to catch a potential security breach as early as possible. Since changes to critical pieces of infrastructure are often harbingers of a security breach, file integrity monitoring is the best way to catch those signals early.
Most importantly, both PCI DSS and HIPAA compliance frameworks mandate file integrity monitoring. Of course, they each do so in a slightly different way, using varying terminology and a range of specificity.
Something for Security Professionals to Consider
If you see unexpected or unexplained file changes, you can investigate instantly and resolve the issue swiftly if your system has been compromised.
You can settle changes against change tickets or a list of accepted changes in a text file or spreadsheet.
You can determine if changes take configurations out of policy (impact the hardening standard).
You can automate responses to specific types of changes—for example, flag the appearance of a DLL file (high-risk) but auto-promote a simple modification to a DLL file (low-risk).
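The workflow sketched in these points, baseline the files, detect what changed, reconcile changes against an approved list, then triage the rest by rule, can be shown end to end in a few dozen lines. The following is an added example written for this page, not Tripwire's code or any product's logic: it hashes a directory tree with SHA-256, diffs two snapshots into added/modified/removed entries, reconciles against a constructed change-ticket dictionary keyed by path and expected hash, and applies a small rule table that mirrors the article's own DLL example (a new DLL is high risk, a modification to an existing DLL is low risk). The directory layout, file contents, ticket number CHG-0042 and the `RULES` table are all constructed for the demonstration; anything not matched by a ticket or a rule is left for human review rather than silently accepted.

```python
"""Minimal file-integrity monitor: baseline, compare, reconcile, triage.
Added example for this page; not code from the article or any product."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: relative path -> {sha256, size}."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline


def diff_baselines(old: dict, new: dict) -> list:
    """Return added/removed/modified entries between two snapshots, sorted by path."""
    changes = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes.append({"path": rel, "kind": "added", "sha256": new[rel]["sha256"]})
        elif rel not in new:
            changes.append({"path": rel, "kind": "removed", "sha256": old[rel]["sha256"]})
        elif old[rel]["sha256"] != new[rel]["sha256"]:
            changes.append({"path": rel, "kind": "modified",
                            "old_sha256": old[rel]["sha256"], "sha256": new[rel]["sha256"]})
    return changes


# Constructed rule table mirroring the article's example: (change kind, suffix, risk).
RULES = [
    ("added", ".dll", "high"),      # a DLL appearing where none existed
    ("modified", ".dll", "low"),    # a modification to an existing DLL
]


def triage(change: dict, approved: dict) -> str:
    """Reconcile a change against approved tickets first, then apply risk rules.

    `approved` maps path -> {"ticket": id, "sha256": hash the file should now have};
    requiring the hash to match ensures the change that landed is the one approved.
    Anything unmatched is returned as 'review' so it is never silently accepted."""
    ticket = approved.get(change["path"])
    if ticket and ticket.get("sha256") == change["sha256"]:
        return f"approved:{ticket['ticket']}"
    for kind, suffix, risk in RULES:
        if change["kind"] == kind and change["path"].endswith(suffix):
            return risk
    return "review"


def demo() -> dict:
    """Constructed scenario: baseline a temp tree, make five changes, triage them.
    Returns {path: (kind, verdict)} so the outcome can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.dll").write_bytes(b"v1")
        (root / "app.conf").write_text("debug=false\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "old.log").write_text("rotated\n")
        before = build_baseline(root)

        (root / "bin" / "inject.dll").write_bytes(b"unknown")        # new DLL appears
        (root / "bin" / "app.dll").write_bytes(b"v2")                # existing DLL modified
        (root / "app.conf").write_text("debug=true\n")               # covered by a ticket
        (root / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 intranet.example\n")
        (root / "old.log").unlink()                                  # file removed
        after = build_baseline(root)

        # Constructed change-ticket list: path -> ticket id and expected resulting hash.
        approved = {"app.conf": {"ticket": "CHG-0042",
                                 "sha256": hashlib.sha256(b"debug=true\n").hexdigest()}}
        return {c["path"]: (c["kind"], triage(c, approved))
                for c in diff_baselines(before, after)}


if __name__ == "__main__":
    for path, (kind, verdict) in demo().items():
        print(f"{verdict:20} {kind:9} {path}")
```

Running it reports the ticketed `app.conf` change as approved, the new `bin/inject.dll` as high risk, the modified `bin/app.dll` as low risk, and the `hosts` edit and the deleted `old.log` as needing review. A production monitor would also record who made each change (ownership, audit or process attribution), which a hash snapshot alone cannot tell you, and would store the baseline somewhere the monitored host cannot rewrite it.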
And it’s because of all of this that starting at the roots of integrity makes great sense for your business.
Delivering on the accuracy of information, built on principles of integrity with the highest value for your security spend, Tripwire stands in a class by itself.
To a successful and integrity filled 2020!