File Integrity Monitoring
(FIM) has been around for a long time. In fact, Tripwire has been a pioneer in FIM since the early 1990s when Gene Kim released the first version of Tripwire.
Monitoring for change enables you to know what changes were made, who made the changes, and the changes that occurred. This allows you to easily roll back to a known good configuration and contain any damage from unauthorized change or a potential breach very quickly.
However, monitoring the entire operating system for change can get noisy very quickly. Administrators can get bombarded with change notifications, reducing the likelihood that actual malicious activities will be caught.
Administrators of FIM Systems, therefore, need to anticipate where attackers are likely to strike, what they will change and where they may place malware, for it’s entirely possible that malware may get placed on the system in a location that is not monitored by the File Integrity Monitor System – that is, unless they are using Tripwire Enterprise File Integrity Monitoring System.
Tripwire Enterprise Auto-Monitor is a revolutionary new way to monitor the unknown. Administrators can now configure their FIM environments to monitor what matters to their environments. When any new executables are placed on the system, Tripwire Enterprise detects the new process and checks to see if it’s being monitored.
In the event that the new executable is not being monitored, Tripwire Enterprise will dynamically configure the asset to monitor the executable and the associated files with that process. Now administrators don’t need to worry about where attackers will strike, only that their systems have Tripwire in place.
Tripwire Enterprise Auto-Monitor finds where you’re being attacked, monitors the activity and applies the monitoring across the environment to anticipate where the attacker is going to strike next. The feature also integrates with our premium Threat Intelligence providers to allow for automated response to malware. If a known piece of malware is placed on any of your assets, Tripwire Enterprise will find it, kill the process and clean the system from infection.
The latest Verizon Data Breach Investigation Report
indicates that once breached (which often is seconds to minutes), exfiltration can begin within minutes to hours, thus providing a very narrow window during which you can detect and deter the threat. If you’re using a typical FIM product, they might have the usual and undifferentiated change detection without real time, “who” made the change data, or detailed and actionable information.
This would lead to operating in the dark as to new malware and even exfiltration of data, with the average time to detect for 2015 being 204 days. This scenario is unlike one in which one deploys Tripwire Enterprise, which not only detects change in real-time but also has a sophisticated method to judge those changes. Additionally, the advanced capabilities in Auto Monitor protect against the unknown.
Let’s imagine a scenario where an average FIM system is in place monitoring critical system files.
A new exploit is released that can compromise a directory on the system that isn’t being monitored. Previously, administrators would be blind to the fact that new malware was placed on the here, exfiltrating data from their networks. With Tripwire Enterprise, Auto-Monitor will detect the new malware, as well as the associated files.
Not only will administrators be alerted to the malware, but they will also be apprised of the data that attackers may be exfiltrating out of the enterprise.
Tripwire Enterprise Auto-Monitor is available now. Contact your Tripwire Sales or Professional Services Team to get more information about configuration management
Title image courtesy of ShutterStock