Had Heartland Payment been using Tripwire’s Enhanced File Integrity Monitoring solution, they would have uncovered something amiss within hours or even minutes of being breached—provided the solution was used as described below and the alerts were acted upon.
Here is a simple summary of what Tripwire’s Enhanced File Integrity Monitoring solution would have provided the Heartland IT Security team, given the current public knowledge of the breach.
- Following the SQL injection, the key to the breach was the installation of the hacker’s package in Heartland’s infrastructure. Because Tripwire continuously monitors for change, the installation of the “bad” code would have been detected quickly whether it was installed on a single server or migrated to other servers, even if it was placed in unallocated space or in an alternate data stream (ADS). The alert would have triggered an investigation to determine the unknown source of the code.
- Part of the final discovery of the malware was the tedious evaluation of temp files. Tripwire would have helped determine that the files were not associated with any known application; that would have raised a red flag.
- It has been stated that this breach continued for an extended period. To accomplish that, the configuration of the server(s) would have been altered so that the malicious code persisted across server reboots. Tripwire’s continuous Configuration Assessment capabilities would have detected the configuration change, raised an alert, and provided detailed information to speed investigation and remediation.
- Finally, even though the details have not been revealed, it is likely that changes to Heartland’s network infrastructure took place to ease the export of sensitive data out to the hacker. Tripwire’s ability to detect network device configuration changes (both start-up and running configurations) and then immediately assess those changes against policy (CIS, PCI, etc.) would have been a red flag to Heartland’s security team.
But Heartland Payment Systems was PCI compliant! Why would the Tripwire Enhanced File Integrity Monitoring solution have helped Heartland find the effects of the breach any sooner? Because Tripwire doesn’t just detect change like so many simple file integrity monitoring products, or assess configuration information every once in a while. Instead, Tripwire determines if a detected change was expected and authorized, and if the same change was in compliance with policy. It does this on a continuous basis and generates alerts and remediation advice when the answer to either question is “no”.
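As an added illustration, and not Tripwire’s code or a description of how its product is implemented, here is a minimal Python model of the reconciliation step described above: a hashed baseline, a later snapshot, and an approved-change record that lets a planned upgrade pass silently while unexplained changes raise alerts. The file paths, contents and change record are constructed for the example; a real deployment would build the same path-to-digest dictionaries by walking the filesystem.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Hash an in-memory {path: bytes} tree into {path: digest}."""
    return {path: sha256(content) for path, content in files.items()}


def diff(baseline: dict, current: dict) -> list:
    """Return (kind, path, new_digest) for every added, removed or modified file."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append(("added", path, current[path]))
        elif path not in current:
            events.append(("removed", path, None))
        elif baseline[path] != current[path]:
            events.append(("modified", path, current[path]))
    return events


def reconcile(events: list, approved: dict) -> list:
    """Keep only changes not covered by an approved change record.
    approved maps path -> expected digest (None for an approved removal);
    a change whose resulting digest matches the record is expected,
    anything else is an unauthorized change and becomes an alert."""
    return [(kind, path) for kind, path, digest in events
            if not (path in approved and approved[path] == digest)]


# Constructed sample data: the trusted baseline, the same host one monitoring
# interval later, and the change ticket covering the one planned upgrade.
BASELINE_FILES = {
    "bin/payment_svc": b"payment service build 1",
    "etc/payment.conf": b"listen=8443\n",
    "etc/rc.local": b"#!/bin/sh\nexit 0\n",
}
CURRENT_FILES = {
    "bin/payment_svc": b"payment service build 2",               # ticketed upgrade
    "etc/payment.conf": b"listen=8443\n",
    "etc/rc.local": b"#!/bin/sh\n/tmp/unknown.bin &\nexit 0\n",  # startup script altered
    "tmp/unknown.bin": b"not part of any deployed package",      # unexplained new file
}
APPROVED_CHANGES = {"bin/payment_svc": sha256(b"payment service build 2")}


def run_demo() -> list:
    """The upgrade is silent; the two unexplained changes are alerted."""
    events = diff(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    return reconcile(events, APPROVED_CHANGES)
```

Running `run_demo()` yields alerts for the altered startup script and the unexplained file only; the ticketed binary upgrade matches its approved digest and is not reported.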
No solution is going to stop every breach or bad change. But continuous detection and analysis of change to critical system, configuration or content files can dramatically reduce the risk and duration of malicious change.