The purpose of every security team is to provide confidentiality, integrity and availability for the organization’s systems, the “CIA Triad” for short. Of those three elements, integrity is the key element for most compliance frameworks and regulations.
Some organizations have realized this and decided to implement File Integrity Monitoring (FIM). But many of them are doing so only to meet compliance requirements such as PCI DSS and ISO 27001. However, file integrity monitoring is about more than complying with regulations; it is also a key part of staying secure. I will try to touch on these ideas below.
Change as a Source of Potential Insecurity
Changes are inevitable on IT systems. IT admins can change systems’ configurations or files, delete them or add new ones. These changes are normal if they are performed by authorized people.
However, authorized people are not the only ones who make changes on systems, and not every change made by an authorized person is an approved change. When a penetration occurs, a threat actor also makes changes on the organization’s systems. Those changes reflect the actor’s efforts to establish persistent access, then move laterally, find sensitive and more important data and ultimately exfiltrate it. All of these operations require changes on the systems.
Fortunately, organizations can use a FIM tool to spot those malicious activities. That’s because a file integrity monitoring tool detects changes on the systems such as those made to files, services, the registry, etc. The tool identifies the changes, which in turn helps determine whether they were authorized or not.
As I mentioned above, most organizations that are using file integrity monitoring are doing so just to comply with regulations. For example, if they need to be compliant with ISO 27001 for one of their applications or departments, they’ll only deploy FIM to that department’s applications or servers. Of course, it is important to comply with regulations, but organizations need to think more widely about FIM.
Again, as I mentioned above, changes are critical, especially on production systems. Applications and systems depend on files, services and so on, and any unauthorized change may stop an application from working properly and may affect critical systems. Also, many threat actors and malware strains change, add or delete files in critical directories. So it is important to be able to detect a change on a critical system or directory.
A Ponemon Institute report suggests that organizations should detect a threat actor inside the organization within 100 days. That gives the actor up to 100 days post-penetration to search your environment for sensitive data, and all the while they are making changes on the systems. If organizations use FIM on their production environment, they can identify these kinds of threats quickly.
The Value of Protecting Individual Assets with FIM
So it is important to broaden FIM’s scope. All network devices, critical servers, databases and virtual environments are critical to monitor with FIM.
Let’s look at how to use FIM on some of these assets now.
Detecting changes on network devices is critical not only to protect systems against threat actors but also for change management. Think of critical outages in the organization. When there is an outage on a critical application, it sometimes turns into complete chaos. Especially in big organizations, admins try to fix the interruption and can end up making too many changes in the process. After the outage is fixed, some of these changes remain in place, and they can cause other outages or vulnerabilities in the systems. So it is very important to know what was changed and when.
These days, most critical applications run on virtual systems. This technology makes it very easy to create new systems, but its central management also makes it very sensitive: unauthorized changes and misconfigurations in a virtual environment may affect more than one system at once. For example, a misconfigured RAM allocation on one virtual machine can affect other virtual servers’ RAM usage and may cause slowness on most of the critical servers. This sensitivity of central management needs to be monitored more carefully, and FIM products can monitor for and alert on these kinds of changes.
Most big organizations have database security products in their environment. IT teams can monitor for changes on the databases with database security tools, but they still need a complete file integrity monitoring tool that covers all of their systems, including databases.
Threat intelligence services provide indicators of compromise (IOCs) for the newest threats; an IOC describes the traces a threat actor leaves behind, such as the hash or path of a dropped file. FIM tools can integrate with threat intelligence services, and this integration helps organizations detect newer threats in their systems.
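As an added example (not the article’s or Tripwire’s code), the following Python script shows the mechanism behind the change detection described above and the IOC matching just mentioned: it records a baseline of a directory tree, compares a later snapshot against it to classify additions, deletions, content changes and permission changes, and checks the new or changed files against an indicator list. The directory contents, the simulated changes and the indicator hash are all constructed for the demonstration.

```python
"""Minimal file integrity monitor (added example; not the article's or Tripwire's code).

Takes a baseline snapshot of a directory tree (SHA-256, size, permission bits),
compares a later snapshot against it, and checks added/modified files against a
list of indicator hashes. Paths, file contents and the IOC list are constructed.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash, size and mode."""
    root = Path(root)
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # directories and symlinks are not hashed, only regular files
        st = path.stat()
        entries[path.relative_to(root).as_posix()] = {
            "sha256": _sha256(path),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),  # permission, setuid/setgid and sticky bits
        }
    return entries


def save_baseline(entries: dict, path) -> None:
    """Persist the baseline; in practice keep this copy where the monitored host cannot rewrite it."""
    Path(path).write_text(json.dumps(entries, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify each path as added, deleted, modified (content) or mode_changed (permissions only).

    A file whose content and permissions both changed is reported once, as modified.
    """
    report = {"added": [], "deleted": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["deleted"].append(rel)
        elif old["sha256"] != new["sha256"]:
            report["modified"].append(rel)
        elif old["mode"] != new["mode"]:
            report["mode_changed"].append(rel)
    return report


def match_iocs(current: dict, report: dict, ioc_hashes: dict) -> list:
    """Return (path, indicator name) for new or changed files whose SHA-256 is a known indicator."""
    lookup = {h.lower(): name for h, name in ioc_hashes.items()}  # feeds differ in hex case
    return [(rel, lookup[current[rel]["sha256"]])
            for rel in report["added"] + report["modified"]
            if current[rel]["sha256"] in lookup]


def demo() -> dict:
    """Run one monitoring cycle on a constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"          # the monitored tree (constructed)
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "etc" / "users.db").write_bytes(b"alice:1000\n")
        (root / "bin" / "service").write_bytes(b"#!/bin/sh\necho ok\n")
        os.chmod(root / "bin" / "service", 0o755)
        store = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_baseline(snapshot(root), store)

        # Simulated activity after the baseline: a config edit, a deleted file,
        # a dropped file and a setuid bit added to a binary (all constructed).
        (root / "etc" / "app.conf").write_text("listen=443\ndebug=true\n")
        (root / "etc" / "users.db").unlink()
        (root / "bin" / "helper").write_bytes(b"constructed sample payload")
        os.chmod(root / "bin" / "service", 0o4755)

        current = snapshot(root)
        report = compare(load_baseline(store), current)
        # Constructed indicator list standing in for a threat-intelligence feed.
        iocs = {hashlib.sha256(b"constructed sample payload").hexdigest().upper(): "SAMPLE-IOC-001"}
        hits = match_iocs(current, report, iocs)
    return {"report": report, "hits": hits}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script directly to print the findings as JSON. Two design points carry over to any real deployment: the baseline must live somewhere the monitored host cannot rewrite it, otherwise whoever changes the files can also re-baseline them, and permission-only changes are reported as their own class so that a setuid bit appearing on an unchanged binary is not lost among routine content edits.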
Full Visibility with FIM
FIM is a good solution for complying with regulations. But as mentioned before, when a threat actor penetrates successfully, they first try to make their access persistent and then search for ways to move laterally so that they can exfiltrate sensitive data. In this situation, protecting all systems, including databases, critical production servers and network devices, with FIM is important.
With a full file integrity monitoring platform, organizations gain full visibility into their environments and can defend against incidents caused both by external threat actors and by insiders who might apply misconfigurations to business assets. So it is important to use FIM on production systems as much as possible and not only on the systems that regulations pin down.
About the Author: Emre Özpek is a Security Consultant with more than 15 years of experience, assisting various organizations with cybersecurity and SOC structure and architecture and helping them develop their security programs.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.