If you’ve been in information security for a while, you’ve likely had some experience with file integrity monitoring (FIM). It’s a capability with a long history, going back to the original open-source Tripwire tool for monitoring file hashes.
And FIM has staying power. It’s still around, and there are still new deployments. There aren’t a lot of security controls that continue to be valuable over such a long time frame. After all, knowing how and when files change is universally useful and pretty important to security.
Technology has evolved, however. While 1998 might have produced a killer 233Mhz CPU for your desktop, 2018 has driven your applications to the cloud. In the meantime, FIM itself hasn’t changed all that much. It’s still about detecting changes in files in most cases.
It’s time for FIM to grow up and evolve into integrity management.
Integrity management is the process of establishing baselines and monitoring for changes. It’s about defining a desired state and maintaining it. That concept is, ultimately, what information security is all about. FIM applies the concept very narrowly to files and maybe to some additional configuration elements.
Integrity management seeks to apply the concept to the entirety of your IT eco-system including systems, network devices, and cloud infrastructure. They might even occur outside of your organization as changes in the threat environment.
If you think of your desired state measured in terms of acceptable risk, then maintaining integrity is all about maintaining that acceptable level of risk. Changes that impact your risk posture or profile must be addressed, and the sooner the better.
In order to make the concept of integrity management more real, let’s take a brief look at the core steps involved.
1. Start with a Secure Deployment.
The first place to apply the principles of integrity management is at deployment. Every organization should work to ensure they’re deploying systems that meet risk acceptance criteria. That means you have to establish those criteria and be able to measure them for servers, images, containers and any other system that gets deployed, whether on-premise, virtual or in the cloud. Ask yourself which systems in your organization don’t get this treatment.
2. Baseline every system that’s deployed.
The time to establish a baseline for a system is when it’s first deployed. That baseline is crucial for being able to identify changes and determine how they might affect the risk posture of that system. The baseline should be closely correlated with the standards for secure deployment of that type of system.
3. Monitor systems for change.
Detecting change is at the heart of Integrity Management. Once you’ve deployed and baselined secure systems, you must be able to detect changes that compromise the integrity of that system. This process requires a close connection between change detection, baselines and the change process for the organization.
4. Investigate and remediate changes.
Not every change requires action. Implementing a reconciliation process to separate the wheat from the chaff is crucial. Changes that are business as usual and associated with change orders or planned updates don’t require response. Changes that can’t be reconciled or changes that impact risk must be investigated and remediated. In order to do so, you must have sufficient detail about the changes to make decisions.
Implementing an integrity management program isn’t easy, but it is a highly valuable approach to your organization. If you want to dig into more details on integrity management, how to apply it to different environments like cloud and DevOps, and get a clearer picture of the benefits, we’ve created a whitepaper that takes the topic further.