With the recent WannaCry ransomware attack still top of mind for many IT professionals worldwide, it’s an important reminder that you should monitor not just your networks and security devices, but also the data on your servers and desktops. In the case of WannaCry, having File Integrity Monitoring (FIM) in place can enable you to detect changes to the key data files that WannaCry tries to encrypt and alert you to the threat before the affected asset and its data become unusable and possibly irretrievable.
With emerging variants of WannaCry and the continuous onslaught of attacks against your infrastructure, whether you’re looking to protect a key asset like Active Directory or to perform change audit on any of your critical servers, a File Integrity Monitoring solution should be part of your security defense. With that in mind, it’s important to reiterate that FIM is not the ‘silver bullet’ of security solutions, but it is definitely a powerful and effective defense that you should have in your IT security arsenal.
In my previous blogs on FIM, I introduced (part 1) the ‘what’ and the ‘why’ behind FIM as one invaluable approach to monitoring for malicious changes to files. I then introduced (part 2) some best practices for FIM, including what files to monitor and how to get the best value from your FIM deployment.
This week I’m going to discuss what to look for when selecting a FIM solution, caveats to be aware of, and how our AlienVault Unified Security Management (USM) products – AlienVault USM Anywhere and AlienVault USM Appliance – can help you implement a multi-faceted security program with its several essential security capabilities, including FIM.
Selecting a File Integrity Monitoring Solution
It can be difficult to find the right solution for your unique environment. Just a quick search on ‘File Integrity Monitoring’ brings up an overwhelming number of search results. But, which to look at and what are the differences among the various solutions?
Well, let’s start with the following list, which covers the key things to look for in your final solution:
- Agent vs. agentless. Agent-based FIM solutions leverage software agents installed on target systems. They typically yield the most powerful analyses and can deliver change monitoring at or near real-time.
In contrast, agentless FIM tools get up and running very quickly because no agent is required. However, the feature set and depth of functions of agentless FIM tools are generally reduced, and the analysis isn’t real-time. This leaves a potential risk of not being able to monitor change when you need it most. If you require the depth and feature richness of an agent-based system, consider a unified approach that integrates multiple security functions into a single agent for a smaller footprint and less management effort.
- Standalone vs. HIDS. Some FIM solutions integrate with, or are part of, a host-based intrusion detection system (HIDS). HIDS capabilities are a superset of FIM capabilities and can detect threats in areas other than files, such as system memory (RAM) or I/O. Standalone FIM tools generally provide file analysis only.
- Performance. The more people in the organization you talk to, the more files you will find that need monitoring. Particularly when meeting compliance objectives, some organizations take the approach of monitoring as much as possible when auditing change. With that in mind, look for proven FIM solutions that don’t consume too many system resources and, when running, have minimal impact on system performance.
- Scalability. It will come as no surprise that your IT infrastructure differs from that of other organizations. You may be running systems that are strictly Linux, Windows, or OS X, or you may have a mix of operating systems. Maybe you have some older Unix technologies in house. Maybe you’re running a predecessor to Active Directory for your identity management solution. Whatever the environment, you should assess whether the FIM product you select can cover all or just some of your IT environment and whether that is sufficient for your requirements.
- Integration with Security Information and Event Management (SIEM) solutions. Sending alerts to a SIEM solution can enhance your security defense by enabling cross-correlation of an incident with other security alerts, helping to reduce false positives and to identify and prioritize real threats to your organization. In addition, some SIEM solutions offer log retention, enabling alert and event information to be stored for later forensics analysis of an incident or suspicious activity. This is important for meeting compliance objectives for change audit and log retention, such as required by regulations like PCI DSS.
- Integration with change management solutions. Since the purpose of FIM is to detect change and the purpose of change management is to manage change, it’s beneficial to coordinate these solution classes carefully to minimize the false positives that might otherwise come up. In addition, such integration can also help identify what change was made should any rollback be required.
- Cost. With today’s IT security budgets, understanding the costs associated with any solution is very important. Unfortunately, many commercial off-the-shelf (COTS) file integrity monitoring products can be very expensive and require a significant amount of time to roll out and manage. Alternatives include open source software solutions or investigation of all-in-one solutions that deliver FIM along with additional, critical security monitoring tools within the same package.
Determining the right plan for your IT security program
To be very clear - there is no solution that is the ‘silver bullet’ for IT security. While FIM is powerful and may be necessary to enable change audit and meet your compliance objectives, as with other security solutions, it can be circumvented. For instance, if a FIM solution only generates checksums at predictable intervals, files can be changed — and then changed back — in between those intervals (even in a matter of seconds or less), thus evading detection. Some FIM solutions, even when flagging a change, may lack detail about the timing or the specific nature of the change. It’s also possible for malware to fool FIM solutions in some cases by generating false replacement files that still have the correct checksum — a particularly tricky problem to recognize.
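To make the two caveats above concrete, and to show the kind of structured event that the SIEM-integration point in the selection list refers to, here is a small polling file-integrity monitor. It is an added example written for this post, not AlienVault or USM code, and it assumes a POSIX filesystem that maintains inode change time (ctime), as Linux and macOS do. It uses SHA-256 rather than a hash with known practical collisions, and it records inode number and ctime alongside the hash, so that a file modified and then restored between two polls still produces an event: the content matches the baseline, but the kernel-maintained ctime has moved. The `demo()` scenario, file names and host name are constructed for illustration.

```python
"""Polling file-integrity monitor: baseline, compare, emit SIEM-ready events.

Added example (not AlienVault/USM code). Assumes a POSIX filesystem that
maintains inode change time (ctime), which Linux and macOS do.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB chunks so large files are not loaded into RAM


def fingerprint(path: Path) -> dict:
    """Hash a file with SHA-256 and record the inode metadata a FIM needs."""
    digest = hashlib.sha256()  # collision-resistant; a fake file with a matching digest is infeasible
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    st = path.stat()
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": st.st_mode,
        "uid": st.st_uid,
        "inode": st.st_ino,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,  # updated by the kernel on any change; not settable from user space
    }


def baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: dict, new: dict) -> list:
    """Diff two baselines into a list of FIM events (plain dicts)."""
    events = []
    for rel in sorted(set(old) | set(new)):
        a, b = old.get(rel), new.get(rel)
        if b is None:
            events.append({"path": rel, "event": "deleted"})
        elif a is None:
            events.append({"path": rel, "event": "created", "sha256": b["sha256"]})
        elif a["sha256"] != b["sha256"]:
            events.append({"path": rel, "event": "modified",
                           "old_sha256": a["sha256"], "new_sha256": b["sha256"]})
        elif (a["mode"], a["uid"]) != (b["mode"], b["uid"]):
            events.append({"path": rel, "event": "attributes_changed"})  # chmod/chown also bump ctime, so test first
        elif a["inode"] != b["inode"] or a["ctime_ns"] != b["ctime_ns"]:
            # Content equals the baseline, yet the inode was rewritten or replaced
            # since the last poll: the file was changed and changed back between
            # scans. A checksum-only monitor reports nothing here.
            events.append({"path": rel, "event": "changed_and_reverted"})
    return events


def to_siem_lines(events: list, host: str) -> str:
    """Serialise events as newline-delimited JSON, ready to forward to a SIEM."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return "\n".join(
        json.dumps({"ts": stamp, "host": host, "source": "fim", **e}, sort_keys=True)
        for e in events
    )


def demo() -> list:
    """Constructed scenario: baseline three files, then revert, delete and create."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "old.conf").write_text("retired = yes\n")
        (root / "notes.txt").write_text("nothing changes here\n")
        before = baseline(root)

        time.sleep(1.1)  # exceed the 1 s timestamp granularity some filesystems still have
        hosts = root / "etc" / "hosts"
        original = hosts.read_bytes()
        hosts.write_bytes(original + b"# tampered\n")  # modify in place ...
        hosts.write_bytes(original)                    # ... and put the original bytes back
        (root / "etc" / "old.conf").unlink()
        (root / "dropped.bin").write_bytes(b"\x00" * 16)

        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(to_siem_lines(demo(), host="constructed-host"))
```

Running the module prints three JSON lines: `dropped.bin` created, `etc/hosts` changed and reverted, `etc/old.conf` deleted; `notes.txt` produces nothing. The reverted file is caught only because ctime and inode are part of the fingerprint; it is still a polling design, so a change that is made and undone within one poll window and without touching the inode would need an agent-based, real-time mechanism such as kernel file-change notifications rather than a longer fingerprint.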
The lesson here is that you should never rely on a single technology to protect your IT infrastructure. Rather, you should consider deploying multiple security layers across your IT infrastructure to increase the chances that you will either block or detect any attacks in progress.
One such solution that provides a multi-layered security protection is AlienVault Unified Security Management (USM), which incorporates five essential security capabilities – asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM log management – in a single, unified solution. Its intrusion detection capabilities include comprehensive FIM and host intrusion detection, providing assurance that applications and application data remain protected from malicious actors – both internal and external.
AlienVault Unified Security Management (USM) – An All-In-One Approach to Threat Detection and Response
Whether your IT infrastructure resides in your data center, a public cloud, a virtualized private cloud, or any combination of those, AlienVault offers two products to meet your needs:
- AlienVault USM Anywhere, our cloud-based, SaaS-delivered solution designed to monitor your on-premises, cloud, and hybrid cloud environments from the AlienVault Secure Cloud. Software-based sensors are deployed into your infrastructure (AWS, Azure, Hyper-V, and VMware) to find assets, discover vulnerabilities, detect intrusions, and collect data from your applications, systems, and devices. USM Anywhere performs threat detection and provides you the tools to respond to discovered incidents.
- AlienVault USM Appliance, our appliance-based solution is designed for organizations that require dedicated on-premises monitoring from their own data centers. A virtual or hardware-based USM Appliance server is deployed into your data center and hardware or software-based sensors are deployed into the rest of your infrastructure to provide the monitoring and data collection capabilities.
With both USM Anywhere and USM Appliance you get a single platform for simplified, accelerated threat detection, incident response, and policy compliance that delivers three core value propositions:
- Unified Security Management, providing simplified security with the following five essential security capabilities that give resource-constrained organizations all the security essentials they need within a single pane of glass:
  - Asset Discovery. Know who and what is connected to your IT environments at all times.
  - Vulnerability Assessment. Know where the vulnerabilities are on your assets to avoid easy exploitation and compromise.
  - Intrusion Detection. Monitor the traffic on physical, virtual, and cloud networks to identify suspicious or malicious activities in your environment.
  - Behavioral Monitoring. Identify suspicious behavior and potentially compromised systems.
  - SIEM and Log Management. Correlate and analyze security event data from across your network.
- Scaling Your Threat Detection and Response with Real-time Security Intelligence, ensuring that:
  - The AlienVault USM platform receives continuous threat intelligence updates with the latest intrusion detection rules, malware signatures, and more from the AlienVault Labs Security Research Team.
  - Security teams have the latest information on threats and available fixes and workarounds, virtually eliminating the time and resources that those teams would typically spend researching that information.
- Deployment to Detection in Minutes. AlienVault USM Appliance and AlienVault USM Anywhere are easy to deploy and use, protecting your IT infrastructure within minutes of starting.
File Integrity Monitoring with Host Intrusion Detection
With the AlienVault USM platform, you can deploy a lightweight agent to perform FIM as well as host-based intrusion detection of your Windows, Linux, and Unix systems and the applications and data that reside on them. This approach simplifies the implementation of FIM by using a single, multi-functional agent, rather than requiring you to install multiple single-purpose agents. In addition, all events and alerts are aggregated to one location, enabling you to monitor all your servers and assets via a single web-based console.
As soon as a change to a monitored file is detected, the USM platform triggers an alarm on the USM Anywhere or USM Appliance console, ready for triage and response by the security team. Even though these changes might not require a response, it’s important to monitor all activity to first determine a baseline and then detect any anomalies like policy violations or potential system compromise.
The implementation of host-based IDS and FIM with USM Anywhere and USM Appliance enables you to monitor all user activity on your critical systems. These events are forensically captured, processed, and correlated with other data to provide the necessary context you need for effective incident response.
Delivering a Complete Security Management Platform
As mentioned above, FIM and host intrusion detection are just a few of the capabilities that the AlienVault USM platform uses to protect your environment. With the ability to perform vulnerability scanning and behavioral monitoring, and to aggregate and correlate data from nearly every system and network device, it contains all the critical elements you need to secure your environment.
Helping you to identify, triage, and prioritize threats, AlienVault USM Anywhere and AlienVault USM Appliance deliver rich graphical dashboards to quickly identify deviations from operational baselines that require additional investigation.
Include File Integrity Monitoring as part of your Comprehensive IT Security Management Program
I hope that, through this blog series, you understand how FIM is a powerful security monitoring capability that should be (or, to meet compliance objectives, must be) part of the IT defense portfolio of any organization. That said, with the continually changing threat landscape and the speed and the many ways in which attacks can happen, file integrity monitoring should not be your only defense mechanism, but should be included as one security control within your unified approach to providing your organization optimal protection.
If you’re looking to implement FIM, or looking for a more comprehensive security monitoring solution, you should definitely put AlienVault on your shortlist. AlienVault USM Anywhere and AlienVault USM Appliance offer the benefits of File Integrity Monitoring in a unified platform that also delivers asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM and log management – all through a single, unified solution. Only with these five security essentials can organizations truly mitigate the IT security risk from today’s threats. With the AlienVault USM approach, along with the integrated real-time security intelligence, the effectiveness of the final solution is multiplied compared to deploying multiple point solutions to try to achieve the same effect – all at reasonable cost.