We hear a lot in the news today about how important it is to make sure that critical files have not been tampered with – whether it’s malware, hackers, or employees/contractors. If we can be alerted the moment critical system files and sensitive data files experience unauthorized changes, then we’ve gone a long way toward protecting the organization. This is the realm of File Integrity Monitoring, a critical tool in any IT security professional’s tool belt. In fact, so critical that once I got started on this topic, it got really long, so I’ve broken it up into a 3-part series. Over the next few weeks I’ll cover the basics of What Is File Integrity Monitoring, share some Best Practices in File Integrity Monitoring, and then dive into Open Source File Integrity Monitoring tools.
File Integrity Monitoring - A Powerful Technique
It may seem pretty basic to start off with “what is file integrity monitoring?”, but I find it’s best to make sure we’re all on the same page. And even if you’re familiar with the topic, it’s always handy to have a quick reference of all the different types and uses for file integrity monitoring.
So, what is file integrity monitoring? File integrity monitoring is one of the most powerful techniques used to secure IT infrastructures and business data against a wide variety of both known and unknown threats.
The premise is simple: if malware, hackers, or trusted insiders abusing their privileges are going to create a security breach, that breach won’t exist in a vacuum. Instead, it will generate changes in the infrastructure, such as changes to application files, operating system files, log files, etc. Once detected, these changes will reveal the breach. So the faster and more accurately such changes are detected and pinpointed — without generating too many false positives — the more secure the organization’s services and data will be.
Toward this end, file integrity monitoring solutions work by assessing fixed files (such as OS files) and generating a cryptographic checksum to represent them as a baseline. Then, they repeatedly recalculate a new checksum for the same resources, compare it to the baseline, and if they detect changes have occurred, generate a security alert.
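To make that baseline-and-recompare loop concrete, here is an added Python example; it is not code from the original post or from any particular FIM product. It snapshots a directory into a JSON baseline of SHA-256 digests plus ownership, mode and size, then diffs a later snapshot into added, removed and modified files, so permission changes are caught as well as content changes. The directory layout, file names and the tampering steps in demo() are constructed for illustration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Build a baseline: one record per regular file, keyed by path relative to root.
    Content hash plus owner/mode/size, so a chmod or chown is reported too."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope for this example
            records[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the three event classes a FIM tool alerts on."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = {k: (baseline[rel][k], current[rel][k])
                 for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(records: dict, dest: Path) -> None:
    dest.write_text(json.dumps(records, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline, then one edit, one chmod,
    one new file and one deletion, followed by the next scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0\n")
        (etc / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (etc / "motd").write_text("welcome\n")
        os.chmod(etc / "sudoers", 0o440)

        # The baseline should be stored off-host in practice; kept beside the tree here.
        baseline_path = root / "baseline.json"
        save_baseline(snapshot(etc), baseline_path)

        # Simulated tampering between the baseline and the next scan
        (etc / "passwd").write_text("root:x:0:0\nbackdoor:x:0:0\n")  # content change
        os.chmod(etc / "sudoers", 0o666)                            # permission change
        (etc / "cron.sh").write_text("#!/bin/sh\n")                 # new file
        (etc / "motd").unlink()                                      # deleted file

        return compare(load_baseline(baseline_path), snapshot(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real deployment would sign or store the baseline somewhere the monitored host cannot write, since an attacker who can edit the baseline can also hide any change.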
Hopefully that answers the question of “what is file integrity monitoring” – let’s explore a bit more who should use file integrity monitoring and what the different types of file integrity monitoring are.
Who Should Use File Integrity Monitoring?
The answer to that, frankly, is organizations of almost all kinds. The power of these solutions, combined with the increasing sophistication and diversity of modern threats, and the targeting of even small businesses, makes file integrity monitoring very compelling.
However, certain businesses in particular will find file integrity monitoring essential. These include:
- Businesses that face serious compliance requirements. Pertaining to file integrity monitoring, such requirements come in two classes — standards or regulations that explicitly demand file integrity monitoring (like PCI DSS) and those whose requirements are more abstract, but certainly imply file integrity monitoring (like Sarbanes-Oxley). In general, any time a standard or regulation states that data must be monitored or managed so as to ensure its integrity, file integrity monitoring solutions will likely be playing a substantial role in the process.
- Businesses that have a substantial on-premises IT infrastructure of any kind. This doesn’t just mean “enterprise,” usually defined as “organization with a thousand employees or more,” but can mean a mid-market business or even a small business. What matters is not the headcount, but the server count and the criticality of those servers to the business. Certainly any organization that owns and operates a data center would fall under this heading; the more servers, databases, configuration files, logs, etc., must be monitored, the stronger the case for file integrity monitoring will inevitably be.
- Businesses with highly sensitive data. Most IT professionals – and hopefully business professionals too! – consider data the lifeblood of the business. It is the fundamental resource used to fulfill all transactions, execute all services, carry out internal/external communications, and quantify the success or failure of business strategies. There’s no room for error in securing sensitive data.
- Cloud/PaaS/IaaS/SaaS providers. Security has historically been a primary concern for business leaders when they consider outsourcing services to a public cloud. File integrity monitoring solutions can help substantially to ease those concerns. If you don’t fall into one of the above categories because the business is entirely run off cloud/SaaS software – make sure each of your vendors is meeting your security and compliance needs in this area.
Challenges in File Integrity Monitoring
One particularly important consideration in deploying and using file integrity monitoring solutions is how well they’re integrated with change management.
Since the purpose of file integrity monitoring is to detect change, and the purpose of change management is to create change, it’s necessary to coordinate these solution classes carefully, to minimize the false positives that might otherwise come up.
The next is just sheer volume – the more people in the organization you talk to, the more files you will find that need monitoring. Today’s enterprise-class file integrity monitoring solutions can more than hold up to your needs here without impacting the performance of the systems whose files are monitored, but expect some initial tuning to filter out the noise.
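As an added illustration of that coordination with change management (not code from the original post), the Python below reconciles FIM events against approved change tickets: an event counts as expected only when a ticket covers its path, its event class and its time, and only the remaining events would be raised as alerts. The ticket numbers, paths, windows and timestamps are constructed; the field names on ChangeRecord are an assumed export format, not any particular ticketing system’s schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class ChangeRecord:
    """An approved change exported from the change-management system (constructed fields)."""
    ticket: str
    path_glob: str        # files the ticket authorises, e.g. "/etc/nginx/*"
    kinds: frozenset      # event classes the ticket expects: "added", "modified", "removed"
    start: datetime       # approved maintenance window, inclusive
    end: datetime


@dataclass(frozen=True)
class FimEvent:
    """One alert from the integrity monitor."""
    path: str
    kind: str
    seen_at: datetime


def explain(event: FimEvent, approvals: list) -> Optional[str]:
    """Return the ticket that accounts for an event, or None when no approved change does.
    All three conditions must hold: matching path, matching kind of change, inside the window."""
    for a in approvals:
        if (event.kind in a.kinds
                and fnmatch(event.path, a.path_glob)
                and a.start <= event.seen_at <= a.end):
            return a.ticket
    return None


def triage(events: list, approvals: list):
    """Split events into (expected, unexpected); only the latter should page anyone."""
    expected, unexpected = [], []
    for e in events:
        ticket = explain(e, approvals)
        if ticket:
            expected.append((e.path, e.kind, ticket))
        else:
            unexpected.append((e.path, e.kind))
    return expected, unexpected


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed data: one approved nginx change window and five FIM events.
APPROVALS = [
    ChangeRecord("CHG-1001", "/etc/nginx/*", frozenset({"added", "modified"}),
                 utc(2024, 3, 5, 2, 0), utc(2024, 3, 5, 4, 0)),
]
EVENTS = [
    FimEvent("/etc/nginx/nginx.conf", "modified", utc(2024, 3, 5, 2, 30)),     # in window
    FimEvent("/etc/nginx/conf.d/tls.conf", "added", utc(2024, 3, 5, 2, 41)),   # in window
    FimEvent("/etc/nginx/nginx.conf", "modified", utc(2024, 3, 5, 5, 10)),     # after window
    FimEvent("/etc/nginx/conf.d/old.conf", "removed", utc(2024, 3, 5, 2, 50)), # kind not approved
    FimEvent("/etc/passwd", "modified", utc(2024, 3, 5, 2, 45)),               # path not approved
]


def sample_triage():
    return triage(EVENTS, APPROVALS)


if __name__ == "__main__":
    expected, unexpected = sample_triage()
    for path, kind, ticket in expected:
        print(f"expected   {kind:9} {path} ({ticket})")
    for path, kind in unexpected:
        print(f"UNEXPECTED {kind:9} {path}")
```

Note that fnmatch’s `*` also matches path separators, so `/etc/nginx/*` covers subdirectories; tighten the glob if a ticket should authorise only one directory level.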
Variations on the File Integrity Monitoring Theme
Different file integrity monitoring solutions leverage different methodologies. Common distinctions include:
- Agented vs. agentless. Agented file integrity monitoring solutions leverage software agents installed on target systems. They usually yield the most powerful analyses, but also, of course, require the agents to be updated over time (a management headache). Agentless file integrity monitoring tools, on the other hand, get up and running very quickly because no agent is required, but the feature set and depth of functions is generally reduced and the analysis isn’t real-time (as it is with agented solutions). If you require the depth of an agent-based system, consider a unified approach that integrates multiple security functions into a single agent for a smaller footprint and less management effort.
- Standalone vs. HIDS. Some file integrity monitoring solutions integrate with, or are a part of, a host-based intrusion detection system (HIDS). HIDS capabilities are a superset of file integrity monitoring capabilities, as a rule, and can detect threats in areas other than files such as system memory (RAM) or I/O. Standalone file integrity monitoring generally means file analysis only.
No security solution is perfect, of course. File integrity monitoring solutions are no exception. For instance, if a file integrity monitoring solution only generates checksums at predictable intervals, files can be changed — and then changed back — in between those intervals, thus escaping detection. Some file integrity monitoring solutions, even when flagging a change, may lack detail about the timing or specific nature of the change. It’s also possible for malware to fool file integrity monitoring solutions in some cases by generating false replacement files that still have the correct checksum — a particularly tricky problem to recognize.
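The first of those weaknesses, a change made and reverted between two scheduled scans, can be narrowed with attributes the revert does not restore. The added Python example below (not from the original post) records a file’s inode number and change time (ctime) at baseline; after a simulated modify-and-revert, a content comparison reports nothing while the ctime comparison flags the file. The file name and contents are constructed. The sleep exists only so the timestamp differs even on filesystems with one-second granularity.

```python
import tempfile
import time
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content-free attributes that a modify-then-restore does not put back.
    ctime is set by the kernel on every write or metadata change and cannot be
    reset with utime(), unlike mtime."""
    st = path.stat()
    return {"ino": st.st_ino, "ctime_ns": st.st_ctime_ns, "size": st.st_size}


def content_changed(path: Path, baseline_bytes: bytes) -> bool:
    """What a hash-only scan sees: is the content different from the baseline?"""
    return path.read_bytes() != baseline_bytes


def metadata_changed(path: Path, baseline_fp: dict) -> bool:
    return fingerprint(path) != baseline_fp


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "app.conf"      # constructed file
        original = b"debug = false\n"
        target.write_bytes(original)
        base_fp = fingerprint(target)        # taken at the scheduled scan

        # Window between two scans: the file is altered and then put back.
        time.sleep(1.1)
        target.write_bytes(b"debug = true\n")
        target.write_bytes(original)

        # Next scheduled scan
        return {
            "content_check": content_changed(target, original),   # False: content is back
            "metadata_check": metadata_changed(target, base_fp),  # True: ctime moved on
        }


if __name__ == "__main__":
    print(demo())
```

This is a partial mitigation: an attacker with root can defeat it by adjusting the system clock or writing to the block device directly, which is why real-time (agent-based) monitoring, or shipping change events to a separate system as they happen, is the stronger answer to the interval problem. The last weakness in the paragraph above, a replacement file that keeps the same checksum, is addressed by using a collision-resistant hash such as SHA-256 rather than MD5 or SHA-1.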
Now that we’ve done a quick tour of “what is file integrity monitoring”, in the next blog entry, I’ll be discussing the best practices available to help businesses get the highest possible value from file integrity monitoring solutions.