File Integrity Monitoring: Non-Stop File Integrity Monitoring

Information security is now a mainstream requirement for organizations of all sizes and industries.

The range and variety of threats to your confidential data is not only vast but growing and evolving all the time. Firewalls and anti-virus protection have been sidelined, providing protection against only a fraction of today's threats to your information assets: zero-day threats, mutating malware, APTs (advanced persistent threats), coupled with phishing and insider threats, mean that your network and servers are exposed right now.

Overview

File Integrity Monitoring strengthens security in 4 key areas

Compliance

All governance, regulatory and compliance standards such as NIST 800-53, SOX, PCI DSS, NERC CIP, HIPAA, FedRAMP and DISA STIG mandate the need for cyber security controls. Maintaining system integrity is a key control for provably secure systems, as are vulnerability mitigation and malware protection. File Integrity Monitoring technology fulfils all requirements for all compliance standards, including the application of a Hardened Build Standard.

System Hardening / Vulnerability Management

The science of rendering servers, database systems, firewalls, EPOS systems and all other IT devices fundamentally secure is still the most effective - but often the most neglected - security best practice. Today's networked systems rely on inter-operation, ease of use and open access, all in direct opposition to system security. A Hardened System is one that has a 'locked down' configuration, removing all unnecessary function, access and other potential vulnerabilities that could be exploited by a hacker. The information security industry's authority on secure configuration guidance is the Center for Internet Security. CIS Benchmarks are the recommended hardened build standard for all security and compliance initiatives.

Breach Detection and Malware Protection

Zero Day Threats, by definition, are invisible to Anti-Virus systems. Trojans that masquerade as legitimate system files can be hidden in plain sight. Application backdoors, once embedded, will remain operational forever unless regular file integrity checks are run. Breach and intrusion detection requires forensic-level change detection for files, registry hives, service and process lists and other indicators such as open network ports.

Configuration Management and Change Control

The only constant in IT is the perpetual state of change. Patching, upgrades, new users, new sites and new applications all require changes to the network, servers and workstations. Any change may re-introduce vulnerabilities that contravene your organization's Hardened Build Standard, so continuous File Integrity Monitoring is essential for maintaining security.

Technology

What is Windows File Integrity Monitoring?

File Integrity Monitoring ensures no unauthorized changes are made to files, folders or configuration settings by monitoring the integrity of the computer file system.

What should it cover?

The monitoring approach needs to cover all file and folder attributes, including the file or folder properties (and in particular the security and permissions) as well as the file contents or composition. Enterprise Windows File Integrity monitoring solutions should use a cryptographic hash value, calculated for each file, to detect changes. This provides a unique 'DNA fingerprint' for each file, generated using a secure hash algorithm such as MD5, SHA1, SHA256 or SHA512, and provides a means by which even a minute change to a file will be detected.

It is also necessary to monitor Windows Registry hives, keys and values as Windows configuration settings are controlled via Registry entries. In this way, all significant configuration attributes can be audited for compliance and tracked for changes – installed updates and programs, local user accounts, and the local security and audit policies, which cover everything from the screensaver being used through BitLocker and Windows Firewall settings.

Why is it important?

Several reasons – security, compliance, data protection and change control.

Security:

Any change to a system file could be the result of a malware infection, for example Trojan malware replacing legitimate system files. Security breaches will also leave other clues, such as registry changes and changes to services, with new DLL and other system files being created. By detecting and reporting any of these irregular changes, file integrity monitoring provides a Windows HIDS (host intrusion detection system) function.

Compliance:

To maintain operational and access security, for example by tracking special Windows configuration files such as the registry and security policy. Password policy and user rights/permissions (for example Remote Desktop or remote network share access) are all controlled via settings in the registry and local security policy. In other words, file integrity monitoring for Windows tracks configuration drift and helps enforce a hardened build standard.

However, for compliance, FIM goes further and can be used to analyze configuration settings and ensure that cyber security vulnerabilities have been mitigated from the host.

All governance, regulatory and compliance standards like NIST 800-53, SOX, PCI DSS, NERC CIP mandate the need for a hardened build standard and breach detection, for example, using the CIS Benchmark for Windows or NIST resources. All Windows versions are catered for including Server 2012, Windows 8.1, Windows 7, 2008R2, Vista, XP and 2003.

Data Protection:

Windows FIM can also show who has accessed or changed files, useful for data protection audit trail purposes.

Change Control:

By tracking file and configuration changes, change control is reinforced by providing a 'closed loop' of change approval, followed by implementation, followed by change detection and change quality assurance.

How does Windows File Integrity Monitoring work?

The principal means of operation is to establish an initial inventory of files to be monitored, including all metadata such as

- Name and Path

- Size/Length

- Attributes, Audit and Security

- Created and File Write dates

- Cryptographic Hash Value

In addition, the file contents may be tracked, which allows the details of the actual changes made to a text-based configuration file to be exposed. This is not always practical: binary file content changes cannot be usefully reported, and even for human-interpretable file types, the contents may be impractical to track if the file is too large. By contrast, tracking metadata and a hash value gives an infallible means of detecting changes in a highly consistent manner regardless of the file type or size.

Traditional file integrity monitoring solutions such as Tripwire work on a file system baseline being established, comprising all file metadata and hash values, against which subsequent updated baselines are compared, allowing any changes to be detected. This is a host resource-intensive operation and only allows changes to be detected daily or weekly.

Alternatively, modern file integrity solutions like NNT Change Tracker work from an initial, one-time baseline against which changes-only are detected using a continuous, real-time FIM agent resident on the host. Agent-based file integrity monitoring for Windows not only provides real-time, instantaneous detection of malware and breach activity, but a substantially gentler FIM technology in terms of host resource requirements, only using resources when changes need to be assessed, for just those files that have changed without needing a repeated full inventory/baseline process to be run.

How does Windows FIM detect zero day malware?

In order to detect a Trojan replacement, including zero day malware that signature-based Anti-Virus systems will miss, it is necessary to track file integrity using a cryptographic hash value for each file.

This approach means that even the slightest change to a file's composition will result in a large change to the hash value. Tracking Windows file integrity using hash values covers any file type: not only binary files like .exe, .dll, .sys and .drv, but also any other file type, including zipped archive files (for example, archived log files) or text-based configuration files (for example, XML, .aspx or .js files).
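The baseline-and-compare cycle described in the two sections above, as an added example (not NNT Change Tracker's code): it records metadata and a hash per file, then reports added, removed and changed files. The scenario in `demo()` is constructed: a 'system binary' is swapped for a same-size replacement with its write time put back, so only the hash reveals it. SHA-256 is used here because MD5 and SHA-1 are no longer collision resistant.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, asdict
from typing import Dict

# Added example, not NNT's code: one-time baseline of file metadata plus a
# cryptographic hash, and a compare step reporting exactly what changed.

@dataclass(frozen=True)
class FileRecord:
    path: str       # path relative to the monitored root
    size: int
    mode: int       # permission bits only
    mtime_ns: int   # last write time
    sha256: str     # content fingerprint

def hash_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root: str) -> Dict[str, FileRecord]:
    """Baseline: one record per file under root."""
    records: Dict[str, FileRecord] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            records[rel] = FileRecord(rel, st.st_size, stat.S_IMODE(st.st_mode),
                                      st.st_mtime_ns, hash_file(full))
    return records

def compare(baseline: Dict[str, FileRecord], current: Dict[str, FileRecord]) -> dict:
    """Classify differences as added, removed, or changed (with the fields that differ)."""
    changes = {"added": sorted(set(current) - set(baseline)),
               "removed": sorted(set(baseline) - set(current)),
               "changed": {}}
    for rel in sorted(set(baseline) & set(current)):
        before, after = asdict(baseline[rel]), asdict(current[rel])
        fields = [k for k in before if before[k] != after[k]]
        if fields:
            changes["changed"][rel] = fields
    return changes

ORIGINAL = b"MZ-original-payload"   # constructed stand-in for a system binary
REPLACED = b"MZ-replaced-payload"   # same length, different content

def demo() -> dict:
    """Constructed scenario: a 'system binary' is swapped for a same-size file with
    its write time restored, a log grows, one file is dropped and one removed."""
    with tempfile.TemporaryDirectory() as root:
        binary = os.path.join(root, "svchost.exe")
        with open(binary, "wb") as f:
            f.write(ORIGINAL)
        with open(os.path.join(root, "app.log"), "w") as f:
            f.write("service started\n")
        with open(os.path.join(root, "old.dll"), "wb") as f:
            f.write(b"retired library")
        baseline = inventory(root)

        st = os.stat(binary)
        with open(binary, "wb") as f:
            f.write(REPLACED)                                   # size unchanged
        os.utime(binary, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp put back
        with open(os.path.join(root, "app.log"), "a") as f:
            f.write("user logon\n")                             # expected, noisy change
        os.remove(os.path.join(root, "old.dll"))
        with open(os.path.join(root, "dropper.dll"), "wb") as f:
            f.write(b"new unexpected library")
        return compare(baseline, inventory(root))
```

Size and timestamp alone would have missed the replaced binary; the hash field is the only one that differs for it.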

Which Windows files and folders should be tracked?

On a Windows system, file integrity monitoring should be applied to at least the Program Files, Program Files (x86), System32 and SysWOW64 folders (operating system files: exe, driver and DLL files). Applying FIM to the entire Windows system directory, C:\Windows, is also a legitimate approach, but as ever, the broader the reach of the monitoring net, the more false positives will need to be managed.

To this end, it will then be necessary to exclude any files that are known and expected to change regularly, such as live log and database files, for example C:\Windows\Logs. This ensures that the 'noise' from regular activity is removed, providing focus on irregular, unexpected changes.

A good Windows FIM tool will allow filters to be applied by file type/extension or through pattern matches based on regular expressions to fully/partially match a file/folder name, both for inclusion and exclusion of files for monitoring.

Likewise for the Registry – the registry comprises millions of values, many of which change frequently during regular operation of the Windows server. Similarly 'fine-grain' inclusion/exclusion configuration for registry file integrity monitoring is essential in order to provide a low maintenance but forensically precise FIM solution.

Agent-Based or Agentless? Which is better for Windows FIM?

Quick summary: Agent-based FIM for Windows will give a more powerful solution, but Agentless FIM for Windows will be simpler to install.

Agentless FIM will not require any files to be deployed to, nor any programs to be installed on, the end-points. An agentless FIM operation will employ some form of 'dissolvable' agent used in conjunction with a scripted PSExec-type interaction with the host. In other words, a temporary, transient binary is copied over to the host which is used to generate hash values of files. The baseline database and 'diff' functions are performed back at the Agentless FIM appliance, so the process can often be resource-intensive, both for the network and the host under test.

Conversely, as described in the earlier 'How does Windows File Integrity Monitoring work?' section, using an intelligent locally run Agent for Windows FIM is considerably more efficient, working from a one-time baseline operation.

Agent-based FIM also has two other major advantages - firstly, the breach detection can be performed in real-time, reporting file changes seconds after they have been made. Secondly, the Agent can augment the file change information with kernel-sourced intelligence, such as 'Who Made the Change?' and 'Which process was used?', making investigations easier and faster.

The best Windows File Integrity Monitoring solutions provide both Agent-based and Agentless options, allowing full freedom of choice and deployment flexibility.

How often should Windows File Integrity checks be made?

Security compliance standards such as the PCI DSS mandate weekly file integrity checks. However, this weekly period was not chosen because it is sufficiently frequent to prevent a serious data security breach; it isn't.

In fact, the weekly period was derived more as a compromise between the need for frequent FIM checks being balanced against the (traditionally) high resource loads placed on a server during the repeated inventory or baseline process as discussed earlier.

However, with security breaches being so potentially damaging within days or even hours, the need for prompt detection is paramount, therefore any delay to detection may prove costly.

Real-time file integrity monitoring, with continuous detection should be the minimum level of expectation in order to counteract contemporary cyber security threats.

What is Linux/Unix File Integrity Monitoring?

What should it cover?

Similar to Windows FIM, all file and folder attributes, including the file or folder properties, need to be tracked for changes, and in particular the file/folder security and permissions: groups and types, the setgid and setuid bits, and the sticky bit.

Given that most Linux configuration settings reside in text-based configuration files, change tracking for file contents or composition changes is vital.

File Integrity monitoring solutions for Enterprise Linux hosts should use a cryptographic hash value, calculated for each file, to detect changes. A hash value provides a unique 'DNA fingerprint' for each file and because secure hash algorithms - such as MD5, SHA1, SHA256 or SHA512 – produce a substantially different hash value for microscopic file changes, this guarantees that even a minute change to a file will be exposed.

Why is it important?

Several key drivers warrant the requirement for FIM: security, compliance and change control.

Security:

System files should only change when planned and required patches or updates are applied. Any unexpected change to a system file could be due to Trojan malware replacing legitimate system files, or a backdoor being implanted into a system binary. Linux security is controlled by the various configuration files, for example

/etc/sysctl.conf – kernel control file, used to mitigate a number of exploitable vulnerabilities arising from networking functions and post-boot run-states

/etc/passwd and /etc/shadow – control user permissions and govern the protection afforded by user credentials

/etc/ssh/sshd_config – controls security settings associated with SSH user sessions

Note: A full list of Linux security files to track is built into Change Tracker as a configuration monitoring template. Any tampering with these files could result in weakened security, rendering the host more vulnerable to attack, but could also provide key indicators of hacker activity. In this way, file integrity monitoring provides a vital HIDS (host intrusion detection system) function.

Compliance:

GRC (Governance, Risk Management, and Compliance) policies mandate the need for a hardened build standard. Reducing the attack surface of a Linux or Unix system requires known vulnerabilities to be mitigated through adoption of secure configuration settings.

For example, correct configuration of the host TCP wrappers (/etc/hosts.allow and /etc/hosts.deny) controls access to the host, directly reducing the attack surface.

FIM technology not only detects changes when secure configuration settings are tampered with, but can also analyze configuration settings and ensure that cyber security vulnerabilities have been mitigated from the host.

All governance, regulatory and compliance standards like NIST 800-53, SOX, PCI DSS, NERC CIP mandate the need for a hardened build standard and breach detection, for example, using the CIS Benchmarks for RHEL, CentOS, Ubuntu and other Linux platforms like SUSE, while for Unix, CIS Benchmarks also exist for Solaris, AIX and HP/UX.

Change Control:

By tracking file and configuration changes, change control is reinforced by providing a 'closed loop' of change approval, followed by implementation, followed by change detection and change quality assurance. Maintaining a hardened, vulnerability-minimized build standard while undertaking regular operational changes requires careful planning, but also the safety net of continuous compliance checking which a real-time FIM solution can provide. Finally, without change control discipline, there is no way to distinguish between planned and unplanned changes, leaving a state of 'change management anarchy' where breach activity can hide in plain sight with no practical means of distinguishing it from desired changes.

NNT Change Tracker has revolutionized this area by providing Closed-Loop, Intelligent Change Control: expected changes can be pre-approved as planned changes, leaving just unexpected changes for review. Whether these unexpected changes are merely unwanted or actually more serious breach activity will only be known after review, but with Closed-Loop Intelligent Change Control removing all planned change 'noise', they will at least be clearly highlighted for attention.

How does Linux/Unix File Integrity Monitoring work?

The principal means of operation is to establish an initial inventory of files to be monitored, including all metadata such as

- Name and Path

- Size/Length

- Security and Permissions: groups and types, the setgid and setuid bits, and the sticky bit

- Created and File Write dates

- Cryptographic Hash Value

Especially important in the Linux/Unix world is tracking content changes in any text-based configuration files that govern security and application operation. It is much more useful to show a 'before and after' view of the file, exposing the details of the actual changes made, than to just report that a change has been made.

Basic file integrity monitoring solutions such as those from SIEM and Vulnerability Scanner vendors work on a file system baseline being established, comprising all file metadata and hash values, against which subsequent updated baselines are compared, allowing any changes to be detected. This repeated re-baselining is a host resource-intensive operation, and therefore the compare will typically only be run once a day at most, meaning that changes are then only detected daily or weekly.

Alternatively, modern file integrity solutions like NNT Change Tracker work from an initial, one-time baseline against which changes-only are detected using a continuous, real-time FIM agent resident on the host. Agent-based file integrity monitoring for Linux/Unix hosts not only provides real-time, instantaneous detection of malware and breach activity, but a substantially gentler FIM technology in terms of host resource requirements, only using resources when changes need to be assessed, for just those files that have changed without needing a repeated full inventory/baseline process to be run.
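The 'before and after' view of a text configuration file described above, combined with the compliance check mentioned under Compliance (does a changed directive leave the hardened build standard?), as an added example that is not NNT Change Tracker's code. The sshd_config samples and the HARDENED_SSHD expectations are constructed for illustration, not an excerpt from any CIS Benchmark.

```python
import difflib
from typing import Dict, Optional, Tuple

# Added example, not NNT's code. HARDENED_SSHD is a constructed sample of
# common sshd hardening values used as the expected build standard.
HARDENED_SSHD: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value. sshd honours the first occurrence of a keyword, so later
    duplicates are ignored here too (Match blocks are not modelled)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings

def unified_diff(before: str, after: str, name: str) -> str:
    """The 'before and after' view of the file contents."""
    return "".join(difflib.unified_diff(before.splitlines(True), after.splitlines(True),
                                        f"{name} (baseline)", f"{name} (current)"))

def assess_change(before: str, after: str) -> Dict[str, Tuple[Optional[str], Optional[str], str]]:
    """Changed directives as {keyword: (old, new, verdict)}. verdict is 'weakened' when a
    value leaves the hardened expectation, 'restored' when it returns to it, else 'changed'."""
    old_cfg, new_cfg = parse_sshd_config(before), parse_sshd_config(after)
    result: Dict[str, Tuple[Optional[str], Optional[str], str]] = {}
    for key in sorted(set(old_cfg) | set(new_cfg)):
        old, new = old_cfg.get(key), new_cfg.get(key)
        if old == new:
            continue
        expected = HARDENED_SSHD.get(key)
        if expected is None:
            verdict = "changed"          # not part of the hardened expectation
        elif new == expected:
            verdict = "restored"
        elif old == expected:
            verdict = "weakened"         # also covers the directive being deleted
        else:
            verdict = "changed"
        result[key] = (old, new, verdict)
    return result

# Constructed sample files
BASELINE = """# sshd_config (constructed sample, baseline)
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""
CURRENT = """# sshd_config (constructed sample, after an unexpected edit)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
AllowTcpForwarding yes
"""

if __name__ == "__main__":
    print(unified_diff(BASELINE, CURRENT, "/etc/ssh/sshd_config"))
    for key, (old, new, verdict) in assess_change(BASELINE, CURRENT).items():
        print(f"{key}: {old!r} -> {new!r} [{verdict}]")
```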

How does Linux/Unix FIM detect zero day malware?

In order to detect a Trojan or backdoor replacement, including zero day malware that signature-based Anti-Virus systems will miss, it is necessary to track file integrity using a cryptographic hash value for each file. Even contemporary sandbox-based technology can easily be bypassed using 'sleeper' APT that only becomes active after a delayed period of time designed to outwit the sandbox execution simulations.

Tracking Linux/Unix file integrity using hash values covers any file type: not only binary program files and libraries, but also any other file type, including zipped archive files (for example, archived log files) or text-based configuration files (for example, .conf, .xml, .aspx or .js files).

Which Linux/Unix files and folders should be tracked?

On a Linux/Unix system, file integrity monitoring should be applied to at least the core operating system files on the /etc path and standard paths for libs and binaries. Depending on your corporate build standards for 3rd party program files, other standard paths like /opt should be tracked too.

Within any of these locations, aside from those files that are expected to remain constant and unchanged, there will also be a number of files that will change during regular system operation. Examples include log files and database files, but there are also a variety of temporary files, for example pre-link files, that will also be seen to change. Therefore it is essential that the Linux/Unix FIM solution allows for very precise inclusion and exclusion rules. This ensures that the 'noise' from regular activity is removed, providing focus on irregular, unexpected changes.

The best Linux FIM tools will allow filters to be applied by file type/extension or through pattern matches based on regular expressions to fully/partially match a file/folder name, both for inclusion and exclusion of files for monitoring.
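The inclusion/exclusion filtering described here and in the corresponding Windows section ('Which Windows files and folders should be tracked?'), as an added example that is not NNT Change Tracker's code. A path is monitored when it matches at least one include rule and no exclude rule; rules are regular expressions applied to a slash-normalised path, case-insensitive for Windows and case-sensitive for Linux. Both rule sets are constructed samples, not a recommended policy.

```python
import re
from typing import Dict, List, Optional, Pattern, Sequence

# Added example, not NNT's code: regex-based include/exclude rules for FIM.

class MonitorPolicy:
    def __init__(self, includes: Sequence[str], excludes: Sequence[str],
                 case_sensitive: bool) -> None:
        flags = 0 if case_sensitive else re.IGNORECASE
        self.includes = [re.compile(p, flags) for p in includes]
        self.excludes = [re.compile(p, flags) for p in excludes]

    @staticmethod
    def normalise(path: str) -> str:
        return path.replace("\\", "/")      # one separator style for both platforms

    def matching_rule(self, rules: List[Pattern], path: str) -> Optional[str]:
        """Pattern of the first rule that matches, or None."""
        norm = self.normalise(path)
        for rule in rules:
            if rule.search(norm):
                return rule.pattern
        return None

    def is_monitored(self, path: str) -> bool:
        if self.matching_rule(self.includes, path) is None:
            return False                    # outside the monitored set entirely
        return self.matching_rule(self.excludes, path) is None

    def explain(self, path: str) -> str:
        """Why a path is or is not monitored; useful when tuning noisy rule sets."""
        inc = self.matching_rule(self.includes, path)
        if inc is None:
            return "not included"
        exc = self.matching_rule(self.excludes, path)
        return f"excluded by {exc}" if exc else f"included by {inc}"

# Constructed sample policies (hypothetical, not a vendor template)
WINDOWS_POLICY = MonitorPolicy(
    includes=[r"^C:/Windows/", r"^C:/Program Files( \(x86\))?/"],
    excludes=[r"^C:/Windows/Logs/", r"^C:/Windows/Temp/", r"\.(log|etl|tmp)$"],
    case_sensitive=False,
)
LINUX_POLICY = MonitorPolicy(
    includes=[r"^/etc/", r"^/(usr/)?(s?bin|lib(64)?)/", r"^/opt/"],
    excludes=[r"^/etc/prelink\.cache$", r"\.(log|lock|pid)$"],
    case_sensitive=True,
)

def classify(policy: MonitorPolicy, paths: Sequence[str]) -> Dict[str, bool]:
    """Map each path to whether the policy would monitor it."""
    return {p: policy.is_monitored(p) for p in paths}
```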

Agent-Based or Agentless? Which is better for Linux/Unix FIM?

Quick summary: Agent-based FIM for Linux/Unix will give a more powerful solution, but Agentless FIM for Linux/Unix will be simpler to install.

Agentless FIM will not require any files to be deployed to, nor any programs to be installed on, the end-points. An agentless FIM operation will employ some form of 'dissolvable' agent used in conjunction with a scripted SSH interaction with the host. In other words, a temporary, transient binary is copied over to the host which is used to generate hash values of files. The baseline database and 'diff' functions are performed back at the Agentless FIM appliance, so the process can often be resource-intensive, both for the network and the host under test.

Conversely, as described in the earlier 'How does Linux/Unix File Integrity Monitoring work?' section, using an intelligent locally run Agent for Linux/Unix FIM is considerably more efficient, working from a one-time baseline operation.

Agent-based FIM also has another major advantage in that the change/breach detection can be performed in real-time, reporting file changes seconds after they have been made.

The best Linux/Unix File Integrity Monitoring solutions provide both Agent-based and Agentless options, allowing full freedom of choice and deployment flexibility.

How often should Linux/Unix File Integrity checks be made?

Security compliance standards such as the PCI DSS mandate weekly file integrity checks. However, this weekly period was not chosen because it is sufficiently frequent to prevent a serious data security breach; it isn't.

In fact, the weekly period was derived more as a compromise between the need for frequent FIM checks being balanced against the (traditionally) high resource loads placed on a server during the repeated inventory or baseline process as discussed earlier.

However, with security breaches being so potentially damaging within days or even hours, the need for prompt detection is paramount, therefore any delay to detection may prove costly.

Real-time file integrity monitoring, with continuous detection should be the minimum level of expectation in order to counteract contemporary cyber security threats.

And the number one solution that delivers all the key security and compliance benefits of file integrity monitoring is NNT Change Tracker™: Easiest To Use, Most Fully Featured, Most Affordable.