Video: Data Protection and The Art of Layered Security
The Contemporary Cyber-Threatscape
Your organization is under attack right now.
The range of techniques and battlefronts is bigger than ever and while Cyber Security incidents being in the headlines isn't new, this year has been unprecedented in terms of headlines in the mainstream press.
- The number of new malware samples identified each year exceeds 25 million and this number is increasing by over 20% each year. With phishing attacks on the increase too, how will Anti Virus Systems ever keep pace?
- Hacktivist groups, using cyber-attacks against government and corporate targets are a new phenomenon, looking to cause disruption to any target they see as a cause celebre. Threatened cyber attacks are a common corporate blackmail weapon employed by organised crime, and as such, more companies will be exposed to this type of highly organised attack.
- But the more common issue for any organization is the Insider Threat. What defences do you have against a trusted employee gone rogue. One with the privileges to access business critical systems. This could be a simple malicious revenge attack by a disgruntled ex-employee, or someone duped or coerced into assisting criminal activity.
- And then we have the Advanced Persistent Threat or APT. So far the APT has largely been viewed as Government sponsored cyber-espionage. However the leading edge of technology usually becomes the norm a year later, so expect to see APT techniques reach the mainstream and be exploited by business competitors undertaking industrial-espionage for intellectual property theft.
So despite our defenses being better than ever before, all automated security technologies still suffer with security blind spots. Signature based technologies will always be prone to zero day threats, while phishing attacks will always catch enough suckers. We aren't saying that Anti Virus technology and firewalls are of no use, but it is time to recognise they will never be fully effective against all cyber threats, especially the inside man scenario or the more elaborate APT attack.
File Integrity Monitoring – At The Core of A Layered Security Strategy
The NNT view is that there is an art to delivering effective security. By recognizing there will always be gaps in modern automated security defenses, it becomes clear that there is an essential need for fundamental security measures. File Integrity Monitoring, combined with best practice processes in device hardening and change management, are the only way to maintain truly secure systems.
NNT Change Tracker provides protection against threats by ensuring all security best practise measures are in place at all times. If any weakening of defences is detected, these will be clearly identified, including any changes to system files and significant configuration settings.
Compliance Dashboard – How Vulnerable Is My Estate?
New for Change Tracker Version 5.5 is the Compliance Dashboard – this shows at a glance whether devices are within compliance for your hardened build standard. A hardened build should be derived for all devices in your estate to provide a fundamentally secure platform.
Change Tracker audits device configuration settings against a range of pre-defined hardened checklists and a simple percentage score returned. NNT provide a range of default checklists for different standards based on manufacturer best practice guidelines and recognised authorities such as NIST and CIS.
System hardening is always a balance between the requirements for operational performance and the demands for maximising security. In this example for a Windows device, the Change Tracker report checks the password policy, registry settings, and audit and security policy. The report will also check for the existence of 'must have' services, and that all unnecessary services have been disabled or set correctly.
Report checklists are applied to all configuration attributes that affect security and NNT will work with you to refine an optimized checklists for your systems in your environment. New for Version 5.5 are a greater range of checklists, including Cisco devices – switches, routers and ASA firewalls, and reports for hardening Linux and Unix variants, including Ubuntu, CentOS, RedHat and Solaris.
FIM and Breach Detection
Configuration Drift And The Hardened Build-Standard
Once systems have been hardened it is essential to maintain this configured state – the Change Tracker Changes Dashboard serves as a visual check for whether any config changes have been made – these should be minimal and only when essential. The Dashboard records changes as either Planned or Unplanned. Where changes need to be made, either for system enhancements or maintenance they should be approved in advance and entered into the system as a Planned Change.
With Change Tracker this process is made simple and is ideal if you are an organisation just getting to grips with the adoption of Change Management processes. For more mature organisations we offer an API to integrate Change Tracker with your existing Service desk or Change Management system.
Simply enter the type of changes expected, the reference for the Planned Change and any description of the changes intended. Change Tracker's Closed Loop Change Management operation means that any changes made will be recorded and reconciled with the Planned Change Record. We then fix a start time and duration – just 5 minutes for this quick demo change.
All Planned Changes are recorded in the Planned Changes repository – here's the one I just added. It goes against my login ID as I entered it – Change Tracker offers controlled, Role Based access so some organisations choose to appoint one user as 'Change Approver' while others distribute authority to create Planned Changes to all system admins.
During a Planned Change window, all changes for tagged devices are recorded and assigned to the Planned Change record, but Change Tracker actually co-ordinates the whole process. As the Planned Change window opens, an entry is recorded as an event for the devices concerned and this is communicated to the assigned engineer via email. It's a useful reminder that scheduled work is required to start now.
Change Tracker is easily powerful enough to track all changes to all system attributes and file system changes, however it is more usual to assign a configuration policy to devices specifying which attributes need to be tracked. Let's take a look at the policy for the device specified for the Planned Change – this is stored as a template so it can be edited and saved then applied to groups of similar devices.
File Integrity Monitoring Templates for Windows
Let's take a look at the File Integrity parameters. This is a typical profile for a Windows server – there are specified paths to be tracked, such as the SysWOW64 folders, the System32 paths and in this case, the Program files folders and the IIS website folders. Change Tracker intelligently applies a series of rules and filters to the tracking required – we may choose to track all changes to files and folders, but more usually we will want to filter changes so we only see changes to files that qualify as system files, such as executables, dlls and driver files. Alternatively this web files filter includes java and asp net file types, but you can define additional filter groups for your applications preferences. We mainly want to exclude files which change frequently such as log files and databases – we expect these to change so we learn nothing when they do, whereas system or program files should only change when we apply patches or updates and the filter helps to remove any non-useful changes.
There is a further option to explicitly exclude named files or paths, and for high security environments, options for generating a unique secure hash for each file and to enable live tracking for changes. The hash option allows us to detect Trojan malware trying to masquerade as legitimate system files, while Live Tracking ensures changes are alerted in real-time, as when a breach occurs time is of the essence in limiting any damage caused.
File Integrity Monitoring Templates for Linux and Unix
Agentless and Agent-based FIM
For Linux and Unix systems there are options for agent-powered and Agentless FIM as well as a File Contents tracker for text-based configuration file change tracking. Similar options apply – specify a path to track, any files or types to exclude and whether subfolders should be tracked. Change Tracker includes pre-defined templates for all significant security files governing system access, operation, password policies and so on. The Agentless FIM Over the LAN tracker works neatly in conjunction with the File Contents tracker – FIM Over the LAN tracks file attributes only so is a 'light touch' tracker but if it detects a change, it can trigger the more detailed Contents Tracker to run to show exactly what changed within the file.
We need to make our Planned Change as the Change Window is nearly up – I have RDPed onto the target system for the change which in this case is going to be a change to a key system file in the System32 path. But I am going to copy in a pre-built Trojan file – I am going to use the cover of the Planned Change to make an Insider change. In this case the file sizes are different but I will always see a difference in the file secure hash value even if the files were manipulated to make them look the same. Note that I am logged under my Admin account which gave me the rights to change a core system file. Once the Planned Change finishes all the changes detected are recorded against the record and it is neatly presented in a single screen making it very easy to review. Good change management relies on system governance so a QA Testing or Post Implementation Review Phase should always be in place to ensure even Planned Changes are good changes, executed as expected.
The details of the exact changes detected are presented clearly – the file change detected and its associated attributes are exposed, and crucially, the name of the user who made the change are also recorded. If this was a Trojan added by a stealthy insider they would still be caught.
Similarly for Linux or Unix file changes, the same Planned Change record presentation is used, exposing all changes made. Here I get three changes recorded, just because I am using the three different FIM options available for Linux – Agentless and agent-based FIM, plus the File Contents tracker option in this case as the changes affected a text based Message of the Day banner. Note the change says it was Reconciled Retrospectively – we'll see how this works in a moment.
FIM for File Contents Changes – Linux Config File Change Tracking
The File Contents tracker shows a side by side, before and after view of the file changes detected to make it easy to see exactly what changes were made and in fact the whole design philosophy behind Change Tracker is to make security best practices easy to implement for maximum benefit.
For example, the same at a glance, before and after view of the change we just examined in the Planned Change Record is used for email alerts too. In the same email is an example of the presentation of the same change detected by the Linux FIM tracker – the headline is that there has been a change to an existing file and the file affected is detailed along with its key attributes.
Similarly if we make another file change to our demo Windows Server as we did earlier, this will be detected using Change Trackers Live Tracking function. This means changes are detected and alerted in real-time as you can see here. If I make the change then refresh email, the change is reported within a minute or so – of course, neatly summarized again for easy analysis and with the perpetrators name exposed.
Or if you prefer to work from the Changes Dashboard, this will highlight that a new, unplanned change has been detected – drill down through the pie chart to see change details and the full change record.
Scheduled FIM Reports By Email
Vulnerability Assessment Reports by EmailThe other emails in my Inbox have been generated by Change Tracker – I get a full audit trail of Planned Changes in progress – useful if you schedule a planned change window and like to have a reminder or as a means of providing visibility of changes in progress to the rest of the team. And when the planned change windows ends, I also get a summary of changes recorded.
Likewise I can get a scheduled email summary of my estates hardened status – similar to the Compliance Dashboard output we saw at the start of the video. Any devices not 100% compliant are highlighted and the remediation steps required summarised in an email attachment – our research shows email is the most effective way to provide compliance updates to users and so maximises the usefulness of the Change Tracker system – it is designed to tell you what you need to know, when you need it.
Change Tracker also allows you to schedule delivery of FIM Summary reports via email along with Hardening Report scans and overall event activity summary reports.
NNT make it easy to manage compliance and we'd welcome the opportunity to help you with your security and compliance projects – please visit www.nntws.com where you can see case studies, whitepapers and request pricing or a free trial – just follow the links and register details. Thank you for your time today.