File Integrity Monitoring Software

Slow and Stealthy

Whether due to complacency or naivety, the vast majority of organisations have failed to adapt security processes and procedures to reflect the changing threat landscape. From the Chinese hackers gaining access to valuable Intellectual Property to the Russian gangs recently exposed for a $500m fraud, the attack model today is a world away from the loud mouthed internet vandal that used to dominate the headlines.

Today’s attacks are carried out by groups, rather than individuals; are designed to steal valuable data – and leave no trace. And these organisations are patient. A recent analysis of Advanced Persistent Threat (APT) incidents by Mandiant revealed the average period over which the attackers controlled the victim's network was one year, with the longest almost five years. And these breaches are not just bypassing the AV software: growing numbers of APTs are actually inside jobs, with authorised users introducing key logger software or malware directly to systems via USB. Throw in social engineering and irresistibly tempting phishing emails and there are simply too many ways to side-step traditional defences and infiltrate the business.

Given the growing awareness of the trend towards the APT, why are so many organisations persisting on relying upon securing the perimeter solely via AV and firewall – with many even acknowledging that the approach is probably ‘secure enough’? It’s not.

New Reality

To be frank, AV was never enough, even in the days when the threat landscape was dominated by the attention seeking big virus or malware creator. AV has to be updated daily in response to the new threats that have emerged – by default, during that time the business is at risk of infection. AV cannot address the zero day, or zero hour, threat until it has been identified, quarantined and an antidote created.

This model was flawed when the majority of viruses were noisy and high profile. In today’s threat landscape, viruses and malware are the opposite: silent, stealthy and targeted. That means fewer organisations or individuals are affected – and hence there are fewer opportunities for the virus to be identified and neutralised. That zero day threat might go undetected for some time because it is attacking a specific vulnerability within the business – or targeting a specific individual to gain access.

Mature Model

If AV doesn’t work – what is the option? Firstly, organisations need to address the complacency that exists and start implementing some of the standard security processes and procedures that are key to defending the infrastructure and reducing the risk of compromise. Getting the basic principles of security right is a good place to start. Perceived by some as a black art, security hardening checklists can now be delivered in a best practice template that reflects the specific operating system and network environment. With access to a list of recommendations within a matter of minutes – is there really an excuse for continuing to ignore the essentials of IT security?

However, organisations also need a completely infallible way of detecting the presence of malware if and when it does manage to bypass security defences. The back stop to traditional defences ideally needs to be a real time alert triggered by any change to file structure that might indicate compromise or the beginning of the slow move towards the central core of the business.

File Integrity Monitoring (FIM) is proven to radically reduce the risk of security breaches; indeed it is a core recommendation of the PCI DSS and other security standards. It raises an alert related to any change in underlying, core file systems – whether that has been achieved by an inside man or an unwittingly phished employee introducing malware, or some other zero day threat blasting unrecognised through the AV. Flagging up changes in this way ensures there is no chance of an APT gaining hold; no risk of the stealth attack that gets in and out leaving no trace – there is a trace and the business is immediately notified.

Gold Standard

To date too many organisations have failed to implement FIM for fear of the additional work load created by a system that flags every single unauthorised change – a fact that says rather too much about the anarchic attitudes towards change management endemic within most organisations. FIM raises an alert for every unauthorised change that occurs within the infrastructure. For organisations with robust change management processes, with clearly defined patch windows and no changes made without request and authorisation, implementing and running FIM is a breeze: the only time alerts are flagged are when actual security concerns arise.

Combining FIM with effective change management and a consistent build standard not only fundamentally reduces the security risk but it also minimises the risk of downtime created by unauthorised or misguided system changes. It supports a raft of compliance requirements, most notably PCI DSS, and provides organisations with infrastructure visibility to support effective planning and investment. And, critically, unlike AV, FIM creates a secure environment that truly reflects the current threat model.