NNT F.A.S.T. Cloud Threat Intelligence Integration
A Mute button for FIM Change Noise
Change Tracker™ Gen7 R2 provides the most accurate and effective FIM solution guaranteeing the integrity of your secure IT systems and reporting any changes as they occur. But how do you distinguish between:
‘good’ - intended, desirable changes such as updates and patches, and
‘bad’ - malicious activity following a breach?
The smart response is to leverage cloud-based Threat Intelligence to automatically validate file changes as they are detected using an authoritative file whitelist. And now you can use the NNT FAST™ (File Approved-Safe technology) Cloud to do just this, in real-time.
Is the new or changed file detected known to be safe?
The overwhelming majority of file changes in a secure IT estate will be attributed to regular patching, for example, Windows Updates.
Given that your estate is inherently secure and subject to change control and other security best practices, >99.99% of the changes recorded will be ‘safe’. Not always expected or operationally desirable, but at least the files have been provided by the manufacturer and not by a hacker.
Isn’t this the job of Anti-Virus technology?
Anti-Virus is signature-based: in other words, AV operates using a blacklist of all known bad files.
Millions of new viruses are released into the wild every day, and accordingly, AV vendors add updated signatures as soon as the malware has been identified. It’s simple: blacklisted files are removed before they do harm.
Unfortunately, Zero Day Malware is invisible to AV. Zero Day = Never-Before-Seen, so no signature. Millions of viruses, Trojans and APTs do not exist on the blacklist and are free to do damage until caught.
So how do you spot Zero Day malware if it can’t be identified?
If a Blacklist approach is flawed, will a Whitelist work better?
A Whitelist is also signature-based, comprising all known good files. Using a whitelist as a ‘safety-first’ decision basis prioritizes security above all else. Not whitelisted? Assume harmful.
A truly comprehensive whitelist is an ambitious objective, but with zero day malware production rates relentlessly spiralling upwards, it’s a more realistic goal than that of the AV vendors.
By collaborating with a range of security researchers, manufacturers and crowd-sourcing data from the global community, while factoring in other trust indicators such as signing certificates, a reliable and effective whitelist is readily within reach.
Can a Whitelist Verification process be automated?
Using the NNT FAST™ Cloud, powered by external Threat Intelligence feeds, Gen 7™ makes this whole process even easier by automating the analysis and approvals process.
By integrating the FAST™ Cloud File Reputation repository into Gen 7™, file changes can be automatically and instantly verified as ‘known safe’ as they are detected. But it doesn’t stop there – other changes associated with patching can also be queried and automatically approved using the NNT FAST™ Cloud. For example, Software/Update changes, Windows registry changes, or even new services/processes being created can all be reviewed and, where pre-selected as ‘known safe’, automatically reviewed and approved for you.
So a Whitelist and Blacklist combined in a Real-Time FIM scenario guarantees Security?
The challenge for security professionals is that you need to know when changes are made to systems, but sorting the ‘everyday/ok’ from the ‘unusual/suspicious’ changes always required a time-consuming, manual review.
IMPORTANT: the whitelist knowledge is being combined with the blacklist of your AV system, not replacing it. If a file is known-harmful, the AV will still quarantine it. Likewise, if a file is known-safe, the whitelist will confirm this. All that is left for you to manually review and approve is the tiny minority of ‘not-yet whitelisted’ files - for example, bespoke in-house developed applications.
BUT - if you are unfortunate enough to be breached, files related to this cyberattack will also be exposed in this ‘no man’s land’ of neither blacklisted, nor whitelisted files.
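The triage logic described above, as an added example rather than NNT's own code: each change event is hashed, checked against the AV blacklist first (a known-harmful file is quarantined regardless), then against the whitelist by hash or by a trusted signing certificate, and anything still unlisted lands in the manual review queue. All file contents, signer names and reputation lists are constructed for the example.

```python
import hashlib
from collections import Counter
from typing import Optional

# Constructed "on-disk" contents for five changed files; a real FIM agent
# would hash the actual file it detected changing.
CHANGED_FILES = {
    "C:/Windows/System32/patched.dll": b"vendor-patched system library",
    "C:/Program Files/Vendor/tool.exe": b"signed vendor tool, hash not yet listed",
    "C:/Apps/Inhouse/billing.exe": b"bespoke in-house application",
    "C:/Temp/svchost32.exe": b"never-before-seen file dropped after an intrusion",
    "C:/Temp/known_malware.exe": b"malware already in the AV signature set",
}
# Code-signing subject reported with a change (absent = unsigned); constructed.
SIGNERS = {"C:/Program Files/Vendor/tool.exe": "Example Vendor Ltd"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed reputation data standing in for the cloud file whitelist, the
# AV blacklist and the set of signing certificates the estate trusts.
WHITELIST = {sha256_hex(b"vendor-patched system library")}
BLACKLIST = {sha256_hex(b"malware already in the AV signature set")}
TRUSTED_SIGNERS = {"Example Vendor Ltd"}

def triage(content: bytes, signer: Optional[str]) -> str:
    """Classify one change event as known_bad, known_safe or review."""
    digest = sha256_hex(content)
    if digest in BLACKLIST:        # AV verdict wins: quarantine regardless
        return "known_bad"
    if digest in WHITELIST:        # exact hash match in the whitelist
        return "known_safe"
    if signer in TRUSTED_SIGNERS:  # secondary trust indicator: trusted signer
        return "known_safe"
    return "review"                # neither listed: a human must look

def triage_all() -> dict:
    return {p: triage(c, SIGNERS.get(p)) for p, c in CHANGED_FILES.items()}

def review_queue() -> list:
    """Only the events that still need a manual decision."""
    return sorted(p for p, v in triage_all().items() if v == "review")

def summary() -> dict:
    return dict(Counter(triage_all().values()))

if __name__ == "__main__":
    for path, verdict in triage_all().items():
        print(f"{verdict:10} {path}")
    print("summary:", summary(), "to review:", review_queue())
```

Note that the zero-day file dropped after the intrusion sits in the same review queue as the in-house application: neither blacklisted nor whitelisted, which is exactly the residue the text says is left for human inspection.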
With Gen7™ R2 automatically assessing and approving changes confirmed as ‘on the whitelist’, the reduction in FIM change noise - and therefore your time to review FIM changes – will transform your ability to properly investigate the genuinely suspicious events, thereby delivering a solution that actually meets the true security purpose of system integrity monitoring.
Isn’t it time for you to stop making token gestures towards cyber security and start taking it seriously?