Security fundamentals: File integrity monitoring
The majority of security practitioners agree that establishing foundational security controls will give agencies the biggest security bang for their buck. So where should those agencies focus their efforts in order to ensure a strong foundation of security?
There are four key principles at the heart of every effective security foundation: log management, file integrity monitoring, policy compliance and vulnerability management. This second of a four-part series addresses file integrity monitoring (FIM).
Every incident starts with a change. Accepting this simple fact can dramatically change an IT manager's perspective on preventive and detective controls in the agency environment. While there is some value in shiny new technologies like machine learning, artificial intelligence or even active threat hunting, a close examination of how incidents occur will show that the ability to effectively detect and prevent changes across the entire environment has exponentially more value. While integrity monitoring has been available for many years, the technology has changed and the value has dramatically increased. FIM and change detection are inextricably linked, and detecting change is at the core of FIM.
Shifting from FIM to integrity management
FIM can describe a very specific set of capabilities and is often associated with meeting compliance requirements. However, FIM isn’t just for files anymore; it has also become shorthand for a broader application of integrity, broadly referred to as integrity management. Integrity management offers an umbrella approach to managing risk, and it can be used alongside compliance and security standards. There are four basic steps to ensuring integrity.
Step 1: Start with a secure deployment. Every agency should work to ensure it is deploying systems that meet risk acceptance criteria. That means IT managers must establish those criteria and be able to measure them for servers, images, containers and any other system that gets deployed, whether on-premises, virtual or in the cloud. Make sure all systems get this treatment.
Step 2: Baseline every system that’s deployed. The baseline is crucial for being able to identify changes and determine how they might affect the risk posture of any system. The baseline should be closely correlated with the standards for secure deployment of that type of system.
Step 3: Monitor systems for change. Once IT managers have deployed and baselined secure systems, they must be able to detect changes that compromise the integrity of that system. This process requires a close connection between change detection, baselines and the change process for the organization.
Step 4: Investigate and remediate changes. Not every change requires action. Implementing a reconciliation process to separate the wheat from the chaff is crucial. Changes that are business as usual, such as those associated with change orders or planned updates, don’t require response. Changes that can’t be reconciled or changes that impact risk must be investigated and remediated. In order to do so, IT managers must have sufficient detail about the changes to make decisions.
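One way to implement steps 2 through 4 above in code, as an added example that is not part of the original article or of Tripwire's product: build a hash baseline of a tree, detect added, removed and modified files against it, then reconcile the result with a list of paths covered by an approved change order. The file tree and the change order are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def baseline(root):
    """Step 2: map each regular file under root (POSIX-style relative path) to the SHA-256 of its content."""
    snapshot = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            snapshot[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snapshot

def detect_changes(old, new):
    """Step 3: compare two baselines and report what appeared, disappeared or changed content."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}

def reconcile(changes, approved):
    """Step 4: split detected changes into those explained by a change order and those needing investigation."""
    expected, unexplained = [], []
    for kind, paths in changes.items():
        for p in paths:
            (expected if p in approved else unexplained).append((kind, p))
    return {"expected": sorted(expected), "unexplained": sorted(unexplained)}

def run_demo():
    """Constructed scenario: baseline a small tree, apply four changes, reconcile against one change order."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "motd").write_text("welcome\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        before = baseline(root)
        # The change order only covers the motd update; everything else is unplanned.
        (etc / "motd").write_text("maintenance window tonight\n")
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")   # risk-impacting edit
        (etc / "hosts").unlink()                                     # unexpected deletion
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")  # new file
        after = baseline(root)
        return reconcile(detect_changes(before, after), approved={"etc/motd"})

if __name__ == "__main__":
    for kind, path in run_demo()["unexplained"]:
        print(f"INVESTIGATE {kind}: {path}")
```

The unexplained list is what an analyst would triage; a production tool would also record owner, mode and timestamps in the baseline so that those attributes are compared too.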
Integrity management is required
The security benefits of integrity management are clear. Agencies are significantly more likely to prevent, detect and effectively investigate incidents if they apply the principles of integrity management. Beyond those benefits, however, the core capabilities are also required by a variety of regulatory standards. The standard that tends to matter most across government is the National Institute of Standards and Technology's Special Publication 800-53, which governs security and privacy controls. Not only does 800-53 contain an entire family of system and information integrity controls, but control SI-07 explicitly calls for the use of “integrity verification tools to detect unauthorized changes” on a variety of organization-defined objects.
While integrity verification is required for SI-07, the ability to detect and reconcile changes delivers validation of many other controls. And while integrity management cannot "create, enable, modify, disable and remove information system accounts in accordance with policy" as the AC-02 account management control calls for, it will provide the ability to capture every single one of those changes for investigation and audit.
Agencies that can shift their risk management perspective from a piecemeal approach to a holistic one focusing on integrity management will start seeing benefits that span security, compliance and IT operations. The principles of integrity management are even more important in the fast-changing world of DevOps, automation and continuous integration and deployment. Whether it is called file integrity monitoring or integrity management, this capability is both required and foundational.
Tim Erlin is VP of product management and strategy at Tripwire.