WHITE PAPER
Best Practices in File Integrity Monitoring
In any security monitoring strategy, file integrity monitoring (commonly referred to by its acronym, ‘FIM’) is one of
the most powerful host-based intrusion detection techniques available for detecting compromised IT assets and data,
against both known and unknown threats. File integrity monitoring is also required, or needed in practice, to meet
many compliance regimes such as PCI DSS, NERC CIP, FISMA, Sarbanes-Oxley, HIPAA, and GLBA.
The high success rate of phishing attacks, the ongoing adaptation of malware, and an ever-growing list of software
vulnerabilities mean that compromise is not a question of “if”, but rather “when”. A quick news search will
produce countless articles on successful intrusions, from the infamous Target Corporation breach in late 2013
to the recent re-emergence of the Dridex malware.
The fact is, as soon as a bad actor (malware, a malicious hacker, or an unscrupulous employee or contractor) gets
onto a system in your IT environment, it will usually try to alter files and access your data. Being alerted the moment
that critical system, configuration, or data files and directories change goes a long way toward protecting your
organization. This is the realm of file integrity monitoring, a critical tool in the security defense of any
organization that wants to protect its assets.
In this paper, you’ll read about the fundamentals of file integrity monitoring, best practices in file integrity monitoring,
and then how the AlienVault® Unified Security Management™ (USM™) approach can help you quickly and easily
enable FIM capabilities across your IT assets.
›› Determine how the operating system, its subsystems, and applications will operate
›› Track (in log files) the actions and activities that take place across the operating system and applications
© 2017 AlienVault. All rights reserved. AlienVault, Open Threat Exchange, OTX, Unified Security Management, USM, AlienApp, AlienApps, USM Appliance, 1
and USM Anywhere are trademarks of AlienVault and/or its affiliates. Other names may be trademarks of their respective owners.
WHITE PAPER: BEST PRACTICES IN FILE INTEGRITY MONITORING
An attack can show up in any of these three areas: it can cause the operating system or an application to stop
operating as intended, capture or change mission-critical information, and/or manipulate log files to hide the
malicious activity. Even authorized changes may result in misconfigurations that expose the organization to
increased risk and compromise. A good example was highlighted in a recent SC Magazine article covering a data
breach at Scottrade Bank, where a trusted vendor uploaded a file to a Scottrade Bank server without enabling
the proper security protocols. The result was the personal information of 20,000 customers being exposed to the
internet in an unencrypted state. [1]
File integrity monitoring is a proven and well-regarded security countermeasure for these types of risk. It monitors
critical files across your infrastructure and ensures that you are notified when suspicious activity is detected.
To detect such activity on files, one of the following monitoring approaches is typically used:
1. Baseline comparison, where one or more attributes of a file are captured or calculated and stored as a baseline
that can be compared against at some future time. This can be as simple as the file’s size and modification
timestamp. Since those attributes are trivially spoofed (an attacker can reset the mtime with a single call after
editing the file), a more trustworthy approach is to periodically compute a cryptographic digest of each monitored
file and compare it with the previously stored value. Use SHA-256 (or another SHA-2 variant) for this; MD5 is still
seen in older tools, but practical MD5 collisions mean an attacker who can plant the original file can later swap in
a colliding one, so an MD5-only baseline should not be trusted for new deployments. Recording ownership and
permission bits alongside the digest catches changes that leave the content untouched.
2. Real-time change notification, which is typically implemented within or as an extension to the kernel of the
operating system, and generates a change record at the moment a file is accessed or modified.
Of the two approaches, baseline comparison was one of the first techniques used for file integrity monitoring and
remains the more widely practiced. It can be implemented on any system, because it needs nothing more than read
access to the files and a hash function. Its weakness is the detection window: a change made and reverted between
two scans leaves no trace, and an attacker with root or Administrator rights can also rewrite the stored baseline,
so keep the baseline off-host or on read-only media and choose the scan interval deliberately. Real-time change
notification depends on OS-specific hooks (inotify/fanotify on Linux, ReadDirectoryChangesW or the NTFS USN change
journal on Windows, FSEvents on macOS), so a portable solution is more complex and costly to build, and that cost
is passed on to the end user. Some solutions take a combined approach or implement other ways to monitor files for
changes, while also monitoring file permissions and file access. Regardless of the approach used, the result is the
same: a security alert is generated if a monitored file or directory is added, deleted, or modified.
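The baseline-comparison approach, worked through in code. This is an added example and not AlienVault or USM code: it records a SHA-256 digest plus size, mode, owner and mtime for every regular file under a set of watched roots, writes the baseline as JSON, and later diffs a fresh snapshot against it to report added, deleted and modified files. The watched roots, the baseline file name and the sample `/etc`-like tree that `demo()` builds are assumptions for illustration; in production the roots would be the directories listed later in this paper and the baseline would live off-host so a root-level intruder cannot simply rewrite it.

```python
"""Baseline-comparison file integrity check (added example, not AlienVault code).

Records a SHA-256 digest plus size, mode, owner and mtime for each regular file
under the watched roots, stores the baseline as JSON, then diffs a later snapshot
against it. Paths, file names and the sample tree in demo() are constructed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile

CHUNK = 1 << 16  # hash in 64 KiB chunks so large binaries are not read into memory at once


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots):
    """Record attributes for every regular file under each root (symlinks are skipped)."""
    entries = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                entries[path] = {
                    "sha256": sha256_file(path),
                    "size": st.st_size,
                    "mode": stat.S_IMODE(st.st_mode),
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "mtime": int(st.st_mtime),
                }
    return entries


def save_baseline(entries, baseline_path):
    with open(baseline_path, "w") as f:
        json.dump(entries, f, indent=2, sort_keys=True)


def load_baseline(baseline_path):
    with open(baseline_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return added/deleted paths and, for modified paths, which attributes changed."""
    report = {"added": sorted(set(current) - set(baseline)),
              "deleted": sorted(set(baseline) - set(current)),
              "modified": {}}
    for path in set(baseline) & set(current):
        changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if changed:
            report["modified"][path] = changed
    return report


def demo():
    """Baseline a constructed /etc-like tree, tamper with it, and diff."""
    work = tempfile.mkdtemp(prefix="fim_demo_")
    try:
        etc = os.path.join(work, "etc")
        os.makedirs(etc)
        passwd = os.path.join(etc, "passwd")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline_file = os.path.join(work, "baseline.json")
        save_baseline(snapshot([etc]), baseline_file)

        # Simulated intruder: append a UID-0 account, then reset the mtime so a
        # timestamp-only check sees nothing; delete one file; add an ld.so.preload.
        original_mtime = os.stat(passwd).st_mtime
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")
        os.utime(passwd, (original_mtime, original_mtime))
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")

        return compare(load_baseline(baseline_file), snapshot([etc]))
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports `ld.so.preload` as added, `hosts` as deleted, and `passwd` as modified in `sha256` and `size` but not `mtime`, which is exactly the case a timestamp-only baseline would miss. Scheduled from cron or a service, `snapshot` plus `compare` is the whole of a minimal scanner; the remaining engineering is where the baseline is kept and who is allowed to re-baseline after an approved change.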
In addition, some modern operating systems (e.g. Windows Server) provide built-in audit capabilities that can be easily
leveraged. In the past, IT professionals shunned such functionality because of the potential impact the feature could
have on the system. Newer versions of the operating system perform better and use group policy to define precisely
which files and directories are monitored. On Windows this is Object Access auditing: enable the File System
subcategory under Advanced Audit Policy Configuration and set a SACL on each directory to be watched, and matching
accesses are written to the Security log (event ID 4663 for object access, 4670 for permission changes). On Linux,
auditd file watches (for example `auditctl -w /etc/passwd -p wa`) play the same role. The data produced by these
built-in audit capabilities can be collected, analyzed, and alarms generated when suspicious or malicious activity is
discovered.
In fact, file integrity monitoring security solutions have a broad appeal to almost every organization, from SMBs to the
enterprise, non-profits, and government agencies. Certain businesses will find file integrity monitoring both essential
and required, including:
›› Businesses that are subject to regulatory compliance. Several regulations (e.g. PCI DSS, NERC CIP-007), or
approaches commonly used to assure compliance with those regulations (e.g. ISO/IEC 17799, now ISO/IEC 27002), call
out file integrity monitoring as an internal control that should be deployed to protect an organization’s assets and data.
[1] https://www.scmagazine.com/scottrade-bank-data-breach-exposes-20000-customers-personal-information/article/649030/
›› Businesses with highly sensitive data. Most IT professionals (and hopefully business professionals too) consider
data the lifeblood of the business. It is the fundamental resource used to fulfill all transactions, execute all services,
carry out internal/external communications, and quantify the success or failure of business strategies. There’s no
room for error in securing sensitive data.
›› Businesses that have a substantial server infrastructure of any kind. This doesn’t just mean “enterprise,” usually
defined as “an organization with a thousand employees or more,” but can mean a small enterprise, mid-market business,
or even a small business. What matters is not the headcount, but the server count and the criticality of those servers to
the business. Certainly, any organization that owns and operates a data center would fall under this heading; the more
servers, databases, configuration files, logs, etc. that must be monitored, the stronger the case for file integrity monitoring.
›› Operating system directories and files. It’s important to assure that your base operating system is functioning
as expected, so monitoring the system binaries and libraries should be your first step. On Windows, the core OS
binaries, drivers and key configuration files are typically located under:
• C:\Windows\System32 (and C:\Windows\SysWOW64 on 64-bit installs)
• C:\Windows\System32\drivers
On Linux, the critical directories to monitor include the binaries, the shared libraries they load, and the boot chain:
• /bin
• /usr/bin
• /sbin
• /usr/sbin
• /lib and /usr/lib (plus /lib64 and /usr/lib64 where present)
• /boot
[2] https://www.cisecurity.org/
›› Application directories and files. The system is the foundation on which the applications sit; however, it is the
applications that your employees, partners, and customers interact with, and that store and manage your data. Thus,
you should monitor application binaries accordingly. On Windows systems, most applications (by default) store their
binaries and configuration files under:
• C:\Program Files
• C:\Program Files (x86)
Linux systems typically install applications into:
• /usr/bin
• /usr/sbin
• /opt
Depending on the type of server and applications being run, additional files and/or directories may also need to
be monitored. For example, if the server is a web server, the directory where the website files reside should be
monitored as well. This will vary by organization based on web server used and configuration of the web server.
›› Configuration files. Modifying system and application binaries can be harder for an attacker: on Windows a
running executable is locked, and on Linux a running binary cannot be overwritten in place (though it can be replaced
by unlinking and writing a new file, so this is no substitute for monitoring). Configuration files, by contrast, define
how the system and applications will function, are typically only read when the service or application starts, and are
plain files that anyone with the right permissions can edit. Configuration settings can be stored in many ways. On
Windows platforms, the Windows Registry is typically used, so a FIM solution on Windows should watch registry keys
as well as files. Text-based configuration files are found across Windows, Unix/Linux and OS X. Attackers may target
any of these configuration locations for a planned attack, or an administrator may inadvertently misconfigure a
system, exposing that system and putting the data on it and the rest of your infrastructure at risk.
›› Log files. Log files contain the transaction and activity history for the core operating system, its subsystems, and
the applications that reside on the system. They are often the first place an attacker will look to hide their tracks.
While actively written log files change continually, only the system or application should be writing to them, so a
FIM rule for active logs should alarm on truncation, deletion or permission changes rather than on growth. To
ensure that log files cannot be silently tampered with, establish an active log collection method to pull (or push)
the logs from the system to a separate log management solution for centralized monitoring and tamper-evident
storage. Archived log files are static, so you can monitor them for any change or deletion in the normal way.
›› Digital keys and credentials. Even with the availability of directory services and hardware security modules, many
systems and applications still store the keys and credentials they use for authentication and encryption on the local
system. Monitoring those credential and key stores is essential. For example, Unix systems keep the account and
password files at /etc/passwd and /etc/shadow, and Windows keeps the SAM and SYSTEM hives under
C:\Windows\System32\config. Secure Shell (SSH) is another common case: the host keys in /etc/ssh and each
user’s ~/.ssh/authorized_keys file should be watched, since an added public key is a persistent backdoor.
›› Content files. Corporate and customer data is the lifeblood of most organizations, and data leakage remains one
of the top security concerns of many organizations. Even content as simple as your website is mission-critical. The
effects on your brand and reputation can be significant should an attacker deface your public presence. Monitoring
content files on the web server for unauthorized changes is critical to ensure the integrity of that data, and a sudden
change to a server-side script or upload directory is often the first visible sign of a web shell.
›› Standalone vs. HIDS. Some file integrity monitoring solutions integrate with, or are a part of, a host-based intrusion
detection system (HIDS). HIDS capabilities are a superset of file integrity monitoring capabilities and can detect
threats in areas other than files, such as system memory (RAM) or I/O. Standalone file integrity monitoring generally
means file analysis only.
›› Performance. The more people in the organization you talk to, the more files you will find that need monitoring. With
that in mind, look for proven file integrity monitoring solutions that don’t consume too many system resources and,
when running, exhibit minimal impact on system performance.
›› Scalability and platform coverage. It will come as no surprise that your IT infrastructure will differ from that of
other organizations. You may be running only Linux, Windows, or OS X, or a mix of operating systems. Maybe you have
some older Unix technologies in house. Whatever the environment, you should assess whether the file integrity
monitoring solution you select can cover all, or just some, of your IT environment and whether that is sufficient for
your requirements.
›› Integration with Security Information and Event Management (SIEM) solutions. Sending alerts to a SIEM solution
can enhance your security defense by enabling cross-correlation of an incident with other security alerts, helping
to reduce false positives and to identify and prioritize real threats to your organization. In addition, some SIEM
solutions offer log retention, enabling alert and event information to be stored for later forensic analysis of an
incident or suspicious activity.
›› Integration with change management solutions. Since the purpose of file integrity monitoring is to detect change
and the purpose of change management is to manage change, it’s beneficial to coordinate these solution classes
carefully to minimize the false positives that might otherwise come up. In addition, such integration can also help
identify what change was made should any rollback be required.
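The change-management integration described above, as an added example (not AlienVault code): each FIM event is matched against the change tickets that approve a set of paths on a host for a time window, and everything that falls outside an approved window, host or path set is escalated. The event format, the ticket fields, the host names and the sample events and tickets are all constructed for illustration; a real integration would read both from the FIM tool and the ticketing system.

```python
"""Correlating FIM alerts with approved change windows (added example, not AlienVault code).

Events and tickets below are constructed. A ticket approves a set of path globs on
one host for a time window; an event outside any ticket's host, window or paths is
escalated rather than silently accepted.
"""
from datetime import datetime
from fnmatch import fnmatch


class ChangeTicket:
    def __init__(self, ticket_id, host, path_globs, start, end):
        self.ticket_id = ticket_id
        self.host = host
        self.path_globs = path_globs
        self.start = start
        self.end = end

    def covers(self, event):
        """True only if host, time window and at least one path pattern all match."""
        return (event["host"] == self.host
                and self.start <= event["time"] <= self.end
                and any(fnmatch(event["path"], g) for g in self.path_globs))


def parse_events(lines):
    """Parse constructed 'ISO-time host path change' lines into event dicts."""
    events = []
    for line in lines:
        ts, host, path, change = line.split()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "path": path, "change": change})
    return events


def triage(events, tickets):
    """Split FIM events into those explained by a ticket and those to escalate."""
    approved, escalate = [], []
    for ev in events:
        match = next((t for t in tickets if t.covers(ev)), None)
        if match:
            approved.append(dict(ev, ticket=match.ticket_id))
        else:
            escalate.append(ev)
    return approved, escalate


SAMPLE_EVENTS = [  # constructed sample FIM output
    "2017-05-10T02:05:00 web01 /usr/bin/openssl modified",
    "2017-05-10T02:06:00 web01 /usr/lib/libssl.so.1.0.0 modified",
    "2017-05-10T02:07:00 web01 /etc/ld.so.preload added",
    "2017-05-10T14:30:00 db01 /etc/shadow modified",
    "2017-05-11T02:05:00 web01 /usr/bin/openssl modified",
]

SAMPLE_TICKETS = [  # constructed change ticket: openssl patch on web01, 02:00-03:00
    ChangeTicket("CHG-1042", "web01", ["/usr/bin/*", "/usr/lib/*"],
                 datetime(2017, 5, 10, 2, 0), datetime(2017, 5, 10, 3, 0)),
]


def demo():
    return triage(parse_events(SAMPLE_EVENTS), SAMPLE_TICKETS)


if __name__ == "__main__":
    approved, escalate = demo()
    for ev in approved:
        print("approved", ev["ticket"], ev["host"], ev["path"])
    for ev in escalate:
        print("ESCALATE", ev["host"], ev["path"], ev["change"])
```

The two openssl-related changes inside the ticket window are attributed to CHG-1042; the ld.so.preload addition is escalated even though it happened during the window, because the ticket only approves /usr/bin and /usr/lib, and the same openssl path a day later is escalated because no window covers it. Matching on host, window and path together is what keeps a change window from becoming a blanket exemption that an attacker could time their activity into.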
›› Cost. With today’s IT security budgets, understanding the costs associated with any solution is very important.
Unfortunately, many commercial off-the-shelf (COTS) file integrity monitoring solutions can be very expensive and
require a significant amount of time to roll out and manage. Alternatives include open source software solutions,
or all-in-one solutions where you obtain file integrity monitoring along with additional, critical security
monitoring tools within the same package.
The lesson from this is that you should never rely on a single technology to protect your IT infrastructure. Rather, you
should deploy multiple security layers across your IT infrastructure to increase the chances that you will either block
or detect any attack in progress.
One such solution that provides a multi-layered security protection is AlienVault Unified Security Management (USM),
which incorporates five essential security capabilities – asset discovery, vulnerability assessment, intrusion detection,
behavioral monitoring, and SIEM log management – in a single, unified solution. Its intrusion detection capabilities
include comprehensive file integrity monitoring and host intrusion detection, providing assurance that applications
and application data remain protected from malicious actors – both internal and external.
2. Scaling Your Threat Detection and Response with Real-time Security Intelligence, ensuring that:
a. The AlienVault USM platform has the latest intrusion detection rules, malware signatures, and more from
the AlienVault Labs Security Research Team to identify the latest threats.
b. Security teams have the latest information on threats and available fixes and workarounds, virtually
eliminating the time and resources that those teams would typically spend in researching that information.
3. Deployment to Detection in Minutes. The AlienVault USM family of solutions provides deployment options that are
easy to deploy and start using, protecting your IT infrastructure in minutes.
As soon as a change to a monitored file is detected, the USM platform triggers an alarm on the AlienVault USM
console, ready for triage and response by the security team. Even though these changes might not require a
response, it’s important to monitor all activity to first determine a baseline and then detect any abnormalities like
policy violations or potential system compromise.
AlienVault USM’s implementation of host-based IDS and file integrity monitoring enables you to monitor all user
activity on your critical systems. These events are forensically captured, processed, and correlated with other data to
provide the necessary context you need for effective incident response.
Helping you to identify, triage, and prioritize threats, AlienVault USM delivers rich graphical dashboards to quickly
identify deviations from operational baselines that require additional investigation.
›› AlienVault USM Anywhere™, our cloud-based, SaaS-delivered solution designed to monitor your on-premises,
cloud, and hybrid cloud environments from the AlienVault Secure Cloud. Software-based sensors are deployed into
your infrastructure to find assets, discover vulnerabilities, detect intrusions, and collect data from your applications,
systems, and devices to perform threat detection and provide you the tools to respond to discovered incidents.
›› AlienVault USM Appliance™, our appliance-based solution designed for organizations that require dedicated on-
premises monitoring from their own data centers. A virtual or hardware-based USM Appliance server is deployed
into your data center and hardware or software-based sensors are deployed into the rest of your infrastructure to
provide the monitoring and data collection capabilities.
With AlienVault USM Anywhere or AlienVault USM Appliance, organizations are able to gain the benefits of file
integrity monitoring in a unified platform that also delivers asset discovery, vulnerability assessment, intrusion
detection, behavioral monitoring, SIEM and Log Management – all through a single, unified solution. Only with these
five security essentials can organizations truly mitigate the IT security risk from today’s threats. With the AlienVault
USM approach, along with the integrated real-time security intelligence, the effectiveness of the final solution is
multiplied compared to deploying multiple point solutions to try to achieve the same effect – all at reasonable cost.
[Figure: AlienVault USM capability diagram. Intrusion Detection: Network IDS, Host IDS, File Integrity Monitoring (FIM).
Vulnerability Assessment: Continuous Vulnerability Monitoring, Authenticated / Unauthenticated Active Scanning,
Remediation Verification. Behavioral Monitoring: NetFlow Analysis, Service Availability Monitoring. AlienVault Labs
Threat Intelligence.]