5 Ways to Finally Make File Integrity Management (FIM) Purchases Worthwhile.

Posted by JT Keating on Jun 25, 2014 11:33:00 AM


#1. Focus On Correctness Not Change.

The objective of any integrity monitoring solution should be to verify integrity (correctness), not simply to detect change. Detecting change is fundamentally flawed in two main ways. First, without knowing whether a system is correct to begin with, you may not know whether a given change is good or bad. For example, applying a patch to a vulnerable application actually corrects an incorrect system. Second, without the concept of correctness, the volume of alerts is overwhelming and requires manual parsing to try to find unauthorized and potentially dangerous changes. Finding the two main kinds of unauthorized change should be the goal: 1) changes that aren’t supposed to occur (e.g., malware), and 2) changes that are supposed to occur and don’t (e.g., exploitable vulnerabilities that aren’t patched).

#2. Use File Data for Forensics, Not Alerting.

There are thousands of files on any given system, and often thousands of systems in any given corporate network. Even under normal circumstances, thousands of changes occur in relatively short periods of time, a volume that cannot be triaged manually without a huge, expensive staff. However, when a breach or other incident has occurred, file data can be a crucial part of any forensic exercise. By implementing the other recommendations in this post, you can shift to using file-level information for forensics rather than for real-time alerting.

#3. Put Real “Integrity” Into File Integrity Monitoring.

Historically, File Integrity Monitoring has really been a misnomer (or worse, false advertising). The relevant definition of “integrity” is “unimpaired or perfect condition”. Traditional offerings have never had the ability to determine the integrity of the files on a system. These solutions should really be called what they are, “File Change Monitoring”: they detect change, not correctness. SIM solutions like SignaCert Integrity include File Whitelists that verify the legitimacy and provenance of files. Files with no such metadata are clearly the ones worthy of investigation. SIM solutions finally put the integrity into File Integrity Monitoring.

#4. Verify Application Integrity to Receive More Consumable/Actionable Information.

If you want your integrity monitoring solution to provide real-time, truly actionable data (not just after-the-fact tracking and reporting), then you should view and verify information at the application level. To oversimplify, this is a matter of human processing ability and mathematics. It is far easier for a human to interpret data at the application level than at the file level. Additionally, any files that cannot be “rolled up” into applications are suspect and quickly become the focus of investigators. On the math front, an application may be made up of hundreds or thousands of files, so investigators can analyze and interpret a handful of applications far more easily than they can thousands of files. Traditional FIM solutions have no such ability. Whitelist-driven SIM solutions not only provide application views, they provide metadata around the applications’ legitimacy and provenance. To further improve your benefit/noise ratio, connect your SIM solution with your risk or threat profiles to enable real-time monitoring of your most critical or high-risk applications, e.g., Point of Sale devices, critical app servers or databases, and systems that contain sensitive information such as PII or IP.

#5. Verify System Integrity to Increase Security & Reduce Noise.

Many systems (or parts of systems) should be similarly configured. By whitelisting a reference system, all other “like” systems can instantly be compared against the baseline and determined to be correct or not. This approach will immediately increase security and reduce noise. Let’s return to the goals identified in #1, “Focus On Correctness Not Change”. Comparison against a system whitelist would discover unauthorized changes that aren’t supposed to occur (e.g., malware), and changes that are supposed to occur and don’t (e.g., exploitable vulnerabilities that aren’t patched) because neither of those would match a system whitelist!  They would be clearly discovered and quickly remedied.
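The following is an added example, not SignaCert code or part of the original post, showing the whitelist-driven comparison described in #1, #3, #4 and #5 in working form: a reference whitelist carries each approved file's expected hash, its owning application and the hashes of superseded approved versions; a target system's inventory is compared against it; and the per-file verdicts are rolled up per application. All paths, application names and file contents are constructed for the illustration, and the "system" is an in-memory dict rather than a real filesystem walk. The distinction between a "superseded" hash and an unknown one is what lets the check separate an unapplied patch (a change that was supposed to occur and didn't) from tampering or malware (a change that wasn't supposed to occur).

```python
import hashlib
from collections import defaultdict

# Severity order used when collapsing file verdicts into one application verdict.
SEVERITY = ["unexpected", "outdated", "missing", "ok"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_whitelist() -> dict:
    """Constructed reference whitelist: path -> expected hash, owning
    application, and hashes of superseded (older, once-approved) versions.
    In practice this comes from a trusted reference system or vendor provenance data."""
    return {
        "/opt/pos/bin/posd": {
            "app": "PointOfSale 2.1",
            "sha256": sha256_hex(b"posd 2.1 (patched)"),
            "superseded": {sha256_hex(b"posd 2.0 (vulnerable)")},
        },
        "/opt/pos/lib/libpay.so": {
            "app": "PointOfSale 2.1",
            "sha256": sha256_hex(b"libpay 2.1"),
            "superseded": set(),
        },
        "/usr/sbin/sshd": {
            "app": "OpenSSH 6.6",
            "sha256": sha256_hex(b"sshd 6.6"),
            "superseded": set(),
        },
        "/opt/backup/agent": {
            "app": "BackupAgent 5.0",
            "sha256": sha256_hex(b"backup agent 5.0"),
            "superseded": set(),
        },
    }


def sample_system() -> dict:
    """Constructed target system: path -> file contents (stands in for a disk walk)."""
    return {
        "/opt/pos/bin/posd": b"posd 2.0 (vulnerable)",  # patch was never applied
        "/opt/pos/lib/libpay.so": b"libpay 2.1",         # matches the whitelist
        "/usr/sbin/sshd": b"sshd 6.6",                   # matches the whitelist
        "/tmp/.x/miner": b"binary nobody approved",      # no whitelist entry at all
        # /opt/backup/agent is absent from this system
    }


def inventory_system(files: dict) -> dict:
    """Hash every file on the system: path -> sha256."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_integrity(whitelist: dict, inventory: dict) -> dict:
    """Per-file verdict: 'ok', 'outdated' (superseded approved version),
    'missing' (approved file absent) or 'unexpected' (content nothing approves)."""
    verdicts = {}
    for path, entry in whitelist.items():
        actual = inventory.get(path)
        if actual is None:
            verdicts[path] = "missing"
        elif actual == entry["sha256"]:
            verdicts[path] = "ok"
        elif actual in entry["superseded"]:
            verdicts[path] = "outdated"
        else:
            verdicts[path] = "unexpected"  # approved path, unapproved content
    for path in inventory:
        if path not in whitelist:
            verdicts[path] = "unexpected"  # nothing in the whitelist explains it
    return verdicts


def roll_up_by_application(whitelist: dict, verdicts: dict) -> dict:
    """Group file verdicts by owning application; files that cannot be rolled
    up into any application land under 'UNCLASSIFIED'."""
    apps = defaultdict(dict)
    for path, verdict in verdicts.items():
        app = whitelist.get(path, {}).get("app", "UNCLASSIFIED")
        apps[app][path] = verdict
    return dict(apps)


def application_status(rollup: dict) -> dict:
    """One verdict per application: the most severe of its files' verdicts."""
    return {app: min(files.values(), key=SEVERITY.index) for app, files in rollup.items()}


if __name__ == "__main__":
    wl = build_whitelist()
    verdicts = verify_integrity(wl, inventory_system(sample_system()))
    rollup = roll_up_by_application(wl, verdicts)
    for app, status in application_status(rollup).items():
        print(f"{app:18} {status}")
        for path, v in rollup[app].items():
            if v != "ok":
                print(f"    {v:10} {path}")
```

Run as-is, the report lists four applications rather than five file events: PointOfSale 2.1 is "outdated" (the unpatched daemon), BackupAgent 5.0 is "missing", OpenSSH 6.6 is "ok", and the single file under UNCLASSIFIED is "unexpected", which is exactly the item an investigator would look at first. Comparing many like systems against one reference, as #5 describes, is the same function applied to each system's inventory with the same whitelist.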


As you can see, whitelist-driven solutions fundamentally change the efficacy and value of any FIM/SIM solution. If you want to learn more about the leading SIM solution, SignaCert Integrity, here are some easy options for you:

