File integrity monitoring helps ensure that critical system and data files aren’t altered — maliciously or accidentally.
Most organizations associate the term “security breach” with the theft or exposure of sensitive data. However, data tampering could pose an even greater threat, according to leading security experts.
Admiral Michael S. Rogers of the U.S. Navy, who heads up the National Security Agency, U.S. Cyber Command and Central Security Service, told delegates at a recent security conference that three cybersecurity threats keep him awake at night. The first was an attack on U.S. critical infrastructure, and the third was destructive use of cyber resources by non-state terrorist groups. The second was data tampering — the subtle alteration of information without an organization’s knowledge.
Data tampering could be an act of revenge by a disgruntled employee, industrial espionage by a competitor, or the work of hactivists or a rogue nation state. Whatever the root cause, the prospects of such a security breach are alarming. How long might it take for an organization to discover that its data had been modified? How would the organization recover from such a security breach?
The risk of data tampering points to the need for file integrity monitoring (FIM) systems, which regularly examine critical data files to determine if, when and how they change. These essential security controls can help organizations quickly detect data tampering due to ransomware, malware, rootkits and other malicious code, as well as internal and external threat actors. FIM systems can also spot modifications that violate company policies or regulatory requirements, and errors by legitimate users that might cause downtime or data loss.
How FIM Works
Data files change constantly through natural computer system and user processes. However, there are a number of files that should not change under typical circumstances — operating system files, application executables, configuration files, security settings, and user identities, privileges and credentials. FIM systems can generate alerts if these files are modified so that IT personnel can investigate.
System log files should also be monitored even though they change continually. Organizations should ensure that only systems and applications write data to logs, and that log files are frequently collected and stored in a separate management system. FIM can also be used to monitor files that contain sensitive information.
FIM systems use a cryptographic algorithm to create a hash of the attributes of a file in a known, good baseline state. However, because hackers can spoof or tamper with file system information, a checksum of the file may also be generated. All of that information is stored in a database, and the current state of the files compared against it. If the tiniest change is detected, an alert is generated.
FIM must be implemented in conjunction with change management processes to minimize the number of false positives. When a file is altered legitimately, the FIM system should be instructed to compute a new hash and store it in the database.
Because FIM systems can be resource-intensive, it typically isn’t practical to monitor all of the files within an organization. However, several government and industry regulations, including the Payment Card Industry Data Security Standard (PCI DSS), mandate that organizations use FIM to monitor log files, critical system files, configuration files and certain content files.
A Number of Options
Agent-based FIM solutions require the installation of software on systems to be monitored, while agentless solutions don’t. Agent-based systems are more powerful, and enable real-time analysis of files. However, agentless systems are more popular because they are less expensive, easier to implement and operate, and provide hassle-free maintenance of endpoints.
FIM systems are increasingly integrated with security information and event management systems (SIEMs), which gather data from systems and devices across the enterprise for correlation and analysis. Integration of FIM with SIEM makes it possible to correlate data tampering with other security alerts to minimize false positives and prioritize threat response.
Cloud-based FIM deployments are growing rapidly, but on-premises FIM systems continue to hold a larger share of the market. Government agencies and organizations in the financial sector prefer on-premises deployment because it gives them full control over all platforms, applications, systems and data.
Although the FIM market is mature, research firm MarktsandMarkets expects it to see a compound annual growth rate of more than 13 percent, to reach $986 million by 2022. This growth is being driven by security concerns and increasingly stringent government and industry regulations, but the high cost and complexity of many FIM solutions continue to be constraining factors.
The threat of data tampering may be keeping security experts awake at night, but tools are available to help organizations mitigate this risk. File integrity monitoring is a core control that should be integrated into every organization’s cybersecurity strategy.