Change detection technology has changed: for the better
Mark Kedgley examines the importance of real-time file integrity monitoring in a constantly and quickly evolving threat landscape.
Few experts would argue against the importance of real-time file integrity monitoring (FIM) in an era of fast-changing and sophisticated security threats. It is impossible to second-guess the method of a breach, and therefore the ‘last line of defence’ detection offered by FIM has never been more critical. The worldwide coverage of the recent breach at Target shows how vital cybersecurity is, and how high the stakes are if your defences are breached. Little wonder that leaders in security best practice such as NIST, the PCI Security Standards Council and the SANS organisation all advocate FIM as an essential security defence.
That said, many would also challenge the actual value and quality of some FIM deployments over the past decade. From the highly complex, multimillion-dollar software investments all the way down to freeware, far too many deployments are actually increasing, rather than reducing, business risk by creating a deluge of unmanaged and unmanageable alerts. Put simply: too much information and not enough context to provide an effective solution.
But write off FIM at your peril. Not only does FIM play a key role in compliance, but used correctly, it is also a proven and robust way to protect against evolving security threats, including zero hour malware and the APT.
There is now a middle option available that exists between the complex and expensive legacy products and freeware: the latest generation of solutions are easy to deploy, a fraction of the price and, critically, are simple to use.
Maybe it is time to reconsider your take on FIM?
Changing security threat
Organizations recognise that traditional security tools such as antivirus and firewalls alone are no longer adequate to fully protect against the inexorably expanding range and variety of threats. Real-time file integrity monitoring helps to improve external and internal threat defences by reporting on all irregular file and configuration changes. Tracking change and flagging up the unauthorised, unexpected and out-of-context change is a key security best practice that will identify serious, business-compromising security breaches that would otherwise remain undetected for weeks, months, even years.
For all these reasons FIM has been used by many organizations for many years – yet it is possibly only recently that it could be considered both affordable and simple enough to use effectively.
Despite the compelling, indeed essential, value FIM can offer, large numbers of organizations are still dissuaded from investing due to the perceived cost and complexity of the technology, a perception set by the early pioneer products in the FIM market. For good reasons: the traditional FIM solution is complex. It requires dedicated personnel to manage and configure. And it is expensive – really expensive. Just the cost of getting started can be a surprise – and bears little relation to the initial quote. By the time the business has considered the options, from the devices to be monitored, agent versus agentless deployment, database system or simple file detection, security policy compliance auditing as well as simple daily FIM reports, the bill is enough to make your eyes water.
Sadly, the up-front expense is just the beginning of the problem with the legacy FIM products; it is down the line that the issues – and the costs – really become untenable. Unless the business has one (or more) dedicated individuals with the time and skills to manage tasks, adjust actions, modify rules and edit policy to deliver the fine-grained monitoring that complex FIM solutions require, the whole thing becomes unmanageable.
The alternative is to call in costly consultancy resources to make the changes every single time the business wants to add devices or adjust policy. It is no surprise that such additional costs cannot be justified. The result is too many alerts, and no focus. Alert overload inevitably leads to the system being ignored and a genuine security incident could be missed. The situation is almost worse than not having a solution at all.
So what is the option? Leave the system unmonitored? Not the best idea. Freeware? Possible – there are a number of solutions. But that, too, is fraught with danger. While freeware can enable organizations to tick the compliance box, its value is questionable. The biggest problem is the lack of context provided with change information: every single Windows update or file change will create an alert. There is no way of differentiating between good and bad changes – and that is really dangerous. As most security auditors now concede, organizations that have gone down the freeware route are now overwhelmed by unmanageable and unmanaged change information that is leaving them wide open to breach and abuse.
So freeware is really not viable. But does the alternative really have to be so expensive? Is the highly complex, ‘reassuringly expensive’ tag a sop to the CTO’s ego or the painful reality of dated design and behemoth of a business model that is predicated on consultancy, upgrade and support fees?
The truth is that the latest generation of FIM solutions are far less complex. They can be deployed remotely and are highly intuitive, hence avoiding the need for expensive consultancy. Critically, they are usable: rather than creating an extensive and unmanageable log file of ignored events, newer solutions minimise complexity and are easily adjusted so that only the relevant changes – those that therefore require investigation – cause alerts.
Rather than getting swamped with unmanageable volumes of unnecessary and unhelpful alerts, the business gets a few critical issues to investigate, making the process of spotting a zero hour attack much more likely.
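The difference between context-free change detection and the "only the relevant changes" behaviour described above, as an added example that is not code from the article or from any FIM product it discusses. It models files as an in-memory mapping of path to bytes so it runs offline, hashes them to build a baseline, reports every difference (the raw, alert-flooding behaviour), and then applies two pieces of context: an approved change window (a hypothetical `ChangeWindow` structure standing in for a patch ticket) that marks changes to covered paths as expected while it is open, and a set of noise patterns for volatile files. All paths, file contents and the ticket number are constructed for the example.

```python
"""Added example (not the article's or any product's code): a minimal
baseline-and-compare file integrity check, plus the change context that
separates expected changes from those an analyst must investigate.

Files are an in-memory mapping of path -> bytes so the example runs offline;
a real agent would hash the filesystem and persist the baseline.
All paths, ticket numbers and file contents below are constructed."""
import fnmatch
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


def hash_tree(files: dict) -> dict:
    """Baseline: {path: sha256 hex digest} for every file in the mapping."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


@dataclass(frozen=True)
class Change:
    path: str
    kind: str            # "added", "removed" or "modified"
    old: Optional[str]   # baseline digest, None if the file is new
    new: Optional[str]   # current digest, None if the file was removed


def diff_baseline(baseline: dict, current: dict) -> list:
    """Context-free detection: report every difference from the baseline.
    This is all a bare FIM tool gives you, and why it floods on patch day."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append(Change(path, kind, old, new))
    return changes


@dataclass(frozen=True)
class ChangeWindow:
    """An approved, planned change (hypothetical structure): which path
    patterns may change, and during which time window."""
    ticket: str
    patterns: tuple
    start: datetime
    end: datetime

    def covers(self, path: str, when: datetime) -> bool:
        return self.start <= when <= self.end and any(
            fnmatch.fnmatch(path, pat) for pat in self.patterns)


def classify(changes: list, detected_at: datetime,
             windows: list, noise_patterns: tuple) -> tuple:
    """Split raw changes into (expected, alerts).

    A change is expected when an approved window covers its path at the time
    of detection; files matching noise_patterns (logs, temp files) are dropped
    because they are not integrity-relevant. Everything else is an alert."""
    expected, alerts = [], []
    for change in changes:
        if any(fnmatch.fnmatch(change.path, pat) for pat in noise_patterns):
            continue
        ticket = next((w.ticket for w in windows
                       if w.covers(change.path, detected_at)), None)
        if ticket is not None:
            expected.append((change, ticket))
        else:
            alerts.append(change)
    return expected, alerts


# Constructed sample data: a baseline taken before a patch window and the
# state found afterwards. One OS file was patched (approved), a log grew
# (noise), and two web files changed with no ticket behind them.
BASELINE_FILES = {
    "C:/Windows/System32/kernel32.dll": b"kernel32 build 1",
    "C:/inetpub/wwwroot/login.aspx": b"<form>login v1</form>",
    "C:/inetpub/logs/access.log": b"GET / 200\n",
}
CURRENT_FILES = {
    "C:/Windows/System32/kernel32.dll": b"kernel32 build 2",
    "C:/inetpub/wwwroot/login.aspx": b"<form>login v1</form><!-- edited -->",
    "C:/inetpub/wwwroot/helper.aspx": b"new file nobody requested",
    "C:/inetpub/logs/access.log": b"GET / 200\nGET /login 200\n",
}
WINDOWS = [ChangeWindow(ticket="CHG-0001",   # constructed ticket id
                        patterns=("C:/Windows/System32/*",),
                        start=datetime(2014, 2, 11, 2, 0),
                        end=datetime(2014, 2, 11, 4, 0))]
NOISE = ("*.log", "C:/inetpub/logs/*")
DURING_WINDOW = datetime(2014, 2, 11, 3, 0)
AFTER_WINDOW = datetime(2014, 2, 11, 10, 0)


def triage(detected_at: datetime) -> tuple:
    """Return (raw_changes, expected, alerts) for the sample data."""
    raw = diff_baseline(hash_tree(BASELINE_FILES), hash_tree(CURRENT_FILES))
    expected, alerts = classify(raw, detected_at, WINDOWS, NOISE)
    return raw, expected, alerts


if __name__ == "__main__":
    raw, expected, alerts = triage(DURING_WINDOW)
    print(f"{len(raw)} raw changes, {len(expected)} expected, {len(alerts)} to investigate")
    for change in alerts:
        print(f"  ALERT {change.kind:8} {change.path}")
```

Run during the window, the four raw changes collapse to two alerts (the unexplained web-root edit and the new file), while the patched DLL is attributed to its ticket and the growing log is dropped. Run the same comparison well after the window closes and the DLL change is no longer covered, so it is raised as well: context is about when and where a change is allowed, not merely which files are watched.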
FIM is a fundamental factor in the overall fabric of security. That said, there is no doubt that the ‘reassuringly expensive’ solutions in the market have undermined the perception of FIM’s value. Having a poorly configured and misused FIM solution is more dangerous than not having one at all. The sad reality is that many organizations are simply flushing away a multimillion-dollar investment – and at the same time putting data security and system integrity at risk.
If FIM is to work for the business, individuals need to understand and trust the output. And that means it has to be quick to deploy, easy to use and simple to update. With the right approach, FIM adds value and truly safeguards the business – without adding unjustifiable cost.
For those organizations using FIM, it is time for honesty and to determine whether the current deployment is a friend or foe. For the rest, stop assuming FIM is too complex and expensive: times have changed. Not only is FIM approachable and attainable – but it has also never been more important.
Date: 11th February 2014 | UK/World | Type: Article | Topic: ISM