Can File Integrity Monitoring Catch Internal Threats?
One of your greatest information security risks is likely your employees, especially administrative users. The 2016 Verizon Data Breach Investigations Report (DBIR), in its analysis of the "Insider and Privilege Misuse" pattern, found that 77% of breaches in that category involved an insider. Almost one-third of these insiders have access to privileged information as a job function, such as IT administrators or similar roles.
The most disturbing recent trend is insider-outsider collusion, or insiders working in collaboration with outsiders for financial gain from breached data. The most common forms of insider threat that result in a data breach include:
- Privilege Abuse,
- Data Mishandling,
- Unapproved Hardware or Software, and
- Possession Abuse.
Verizon's analysts concluded that organizations should view all employees "with a healthy level of suspicion" which involves technical safeguards for monitoring use.
To take a deep dive into human infosec risks, we recommend What Your Information Security Policy is Missing: The Human Side.
What Does PCI Say About Insider Risks?
PCI DSS Requirement 10 covers tracking and monitoring all access to network resources and cardholder data. It requires automated audit trails, requires that those audit trails be secured so they cannot be altered (10.5), and calls for file integrity monitoring or change-detection software on log data so that existing log entries cannot be changed without generating an alert (10.5.5). Requirement 11.5 separately requires a change-detection mechanism on critical system, configuration and content files. Meeting these requirements is the floor; organizations may choose to exceed them.
Join us as we review whether file integrity monitoring software can reduce your insider threats. We'll also provide objective insight on how to evaluate options with privileged user risks in mind.
Can File Integrity Monitoring Protect Against Internal Threats?
In most cases, your average file integrity monitoring (FIM) solution does not mitigate insider risks. The important word here is "average." The vast majority of FIM solutions on the market do not monitor or log actions taken within the software itself.
This can actually introduce risk, especially if your employees are smart and have criminal intent.
With most FIM solutions, administrative users can manually disable the features. They can turn off monitoring of certain files or configurations, make their change, and re-enable monitoring or re-baseline afterwards. By removing technical oversight for that window, they're able to take negative actions without an audit trail. Even if they make terrible changes to critical system files, no alerts are generated and no one is notified.
Why FIM Audit Trails are Critical
CimTrak is one of very few FIM products with an audit trail that cannot be altered by users, including administrators. This means your administrative and privileged user actions within the FIM tool itself are continually recorded, which closes the blind spot in which an administrator could disable monitoring without leaving a record.
CimTrak's audit trail also allows total oversight into user activity. Any time a critical file or configuration is changed in a negative way, an alert is generated. These alerts clearly differentiate between positive, neutral, and negative changes.
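The property the two paragraphs above describe, a log of the FIM tool's own control-plane actions that an administrator cannot quietly edit, can be built with a hash-chained, append-only log. The following is an added example written for this article; it is not CimTrak code and does not describe CimTrak's internal design. Record fields, action names and the `AuditTrail` class are illustrative. It shows the "monitoring disabled" action being logged, then two tampering attempts: deleting the incriminating entry (caught by the chain itself) and rewriting the whole chain without it (caught only because the latest hash was anchored off-host).

```python
"""Tamper-evident audit trail for FIM control-plane actions (added example)."""
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # hash "before" the first entry


def _entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{payload}".encode()).hexdigest()


class AuditTrail:
    """Append-only log where each entry commits to the hash of the previous one."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, actor: str, action: str, target: str, ts: int) -> str:
        record = {"actor": actor, "action": action, "target": target, "ts": ts}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev, "record": record,
                 "hash": _entry_hash(prev, seq, record)}
        self.entries.append(entry)
        return entry["hash"]  # the new head; ship it off-host immediately

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, anchored_head: Optional[str] = None) -> tuple[bool, str]:
        """Recompute the chain; optionally compare the head to an off-host anchor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, f"chain broken at seq {i}"
            if e["hash"] != _entry_hash(prev, i, e["record"]):
                return False, f"entry {i} modified"
            prev = e["hash"]
        if anchored_head is not None and prev != anchored_head:
            return False, "head does not match off-host anchor (chain rewritten or truncated)"
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: an admin disables monitoring, then tries to hide it."""
    results = {}
    trail = AuditTrail()
    trail.append("svc-fim", "baseline_created", "/etc", ts=1000)
    trail.append("jdoe", "monitoring_disabled", "/etc/sudoers", ts=1010)  # the action itself is logged
    trail.append("jdoe", "monitoring_enabled", "/etc/sudoers", ts=1900)
    anchor = trail.head()  # assumed to be sent to a remote log server after each append
    results["clean"] = trail.verify(anchor)[0]

    # Attack 1: delete the incriminating entry in place. The entry that slides into
    # seq 1 carries seq=2 and prev=hash(entry 1), so the chain breaks immediately.
    t1 = copy.deepcopy(trail)
    del t1.entries[1]
    results["deleted"] = t1.verify()

    # Attack 2: rebuild the whole chain without the entry. A local check passes,
    # because every hash is self-consistent; only the off-host anchor exposes it.
    t2 = AuditTrail()
    for e in trail.entries:
        if e["record"]["action"] != "monitoring_disabled":
            t2.append(**e["record"])
    results["rewritten_local"] = t2.verify()[0]
    results["rewritten_anchored"] = t2.verify(anchor)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The second attack is the practical caveat: a hash chain alone only proves internal consistency. An administrator with write access to the log file can regenerate the entire chain, so the current head must leave the host (syslog to a server the administrator cannot write to, a write-once store, or a vendor console) as each entry is written, and verification must compare against that anchor.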
What About User Error and Security?
While malicious activity by administrative users is among the scariest forms of information security risk, decision makers should also consider risks related to human error and how the right FIM solution can help.
Some common forms of human error that can be introduced by individuals at varying levels of your organization can include:
- Falling prey to a phishing attack,
- System misconfiguration,
- Insufficient patch management,
- Lost devices (laptops or mobile),
- Emailing sensitive information to the wrong person, and
- Clicking on malicious URLs.
In many cases, the right FIM solution will give sufficient oversight of your network to detect negative changes that result from one or more of these insider errors. Agent-based FIM gives visibility into the state of individual devices, helping determine whether carelessness or a broken policy has left a device infected. It can also provide real-time insight into the aftermath of a phishing attack, or show when your configuration standards have drifted in a negative direction.
File Integrity Monitoring and Insider Risks: Other Things to Consider
While insider threats aren't the only consideration when selecting FIM, they're a critically important one. Other complementary and related factors to consider when evaluating potential FIM vendors include:
Does the FIM solution enable real-time detection?
While real-time detection isn't strictly required under PCI DSS (Requirement 11.5 calls for comparisons at least weekly), it is important. Data from the Verizon DBIR indicates that in most breaches the time from first action to compromise is measured in minutes, while discovery often takes weeks or months. Real-time discovery allows you to reverse changes immediately and limit the damage.
Does the solution distinguish between positive, neutral, and negative changes?
The more complex your network, the more value built-in intelligence can offer. In a complex network, a large volume of configuration changes is a normal part of daily operations. A FIM tool that can separate expected changes (an approved patch, normal log churn) from unexpected ones reduces alert fatigue and lowers the chance of overlooking an insider attack in progress.
Do you have the ability to immediately remediate negative changes?
Optimally, your FIM's centralized management portal should allow full change reversal.
Are you able to verify precise changes against original configurations?
The more detail an alert or FIM audit trail offers, the more informed your response. It's important to know when your organization's security or compliance is decreasing based on recent changes.
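The three evaluation points above (classifying changes, reversing negative ones, and showing the precise change against the original) all depend on the same thing: a baseline that keeps not just a hash of each critical file but a copy of its contents. The following is an added example written for this article, not CimTrak's code or a description of its implementation. It builds a baseline over a constructed directory tree, scans for changes, classifies each as positive (matches an approved change ticket), neutral (a path expected to churn) or negative (everything else), prints a unified diff for the negative change, and restores only that file. The approved-path set and the churn prefixes are assumptions standing in for a change-management feed and a policy file.

```python
"""Baseline, classify, diff and restore: a minimal file integrity check (added example)."""
import difflib
import hashlib
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Record hash, mode bits and a copy of content for every file under root.
    Keeping the content (not only the hash) is what makes diff and restore possible."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(data),
                "mode": p.stat().st_mode & 0o777,
                "content": data,
            }
    return baseline


def scan(root: Path, baseline: dict) -> list[dict]:
    """Compare the current tree with the baseline; one record per changed path."""
    current = build_baseline(root)
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            changes.append({"path": rel, "kind": "deleted"})
        elif rel not in baseline:
            changes.append({"path": rel, "kind": "added"})
        elif (current[rel]["sha256"] != baseline[rel]["sha256"]
              or current[rel]["mode"] != baseline[rel]["mode"]):
            changes.append({"path": rel, "kind": "modified"})
    return changes


def classify(change: dict, approved: set[str], churn_prefixes: tuple[str, ...]) -> str:
    """positive = covered by an approved change; neutral = expected churn; negative = alert."""
    if change["path"] in approved:
        return "positive"
    if change["path"].startswith(churn_prefixes):
        return "neutral"
    return "negative"


def diff_against_baseline(root: Path, baseline: dict, rel: str) -> str:
    """Unified diff of the baseline copy against the file as it is now."""
    old = baseline[rel]["content"].decode(errors="replace").splitlines()
    new = (root / rel).read_bytes().decode(errors="replace").splitlines()
    return "\n".join(difflib.unified_diff(
        old, new, f"baseline/{rel}", f"current/{rel}", lineterm=""))


def restore(root: Path, baseline: dict, rel: str) -> None:
    """Put the baseline copy (content and mode) back in place."""
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(baseline[rel]["content"])
    target.chmod(baseline[rel]["mode"])


def demo() -> dict:
    """Constructed tree: an approved MOTD edit, normal log churn, and an unapproved sudoers edit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "var/log").mkdir(parents=True)
        (root / "etc/sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "etc/motd").write_text("Authorized use only\n")
        (root / "var/log/syslog").write_text("boot\n")
        baseline = build_baseline(root)

        (root / "etc/motd").write_text("Welcome\n")                        # approved change
        (root / "var/log/syslog").write_text("boot\nlogin jdoe\n")          # expected churn
        (root / "etc/sudoers").write_text(
            "root ALL=(ALL) ALL\njdoe ALL=(ALL) NOPASSWD: ALL\n")          # the insider's edit

        approved = {"etc/motd"}            # assumed: fed from a change ticket
        churn = ("var/log/",)              # assumed: from policy
        verdicts = {c["path"]: classify(c, approved, churn) for c in scan(root, baseline)}
        sudoers_diff = diff_against_baseline(root, baseline, "etc/sudoers")
        for rel, verdict in verdicts.items():
            if verdict == "negative":      # reverse only the negative change
                restore(root, baseline, rel)
        remaining = [c["path"] for c in scan(root, baseline)]
        return {"verdicts": verdicts, "sudoers_diff": sudoers_diff, "remaining": remaining}


if __name__ == "__main__":
    out = demo()
    print(out["verdicts"])
    print(out["sudoers_diff"])
```

Two things a production agent does differently: it watches for changes as they happen (inotify or fanotify on Linux, a minifilter on Windows) rather than rescanning, and the baseline copies and the approved-change list live somewhere the monitored host's administrators cannot rewrite, for the same reason the audit trail must.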
Does the solution attribute changes to user IDs and originating IP address?
When you're performing a fast investigation on negative changes, details on the origin of a change can be helpful in distinguishing between insider threat, insider account compromise, and other issues. With detailed audit trails, you're able to perform smarter forensics.
FIM for Comprehensive Information Security
The right technical safeguards and tools for information security won't just focus on outsider threats. They'll also look inside your organization to ensure your internal users aren't taking malicious actions or acting in error.
By adopting a FIM solution that includes unalterable audit logs and real-time change reversal, you can substantially reduce very real risks. CimTrak offers best-of-class solutions for mitigating insider risks in today's information security environment. Our FIM technology creates accountability and visibility into the actions of your internal stakeholders, including administrators.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".