No security director wants to discover a data breach weeks or months after it's concluded. Real-time intrusion detection can be the difference between a security incident and an incident resulting in expensive data loss. While a comprehensive security policy is an important tool for a culture of detection, evaluating the right technologies is also key to discovery and compliance.
Regardless of where your organization stands on the technology adoption curve, picking the right tools is critical. An ineffective file integrity monitoring solution or intrusion detection tool may not mitigate enough risks. In this blog, you'll learn about the difference between file integrity monitoring and intrusion detection and how these two pieces fit together to support your security initiatives.
What is Intrusion Detection?
Intrusion detection is defined by NIST as the "process of monitoring the events occurring in... network and analyzing them for signs of possible incidents." The discovery and prevention of negative events during intrusion detection is referred to as intrusion prevention.
According to NIST guidelines, the four basic areas of technical monitoring for intrusion detection include:
- Network,
- Wireless,
- Network behavior, and
- Hosts.
Why Intrusion Detection?
By all accounts, today's cybercriminals are getting faster and smarter than ever before. There's been a rise in the industrial cybercrime organization, a high-tech company that operates much like a Silicon Valley startup. Today's hackers are highly-skilled, smart tech workers, not teenagers using someone else's code in their parents' basement.
Verizon research reports:
- 82% of attackers completed a compromise within a matter of "minutes."
- Only 25% of organizations that suffered an incident discovered the issue in a matter of days.
- 63% of confirmed data breaches involved leveraging weak, default, or stolen passwords.
Intrusion detection can enable your organization to detect and prevent negative changes in real-time, mitigating the negative impact of a security
For more insights on the state of information security, we recommend 7 Things to Know from Verizon's 2016 Data Breach Investigations Report.
What's the Difference Between File Integrity Monitoring and Intrusion Detection Systems?
Intrusion Detection Systems (IDS) are defined by UC Berkeley as "automated systems that monitor and analyze network traffic and generate 'alerts'. " Network-based IDS (NIDS) monitor network traffic in the form of packets. Alerts are generated using signature-based detection, or detection of statistical anomalies.
File Integrity Monitoring (FIM) solutions are an automated system monitoring various aspects of your critical system files and other infrastructure elements, which may include file contents, security attributions, permissions, registry settings, security policies, drivers, servers, local users, and groups.
FIM may work by completing scheduled "polling" of files, or with real-time change detection mechanisms. Two common variations of FIM include agent-based software, which monitors all connected devices and activity, and agent-less, which lives on a gateway server.
The difference between NIDS and FIM is the intrusion prevention aspect and the comprehensiveness of the tools. NIDS cannot detect encrypted traffic. In fact, the efficacy of your NIDS depends on the vendor's ability to keep up with signature updates.
Given the rapidly-changing nature of information security threats, it is not uncommon to have a threat that is not among the signatures recognized by a NIDS. CimTrak is the only file integrity monitoring solution that enables full intrusion prevention by enabling administrators to completely remediate changes
How Does File Integrity Monitoring Support Intrusion Detection?
Not all file integrity monitoring tools are equivalent, and many lack the capabilities to enable full intrusion detection and prevention. CimTrak is perhaps best defined as a Host Based Intrusion Prevention System (HIPS). This supports intrusion detection initiatives by:
- Monitoring at the kernel level, removing the need to depend on signatures of statistical calculations of abnormal activity.
- Logging all changes and using built-in intelligence to differentiate between positive and negative changes.
- Enabling full intrusion prevention through real-time reporting and the ability to remediate changes.
- Auditing and logging both external and internal activities to protect against insider threats.
Enabling Real-Time Intrusion Detection with File Integrity Monitoring
Does file integrity monitoring enable or support your real-time intrusion detection objectives? The short answer is "well, it depends." The right file integrity monitoring solution can enable unprecedented security by monitoring at the kernel level using built-in intelligence, providing real-time reporting, and logging with integrity.
CimTrak offers a comprehensive solution to your intrusion detection, integrity monitoring, and compliance needs. Our solution is the only file integrity monitoring tool that offers both convenient change remediation and protection against insider threats. To learn more, click here.
