Great security technology is expensive—but not nearly as pricey as the costs of non-compliance or a security breach. Gartner recently predicted that information security spending would become an $81.6 billion industry in 2016.
With the tools already in your security portfolio, the skills of your development team, and a little ingenuity, is it possible to build your own file integrity monitoring (FIM) system from the ground up? If you already have some of the tools, it may save you money, right? Well, not exactly.
For most organizations, the decision to build a file integrity monitoring franken-system is not the path of least resistance. A self-built system may offer some advantages over many open source file integrity monitoring solutions, but any custom software build is a massive undertaking.
However, to understand exactly what goes into the world's most effective file integrity monitoring solutions, join us as we review the necessary components for a secure FIM solution.
What are the Objectives of an FIM Franken-System?
If you're approaching the process from many common software development lifecycle models (SDLC), the first step is to gather requirements and document business requirements, to establish success metrics or user stories for your project.
For an agent-based file integrity monitoring system that meets leading specifications and provides advanced security, you may define the objectives as the following:
1. Detect Environment-Wide Changes
Depending on your network, your FIM system will likely need to monitor for changes in critical system files, servers, network devices, databases, active directory, point-of-sale systems (POS), and virtualized environments. In addition, there is the need to support nearly identical behavior of the FIM on multiple operating systems.
2. Provide Instant Notification
While you may choose to define success as meeting PCI requirements for weekly scans and scans after any major changes, real-time notifications offer superior situational intelligence.
3. Provide Documentation on Changes
To enable the smartest actions possible, your FIM system should provide documentation on all activities that take place within the network. Optimally, these logs should be an uneditable accountability trail that is human-readable and should provide built-in intelligence on the quality of changes and compliance status.
4. Take Action
To maximize the value of your homegrown FIM system, you may choose to design a system that enables full change remediation from the management console.
Elements of a Homegrown File Integrity Monitoring System
To achieve the goals of your file integrity monitoring franken-system, what is needed? Using existing or homegrown systems, here's a basic overview of what you'll need to acquire, create or build.
The master repository of your system will act as a centralized, secure storage point for your protected history and log files. While some open source and basic FIM solutions use the master repository as a place to store hashed copies of system scans, more sophisticated solutions will store entire compressed and encrypted copies of critical files to enable change remediation in the future.
Technical specifications for this aspect of your franken-system should include (but are not limited to) strong encryption, compression, file isolation, a rollback capability, and complete prevention of administrative overrides to maintain integrity.
Agents and Modules
The agents and modules of your franken-system will be responsible for monitoring your servers, network, and other components of your infrastructure; and for performing real-time communication with the master repository. While the exact actions may vary depending on the type of agent, the minimal functionality will include the hashing of data, identifying other key attributes of the data being monitored, and enforcing rules defined by established FIM policies. Your agents need the technical ability to determine whether changes are allowed based on configuration data and either log, refuse, or reverse changes accordingly.
The management console should be a user interface that directly integrates with the master repository. This should act as a web-based application, which allows credential-based access to administrators for remote management and configuration of policies that define how your servers and network devices are monitored.
From the management console, administrators need the ability to access reporting, review logs, respond to alerts, and restore files to a previous state based on data stored in the master repository.
While these details are by no means a comprehensive overview of all of the technical requirements or security best practices for building a file integrity monitoring system, it should provide a high-level overview of the scope of work that must be performed.
For additional insight into the components of an effective, agent-based FIM we recommend the following resources:
- How Does File Integrity Monitoring Work?
- CimTrak Technical Summary
- Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What You Need to Know
Is Building a Homegrown File Integrity Monitoring System Right for Me?
With average project costs ranging from tens of thousands of dollars to hundreds of thousands of dollars, a homegrown file integrity monitoring system is rarely the most cost-effective security solution for organizations. Due to the volume of data, and the binary data that needs to be potentially stored, many standard databases are unable to effectively serve the role of the master repository. The management console should ideally be a web application and must be created from scratch. Often multiple iterations of the user interface must be developed to find the simplest method to perform a task. In addition to the cost of custom application development, the efforts required to integrate your master repository, management console, and agents can be intensive and prohibitive.
If you are concerned about the costs of popular solutions for agent-based file integrity monitoring, CimTrak could be the right option for your budget and needs. A budget-friendly alternative, it offers comprehensive network coverage, real-time alerts, and the unique ability to remediate changes in real-time. Learn more today.
October 25, 2016