IT pros understand that not all open source products are created equal. Some of the most beloved tools for business and personal computing, including Firefox, WordPress, and Apache, are the result of successful, long-term open-source (OS) projects. However, when it comes to protecting your organization against information security threats, how do available OS options objectively stack up?
There are several open-source file integrity monitoring (FIM) systems on the market, and they differ considerably: the strengths of one solution can be the weaknesses of another. In this blog, we'll present a set of criteria that can serve as a helpful tool for evaluating any file integrity monitoring solution. Any successful software selection process should be guided by your unique needs and your risk tolerance.
1. Network Coverage
The structure of your network should dictate your approach to FIM, not vice versa. In general, the more complex your network, the more risks it carries and the more capable the FIM has to be.
Factors that can affect whether or not a given open source file integrity monitoring solution will mitigate enough risk include:
- The number of hosts monitored: not all OS FIM solutions are engineered for monitoring multiple hosts.
- Network structure: If your organization has multiple networks or segregated networks, this can affect ideal deployment and monitoring needs.
- Administration plans: Will you use a single administrator or multiple admins? While a single admin is more pragmatic for many small and mid-sized organizations, does the OS FIM solution offer built-in accountability or does it default to "super admin" powers?
- What are you trying to monitor? There's no right or wrong answer here. It depends on your needs and tolerance for risk. However, monitored elements that may or may not be built into your OS FIM could include both files and kernels.
2. Ease-of-Use and Implementation
It goes without saying that a product that's extraordinarily difficult to use, to the point where you simply don't have the resources to learn it, isn't the right choice.
Many OS and paid FIM solutions carry a steep learning curve. With OS solutions, this carries the obvious challenge of a lack of qualified support beyond forums and user-generated documentation. Prior to implementing, determine whether you're able to effectively create rules, decipher log messages, and otherwise close up vulnerabilities.
It's also important to consider baseline integrity when implementing OS FIM. FIM compares every future scan against the baseline it captured at installation, so an intrusion or compromise that already exists when the baseline is taken becomes the status quo and will never be detected. With most OS FIM, it's recommended that you implement the FIM solution at the same time as you install a fresh operating system.
3. Logging
Regardless of whether you're using the most basic OS FIM or the costliest paid version, the single most effective way to introduce risk into your organization is to disregard the logs. The quality of logging is especially critical with OS FIM, which may or may not include real-time alerts as a feature.
During the evaluation and setup phase, it's crucial to evaluate whether a solution receives, sorts, and archives alerts in logs.
Factors to consider should include:
- Is a log analysis application necessary to decipher the important information from the "noise," and what about compatibility, ease-of-integration, and ease-of-use?
- Are log entries coded by event to signify when a response is required?
- How much information is logged? A high volume of information can be critical to effective forensic investigation post-incident.
- Am I able to back up and archive read-only copies of data? This can be critical for internal accountability.
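The baseline and event-coding points above, shown in a minimal FIM loop. This is an added illustration, not code from the original post or from any product it mentions: the directory, file names and severity codes are constructed for the demo, and it shows why a file planted before the baseline never produces an event while later changes do.

```python
import hashlib
import os
import tempfile

# Severity code attached to each event so an operator can tell at a glance which
# log entries need a response (constructed mapping for this demo).
SEVERITY = {"added": "INFO", "modified": "WARN", "removed": "CRIT"}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan(root):
    """Map each regular file under root to (sha256, size, permission bits)."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            state[rel] = (sha256_file(full), st.st_size, st.st_mode & 0o777)
    return state

def compare(baseline, current):
    """Return (event, path, severity) tuples; files matching the baseline are silent."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append(("added", path, SEVERITY["added"]))
        elif path not in current:
            events.append(("removed", path, SEVERITY["removed"]))
        elif baseline[path] != current[path]:
            events.append(("modified", path, SEVERITY["modified"]))
    return events

def demo():
    """Constructed scenario: a file planted before the baseline is never reported."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    write("sshd_config", "PermitRootLogin no\n")
    write("audit.log", "type=LOGIN ok\n")
    write("planted.sh", "present before FIM was installed\n")  # pre-baseline compromise
    baseline = scan(root)                          # compromised state becomes the status quo
    write("sshd_config", "PermitRootLogin yes\n")  # post-baseline tampering: reported
    os.remove(os.path.join(root, "audit.log"))     # post-baseline deletion: reported
    write("cron_job", "0 3 * * * root /usr/local/bin/report\n")  # post-baseline addition
    return compare(baseline, scan(root))
```

Running `demo()` yields one removed, one added and one modified event, each carrying its severity code, and nothing at all about `planted.sh`.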
4. Features
Features of OS and paid FIM solutions can vary drastically. Prior to downloading, you should create a comprehensive list of business requirements. Based on your requirements analysis, you can determine whether the following features are necessary. The list below is not a comprehensive list of FIM features, but each item is certainly worth looking for.
- Centralized control
- Multi-platform support
- Master-agent configuration mode
- Advanced automation
- Real-time notifications
- Detection of negative changes prior to installation
- Differentiation between positive, neutral, and negative changes
5. Freemium Upgrade Issues
If you are opting for the OS freemium version of a paid platform, it's wise to evaluate what the transition would really involve if purchasing a license is a strong possibility in the future.
Depending on how similar or dissimilar the UI and other aspects of the OS and paid versions are, you could find that an upgrade creates another learning curve and additional adoption challenges for your platform admin.
6. OS Compatibility
The majority of OS FIMs are designed for Linux or Unix. Some support Windows and, more rarely, Mac OS. However, it's very important to understand the difference between official support and effective use. This is where user-generated reviews and support forums can come in handy.
Every IT professional with a background in OS products knows that just because an application can technically run doesn't mean it's optimal: you could be dealing with a dearth of high-quality information or with security gaps. In some cases, features may not work optimally. If operating system compatibility is low, an OS FIM can actually introduce network risks.
Is Open Source File Integrity Monitoring too Risky?
In some cases, OS FIM can reduce risk to an acceptable level. However, this depends on the factors discussed in this blog. If your IT admins have the appropriate skill set for effective implementation, you have an adequately simple network, and you're able to reconcile features with your needs, OS may be the right choice for you.
In other cases, such as situations where OS compatibility is questionable and you're unable to consistently decipher logs or are installing FIM on a compromised host, installing OS FIM may be riskier than not using FIM.
While some organizations have a choice, many companies are forced to explore FIM to comply with PCI-DSS. It's critical to evaluate whether the available OS FIMs are objectively the right fit for you; otherwise you may end up with only minimal risk mitigation.
Unlock Real-Time Protection and Built-in Intelligence
Today's IT managers need the ability to detect real-time changes in increasingly complex IT environments. Researchers have found that cybercriminals are able to gain entry to a company network and complete data retrieval in a record amount of time—often, just a matter of minutes. With network-wide, intelligent monitoring and smart alerts, you can finally unlock peace of mind.
To learn more about how CimTrak stacks up against your options for file integrity monitoring, download our definitive guide to FIM today.
June 16, 2016