Ninety-one percent of global organizations have adopted a risk-based security framework, according to Pricewaterhouse Cooper (PwC) research. For some 48%, this includes "active monitoring" of security intelligence. Real-time threat detection can enable security programs to protect against evolving threats. However, not all varieties of monitoring software are equivalent.
At a conceptual level, file integrity monitoring software works by detecting changes to critical files and configurations. Common flavors of integrity monitoring, including open-source (OS) and paid versions, may execute either real-time change detection or polling. In this blog, you'll learn about the subtle difference in how common types of file integrity software operate and how to evaluate which is best for you.
What is Polling in File Integrity Monitoring?
In the file integrity world, polling is the act of checking critical system files at designated intervals. This could be once per week in accordance with PCI-DSS guidelines or more or less frequently.
Polling is accomplished by calculating file attributes as hashes, which are compared to a preexisting or baseline scan of critical system files. This technique is the original approach to file integrity monitoring. Today, some open-source file integrity monitoring solutions and some paid solutions still rely on this method as opposed to real-time change detection.
Advantages of Polling-Based File Integrity Monitoring
- May improve security from a pre-implementation state
- May meet PCI requirement 11.5
- Could be lower cost, especially if an open-source option is selected
Disadvantages of Polling-Based File Integrity Monitoring
- Does not support real-time change detection
- Cannot appropriately detect issues if the baseline scan is compromised
- Extremely resource-intensive
- May not offer human-readable reporting
- Certain open source implementations may introduce risk
What is Real-Time Change Detection in File Integrity Monitoring?
Real-time change detection represents the next generation of file integrity monitoring and is aligned to meet the unique needs of modern enterprises. CimTrak was the first file integrity solution to operate at the kernel level.
This means instead of "polling" files against baseline hashes, the technology works to intercept file changes at the operating system level. This improves security while reducing the number of committed resources by detecting only the files that are changed in real-time. The net result of change detection-based file integrity monitoring is lower CPU cycles and disk I/O, with higher accuracy and forensics compared to a polling-based solution.
Advantages of Change Detection-Based File Integrity Monitoring
- Improved security through real-time change detection
- Lower resources utilization
- Allows your business to exceed PCI requirements
- Can help detect a data breach in progress
- May offer human-readable reporting and built-in intelligence
Disadvantages of Change Detection-Based File Integrity Monitoring
- It May be higher cost than a polling-based FIM solution, especially OS options
- Some sophisticated FIM solutions offer a steep learning curve
What are Some File Integrity Monitoring Solution Red Flags?
Making a decision about the right file integrity monitoring solution for your business is more complex than polling vs. change detection-based, though this factor is often a good place to start. Ultimately, the right FIM solution for your organization is one that offers inherent security and reduces risk to an acceptable level. If your solution has inherent security flaws or is not "robust enough", you could be at risk.
Red flags to consider should include:
- Unsecured Communications. Are all communications between components of the FIM software secured with encryption?
- Hash storage. It is common among some FIM solutions, particularly OS options, to require users to design a storage solution for hashes. Without appropriate database encryption, details of your critical files could be left open.
- Audit Logs. Audit logs should be encrypted, and more importantly, protected by built-in accountability that prevents administrative users from modifying audits or "turning off" audit logs for any period of time.
Is Polling or Real-Time Change Detection Best?
The right file integrity monitoring solution for your organization varies according to your needs, resources, risk tolerance, and other factors. However, for most organizations, a polling-based file integrity monitoring tool does not reduce risk to an acceptable level. In some other cases, certain open-source solutions can increase risks by leaving communications unsecured or allowing audit logs to be "turned off."
CimTrak is the only file integrity monitoring solution to offer true real-time change detection, built-in intelligence, and the ability to remediate negative changes. Download our Definitive Guide to File Integrity Monitoring to learn more today.
July 7, 2016