The vast majority of information security attacks prey on known vulnerabilities, according to research from the 2016 Verizon Data Breach Investigations Report (DBIR). Just ten vulnerabilities accounted for 85% of security incidents in the last year. As IT environments have become more complex, policy and knowledge aren't always enough to eliminate vulnerabilities.
Constant file and configuration changes are normal, and may not always signify malicious activity. Today's IT pros need the intelligence to distinguish between qualities of changes and maintain compliance in real-time. Join us as we review eight categories of changes that can signify a data breach in progress or other security issues.
1. File Contents
Sudden changes in the contents of critical system files can signify malicious activity in progress in your company's network. Cybercriminals may alter file contents or configurations to avoid detection after gaining entry to a network.
Red flags can include a sudden spike in the size of file contents, or unauthorized modification of files. Types of critical files that should be monitored include
- Application program files, and
- Operating system files.
2. File Configurations
Changes to critical file configurations can also be an attempt to disguise entry into a company's network in order to protect against detection. This can encompass changes to file contents by adding or deleting files or replacing files.
Targeting servers can be a tool for retrieving data or creating a denial-of-service attack by causing an organization's applications to cease operating. File integrity monitoring should cover physical, virtual, and cloud-based servers.
Negative categories of changes on monitored servers can include:
- OS files,
- System files,
- Data files,
- File attributes, and
- Windows Registry settings.
4. Network Devices
Changes in your network devices can leave your entire network vulnerable to attack, which necessitates real-time monitoring. Sudden changes in firewalls, routers, and switches can result from malicious insider or outsider activity.
More often, negative changes to network devices can also result from simple mistakes in normal configuration activities. However, gaining the intelligence to remediate negative changes in real-time can assist in maintaining compliance and security.
Your data is the lifeblood of your business. Sudden changes in your database activity can be a sign of normal business operations, or they can signify attempts at data retrieval and theft.
File integrity monitoring should observe database schema for signs of access and security changes, which can be indicative that retrieval attempts are in progress.
6. Active Directory
Active directory (AD) administration is complex, and the smallest changes can move your organization out of compliance in a matter of seconds.
In addition, AD logs are known for being difficult to decipher. Using an add-on tool, like a comprehensive file integrity monitoring solution designed for agent-based file integrity monitoring of AD is beneficial. With the help of file integrity software, organizations can gain insight into the quality of changes.
7. Point of Sale Systems
For retailers and other individuals who utilize point-of-sale systems, these devices can represent significant potential for vulnerabilities. Target and Home Depot are just two high-profile examples of point of sale-originated data breaches.
In most cases, IT professionals are responsible for achieving and maintaining POS security post implementation. This requires a tool for real-time observation in order to ensure your payments aren't vulnerable. Monitoring the security of these devices is crucial to protect against emerging vulnerabilities and threats.
8. VMWare Configurations
For organizations with virtualized environments, monitoring for negative changes in VMWare ESX and ESXi host configurations is crucial. Small changes can compromise hundreds of guest virtual operating systems.
File Integrity Monitoring: Beyond Pure File Attributes
Today's IT professionals and networks need real-time intelligence on a network-wide basis. While monitoring critical file attributes can offer insight into insider or outsider threats, it doesn't reveal the full picture about emerging vulnerabilities.
With the help of CimTrak, a real-time, agent-based file integrity monitoring solution that operates at the kernel level, you can gain real-time insight into your entire network. From databases to network devices, Cimcor enables IT teams to achieve full oversight and mitigate risks.
For more information on Cimcor's security products, click here.
July 20, 2016