Every organization’s worst information security nightmare can involve a cyber-crime attack, malware, or information theft, when left undetected becomes a full-blown crisis. Security attacks can occur 24/7, which is why using technology for regular viewing of user and file activity can be crucial to detecting unusual patterns or spikes in behavior. Using critical file integrity monitoring for Windows isn't just required for Payment Card Industry Data Security Standards (PCI-DSS) compliance. It's necessary for information security practices at organizations of any size.
What is File Integrity Monitoring?
Post-implementation, file integrity monitoring software performs an initial scan of critical files. On a periodic or real-time basis, the same files are scanned to compare configurations to the original version. If any changes are detected, it results in an alert which is logged and sent to the administrator for review.
Depending on the specifications and scope of your software, the scan may include file contents, security attributes, permissions, registry settings, security policies, drivers and services, local users, and groups. Weekly scanning is required by Payment Card Industry Data Security Standards 10.5.5 and 11.5. However, an organization who is not required to comply with PCI-DSS can still benefit from the security layer associated with file integrity monitoring software.
What is File Integrity Monitoring for Windows?
For Microsoft network security, file integrity monitoring tracks changes to configurations, files, and file attributes. Monitored assets include:
- Web configuration
- Database (DB)
- Dynamic-link Library (.dll)
- Executables (.exe)
- Other critical system files
When a system is compromised, cyber criminals will typically alter certain key files to prevent detection while gaining access to personal information, financial statements, card transactions, and other protected information. An agent-based file integrity monitoring tool for Windows network security will continually review Windows system files, including program files, DLLs, drivers, and installed programs, to detect changes in real-time.
Depending on your solution and configuration changes, your tool may continually notify you of changes that include:
- Files modified
- Files deleted
- Permission changes
- Audit changes
- Files Copied
In addition to these basic criteria, it's important to consider aspects that include ease-of-use and configuration, and total cost of ownership (TCO) before purchase.
1. Reporting Quality
If any changes are detected, your administrator needs the information to quickly take action. There's a lot of data that results from the daily operations of your servers, active directory settings, network devices, and other components of your IT infrastructure. Ideally, it should be easy for administrators to tell the difference between positive changes, neutral changes, and changes that are reflective of risks.
2. Affordable Cost of Ownership
Software licensing or initial cost of purchase isn't the only factor to consider when calculating lifetime ownership costs.
Do installation and setup require hours of expertise from an infrastructure engineer, or can it be done quickly and easily? Will you be able to begin receiving reports on scans within minutes, or can you anticipate your IT admins requiring hours of vendor-led training?
Evaluating the product's ease-of-implementation and its learning curve can reveal true insight into the total cost of ownership.
Your security tools should never introduce network vulnerabilities. Evaluate how the components of file integrity monitoring interact and the layers of protection around the reporting. File integrity monitoring should work with your security staff to protect critical files, not build pathways to access it.
4. Additional Features
Does your solution offer integrity monitoring only or complimentary services? Examples of features that can enhance your security response can include:
- Proactive Incident Response
- Change control
5. Automatic File Discovery
The concept of automatic file discovery may also be referred to as "agent-based vs. agentless" monitoring. Agent-based, or automatic file discovery, software has the potential to discover changes in real-time. Agentless, or non-automatic file discovery, runs at periodic intervals that are set by the software manufacturer or a member of the IT team.
The second option can introduce a significant amount of risk, particularly if the scheduled period between scans is lengthy. Ultimately, the decision between agent-based versus agentless monitoring should depend on your organization's needs and risk tolerance.
6. Flexible Scan Scheduling
PCI 11.5 calls for file-integrity monitoring software to identify changes on a weekly basis. For organizations who do not purchase an automated or agent-based file monitoring solution, it may be wise to select a product with flexible scan scheduling. This feature can allow you to control scan frequency.
7. Remote Management
Your system administrator or IT staff who review the results of your file integrity monitoring may not always be located on-site. Does your software include cloud-based remote access for real-time response to reporting?
Your admin should have the capability to remotely perform each of the following actions:
- Review and assess changes
- Reverse file changes
- Completely prevent file changes
8. Ease of Use
When it comes to sophisticated software products, like file integrity monitoring, ease of use may be closely tied to the total cost of ownership. Your software should not exceed your staff's ability to:
In addition to providing enough ease-of-use, vendor support offerings such as live support and documentation can have a significant impact on quality of experience.
9. Exceeding PCI Compliance Requirements
By utilizing a product which scans critical files more than once per day, businesses can increase security, reduce risk, and exceed PCI requirements. With a file integrity monitoring solution that is designed with the latest PCI guidelines in mind, organizations can ensure file settings meet or exceed compliance standards. Ideally, your solution should detail PCI requirements in implementation, to facilitate easy compliant configuration.
To maintain Windows network security and meet PCI requirements, file integrity monitoring software can provide organizations with the ability to detect and reverse changes in real-time. By considering factors that include cost of ownership and ease-of-use before implementation, you can ensure that your solution meets your needs.
Cimcor's CimTrak is the leading choice for easy-to-use, affordable file integrity monitoring for Windows. CimTrak offers the unique feature of real-time change reversal for security administrators. To schedule a product demo, click here.
May 3, 2016