The CIA Triad

The CIA Triad references basic security principles from the early 1990s specific to Confidentiality, Integrity, and Availability. These three pillars stand as the fundamentals of software security. Every security best practice or framework references the need for these three pillars either by title or described in principle within the various domains or safeguard definitions.

Over time, we’ve come to know and understand what confidentiality and availability mean from the likes of Gartner and other analysts. However, one overlooked element has been the lack of definition of what integrity means to the software security practitioner and industry at large. So, what does integrity mean?

Integrity is often associated with File Integrity Monitoring (FIM), but the problem with this concept is that integrity is not achieved simply by detecting change. The real question is about the change itself. Was the change good or bad, expected or unexpected, malicious or accidental?

This blog will discuss integrity and its importance to an overall security strategy and mitigation of risk.

FIM and the CIA Triad

Over the past two decades, the end game of FIM stalled for a variety of reasons. The first integrity company became stagnant and lacked innovation, which continued to fuel the market's perception that deploying an effective integrity management tool or platform, one that could determine whether changes were good or bad, is complex and difficult. While determining good from bad seems simple in concept, the reality is that the detection of change is the trigger that kicks off a process that includes a series of detective controls that provide evidence that the change is either authorized or not. There is a multitude of controls that encompass a CIA framework, where the most basic and foundational controls have become well documented in best practice frameworks and various other bodies of work.

As highlighted, what has not been very well established or discussed is the definition of "integrity." If twenty different security experts were asked the definition of integrity, there would certainly be twenty different answers.

Integrity is the confidence and certainty that the appropriate controls and workflow processes are in place to ensure the accuracy and consistency of data throughout its entire life cycle of operation.

When there is a deviation in that data (i.e. a change) and no checks and balances to determine whether that change was authorized or not, that is when we have integrity drift, and risk is introduced to the security posture of the infrastructure.

One fundamental difference in delivering an integrity solution is that it must steer away from the traditional view that everything must be managed by knowing and managing the bad in order to understand the good. This has never worked and never will. We must manage from a state of good, or authorized, change, where by default everything else is a circumvented or malicious change. It's that simple.

The analogy is the human body. Our bodies don't carry a list of everything that is bad. Instead, white blood cells, part of the immune system, protect the body from infection. These cells circulate throughout the body and respond to injury or illness by attacking any unknown organisms that enter it. In software security terms, the white blood cells are the baseline, the integrity of the health of your infrastructure.

What is Integrity Management?

Let’s dive into integrity and understand what those controls and processes look like. An integrity management platform must be able to provide the following controls and functionality with a workflow and ticketing system to create a closed-loop environment of change. This process can determine, after the detection of change, if that change was expected or unexpected.

  • System Hardening - Validate and verify that your infrastructure is hardened and secure, with either CIS Benchmarks or DISA STIGs as your root of trust.
  • Configuration Management - The management and control of configurations and baselines for an information system, to enable security and facilitate the management of risk.
  • Change Control - The process of regulating and approving changes throughout the entire operational life cycle of an information system.
  • Change Reconciliation - Compare observed changes against expected/authorized changes to highlight unwanted changes, which are by definition malicious or circumvented.
  • Change Prevention - Prevent changes entirely for those files and directories that should never change, stopping a security breach or problem before it starts.
  • Roll-back and Remediation - Restore to a trusted baseline. This is NOT to be confused with reprovisioning; the two are very different.
  • File Allow-Listing - Leverage a database of known and trusted files, each with a unique hash (fingerprint or signature) and metadata, to validate and verify the integrity and authenticity of any file.
  • File Reputation Services - A database of malware signatures that can be used as ancillary data to identify malicious and dangerous files and block them from execution.
  • Digesting STIX/TAXII Feeds - Feed continuous streams of threat intelligence into real-time security decisions and the evaluation of vulnerability risk.
  • Workflow and Ticketing System - A process for managing a change once it has been detected.

Coupling the controls described above with a closed-loop workflow process enables security practitioners to achieve the fundamental business requirements of integrity while also reaping the benefits of increased availability, reliability, and ongoing compliance.
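The closed loop described above, as an added Python example that is not CimTrak's or Cimcor's code: a hashed baseline, change detection as the trigger, reconciliation that treats anything not matching an approved ticket or the allow-list as unauthorized by default, change-prevention paths, and roll-back to the trusted baseline. File paths, contents, ticket and allow-list data are constructed samples standing in for a real filesystem and ticketing system.

```python
import hashlib

def fingerprint(data: bytes) -> str:
    """Unique hash (the file's 'fingerprint') identifying its exact content."""
    return hashlib.sha256(data).hexdigest()
def snapshot(files: dict) -> dict:
    """System state as path -> fingerprint; 'files' stands in for a real filesystem."""
    return {path: fingerprint(data) for path, data in files.items()}
def detect_changes(baseline: dict, current: dict) -> dict:
    """Detection is only the trigger: every path whose hash deviates from the baseline."""
    return {p: (baseline.get(p), current.get(p))
            for p in baseline.keys() | current.keys() if baseline.get(p) != current.get(p)}
def reconcile(changes: dict, authorized: dict, allow_list: set, never_change: set) -> dict:
    """Verdict per change; anything not ticketed or allow-listed is unauthorized by default."""
    verdicts = {}
    for path, (_old, new) in changes.items():
        if path in never_change:                       # change-prevention paths
            verdicts[path] = "unauthorized (protected path)"
        elif path in authorized and authorized[path] == new:   # ticket: path -> expected hash
            verdicts[path] = "authorized (ticket)"             # (None = approved deletion)
        elif new in allow_list:
            verdicts[path] = "authorized (allow-listed file)"
        else:
            verdicts[path] = "unauthorized"
    return verdicts
def roll_back(current_files: dict, baseline_files: dict, verdicts: dict) -> dict:
    """Restore only unauthorized paths to the trusted baseline (not a reprovision)."""
    restored = dict(current_files)
    for path, verdict in verdicts.items():
        if verdict.startswith("unauthorized"):
            if path in baseline_files:
                restored[path] = baseline_files[path]
            else:
                restored.pop(path, None)               # unexpected new file: remove it
    return restored

# Constructed sample data: a known-good baseline and the same system observed later.
BASELINE_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n", "/usr/bin/app": b"app-v1"}
CURRENT_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n",  # edited, no ticket
                 "/usr/bin/app": b"app-v2",                         # approved upgrade
                 "/usr/lib/vendor.so": b"vendor-lib-1.0",           # allow-listed file
                 "/tmp/unknown.bin": b"unknown binary"}             # unexpected addition
AUTHORIZED = {"/usr/bin/app": fingerprint(b"app-v2")}   # from the approved change ticket
ALLOW_LIST = {fingerprint(b"vendor-lib-1.0")}           # hashes of known-trusted files
NEVER_CHANGE = {"/etc/ssh/sshd_config"}                 # must never change

def run_example():  # returns (verdicts, files after roll-back)
    changes = detect_changes(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    verdicts = reconcile(changes, AUTHORIZED, ALLOW_LIST, NEVER_CHANGE)
    return verdicts, roll_back(CURRENT_FILES, BASELINE_FILES, verdicts)
```

Only the two ticketed or allow-listed changes survive; the unticketed edit to a protected file and the unexpected new file are flagged and reverted to the baseline, which is the "integrity drift" the post describes.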

The Benefits of Integrity Management

  • Detect security breaches/incidents in seconds as opposed to the industry average of 212 days.
  • Contain security breaches/incidents in seconds as opposed to the industry average of 75 days.
  • Early indication of a software supply chain security issue, based on unauthorized changes occurring.
  • Integrity functionality is the ONLY way to identify and prevent ransomware payloads from being added and executed.
  • Detect zero-day breaches.
  • Continuous compliance by capturing integrity evidence that demonstrates the controls are not only in place but operating as expected.

[Figure: CIA_Triad_alignment radar graph]

The radar graph above depicts the integrity functionality provided by CimTrak and its alignment with integrity. To learn more about how CimTrak delivers a fully encompassing integrity management solution that aligns with the "I" in the CIA Triad, click the SANS WhatWorks link here to learn more about SANS and Cimcor uncovering the benefits of a Next-Gen FIM solution.

Post by Mark Allers
February 14, 2023
Mark is the VP of Business Development at Cimcor and is responsible for driving the strategic focus and alignment with industry initiatives and partnerships. Mark has held executive management positions at six enterprise software companies and one venture capital firm over the past two decades.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.