In cybersecurity, the CIA Triad—Confidentiality, Integrity, and Availability—defines the three pillars of information security. Integrity, however, is often the least understood. So, what does integrity in the CIA Triad actually mean?

 

The CIA Triad

The CIA Triad refers to basic security principles dating from the early 1990s: Confidentiality, Integrity, and Availability. These three pillars stand as the fundamentals of software security. Every security best practice or framework references the need for these three pillars, either by title or in principle, within its various domains or safeguard definitions.

Over time, we’ve come to know and understand what confidentiality and availability mean from Gartner and other analysts. However, one overlooked element has been the lack of definition of integrity for software security practitioners and the industry at large. So, what does integrity mean?

Integrity is often associated with File Integrity Monitoring (FIM), but the problem with this concept is that integrity does not occur simply by detecting change. The real question is about the change itself. Was the change good or bad, expected or unexpected, malicious or accidental? 

Integrity in the CIA Triad means ensuring that data remains accurate, consistent, and trustworthy across its entire lifecycle. 


 

How Does File Integrity Monitoring Relate to the CIA Triad?

Over the past two decades, the end game of FIM became stalled for various reasons. The first integrity company became stagnant and lacked innovation, fueling the market's perception of the complexity and difficulty of deploying an effective integrity management tool or platform that could determine if changes were good or bad.

While distinguishing good from bad seems simple, in practice the detection of change is only the trigger: it kicks off a process that includes a series of detective controls that provide evidence that the change is either authorized or not.

There is a multitude of controls that encompass a CIA framework. The most basic and foundational controls have become well-documented in best practice frameworks and various bodies of work.


As highlighted, the definition of “integrity” has not been very well established or discussed. If you were to ask twenty different security experts the definition of integrity, there would certainly be twenty different answers.


Integrity is the confidence and certainty that the appropriate controls and workflow processes are in place to ensure the accuracy and consistency of data throughout its entire lifecycle of operation.


When there is a deviation in data (i.e., a change) and no checks and balances to determine whether that change was authorized, integrity drift occurs, and risk is introduced to the security posture of the infrastructure.

One fundamental difference in delivering an integrity solution is steering away from traditional views - no longer assuming that you need to manage the bad to understand the good. That does not and will never work. We must manage from a state of good or authorized change, where, by default, everything else is considered a circumvented or malicious change.

Take the human body, for instance. Our bodies don’t have a list of all that is bad. Human bodies have white blood cells, a part of the immune system that protects the body from infection. These cells circulate throughout the body to respond to injury or illness by attacking any unknown organisms that enter. In software security speak, white blood cells are the baseline, or integrity, of your infrastructure's health.

 

What is Integrity Management?

Let’s dive into achieving integrity and understand what those controls and processes look like.

Integrity management focuses on maintaining and safeguarding the trustworthiness and reliability of data and systems. This is accomplished by preventing unauthorized changes and effectively combating breaches.

An integrity management platform must be able to provide the following controls and functionality with a workflow and ticketing system to create a closed-loop environment of change. After a change is detected, this process can determine if that change was expected or unexpected.

  • System Hardening - Validate and verify that your infrastructure is hardened and secure with either CIS Benchmarks or DISA STIGs as your root of trust.
  • Configuration Management - The management and control of configurations and baselines for an information system to enable security and facilitate the management of risk.
  • Change Control - The process of regulating and approving changes throughout the entire operational life cycle of an information system.
  • Change Reconciliation - Compare observed changes against expected/authorized changes to highlight unwanted change(s) that are then malicious or circumvented.
  • Change Prevention - Prevent changes entirely for those files and directories that should never change, avoiding the start of a security breach or problem.
  • Roll-back and Remediation - Restore to a trusted baseline. This is not to be confused with reprovisioning—these two are very different!
  • File Allow-Listing - Leverage a database of known and trusted files with a unique hash (fingerprint or signature) and metadata to validate and verify the integrity and authenticity of any file(s).
  • File Reputation Services - Database of malware and signatures that can be used as ancillary data to identify and block malicious and dangerous files from execution.
  • Digesting STIX/TAXII Feeds - Analyze and evaluate real-time security decisions and vulnerability risks with continuous streams of threat intelligence feeds.
  • Workflow and Ticketing System - A process for managing change once a change has been detected.

Coupling the described controls above with a closed-loop workflow process enables security practitioners to achieve the fundamental business requirements of integrity while also reaping the benefits of increased availability, reliability, and ongoing compliance.
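The change reconciliation control listed above, combined with a hash baseline, as an added example (not CimTrak's code and not part of the original post). The helper names, file names and ticket ids are hypothetical; the point it shows is default deny, where a change counts as authorized only if a ticket names the path and the resulting hash matches what was approved.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def snapshot(root: Path) -> dict:
    """Map each file under root (relative path) to the SHA-256 of its content."""
    return {p.relative_to(root).as_posix(): sha256(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}

def reconcile(baseline: dict, observed: dict, approved: dict) -> list:
    """Classify every deviation from the trusted baseline (default deny).
    approved maps path -> (ticket id, hash expected after the change, or None
    for an approved deletion). A change is authorized only when a ticket names
    that path AND the observed result matches what was approved.
    """
    findings = []
    for path in sorted(baseline.keys() | observed.keys()):
        old, new = baseline.get(path), observed.get(path)
        if old == new:
            continue  # no drift for this file
        kind = "added" if old is None else "deleted" if new is None else "modified"
        ticket, expected = approved.get(path, (None, None))
        ok = ticket is not None and expected == new
        findings.append((path, kind, "authorized" if ok else "unauthorized",
                         ticket if ok else None))
    return findings

def demo() -> list:
    """Constructed scenario: approved edit, edit that differs from its ticket, unticketed file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_bytes(b"tls=on\n")
        (root / "sshd_config").write_bytes(b"PermitRootLogin no\n")
        baseline = snapshot(root)
        # Change tickets (ids are made up) record the exact expected result.
        approved = {
            "app.conf": ("CHG-1001", sha256(b"tls=on\nhsts=on\n")),
            "sshd_config": ("CHG-1002", sha256(b"PermitRootLogin no\nPort 2222\n")),
        }
        (root / "app.conf").write_bytes(b"tls=on\nhsts=on\n")         # as approved
        (root / "sshd_config").write_bytes(b"PermitRootLogin yes\n")  # not as approved
        (root / "new_tool.bin").write_bytes(b"constructed sample")    # no ticket
        return reconcile(baseline, snapshot(root), approved)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The `sshd_config` edit has a ticket but is still flagged, because the observed hash is not the one the ticket approved; a path-only approval would have let it through.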

 

What are the Benefits of Integrity Management?

  • Detect security breaches/incidents in seconds as opposed to the industry average of 181 days.
  • Contain security breaches/incidents in seconds as opposed to the industry average of 60 days.
  • Early indication that there is a software supply chain security issue based on unauthorized changes occurring.
  • Integrity functionality is the ONLY way to identify and prevent ransomware payloads from being added and executed.
  • Detect zero-day breaches.
  • Continuous compliance by capturing integrity evidence that demonstrates the controls are not only in place but operating as expected.

These benefits all begin with establishing a secure baseline through system hardening, which ensures your environment starts from a trusted state before monitoring and remediation take place.

[Figure: CIA_Triad_alignment (radar graph)]

The radar graph above illustrates the integrity functionality delivered by CimTrak and how those capabilities align with the "I" in the CIA Triad. To learn more, view the SANS WhatWorks interview, where SANS and Cimcor highlight the real-world benefits of a Next-Gen FIM solution.


Post by Mark Allers
September 25, 2025
Mark is the VP of Business Development at Cimcor and is responsible for driving the strategic focus and alignment with industry initiatives and partnerships. Mark has held executive management positions at six enterprise software companies and one venture capital firm over the past two decades.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real-time.