CimTrak vs. IDS/IPS

CimTrak vs. Intrusion Detection and Intrusion Prevention Systems?

Many people assume CimTrak is an Intrusion Detection System. Most Intrusion Detection Systems (IDS) are deployed as a Network-Based Intrusion Detection System (NIDS).

CimTrak can more appropriately be referred to as an Intrusion Prevention System (IPS), and more specifically as a Host-Based Intrusion Prevention System (HIPS) or a System Integrity Verifier (SIV).

A Network-Based IDS is certainly a valuable tool, but what happens when something gets past your NIDS, or when a threat is internal and already inside your network?

Intrusion Detection Systems

First, let’s examine Network-Based Intrusion Detection Systems. A Network-Based IDS generally monitors network traffic by examining the packets that pass through it. A NIDS operates using one of two methods, or uses both simultaneously. The first method is signature-based detection, which functions much like an anti-virus program. The second method is statistical anomaly detection. In statistical anomaly detection, the NIDS gathers information about the network traffic upon deployment. Once it has gathered enough information about the traffic, it calculates what is “normal” network traffic and what is “abnormal” and potentially harmful to the system.

Is An IDS Enough?

Network-Based Intrusion Detection Systems can be circumvented in a number of ways. First, a NIDS cannot detect intrusions carried in encrypted traffic, and it can be overwhelmed with network traffic, causing it not to examine all of the packets passing through. This can allow a potentially malicious payload to enter your network. Further, if a NIDS is not kept current with the latest signature updates, or if it fails to recognize an anomaly, a blind spot will exist.

With the exponential rise in malicious code being produced today, new attacks originate on an almost daily basis. New malicious code (a zero-day attack) may not be recognized by the IDS, as it has no information on the new attack. Further, once the code is released and recognized, someone has to program the NIDS to watch for the attack; otherwise the attack can compromise the system again. What this means for your enterprise is that someone will need to regularly spend time updating the NIDS to recognize new attacks in order for it to function optimally. A NIDS that utilizes anomaly detection may fail to recognize an anomaly, allowing a malicious payload into your system. An attacker can also use various evasion techniques to keep malicious code from being detected by an IDS. One simple way of doing this is to purposefully trigger a large number of alerts, which can disguise an actual attack.

While Network-Based Intrusion Detection Systems can be helpful in some cases, they generally require a great deal of human intervention to function optimally. Possibly the largest negative for a NIDS is its inability to proactively respond to an attack. The NIDS simply alerts personnel, who then have to a) decide if the alert is a genuine threat, and b) if it is, determine and execute a response. Intrusion Prevention Systems (IPS) can help address this shortfall by actively responding to potential intrusions.

CimTrak, Your Last Line Of Defense

CimTrak can be broadly defined as a Host-Based Intrusion Prevention System (HIPS). Because CimTrak is host based, it is much more effective at detecting and remediating risks to individual systems. CimTrak protects files on the system and has the capability to instantly restore files to their authoritative state. After initially telling CimTrak which files to monitor, CimTrak requires no further user input to effectively mitigate changes to a monitored file. CimTrak does not use signatures or rely on detecting anomalies. CimTrak works by monitoring a hash of each monitored file. If the hash changes, CimTrak knows that the file has changed and can immediately take corrective action. CimTrak stores the hashed files in an encrypted database, which ensures that they are secure and cannot be altered as a means of circumventing the system. CimTrak does not distinguish between changes made over an internal connection and those made over an external one, nor is it concerned with the difference. It has the ability to stop changes such as those resulting from a zero-day attack, the introduction of malicious code by a disgruntled employee, or an accidental change that would hobble a critical business application. CimTrak can stop intrusions that may escape detection by an IDS or IPS, making it an invaluable part of a security-in-depth strategy.
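As an added illustration (not CimTrak's own code), the hash-baseline-and-restore approach described above in Python: it records a SHA-256 baseline and an authoritative copy of each monitored file, flags files that are modified or deleted, verifies the authoritative copy against the baseline before restoring from it, and confirms the files are back in their baseline state. The file names, contents and store layout are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

# Added illustration of hash-based integrity monitoring with restore; not CimTrak's own code.
# Baseline maps path -> SHA-256; an authoritative copy keyed by digest lives in store_dir.
def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, store_dir):
    """Record each file's digest and keep an authoritative copy of it."""
    os.makedirs(store_dir, exist_ok=True)
    baseline = {p: sha256_of(p) for p in paths}
    for p, digest in baseline.items():
        shutil.copy2(p, os.path.join(store_dir, digest))
    return baseline

def detect_changes(baseline):
    """Paths whose current digest differs from the baseline (a deleted file counts)."""
    current = {p: (sha256_of(p) if os.path.exists(p) else None) for p in baseline}
    return [p for p, d in current.items() if d != baseline[p]]

def restore(baseline, store_dir, changed):
    """Copy the verified authoritative version back over each changed file."""
    for p in changed:
        src = os.path.join(store_dir, baseline[p])
        if sha256_of(src) != baseline[p]:  # refuse to restore from a tampered store
            raise RuntimeError("authoritative copy for %s does not match baseline" % p)
        shutil.copy2(src, p)
    return detect_changes(baseline)  # empty once every file is back in its baseline state

def demo():
    """Constructed scenario: baseline two files, then modify one and delete the other."""
    root = tempfile.mkdtemp()
    store = os.path.join(root, "store")
    files = [os.path.join(root, n) for n in ("httpd.conf", "index.html")]
    for p, body in zip(files, (b"Listen 80\n", b"<h1>hello</h1>\n")):
        with open(p, "wb") as f: f.write(body)
    baseline = build_baseline(files, store)
    with open(files[0], "ab") as f: f.write(b"# unauthorized edit\n")
    os.remove(files[1])
    changed = detect_changes(baseline)
    remaining = restore(baseline, store, changed)
    shutil.rmtree(root)
    return len(changed), remaining
```

Running `demo()` reports two changed files and an empty list after restore; a real deployment would protect the store and baseline from the same write paths it monitors, which is the role the page assigns to CimTrak's encrypted database.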
