File Integrity Monitoring: Why Change Management is the Best Security Measure You Can Implement

Introduction

With the growing awareness that cyber security is an urgent priority for any business, there is a ready market for intelligent and automated security defenses. The silver bullet against malware and data theft is still unfolding (I promise!), but in the meantime there are hordes of vendors who will sell you the next best thing.

The problem is, who do you turn to? According to, say, the Palo Alto firewall guy, his device is the main thing you need to better protect your company’s intellectual property, although if you talk to the guy selling the FireEye sandbox later, he may very well disagree, saying you need one of his boxes to protect your business from malware. Even then, the McAfee guy will tell you that endpoint protection is where it is at – their Global Threat Intelligence approach should cover you for all threats.

In one respect, they are all right at the same time – you need a layered approach to security defenses, and you can hardly ever have “too much” security. So is the answer as simple as “buy and implement as many security products as you can”?

Cybersecurity defenses: can you have too much of a good thing?

Before you compile your shopping list, keep in mind that this is all really expensive, and the idea of buying a smarter firewall to replace your current one, or buying a sandbox device to augment what your MIMEsweeper already offers to a great extent, demands a pause for thought. What is the best return on investment available, considering all the security products on offer?

Arguably the best value for money security product is not really a product. It has no flashing lights, not even a sexy-looking case that will look good in your communications cabinet, and the datasheet features don’t include any impressive packet-per-second ratings. However, what a good Change Management process will give you is complete visibility and clarity of any malware infection, any potential weakening of defenses, and also control over service delivery performance.

In fact, many of the best security measures you can take may seem a bit boring (compared to new network kit, what doesn’t seem boring?), but to provide a truly secure IT environment, security best practices are essential.

Change management: the good, the bad and the ugly (and the downright dangerous)

There are four main types of changes within any IT infrastructure:

  • Good planned changes (expected and intentional, which improve service delivery performance and / or improve security)

  • Poorly planned changes (intentional, expected, but poorly or incorrectly implemented that degrade service delivery performance and / or reduce security)

  • Good unplanned changes (unexpected and undocumented, usually emergency changes that fix problems and / or improve security)

  • Incorrect unplanned changes (unexpected, undocumented, and unintentionally creating new problems and / or reducing security)

A malware infection, whether introduced intentionally by an insider or by an outside hacker, also falls into the last category of incorrect unplanned changes. Likewise, a rogue developer implanting a backdoor in a corporate application. The fear of a malware infection – be it a virus, a Trojan, or the new malware buzzword, an APT – is often the CISO’s top concern and helps sell security products, but should it be?

An unplanned bad change that inadvertently makes the organization more prone to attack is a much more likely occurrence than a malware infection, as every change that is made within the infrastructure has the potential to reduce protection. Developing and implementing a hardened build standard takes time and effort, but undoing painstaking setup work only requires a clumsy engineer to take a shortcut or enter a typo. Every time an unplanned change goes undetected, once-secure infrastructure becomes more vulnerable to attack, so when your organization is hit by a cyberattack, the damage will be much, much worse.

To this end, shouldn’t we take change management much more seriously and beef up our preventative security measures, rather than relying on yet another device that will remain fallible when it comes to zero-day threats, spear phishing, and plain security incompetence?

The change management process in 2013: closed loop and full visibility of change

The first step is to get a change management process: for a small organization, just a spreadsheet, or a procedure to send an email to all stakeholders informing them that a change is about to be made, at least provides some visibility and traceability if problems arise later. Cause and effect generally apply when changes are made; whatever changed last is usually the cause of the latest problem you experienced.

That is why, once the changes are implemented, some checks should be made that everything was implemented correctly and that the desired improvements have been achieved (which is what makes the difference between a Well Planned Change and a Poorly Planned Change).

For simple changes, let’s say a new DLL is deployed to a system, the change is easy to describe and easy to review and verify. For more complicated changes, the verification process is also much more complex. Unplanned changes, good and bad, present a much more difficult challenge: what you can’t see, you can’t measure, and by definition unplanned changes are usually made without documentation, planning, or anyone’s knowledge.

Contemporary change management systems use file integrity monitoring (FIM), which provides zero tolerance for changes: if any change is made, whether to a configuration attribute or to the file system, it will be logged.

In advanced FIM systems, the concept of a time window or change template can be predefined prior to a change to provide a means of automatically aligning the details of the RFC (Request for Change) with the actual changes detected. This provides an easy means of observing all changes made during a planned change and greatly improves the speed and ease of the verification process.

This also means that any changes detected outside of any defined Planned Change can be immediately categorized as unplanned changes and therefore potentially harmful. Investigation becomes a priority task, but with a good FIM system, all recorded changes are clearly presented for your review, ideally with “Who made the change?” data.
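As an added illustration of the time-window / change-template idea (example code written for this page, not code from the original article or from any FIM vendor): a minimal Python file integrity monitor that baselines a directory with SHA-256, reports every added, removed or modified file, and aligns each change with a hypothetical RFC record. The `PlannedChange` class, the window timestamps and the id `RFC-1042` are all constructed assumptions; any change that matches no open RFC is flagged as unplanned.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass
class PlannedChange:
    """Hypothetical RFC template: an approved time window plus the paths it may touch."""
    rfc_id: str
    start: float          # epoch seconds when the change window opens
    end: float            # epoch seconds when the change window closes
    expected_paths: set   # relative paths the RFC is allowed to change

def snapshot(root: Path) -> dict:
    """Baseline: SHA-256 of every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff(baseline: dict, current: dict) -> list:
    """Zero-tolerance comparison: every added, removed or modified file is reported."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append((path, "added"))
        elif path not in current:
            changes.append((path, "removed"))
        elif baseline[path] != current[path]:
            changes.append((path, "modified"))
    return changes

def classify(changes: list, detected_at: float, rfcs: list) -> list:
    """Align each change with an RFC whose window is open and whose template lists the path."""
    def match(path):
        return next((r.rfc_id for r in rfcs
                     if r.start <= detected_at <= r.end and path in r.expected_paths), "UNPLANNED")
    return [(path, kind, match(path)) for path, kind in changes]

def demo() -> list:
    """Constructed scenario: a planned DLL update and an unplanned config edit in one window."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "core.dll").write_bytes(b"build 1")
        (root / "app" / "web.config").write_text("debug=false\n")
        baseline = snapshot(root)
        rfc = PlannedChange("RFC-1042", start=100.0, end=200.0, expected_paths={"app/core.dll"})
        (root / "app" / "core.dll").write_bytes(b"build 2")        # covered by the RFC template
        (root / "app" / "web.config").write_text("debug=true\n")   # nobody raised an RFC for this
        return classify(diff(baseline, snapshot(root)), detected_at=150.0, rfcs=[rfc])
```

Running `demo()` shows the DLL update attributed to RFC-1042 while the config edit comes back as UNPLANNED, which is exactly the item an investigator should look at first.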

Summary

Change management is always featured heavily in any security standard, such as PCI DSS, and in any best practice framework such as SANS Top Twenty, ITIL, or COBIT.

If Change Management is not yet part of your IT processes, or your existing process is not fit for purpose, maybe this should be addressed as a priority? Coupled with a good Enterprise File Integrity Monitoring system, Change Management becomes a much easier process, and this may be a better investment right now than any flashy new device.
