There are seemingly countless regulatory and industry frameworks out there that organizations have to navigate and comply with. SOX (Sarbanes-Oxley), PCI-DSS (Payment Card Industry Data Security Standard), GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and many others that require maintaining a specified baseline of security. Compliance is a challenge in and of itself, but it is increasingly difficult to maintain compliance with accelerated DevOps lifecycles and complex, hybrid cloud environments.
Threat hunting, an often misunderstood but powerful security practice, is gaining traction, as more organizations reap benefits from it and get better at it. However, there is still a lot of room for adoption to increase and for practices to improve.
Those were key findings from the SANS Institute’s 2018 threat hunting study, which experts from SANS, Qualys and other companies discussed recently in the two-part webcast “Threat Hunting Is a Process, Not a Thing.”
“Over the past two to three years, threat hunting has been moving from a ‘What is it?’ discussion into a more formal mentality of: ‘This is what it is. Am I doing it right?’,” said Rob Lee, a SANS instructor. “But we’re still in a transition.”
For starters, there’s still considerable confusion about what threat hunting is. For example, it’s very common for many to equate it with reactive practices such as incident response. Rather, threat hunting is by definition proactive. It assumes that the organization’s prevention defenses have been bypassed, and the IT environment breached, without any alerts being triggered.
Using threat intelligence analysis and other tactics, hunters formulate and act on a hypothesis about where the intruders are likely to be lurking in silence while pursuing their nefarious goals.
File integrity monitoring, like other foundational security practices such as vulnerability management, helps organizations comply with the EU’s General Data Protection Regulation (GDPR). FIM specifically provides security controls in three key areas for GDPR:
- Ensuring integrity of data stored in filesystems
- Protecting confidentiality of data by detecting changes to filesystem access controls
- Detecting breaches
Qualys File Integrity Monitoring’s ability to quickly detect changes in all of these cases makes it a critical tool that helps you meet general security requirements of GDPR. This regulation goes into effect in late May and applies to any organization worldwide that handles personal data of EU residents.
What is FIM, anyway?
File integrity monitoring systems can help you to promptly detect a variety of changes stemming from normal IT activities, compliance and change control violations, or malicious acts such as malware attacks and configuration tampering. FIM systems use snapshot data and real time detection on the endpoints to identify when files on a system are changed, and when necessary, log the file changes so system administrators, compliance teams, and incident response teams can verify the events and determine if the activity was normal, a policy violation, or a sign of compromise.
Aside from compliance and breach detection use cases, FIM can be invaluable in making sure scripts used for automation and critical application configurations are not changed without proper change control and approval. That way, organizations can prevent downtime and enable fast recovery, both key to ensuring availability of critical applications.
This release of the Qualys Cloud Platform version 2.32 includes updates and new features for AssetView, EC2 Connector, File Integrity Monitoring, Indication of Compromise, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows. (Post updated 3/23 to include new FIM features for this release.)
You’ll be hard pressed to find file integrity monitoring on any list of cool, emerging, cutting-edge cybersecurity technologies. But if you choose to ignore this mature, foundational technology, it’ll be at great risk.
File integrity monitoring, or FIM, plays a key role in critical security and compliance scenarios. An effective FIM system can help you to promptly detect a variety of changes stemming from normal IT activity, compliance and change control violations, or malicious acts such as ransomware/malware attacks and configuration tampering. FIM can be your last line of detection for complex and evasive rootkits or mobile code. It is also invaluable in making sure validated scripts and configurations are not changed by insiders, malicious or not.
In this blog series, we’ll address the major uses for FIM, starting with regulatory compliance, and specifically the PCI DSS (Payment Card Industry Data Security Standard) mandate.
While FIM is an implicitly required control in many regulations for ensuring information integrity, it is explicitly mentioned in PCI DSS for any system handling personally identifiable information. The best practices and insights from those monitoring systems with FIM for PCI compliance are just as applicable to other regulations and mandates, such as HIPAA, GDPR and Sarbanes-Oxley.