File Integrity Monitoring: Why Your Security Is Compromised Without It

It is critical to employ File Integrity Monitoring (FIM) on system files as a second line of detection alongside antivirus software when hunting for malware. For configuration files, enterprise-level FIM goes a step further: it not only detects and reports changes to configuration settings, but also identifies the potential vulnerabilities those settings introduce.
What is the effectiveness of anti-virus software in detecting malware?
There are, however, a number of concerns with using these checklists to remove vulnerabilities, in other words to harden a system, that should be taken into consideration. For starters, examining a single system for the presence of vulnerabilities is time-consuming and labour-intensive; repeating the exercise across an estate of hundreds or thousands of servers takes enormous resources.
The vulnerability scanner: automating the search for vulnerabilities
Scanning systems, such as those developed by Nessus, Rapid7, eEye, and Qualys, can automatically interrogate a system and discover whether or not vulnerabilities are present. While a vulnerability scanner eases the time and resource constraints of vulnerability discovery, it introduces a whole new set of issues and leaves one major shortcoming unaddressed: the lack of a comprehensive vulnerability management strategy.
Scanning is the process of interrogating servers and workstations over the network, generally by running an automated sequence of scripts over psexec or ssh that work in combination with a dissolvable agent.

The first issue is that the dissolvable agent must be transferred over the network to each host, and because it is dissolvable, this has to be repeated for every scan of every host. This consumes a lot of bandwidth and server resources.
The dissolvable agent can query configuration settings and dump the contents of configuration files, and it can produce an MD5 or SHA1 hash of each file to create a ‘DNA fingerprint’ for it. This, however, creates a new challenge.

To validate the integrity of critical system files and critical configuration files, the scanner login must have root or near-root privileges. To put it another way, before you can assess the security posture of your hosts, you must first weaken their protection by enabling a root network login!
Last but not least, the findings must be processed by the scanning appliance, which means shipping all of the collected data back across the network and adding further strain to it. When the systems being scanned are remote, the bandwidth and congestion problem is exacerbated even more.

Therefore, scans must always be scheduled outside of typical working hours, to reduce server load and to be as gentle on the network infrastructure as feasible.

At best, this means that essential servers can be scanned once a day; in a 24/7 business, however, there is never a convenient moment to scan.

This leaves a number of significant questions to answer.
Are you willing to put a significant amount of additional strain on your critical network infrastructure and host systems? How long would you be willing to allow your mission-critical systems to remain susceptible to attack? How long do you feel safe allowing malware to remain undiscovered on your critical hosts?
Agent-Based FIM vs. Agentless Scanner: Which Is Better?
Agent-based vulnerability detection solutions, such as Tripwire and NNT Change Tracker, are designed to address these issues by placing an agent on each host. Because the agent is resident on the host, there is no longer any requirement for the host to be interrogated across the network, and therefore no need to grant additional admin or root access to secure hosts.

The FIM agent also reduces the time that the host and network must spend scanning. Once a baseline has been established, only qualifying file modifications require any action on the part of the agent and, therefore, any use of host resources.
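As an added illustration of the baseline-then-detect approach described above, and of the configuration vulnerability check mentioned at the top of the article, the following Python sketch (not NNT's or any vendor's code) fingerprints a directory tree once, reports only the files that drifted, and flags a weak configuration line. It assumes a hypothetical hardening rule for a file named sshd_config, uses SHA-256 in place of the MD5/SHA1 the article mentions, and works entirely on constructed sample files in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical hardening rule (assumed example, not a vendor checklist):
# a configuration line that, when present, weakens the host.
WEAK_SETTINGS = {"sshd_config": ["PermitRootLogin yes"]}

def fingerprint(path):
    """SHA-256 digest of a file: the 'DNA fingerprint' (SHA-256, not MD5/SHA1)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Walk a tree once and record each file's fingerprint (the one-off baseline)."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p)
            for p in root.rglob("*") if p.is_file()}

def compare(old, new):
    """Classify drift between two baselines; only these paths need any action."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}

def weak_settings(root, rules=WEAK_SETTINGS):
    """Report configuration lines matching a hardening rule, with line numbers."""
    findings = []
    for name, bad in rules.items():
        path = Path(root) / name
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            if line.strip() in bad:
                findings.append((name, lineno, line.strip()))
    return findings

def demo():
    """Constructed scenario: baseline, then a config weakening and a dropped file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd_config").write_text("Port 22\nPermitRootLogin no\n")
        before = baseline(root)
        (root / "sshd_config").write_text("Port 22\nPermitRootLogin yes\n")
        (root / "dropped.bin").write_bytes(b"\x00constructed sample\x00")
        after = baseline(root)
        return compare(before, after), weak_settings(root)
```

A real agent would run compare() on every qualifying filesystem event rather than on a rescan, which is the point the article makes about host resources.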
A final advantage of an agent is its capacity to identify threats in real time. Ideally, the best corporate FIM agent has kernel monitoring capabilities and can watch all filesystem activity, logging changes of particular relevance as soon as they occur. Typically this is true for Linux, Windows, and Solaris, but the best FIM solutions will also work on Mac OS X, as well as on Android and iOS devices, among other platforms.
Although FIM is well established as a method of identifying vulnerabilities, other solutions remain available on the market today. Agentless scanners and agent-based FIM solutions are often used in conjunction with one another, and choosing which technology is best for your network is seldom an either/or choice. In reality, the majority of enterprises recognise the value of obtaining a ‘second opinion’ on vulnerabilities, which can be accomplished by using a vulnerability scanner in combination with a continuous FIM solution.
Founded in the United Kingdom, New Net Technologies (NNT) is a supplier of IT security and compliance software solutions with locations in the United States and a worldwide network of partners. NNT’s integrated SIEM, CCM, and File Integrity Monitoring Software solution, which was first introduced in 2005, has evolved to meet the ever-changing needs of the security threat landscape and to ensure compliance with policy, regulation, and legislation, such as the Payment Card Industry Data Security Standard (PCI DSS). The system, which is simple to scale, is utilised by a diverse range of companies, from well-known brand-name enterprises to small and medium-sized firms.