
File Integrity Monitoring: Why Change Management is the Best Security Measure You Can Implement

Introduction

With the growing awareness that cyber security is an urgent priority for any business, there is a ready market for intelligent and automated security defenses. The silver bullet against malware and data theft is still in development (I promise!), but in the meantime there are hordes of vendors who will sell you the next best thing.

The problem is, who do you turn to? According to, say, the guy selling the Palo Alto firewall, that appliance is the number one thing you need to better protect your company’s intellectual property, though if you then talk to the guy selling the FireEye sandbox, he may disagree and tell you that you need one of his boxes to protect your business from malware. Then again, the McAfee guy will tell you that endpoint protection is where it’s at, and that their Global Threat Intelligence approach will cover you for all threats.

In one respect they are all right at the same time: you need a layered approach to security defenses, and you can almost never have “too much” security. So is the answer as simple as ‘buy and deploy as many security products as you can’?

Cyber Security Defenses: Can You Have Too Much of a Good Thing?

Before you write your shopping list, keep in mind that all of this is really expensive. The idea of buying a smarter firewall to replace your current one, or a sandbox appliance to augment what your MIMEsweeper already provides, deserves a pause for thought: considering all the security products on offer, which one gives the best return on investment?

Arguably the best value-for-money security product isn’t really a product at all. It has no flashing lights, not even a sexy-looking case that would look good in your comms cabinet, and its datasheet doesn’t list any impressive packets-per-second throughput ratings. What a good change management process gives you, however, is visibility and clarity into any malware infection and any potential weakening of your defenses, together with control over service delivery performance.

In fact, many of the best security measures you can take may seem a bit boring (compared to new network kit, what doesn’t?) but, to provide a truly secure IT environment, security best practices are essential.

Change Management: The Good, the Bad, and the Ugly (and the Downright Dangerous)

There are four main types of change within any IT infrastructure:

  • Good planned changes (expected and intentional, improving service delivery performance and/or security)
  • Bad planned changes (intended and expected, but poorly or incorrectly implemented, degrading service delivery performance and/or reducing security)
  • Good unplanned changes (unexpected and undocumented, usually emergency fixes that resolve problems and/or improve security)
  • Bad unplanned changes (unexpected, undocumented and unintentionally creating new problems and/or reducing security)

A malware infection, whether introduced deliberately by an insider or by an external attacker, also falls into the last category of bad unplanned changes, as does a rogue developer planting a backdoor in a corporate application. Fear of malware infection, whether a virus, a Trojan, or the latest buzzword, the APT, is often a CISO’s top concern and helps sell security products, but should it be?

A bad unplanned change that unintentionally makes the organization more exposed to attack is far more likely than a malware infection, because every change made within the infrastructure has the potential to reduce protection. Developing and deploying a hardened build standard takes time and effort, but undoing that laborious configuration work only takes a clumsy engineer taking a shortcut or making a typo. Every time a bad unplanned change goes undetected, once-secure infrastructure becomes more vulnerable to attack, so when your organization is eventually hit by a cyberattack, the damage will be much, much worse.

To this end, shouldn’t we be taking change management much more seriously and beefing up our proactive security measures, rather than relying on yet another device that will remain fallible in the face of zero-day threats, spear phishing and plain security incompetence?

The Change Management Process in 2013: Closed Loop and Full Visibility of Change

The first step is to get a change management process in place. For a small organization, even a spreadsheet, or a procedure of emailing all stakeholders before a change is made, at least provides some visibility and some traceability if problems arise later. Cause and effect generally applies when making changes: whatever changed last is usually the cause of the latest problem.

That is why, once a change has been implemented, checks must be made to confirm that everything was implemented correctly and that the desired improvements have been achieved (which is what separates a good planned change from a bad planned change).

For simple changes, say a new DLL deployed to a system, the change is easy to describe and simple to review and verify. For more complicated changes, the verification process is correspondingly more complex. Unplanned changes, good and bad, present a much harder challenge: what you can’t see, you can’t measure, and by definition unplanned changes are made without documentation, planning or, often, anyone’s knowledge.

Contemporary change management systems use file integrity monitoring (FIM), which gives zero tolerance for change: if a file or a configuration attribute changes, that change is logged, whether or not anyone intended it.

In advanced FIM systems, a time window or change template can be defined in advance of a change, providing a means of automatically aligning the RFC (Request for Change) details with the changes actually detected. This makes it easy to see all the changes made during a planned change and greatly improves the speed and ease of verification.

It also means that any change detected outside a defined planned change can immediately be classified as unplanned, and therefore potentially harmful. Investigation becomes a priority task, but with a good FIM system all logged changes are presented clearly for review, ideally with who made the change and when.
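To make the mechanism concrete, here is a small baseline-and-compare FIM in Python with the RFC alignment described above. It is an added example written for this page, not code from the original article or from any vendor's product. It goes slightly beyond the text in one respect: besides a time window, each RFC carries a change template (a list of path patterns it is allowed to touch), so a change inside the window that hits an undeclared path is flagged separately from one outside any window. The directory layout, the file names, the RFC identifier “RFC-1234” and the template pattern are all constructed for illustration.

```python
"""Minimal FIM: baseline a tree, compare, and align changes with RFC windows.
Added example, not the article's or any vendor's code. Paths, RFC id and
template are constructed for illustration."""
import fnmatch
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Snapshot:
    sha256: str            # content hash
    mode: int              # permission bits: a "configuration attribute"
    changed_at: datetime   # inode change time (ctime): bumped by writes and by chmod

@dataclass(frozen=True)
class ChangeWindow:
    rfc_id: str
    start: datetime
    end: datetime
    expected: tuple        # change template: fnmatch patterns the RFC may touch

def snapshot_tree(root):
    """Hash content and record metadata for every regular file under root."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. need their own handling
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = Snapshot(h.hexdigest(), stat.S_IMODE(st.st_mode),
                                 datetime.fromtimestamp(st.st_ctime, tz=timezone.utc))
    return snap

def diff_snapshots(before, after, scan_time):
    """Return (path, kind, detail, when) for each added, removed or changed entry."""
    changes = []
    for path in sorted(set(before) | set(after)):
        b, a = before.get(path), after.get(path)
        if b is None:
            changes.append((path, "added", a.sha256[:12], a.changed_at))
        elif a is None:
            changes.append((path, "removed", b.sha256[:12], scan_time))
        else:
            if b.sha256 != a.sha256:
                changes.append((path, "content", f"{b.sha256[:12]} -> {a.sha256[:12]}", a.changed_at))
            if b.mode != a.mode:
                changes.append((path, "attribute", f"mode {oct(b.mode)} -> {oct(a.mode)}", a.changed_at))
    return changes

def classify(changes, windows):
    """Tag each change: PLANNED (in window, path declared by the RFC),
    UNEXPECTED-IN-WINDOW (in window, path not declared) or UNPLANNED (no window)."""
    tagged = []
    for path, kind, detail, when in changes:
        tag = "UNPLANNED"
        for w in windows:                      # first matching window wins
            if w.start <= when <= w.end:
                declared = any(fnmatch.fnmatch(path, p) for p in w.expected)
                tag = f"{'PLANNED' if declared else 'UNEXPECTED-IN-WINDOW'} {w.rfc_id}"
                break
        tagged.append((path, kind, detail, tag))
    return tagged

def demo():
    """Baseline a constructed tree, make one declared and one undeclared change."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        os.makedirs(os.path.join(root, "etc"))
        app = os.path.join(root, "app", "config.ini")
        sshd = os.path.join(root, "etc", "sshd_config")
        with open(app, "w") as f:
            f.write("timeout=30\n")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")
        os.chmod(sshd, 0o600)          # the hardened build standard
        baseline = snapshot_tree(root)

        now = datetime.now(timezone.utc)
        windows = [ChangeWindow("RFC-1234", now - timedelta(hours=1),
                                now + timedelta(hours=1), ("app/*",))]
        with open(app, "w") as f:      # declared in RFC-1234
            f.write("timeout=60\n")
        os.chmod(sshd, 0o644)          # nobody's RFC: a shortcut that loosens hardening
        current = snapshot_tree(root)
        return classify(diff_snapshots(baseline, current, datetime.now(timezone.utc)), windows)

if __name__ == "__main__":
    for path, kind, detail, tag in demo():
        print(f"{tag:30} {kind:9} {path}  {detail}")
```

Running it reports the config edit as PLANNED RFC-1234 and the permission change on sshd_config as UNEXPECTED-IN-WINDOW RFC-1234, which is exactly the “clumsy engineer’s shortcut” case: no malware, just a hardened setting quietly undone. Two caveats a real deployment has to handle: the filesystem does not record who made a change, so the “who” the article asks for has to come from OS audit logging (auditd, Windows file auditing) correlated by path and time; and the baseline must be stored where an attacker who can change the monitored files cannot also change it. On Windows, st_ctime is the creation time rather than the inode change time, so a port would use st_mtime plus an explicit ACL comparison.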

Summary

Change management always features heavily in any security standard, such as PCI DSS, and in any best-practice framework, such as the SANS Top Twenty, ITIL or COBIT.

If change management is not part of your IT processes, or your existing process is not fit for purpose, perhaps this should be addressed as a priority. Paired with a good enterprise file integrity monitoring system, change management becomes a much easier process, and it may be a better investment right now than any flashy new gadget.
