Detecting changes from a baseline established for files and file paths and receiving instant alerts about them is crucial to ensure security within a monitored environment. File tampering is an indicator of illicit activity, and authorized users must be alerted whenever changes in a critical file or file path occur. Hence, organizations must integrate file change monitoring into their continuous efforts towards maintaining safety and hygiene in the cyber security space, especially in environments where their IT systems contain highly sensitive data.
However, deciding the scope for what to monitor is a challenge for most security teams. If not configured correctly, teams would be inundated with event notifications, and identifying events of interest from amongst hundreds and thousands of events would be a huge effort. One must monitor files that are relevant to the important parts of the IT ecosystem – files that are not expected to change without a business requirement.
How Do You Decide What to Monitor?
It is important to be extremely methodical when deciding what to monitor. A well-thought out plan is vital to the success of your file monitoring practices.
Key factors to consider while making such decisions should be:
What is critical for the organization and must be put under continuous monitoring?
As mentioned earlier, it is not feasible for an organization to monitor all that’s happening in its IT environment. You must separate critical from important and have a defined demarcation to decide what must be monitored all the time.
What type of actions or activities should be monitored for specific file paths?
Certain files such as logs, and certain parts of an Operating System are continuously modified. So, monitoring them for all sort of activities would be highly inefficient as it won’t yield any valuable data. Hence, it is recommended that you track file removals and security settings.
What are the highly probable attack surface areas in the environment?
Take a step back and analyze your environment. Identify the areas of information that may be lucrative for an attacker, so that you know where you need to concentrate.
Superficial and inaccurate monitoring parameters give rise to nothing but scores of events with no context, rather than useful and actionable alerts. Assessing your network and environment, taking stock of inventory and determining the critical assets, establishing roles and authority for users – these are just a few things that you would be required to do before you establish the baseline. This is not only a time-intensive activity, but error-prone as well.
How Does Qualys File Integrity Monitoring Help You?
Qualys File Integrity Monitoring (FIM) contains its own library of out-of-the-box monitoring profiles. Qualys’ in-house security analysts, with their deep insight and rich subject matter expertise, provide you with a set of highly critical files and file paths that must be monitored for specific activities. This expertise helps you to kick-start your monitoring efforts and adhere to PCI-DSS (sections 10.5.5. and 11.5) and various other compliance standards such as NERC CIP (CIP 010), FISMA, SOX, NIST (SI7), HIPAA, CIS controls, and GDPR.
These profiles are based on accepted security standards, and they categorically exclude files that cause false positives.
The following screenshot shows the Qualys FIM library of out-of-the-box monitoring profiles.
Qualys highly recommends that you use the lightweight monitoring profiles from its library. With the help of the research and analysis carried out by Qualys’ team of security experts, the lightweight profiles have been created with a small set of extremely critical OS files such as boot loader, kernel parameters, configuration files, initialization files, system volume files, critical binaries, and authentication files that need to be monitored on a real-time basis for any kind of deflections/deviations from regular behavior.
These profiles ensure negligible load on the CPU and help you achieve compliance against various mandates for the associated assets.
Secure the CI/CD Pipeline
In the CI/CD workflow, when DevOps deploys golden images to run their workloads, Qualys Cloud Agent is baked-in with FIM for the images enabling the out-of-the-box FIM profiles for instances. This makes sure the file integrity monitoring as required for your compliance programs like PCI and FedRAMP is initiated before images go out in production. The user may also apply application-specific FIM profiles based on the workloads/applications deployed on the instance. Once the images are in production, FIM continuously monitors changes to the critical files paths per profiles.
Altogether, the out-of-the-box monitoring profiles have been devised to ease the mammoth task of monitoring the ever-changing files in your organization. These tightly configured profiles not only help you stay vigilant about changes in critical files but enable you to comply to some of the most important IT GRC regulations as well.
Lavish Jhamb, senior compliance research analysts at Qualys, provided technical guidance.