In information security world, we always use the buzz word “Defense in Depth”. Though the concept is simple, it is difficult to implement. Organizations that carry out a proper risk analysis have a clearer picture in terms of cost/benefit analysis. In this article, we shall discuss how a FIM solution can supplement anti-malware solutions and become a part of defense in depth.
FIM: As it stands for File Integrity Monitoring, it monitors the critical system and applications files for any modifications/changes, be it authorized or otherwise. In addition to monitoring files, it can recursively check the whole directory for any addition/deletion. FIM solutions also provide additional information about WHO made the changes that can be useful in accountability.
Malware: It stands for malicious software, mostly spread through drive-by-download now-a-days. The sources of malware have increased manifold, starting initially from extremely skilled developers to any Internet user “script kiddie” who does not realize the extent of damage or sometimes does not even know the target audience. Most of anti-malware solutions are signature-based. Malware includes many but not limited to viruses, Trojan horses, worms, and logic bombs. Even if we employ an updated anti-malware solution, malware is still causing a lot of concerns in terms of its damages. Following are some of the types and reasons why malware is bound to get past anti-malware solutions:
- Virus Technologies: Viruses can propagate and infect in many different ways including multipartite, stealth, polymorphic, and encryption, to name a few. These techniques can easily cheat anti-malware solutions while scanning for their signatures.
- Logic Bombs: This malicious code lies dormant and hidden in the system and uses a trigger to activate. Hence, anti-malware solutions do not detect these as active threats.
- Trojan Horses: Trojans are programs that seem legitimate and also use a system’s regular naming convention. These may appear as our anti-malware programs as well.
- Zero-day Malware: These are most dangerous, as their signature is either unknown to anti-malware vendors or there is a delay in updating the signature database by end-users.
- Hoaxes: Though these are not genuine malware, they do cause panic and interruption of regular business activities while carrying out a complete audit of one’s network.
Malware generally exploit your critical system files, registries, and other sensitive processes to create back doors, install root kits, corrupt master boot records, infect/encrypt files, and cause maximum damage. Once a malware escapes your anti-malware solution, it can easily propagate in the entire network.
Here comes the FIM solution to your rescue. Once you have configured your FIM to monitor your directories/files of interest, it will generate an alert that something has been modified, added, or deleted, or you can customize these settings to create rules for alerts. Another advantage of a FIM solution is that it will save a lot of space and resources where you do not have to deploy it on every end-point and can monitor centrally. A properly configured FIM solution can help you contain the propagation of a malware and thus associated damages. It is, therefore, recommended as a very good resource not only in terms of configuration and change management but also combating malware and providing an early detection of an infected system.
For information on how Tripwire’s FIM solution can help protect your organization, click here.