As you have built your organization's security infrastructure, you've probably focused first on the essentials: malware detection and management, intrusion detection and prevention, host and network firewalls, and logging and auditing. Once you have these critical foundational elements in place, you may wish to turn your attention to another powerful security and troubleshooting tool: host integrity monitoring software.
Host integrity monitoring packages watch for and alert administrators to any unanticipated changes in the state of a system or the files stored on it. This functionality offers tremendous benefits to security professionals, as unanticipated system changes may be the only way to detect the effects of a zero-day attack or insider malfeasance that would otherwise escape your monitoring systems. Host integrity monitoring also provides administrators with a valuable troubleshooting tool, allowing you to identify all changes that took place on a system prior to a failure.
Over the past few years, the host integrity monitoring marketplace has expanded significantly, and there are now many quality products available both commercially and in the open source arena. The grandaddy of them all,
Tripwire now has many competitors available in both commercial and open source varieties. As you select a product for your organization, you may also wish to look at products such as nCircle Inc.'s File Integrity Monitor, Osiris and Samhain, to name a few.
Once you've selected and licensed a product, it's time to begin deploying it in your organization. Integrity monitoring software functions by taking a baseline snapshot of a system and then monitoring for deviations from that baseline. Normally, it's ideal to integrate this into your system build process and take a baseline snapshot when the system is first developed, before it is connected to the network and while it remains in a known good state. The danger with deploying integrity monitoring software on a production system is that the system may already be compromised, and your baseline snapshot will include the compromised state.
Unfortunately, you probably don't have the luxury of rebuilding all of your systems as you install your integrity monitoring product. The next best thing is to run a full malware scan and verify the security configuration of each system before you take the baseline. Once you've completed the baseline, you may turn on the monitoring software and begin receiving alerts when it detects changes.
Tuning and tweaking for performance
If you deploy a host integrity package with out-of-the-box monitoring policies enabled, you'll quickly notice that you're receiving a ton of alerts! There's good reason for this, as the day-to-day activity of your server probably involves a large number of changes that the system detects and reports. Trying to investigate each one of these changes would quickly overwhelm your security team, so it makes sense to tune the policy until it reaches a manageable state that reflects the operational realities of your computing environment.
It's great to start with a policy template, if one is available. Many integrity-monitoring software vendors make these templates available preconfigured for systems in a variety of roles (e.g. email servers, file servers, workstations). These policies will monitor only critical files and settings, and they will ignore files that are known to change on a regular basis (such as the Temporary Internet Files folder).
Once you've deployed a template, you'll probably still need to customize the policy for your systems. The best way to do this is by monitoring changes over time and analyzing alerts for their root cause. You'll likely discover application directories and other locations that routinely change as part of your normal operations. You'll want to either exempt those from your policy or create specific policies for them. For example, if you have an application log file, you know it will grow in length every day, so a policy that alerts when the file changes wouldn't be very useful. On the other hand, a policy that alerts when the log file shrinks in size could be quite helpful at detecting malicious activity.
The day will finally come when you've declared your tuning complete, and your host integrity monitoring software is sending a manageable number of alerts. It's important to keep an eye on those alerts and monitor your system on a regular basis. After all, integrity monitoring software that goes unwatched is essentially useless! If your organization uses a security incident management (SIM) tool, you may find that it natively supports your host integrity monitoring software and can simply feed it the alerts to analyze as part of its normal operations. (If you do use a SIM, you'll want to make compatibility with your system a key criteria when evaluating integrity monitoring products.)
Host integrity monitoring is a powerful tool in the hands of security analysts. It allows you to identify potential signs of malicious activity or other unexpected system modification for investigation by security managers. While it may not be the first tool on your list as you build your security infrastructure, it's definitely a great weapon to have in your arsenal.
Send comments on this technical tip firstname.lastname@example.org.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in January 2010