Data breaches continue to dominate the headlines and organizations are often shamed for their inability to protect consumer information. Experts are quick to scrutinize how quickly the organizations identified the potential breach and the timeline from discovery to consumer notification. Being able to rapidly detect a data breach can significantly reduce the costs and the reputational damage that follow. When a breach remains undetected over time, the impact will certainly increase, as we saw with the 2015 Heartland Payment Systems breach of approximately 100 million credit card accounts that went undetected for 18 months.
In the past, criminals would often try to hack a system to steal whatever information they could access at that time for immediate financial gain. In recent years, organized group of criminals work more systematically to gain access to targeted systems using legitimate accounts. If they are successful, they can remain undetected over time and prolong their access to organizational resources. These attacks are known as an Advanced Persistent Threat (APT) and work when criminals add or modify software on the target network.
How can organizations identify this type of attack more quickly or, even better, prevent it?
Also known as change monitoring, file integrity monitoring (FIM) is a security control that involves examining files to identify modification to critical system files and the who, when, and how the changes were made. Organizations will often utilize FIM to monitor files for suspicious activities or modifications, and for detecting malware. If unauthorized software is installed or if any critical files are modified or accessed, an alert is generated. If a criminal was using a legitimate user’s account to access a critical file, the FIM system would trigger an alert to the responsible person or team. They would then quickly follow up with that person to confirm if it was indeed that staff member accessing the file or unauthorized individual was using their account.
Requirement 11.5 of the PCI DSS states that organizations must deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and perform critical file comparisons at least weekly. The organization must be able to document who made the change, what exactly was changed, when it was changed, what the value was before and after the change, and if the change was authorized.
Requirement 10.5.5 also requires that file integrity or change detection software is implemented on audit logs to ensure that existing log data for critical files cannot be changed without generating alerts.
There are different file integrity monitoring solutions available, so it is important to weigh the different features and determine what will be the best fit for your organization. Popular features include the ability to turn FIM on and off easily, and real-time detection of changes. You will also want to be able to effectively manage your FIM policy with the ability to apply monitoring granularly across systems and devices and easily edit policies according to individual requirements or restrictions. You may want to receive alerts even if certain files were just viewed and not changed. It is also important to verify that the solution can be updated quickly as new patches or system updates become available.
Once you ready to implement a FIM solution, you first need to define a relevant policy and identify which files on which systems need monitored. You will most likely want to start with the Windows system folders, plus the organization’s main applications within the CDE. All system and application executables, configuration and parameter files, centrally stored log and audit files, and any other critical files should be monitored. After the organization has established a baseline or reference point for each of the files, the organization can monitor all designated files for any unexpected changes.
You can run a daily inventory of all system files to detect any additions, deletions or changes. If an unauthorized change does occur, the process should notify the appropriate personnel so they can review the potential change and remediate if necessary. It is also possible to generate an alert when any files or folders are accessed and provide a full audit trail by account name of who has had access to the data. Without file integrity monitoring tools in place, unauthorized changes might otherwise go unnoticed and result in cardholder data or other sensitive information being stolen.
FIM is a critical tool in the prevention of data breaches that occur due to both criminal malware attacks and insider activities. Implementing an effective solution should help you not only meet your PCI compliance requirements, but also reduce time spent gathering information and significantly reduce the risk of data breaches. Please contact us if you have questions about how to ensure your organization has deployed an effective file integrity monitoring solution.
Some additional guidance from our Security Advisor team below:
[King]: FIM is extremely important in today’s environment. The 2017 Verizon Data Breach Investigation Report (DBIR) indicated that attackers can gain access to systems within days while it takes months for these attacks to be discovered and addressed. This delay allows the attacker plenty of time to gather and exfiltrate your data. The DBIR also reports that the most common method of detection is through fraud detection. This means a target is unaware of the compromise until the customer’s data is being actively used by an attacker. FIM allows you to detect these changes and shut down an attack before your customers and reputation are affected.