Introduction. Top file monitoring tips for IT security teams.
Security teams won’t be using file integrity monitoring (FIM) as their first line of defense for network protection. Tools like daily vulnerability audits and twice-yearly penetration testing will be the main border control assets that you employ.
But just like a country can find it has leaky borders, it’s good practice to make sure that your IT assets don’t have any blackhat activites lurking within your network. And one of the final ways of checking every neighborhood in your network is FIM.
File Integrity Monitoring is a delicate balancing act.
Of course the problem is that you will have millions of files on the network, and the vast majority of them are being changed regularly for legitimate purposes. So where should you focus your efforts in order to find the telltale signs of an attack?
The security experts at SecludIt have drawn up a shortlist of the most important files for you to monitor on Windows and Linux Operating systems. But it’s hard to get the sweet spot with FIM:
– Monitor too many files and your efforts will result in a lot of false positives, plus the amount of files to monitor could become impractical.
– Monitor too few files and you could miss the evidence of an attack taking place.
Here’s the insights from SecludIT, separated into Windows and Linux networks.
Windows Networks. The most important files to monitor (or exclude).
Windows. Files to INCLUDE in FIM:
The following files in C:\:
The following folders (no files and subfolders):
– C:\Documents and Settings
– C:\System Volume Information
The following folders (including files and subfolders) in C:\:
All files and folders under C:\WINDOWS, and in particular the following folders (no files and subfolders):
Windows. Files to EXCLUDE from FIM:
Folders in “C:\WINDOWS” listed below, which basically contain log files (the reason is explained below), cache files and other unimportant files:
Windows update. SecludIT is developing a FIM for Log Files technology.
Log files should be monitored in order to make sure that no unauthorized changes have been made. Unfortunately, standard file integrity monitoring tools do not cope well with log files since, by nature, they are subject to frequent changes.
In particular, if a log file has been modified, then a standard FIM tool is not able to distinguish an unauthorized behavior from a normal one. It is not able to detect whether a log file has been tampered with (e.g. some lines have been removed in order to cover an attack) or not (e.g. some lines have been appended).
SecludIT is currently working on File Integrity Monitoring specifically for log files. When launched, our FIM technology for Log Files will monitor the integrity of log files without affecting the performance of production servers.
Please subscribe to our newsletter if you’d like to know when our new technology is available.
Finally, for those who wonder, we’re also investigating how to secure the Windows registry. More details coming soon. Stay tuned!
Linux Networks. The most important files to monitor (or exclude).
Linux. Files to INCLUDE in FIM:
– monitor the permissions
Monitor the permissions, the access/modification time and the content of all files (except logs and cache files) in the following folders:
– /root, /etc
Some Linux attacks try to gain privileges by modifying the configuration of your grub file, therefore it must be properly monitored /boot/grub/grub.conf
Linux. Files to EXCLUDE from FIM:
– Exclude log files (e.g. /var/log) – see Linux update below.
– Exclude cache files
Linux update. SecludIT is developing a FIM for Log Files technology.
As with Windows networks, log files should be monitored in order to make sure that no unauthorized changes have been made. Unfortunately, standard file integrity monitoring tools do not cope well with log files since, by nature, they are subject to frequent changes.
Depending on the services running on your server, you should also monitor all those files that are critical for those services. For instance, if your server is hosting an Apache web server, you may want to monitor all files (except those uploaded by users such as images, videos, etc.) under the root web folder /var/www
SecludIT is currently developing a File Integrity Monitoring technology specifically for log files. When it launched, our FIM For Log Files technology will monitor the integrity of log files without affecting the performance of production servers.
Please subscribe to our newsletter if you’d like to know when our new tool is available.
Keeping your network secure with a daily vulnerability audit.
Although it is important as the last line of defense, File Integrity Monitoring can be time consuming and complex.
An efficient first line of defense is the Elastic Detector application from SecludIT. Elastic Detector as an automated way to check your network for vulnerabilities every day. We add an average of 20 new vulnerabilities daily to our threat list, which minimizes the window of opportunity for hackers.
Highlights of our Elastic Detector program are:
– It works on clones of servers, so network performance is not degraded.
– The list of security threats is updated on a daily basis, with prioritized reporting.
– SecludIT provides remediation sheets and fix tips. So even non security specialists can implement fixes.