Video: Data Protection and The Art of Layered Security

The Contemporary Cyber-Threatscape

Your organization is under attack right now.

The range of techniques and battlefronts is bigger than ever and while Cyber Security incidents being in the headlines isn't new, this year has been unprecedented in terms of headlines in the mainstream press.

The number of new malware samples identified each year exceeds 25 million and this number is increasing by over 20% each year. With phishing attacks on the increase too, how will Anti Virus Systems ever keep pace?
Hacktivist groups, using cyber-attacks against government and corporate targets are a new phenomenon, looking to cause disruption to any target they see as a cause celebre. Threatened cyber attacks are a common corporate blackmail weapon employed by organised crime, and as such, more companies will be exposed to this type of highly organised attack.
But the more common issue for any organization is the Insider Threat. What defences do you have against a trusted employee gone rogue. One with the privileges to access business critical systems. This could be a simple malicious revenge attack by a disgruntled ex-employee, or someone duped or coerced into assisting criminal activity.
And then we have the Advanced Persistent Threat or APT. So far the APT has largely been viewed as Government sponsored cyber-espionage. However the leading edge of technology usually becomes the norm a year later, so expect to see APT techniques reach the mainstream and be exploited by business competitors undertaking industrial-espionage for intellectual property theft.

So despite our defenses being better than ever before, all automated security technologies still suffer with security blind spots. Signature based technologies will always be prone to zero day threats, while phishing attacks will always catch enough suckers. We aren't saying that Anti Virus technology and firewalls are of no use, but it is time to recognise they will never be fully effective against all cyber threats, especially the inside man scenario or the more elaborate APT attack.

File Integrity Monitoring – At The Core of A Layered Security Strategy

The NNT view is that there is an art to delivering effective security. By recognizing there will always be gaps in modern automated security defenses, it becomes clear that there is an essential need for fundamental security measures. File Integrity Monitoring, combined with best practice processes in device hardening and change management, are the only way to maintain truly secure systems.

NNT Change Tracker provides protection against threats by ensuring all security best practise measures are in place at all times. If any weakening of defences is detected, these will be clearly identified, including any changes to system files and significant configuration settings.

Compliance Dashboard – How Vulnerable Is My Estate?

FIM and Breach Detection

Configuration Drift And The Hardened Build-Standard

Once systems have been hardened it is essential to maintain this configured state – the Change Tracker Changes Dashboard serves as a visual check for whether any config changes have been made – these should be minimal and only when essential. The Dashboard records changes as either Planned or Unplanned. Where changes need to be made, either for system enhancements or maintenance they should be approved in advance and entered into the system as a Planned Change.

With Change Tracker this process is made simple and is ideal if you are an organization just getting to grips with the adoption of Change Management processes. For more mature organizations we offer an API to integrate Change Tracker with your existing Service desk or Change Management system.

Simply enter the type of changes expected, the reference for the Planned Change and any description of the changes intended. Change Tracker's Closed Loop Change Management operation means that any changes made will be recorded and reconciled with the Planned Change Record. We then fix a start time and duration – just 5 minutes for this quick demo change.

All Planned Changes are recorded in the Planned Changes repository – here's the one I just added. It goes against my login ID as I entered it – Change Tracker offers controlled, Role Based access so some organizations choose to appoint one user as 'Change Approver' while others distribute authority to create Planned Changes to all system admins.

During a Planned Change window, all changes for tagged devices are recorded and assigned to the Planned Change record, but Change Tracker actually co-ordinates the whole process. As the Planned Change window opens, an entry is recorded as an event for the devices concerned and this is communicated to the assigned engineer via email. It's a useful reminder that scheduled work is required to start now.

Change Tracker is easily powerful enough to track all changes to all system attributes and file system changes, however it is more usual to assign a configuration policy to devices specifying which attributes need to be tracked. Let's take a look at the policy for the device specified for the Planned Change – this is stored as a template so it can be edited and saved then applied to groups of similar devices.

File Integrity Monitoring Templates for Windows

File Integrity Monitoring Templates for Linux and Unix

Agentless and Agent-based FIM

For Linux and Unix systems there are options for agent-powered and Agentless FIM as well as a File Contents tracker for text-based configuration file change tracking. Similar options apply – specify a path to track, any files or types to exclude and whether subfolders should be tracked. Change Tracker includes pre-defined templates for all significant security files governing system access, operation, password policies and so on. The Agentless FIM Over the LAN tracker works neatly in conjunction with the File Contents tracker – FIM Over the LAN tracks file attributes only so is a 'light touch' tracker but if it detects a change, it can trigger the more detailed Contents Tracker to run to show exactly what changed within the file.

We need to make our Planned Change as the Change Window is nearly up – I have RDPed onto the target system for the change which in this case is going to be a change to a key system file in the System32 path. But I am going to copy in a pre-built Trojan file – I am going to use the cover of the Planned Change to make an Insider change. In this case the file sizes are different but I will always see a difference in the file secure hash value even if the files were manipulated to make them look the same. Note that I am logged under my Admin account which gave me the rights to change a core system file. Once the Planned Change finishes all the changes detected are recorded against the record and it is neatly presented in a single screen making it very easy to review. Good change management relies on system governance so a QA Testing or Post Implementation Review Phase should always be in place to ensure even Planned Changes are good changes, executed as expected.

The details of the exact changes detected are presented clearly – the file change detected and its associated attributes are exposed, and crucially, the name of the user who made the change are also recorded. If this was a Trojan added by a stealthy insider they would still be caught.

Similarly for Linux or Unix file changes, the same Planned Change record presentation is used, exposing all changes made. Here I get three changes recorded, just because I am using the three different FIM options available for Linux – Agentless and agent-based FIM, plus the File Contents tracker option in this case as the changes affected a text based Message of the Day banner. Note the change says it was Reconciled Retrospectively – we'll see how this works in a moment.

FIM for File Contents Changes – Linux Config File Change Tracking

Scheduled FIM Reports By Email