Brought to you by
http://www.logrhythm.com
Speaker
David Pack, Manager, Knowledge Engineering
2011 Monterey Technology Group Inc.
UltimateWindowsSecurity.com
2. Periodic comparison
3. Real-time monitoring
Demonstration of LogRhythm's File Integrity Monitoring
Native Auditing
Audit policy: 2 levels
System level
Win 2003: Object Access - Success
Win 2008: File System - Success
File level
Native Auditing
Who to audit? Everyone
What operations? Delete, Write, Append, Ownership, Change permissions
Apply onto: Files only
Native Auditing
Which files? Start with EXEs and DLLs
Native Auditing
Events
Win 2003: 567 - Object Access Attempt
Win 2008: 4663 - An attempt was made to access an object
Native Auditing
How to centrally manage audit policy?
Native Auditing
How to filter out false positives from system update agents? Per-user selective auditing: exclude success events generated by the update agent's account for the File System subcategory.
auditpol /set /subcategory:"File System" /user:updateagent /exclude /success:enable
http://technet.microsoft.com/en-us/library/cc781822(WS.10).aspx
Native Auditing
Limitations
Won't work for some application files, such as MS Office documents
Can be voluminous if misconfigured
Work involved in configuring and interpreting
Other considerations
DLLs and EXEs are only part of the picture
PCI 11.5: Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
Windows configuration isn't stored in files, and audit policy catches most security-relevant changes
Applications are another matter
Get to know your applications
Other methods
Periodic comparison
Periodically read each file and compute a hash
Repeat, comparing the current hash to the stored hash
Report differences
Advantages
Simple to implement
Disadvantages
Omits whodunnit
Latency
Changes reversed between observations go unnoticed
Periodic peaks in resource usage
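The periodic-comparison method above, as an added example that is not part of the slides: build a baseline of SHA-256 hashes for EXEs and DLLs under a directory, re-scan later, and report what was modified, added or removed. The monitored suffixes and the sample files are constructed assumptions for the demo; note that, exactly as the slide says, a change made and reverted between two scans leaves no trace, and nothing here records who made the change.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=(".exe", ".dll")):
    """Walk root and record relative path -> hash for the monitored file types."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(suffixes):
                p = Path(dirpath) / name
                baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def compare(baseline, root, suffixes=(".exe", ".dll")):
    """Re-hash the tree and report differences against the stored baseline.
    Only the state at scan time is visible: a change reverted between scans is missed,
    and the report carries no identity of who made the change."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario (assumption, not real system files): baseline a tree,
    then tamper with one EXE, drop a new DLL and delete another DLL."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "app.exe").write_bytes(b"MZ original")
        (Path(root) / "helper.dll").write_bytes(b"MZ helper")
        (Path(root) / "notes.txt").write_bytes(b"not monitored")
        baseline = build_baseline(root)
        (Path(root) / "app.exe").write_bytes(b"MZ patched")
        (Path(root) / "dropped.dll").write_bytes(b"MZ new")
        (Path(root) / "helper.dll").unlink()
        return compare(baseline, root)
```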
Other methods
Real-time monitoring
Monitoring application hooks into the file system and is notified of changes in real time
Advantages
Can provide more informative, easier-to-read messages than native auditing
No latency
Disadvantages
More intrusive
Fear of stability issues
Bottom Line
File integrity monitoring is required
Compensating controls feasible for some situations
Key challenges:
Knowing which files, especially in applications, to monitor
Dealing with false positives
3 methods available
Real-time monitoring provides the most functionality