
It’s been over a decade that I’ve worked primarily in the world of File Integrity Monitoring and Secure Configuration Management, helping to ensure that hundreds of different companies are able to detect unauthorized or unexpected changes to their configurations.
Security has changed a lot over that period, and yet there have been some surprisingly consistent experiences in the field that I often end up spotting, even though I’ve worked in some incredibly diverse environments.
With a round figure like “ten years” behind me, it’s perhaps not surprising that I’ve gone through a “mental review” at various points of all that I have seen over the years. I also feel I’ve earned a decent vantage point from which to think about what the next 10 years might hold, so I figured now was as good a time as any to look both back and towards the future of these tools as I see them.
Hashes and Hardening
When I started out in the profession, we would often talk about hash comparison for change audit purposes, but the reality is that just comparing hashes and date stamps is rarely enough for an effective change review. Fortunately, when implementing FIM (even back in my early years) we were rarely focused on these “table stakes” and instead spent a lot more time talking about the audit information that can be collected alongside those hash changes.
Capturing who made changes to key systems, what processes were behind the change, and looking at other attributes has, over the years, proven to be a very effective framework for allowing companies to understand what changed, and why – leading to faster change reviews and a deeper understanding during security incidents.
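As an added example (not code from the original post), here is a minimal Python baseline-and-compare routine that records owner, mode and mtime alongside the SHA-256 hash, so a permission or ownership change still surfaces when the hash is unchanged, and a content change that leaves the timestamp untouched is flagged for closer review. The file contents and attribute values in the demo are constructed, and the permission-change demo assumes a POSIX filesystem.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class FileRecord:
    """One baseline entry: content hash plus the audit attributes that a
    hash-only comparison would never surface."""
    sha256: str
    size: int
    mode: str   # symbolic permissions, e.g. "-rw-r--r--"
    uid: int
    gid: int
    mtime: int  # whole seconds

def snapshot(path: str) -> FileRecord:
    """Hash the content in chunks and capture ownership, mode and mtime."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return FileRecord(h.hexdigest(), st.st_size, stat.filemode(st.st_mode),
                      st.st_uid, st.st_gid, int(st.st_mtime))

def compare(baseline: FileRecord, current: FileRecord) -> dict:
    """Return {attribute: (before, after)} for everything that differs."""
    before, after = asdict(baseline), asdict(current)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}

def classify(changes: dict) -> str:
    """Triage label a reviewer would attach to the diff."""
    if not changes:
        return "unchanged"
    if "sha256" not in changes:
        return "metadata-only change (hash and timestamp alone miss this)"
    if "mtime" not in changes:
        return "content changed with mtime preserved: review closely"
    return "content changed"

if __name__ == "__main__":
    # Constructed demo: a world-writable permission change leaves the hash intact.
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".conf") as tmp:
        tmp.write("listen = 443\n")
    base = snapshot(tmp.name)
    os.chmod(tmp.name, 0o666)
    diff = compare(base, snapshot(tmp.name))
    print(diff, "->", classify(diff))
    os.unlink(tmp.name)
```

In a real deployment the baseline records would be stored off-host and the diff joined with process and user audit data, which is the “who” and “what process” context the paragraph above describes.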
Doing this at scale isn’t an easy job, but once you’re comfortable with the tools and information you’ve collected it can sometimes feel like a superpower. Do you need to know how a machine was configured 3 months ago? Who updated that web service configuration file? Why one server seems to be missing a hotfix? When did that antivirus get disabled?
Searching through configuration files and change history can help you feel like a master of time and the wielder of a lasso of truth. (This past decade has also had plenty of superhero stories too, which may have influenced my perception of this somewhat!) Used effectively, knowing you’ve got this information to hand can help change the way you approach security incidents and hardening your systems effectively.
One size won’t fit all – but everyone needs an audit trail that can be customized
The organizations that I’ve found to be most successful are those who have taken the time to fully customize their workflows around FIM and SCM, whether that’s a simple “line in the sand” approach to alerting that ensures compliance never drops below a particular threshold, a weekly program of hardening improvements, or a focused audit trail report that delivers just what security teams are looking for. In reality, each of these required minimal effort to set up with our tools, but they did require a bit of planning in advance.
The best aspect of delivering successful use cases like these is that it leads to security teams that are excited to engage with more aspects of monitoring and leveraging the monitoring tools to do more. My career in IT has taught me that getting people excited about a tool isn’t always easy – but if it helps you get things done that little bit easier and gives you some extra peace of mind it’s probably a worthwhile investment.
Integration is still key
For all I hear of consolidation in the world of security tools, the reality I’ve seen in the field is very different, with many organizations still managing multiple agents and various vendors, and I’m coming around to thinking this is a benefit rather than a downside.
All too often, an SCM review would reveal gaps in antivirus which was assumed to “just be working,” or we would integrate with a SIEM, and an endpoint could show firewall logging alongside authentication and integrity monitoring events. This would help to quickly determine what was actually taking place when the firewall logs alone didn’t shed quite enough light.
Alert fatigue is real – but gaps in monitoring are behind a lot of the security breaches I’ve seen in the real world. The maxim that “less is more” isn’t always the correct answer.
What that means is you need to find the tools that integrate cohesively: the ones that share data with your SIEM and give added context to your other alerts. And you’ll want to make sure you’ve got flexibility if alert sharing alone isn’t quite enough. I’ve spent plenty of time enriching clients’ experiences with our tools through integrations, so that workflows in one tool can inform another and help people to do more without having to work harder.
Misconfigurations remain a common cause of breaches – and change control processes aren’t improving quickly
Misconfigurations, whether intentional or not, remain another common cause of breaches. The number of misconfigurations leading to system compromise has grown as organizations have gained the ability to manage massive environments more easily, resulting in a larger attack surface. The opportunities for simple slip-ups have led to a rise in more costly events.
For those hoping that AI tools and automation will save the day, these solutions are currently inadequate, and they can’t compensate for missing foundational controls; those controls need to be applied intelligently and with key business context that AI security solutions often lack.
In a recent encounter with an AI-powered tool, it was the traditional FIM audit trail that spotted the glaring error in a configuration roll-out, rather than the AI tool itself. This further highlights that automation only gets you part of the way towards your security goal: whether or not you’re automating the hardening tasks, it won’t matter if you aren’t also taking the time to audit that things played out the way you expected.
Change Audit in the world of Immutability
I have seen an exciting uptick in immutability solutions, which makes me hopeful for “secure by default” becoming the “new normal.” But strong change controls and configuration auditing will remain relevant even with those immutable solutions. If you aren’t checking your machines from start to finish, immutability isn’t a guarantee of security.
Recently I have been helping a lot of clients explore how they evaluate workflows like these, and it’s been encouraging to see how people are now appreciating the importance of change control processes that help deliver security and stability in a robust and helpful way.
The next 10 years will bring… change
A lot of the trends I’ve mentioned here started many years ago and appear ready to continue, and that’s a great thing. We’re slowly bringing up standards, while getting better and smarter.
We have not fixed all the problems, and we probably won’t do so in the next ten years either. The only thing we can be certain of is change. After more than a decade working in the profession, my top tip is probably still just to “keep watching those changes.” Whether that’s your files changing or the IT security threats that you face, knowing what’s changing is a key piece of the puzzle to being better prepared.