Recently, I had a meeting with a potential customer who was looking to invest in Tripwire’s portfolio. We got to talking about various aspects of information security – in particular, when companies react and investigate potential security breaches.

The conversation took me back to when I worked in information security as a technical security manager.

When the large organisation I worked for detected an incident or suspected breach, a war room was set up, a conference call was opened up, and a number of key stakeholders were invited to weigh in on the incident.

Initially, nobody had a clue what had happened or why they were on the call. Slowly, as the facts came together, the picture started to become clearer, and as each department reported what it knew, the business impact became more apparent. Everyone was concerned, but it was unlikely anyone knew the full extent of the exposure at that stage.

The incident manager always took charge of the call and asked,

“What systems have been impacted?”

Some believed they knew what systems were impacted, but the truth was no one really knew the full extent of the incident.

The incident manager continued:

“What logs do we have that will help understand how the breach occurred?”

Logs? What logs? If logs are needed to investigate a breach, they have to have been enabled, and retained, before the breach happened, not switched on afterwards.

Good log management practices weren’t always easy to find, however. I’ve been on incident calls where a department lead stood up and said,

“We have logs turned on on our systems, but they only collect the last 12 hours.”

Helpful. Twelve hours of retention is useless if the incident is only noticed the following day. And let’s not forget the systems where logging is on but set to the wrong log level, so the events that matter were never written in the first place.

Alright, hands up now. Who has been on incident management calls and heard some of the questions and answers above? Speaking from personal experience and discussing this topic with other security professionals, I’ve seen nodding heads and grins of acknowledgment.

It’s no laughing matter, though. The organization’s security is at stake, and without adequate details of a breach, security teams have little hope of containing or responding to an incident.

By contrast, imagine how great it would be if the information security manager spoke up during the call and said:

“Fileservers alpha, bravo and delta were impacted. A number of critical operating system DLLs were altered last night at 04:10 on all three servers, which caused app-service-a and app-service-b to stop functioning at 04:12. One of the altered DLLs tested positive as malicious software. Oh, and by the way, I know the name of the user who made these changes.”

But wait, I thought you said there were no useful logs available? How does the security manager know this information?

The answer is a solution that can identify changes to files and systems and pinpoint the user who made those modifications. It may be that a privileged account was compromised, or a malicious insider may have hit the servers. One caveat a practitioner should keep in mind: the user cannot be derived from the changed file itself. Attribution depends on the operating system’s audit trail recording who wrote the file, so the monitoring has to be in place and collecting before the change is made.

Each change should be detected in real time, and the hash of any new or altered file should be sent to a threat intelligence provider for a verdict. If the hash is unknown, the solution should be able to submit the file itself for further analysis. That second path matters: a hash lookup only catches files the provider has already seen, and a freshly built or slightly modified payload will come back as unknown, which is not the same as clean.

The product should also run customized command output capture rules (COCR) on each endpoint, so that the output of commands such as a firewall rule listing is captured and compared over time, and integrate with ticketing systems so that any change with no matching approved ticket for that system and time window is flagged as having been made outside change control.
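To make the detect, classify and reconcile steps above concrete, here is an added example of the core logic in Python. It is not Tripwire code and not from the original post: the threat-intelligence feed, the change tickets, the file contents and the “observed at” timestamp are all constructed for the example, the hashes are of invented bytes rather than real malware, and the ticket-matching rule (path suffix plus approved time window) is a simplification of what a real change-control integration would do. The user attribution the post describes is deliberately not simulated, since it has to come from the OS audit trail.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed threat-intelligence feed: SHA-256 digests the provider has already
# classified. The payload bytes and the verdict string are invented.
KNOWN_MALICIOUS = {
    hashlib.sha256(b"MZ\x90\x00 constructed dropper payload").hexdigest():
        "Trojan.Generic (constructed verdict)",
}

# Constructed change-control tickets: which path was approved for change and in
# what window. A real deployment would pull these from the ticketing system.
APPROVED_CHANGES = [
    {"ticket": "CHG-0042", "path_suffix": "app-service-a.conf",
     "start": datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc),
     "end": datetime(2024, 5, 1, 3, 0, tzinfo=timezone.utc)},
]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Record a hash for every regular file under root: this is the trusted state."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def diff_against_baseline(root: Path, base: dict[str, str]) -> list[dict]:
    """Compare the current tree with the baseline and emit one event per change."""
    current = baseline(root)
    events = []
    for rel in sorted(set(base) | set(current)):
        before, after = base.get(rel), current.get(rel)
        if before == after:
            continue
        kind = "added" if before is None else "deleted" if after is None else "modified"
        events.append({"path": rel, "change": kind, "old_hash": before, "new_hash": after})
    return events


def enrich(event: dict, observed_at: datetime) -> dict:
    """Attach a threat-intel verdict and a change-control status to one event.

    Who made the change is not derivable from the hashes; it has to come from the
    OS audit trail (auditd file watches on Linux, object-access auditing on
    Windows), which this offline example does not collect.
    """
    approved = any(event["path"].endswith(t["path_suffix"])
                   and t["start"] <= observed_at <= t["end"]
                   for t in APPROVED_CHANGES)
    verdict = KNOWN_MALICIOUS.get(event["new_hash"]) if event["new_hash"] else None
    if event["new_hash"] is None:
        intel, action = "n/a (file deleted)", "review deletion"
    elif verdict:
        intel, action = verdict, "quarantine"
    elif approved:
        intel, action = "unknown to feed", "record (approved change)"
    else:
        # Unknown to the feed is not "clean": hand the sample over for analysis.
        intel, action = "unknown to feed", "submit sample for analysis"
    return {**event, "intel": intel, "action": action, "in_change_control": approved}


def demo_fim() -> list[dict]:
    """Build a throwaway tree, baseline it, make three changes, and classify them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app-service-a.conf").write_text("port=8080\n")
        (root / "lib").mkdir()
        (root / "lib" / "core.dll").write_bytes(b"legitimate library bytes")
        base = baseline(root)

        # Simulated activity: an approved config edit, a DLL swapped for a known-bad
        # payload, and a brand-new unknown DLL dropped next to it.
        (root / "app-service-a.conf").write_text("port=8443\n")
        (root / "lib" / "core.dll").write_bytes(b"MZ\x90\x00 constructed dropper payload")
        (root / "lib" / "persist.dll").write_bytes(b"never seen before")

        observed = datetime(2024, 5, 1, 2, 30, tzinfo=timezone.utc)
        return [enrich(e, observed) for e in diff_against_baseline(root, base)]


if __name__ == "__main__":
    for finding in demo_fim():
        print(finding)
```

Running it produces three findings: the config edit is unknown to the feed but inside its approved window, the replaced DLL matches the feed and is outside any ticket, and the new DLL is unknown and unapproved, so it is the one to submit for analysis. The baseline dictionary is the whole trick; without a trusted “before” state there is nothing to diff against, which is the file-system equivalent of the log that was never enabled.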

If you have this kind of solution, do you still need logs? Absolutely. It’s paramount that logging is enabled on your applications, operating systems and network devices, that the logs are shipped to a central log aggregator, and that they are retained for long enough to cover the period before anyone noticed the incident. By applying correlation rules to the aggregated logs, an analyst can reconstruct how the breach occurred and spot the patterns that preceded and accompanied it, such as a burst of failed logins from one source followed by a successful one.
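As an added illustration of what “correlation rules” means in practice (this is example code, not from the original post or any product), the following Python runs two rules over constructed sshd-style syslog lines: a brute-force rule that fires when one source address produces five or more failures inside a sixty-second sliding window, and a second rule that fires when a login from that same source then succeeds. The sample lines, host names, user names and addresses are invented, and the threshold and window are assumptions; syslog omits the year, so the parser supplies one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in syslog style, not taken from any real system. The cron
# line shows that unrelated records are skipped rather than breaking the parser.
SAMPLE_LOGS = """\
May  1 04:01:02 alpha sshd[2211]: Failed password for svc_backup from 203.0.113.7 port 51022 ssh2
May  1 04:01:03 alpha sshd[2212]: Failed password for svc_backup from 203.0.113.7 port 51023 ssh2
May  1 04:01:04 alpha CRON[2213]: (root) CMD (run-parts /etc/cron.hourly)
May  1 04:01:04 alpha sshd[2214]: Failed password for svc_backup from 203.0.113.7 port 51024 ssh2
May  1 04:01:05 alpha sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
May  1 04:01:06 alpha sshd[2216]: Failed password for svc_backup from 203.0.113.7 port 51026 ssh2
May  1 04:01:09 alpha sshd[2230]: Accepted password for svc_backup from 203.0.113.7 port 51030 ssh2
May  1 04:05:00 bravo sshd[911]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
May  1 04:05:20 bravo sshd[912]: Accepted password for jsmith from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def parse(text: str, year: int = 2024) -> list[dict]:
    """Turn sshd auth lines into events; syslog omits the year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth outcome line: ignore it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate(events: list[dict], threshold: int = 5,
              window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Two rules over a sliding window keyed by source address.

    brute_force: at least `threshold` failures from one source inside `window`
    (raised once per source so a long attack does not flood the queue).
    success_after_brute_force: a successful login from a source that is still
    over threshold, which is the pattern that turns noise into an incident.
    """
    recent: dict[str, deque] = defaultdict(deque)  # src -> failure timestamps in window
    fired: set[str] = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in fired:
                fired.add(ev["src"])
                alerts.append({"rule": "brute_force", "src": ev["src"],
                               "host": ev["host"], "failures": len(q), "at": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"rule": "success_after_brute_force", "src": ev["src"],
                           "host": ev["host"], "user": ev["user"], "at": ev["ts"]})
    return alerts


def demo_correlation() -> list[dict]:
    return correlate(parse(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in demo_correlation():
        print(alert)
```

On the sample, the brute-force rule fires at the fifth failure from 203.0.113.7 and the second rule fires three seconds later when svc_backup logs in from that address; jsmith’s single mistyped password on bravo produces nothing. Note that both rules need the failures that came before the success, which is exactly what a twelve-hour retention window or a log level that drops authentication failures takes away.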

Great. So, are there file integrity monitoring solutions out there that do everything I describe above?

There sure are. Tripwire Enterprise is capable of monitoring critical systems like network devices, databases, directory services and virtual infrastructures for changes in real time.

The next time you’re invited to an incident management call, don’t just think about the “whys” and “hows” of incident management. Also consider adding that extra layer of security by investing in Tripwire Enterprise integrity monitoring.