How to Reduce False Positives and False Negatives Using OSSEC FIM - Atomicorp - Unified Security Built on OSSEC

There is no such thing as perfect security. Therefore, having robust detection capabilities is key to determining if you have been hit with a cyber attack that evaded your protection capabilities. One of the most important detection and compliance capabilities today, file integrity monitoring (FIM) provides the ability to detect signs of intrusion or improper data usage by determining what objects in an environment have changed. It detects modifications on endpoints, desktops, laptops, servers and cloud workloads, and across files and data stores containing sensitive data. It also monitors configuration information and software native to the operating system, such as registries, binary files, and libraries, as well as infrastructure components like the configuration of network and cloud devices, web servers, and firewalls.

FIM detection captures the timestamp and nature of each change, informing real-time protection measures and aiding post-incident analysis. Analysis of these system change artifacts lets defenders trace malicious activity and lateral movement and respond to it, either through automated means or through threat containment activities.

A challenge with FIM is the volume of data it collects, which makes screening and prioritization for effective response difficult. In other words, FIM can be ‘too good’ at monitoring files and system activity, overloading security information and event management (SIEM) and analysis tools with security information.

Determine False Positives, False Negatives BEFORE the SIEM: DevSecOps

Join Us at OSSEC Conference 2021 to:

  • Learn how to rule out false positives using FIM in the Atomic OSSEC intrusion detection system. Select thresholds and the files you want to monitor, and filter out the less important paths. This empowers more accurate detection, which should cover known threats and evolving ones as well. Monitor incidents based on smarter, narrower criteria in our interface, and then learn how to reduce unnecessary false positives and uncover and resolve false negatives.
  • Root out false negatives, too. Learn how to increase Windows and Linux FIM coverage to detect the signs of an attack. But monitoring more of the file system tends to generate more noise. No sane administrator has time to chase down all of these items. This is where Atomic OSSEC comes in. Because Atomic OSSEC analyzes not only the event itself, but the content, context, and adjacency to other events, it enables security personnel to effectively monitor a more verbose security logging environment to detect and deter malicious lateral movement that is trying to hide in plain sight.
  • Thwart unauthorized sharing of administrative privileges and the scheduling of tasks intended to harm the organization. A lot of this functionality is needed to root out and stop the likes of Sunburst, the SolarWinds hack malware. Sunburst moved laterally by taking a number of steps that only SEEMED routine. Traces of the intrusion were there to be found by using deeper security rules and inspection tools.
  • Employ active response. Deep inspection should include automated response, where the target of the cyberattack can repel the assault through pre-programmed or on-the-fly processing segmentation, device hardening, virtual patching, and air gapping.
  • Keep your organization safer and more compliant with privacy laws, while relieving the toll of manually searching file logs and the overall cost of SIEM. Atomicorp provides a security and compliance platform for CIS, NIST, JSIG, HIPAA, and more, and is PCI-DSS compliant right out of the box.

Atomic OSSEC: FIM and Beyond: Log Decoding, Smart Agents, and Powerful Ruleset

FIM is a key piece of your host-based protection strategy, and Atomic OSSEC FIM is a lightweight, low-cost alternative to other FIM vendors. However, Atomic OSSEC does not stop there: it contains a number of powerful host-based detection and protection features as well.

It starts with Atomic OSSEC’s very powerful log decoding capability, which has the native ability to decode over 130 log formats out of the box, and you can easily write XML-based decoders for any crazy log format you have. This means that your ubiquitous and diverse logs can be easily understood by a single technology. It also does not require the installation of complex or resource-intensive clients.

Atomic OSSEC agents are smart. They know how to perform significant log reduction and aggregation, which cuts their output to a fraction of that of other products. This also helps them play well with other intrusion detection products that charge based on bandwidth.

Finally, they have a powerful ruleset (more than 5,000 rules) that helps them extract meaning from all of this data. These rules do not rely on filenames, hashes, or any other indicator that could easily be obsoleted by a change in tools or operators. Atomic OSSEC rules are based on the behavior of systems under active attack, and are able to detect dangerous scheduled tasks, privilege escalations, and other suspicious activity from a high-performance zero trust design.

Is active response in your host-based intrusion detection system (HIDS) a must? With the Atomic OSSEC HIDS, active response can be enabled for any rule, and the response can be any action or collection of actions you can think of. You can kill a process, change permissions, shun an IP address, log out a user, or all of these at once. You can even isolate a computer from the rest of the network. All of this can happen even before you get the notification that something has occurred.
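The OSSEC configuration fragments below are an added example (not from this post or from Atomicorp's own configuration) of the tuning described earlier and of the active-response hook described in this paragraph: a noisy syscheck scope beside a narrowed one, local rules that demote known churn and promote the scheduled-task and sudoers changes the post calls out, and a response tied to that rule. The two `<syscheck>` blocks are alternatives, and the monitored paths, rule ids 100200/100201 and the `snapshot-file.sh` script are assumptions.

```xml
<!-- ossec.conf, noisy baseline: everything under / is hashed every 10 minutes -->
<syscheck>
  <frequency>600</frequency>
  <directories check_all="yes">/</directories>
</syscheck>

<!-- ossec.conf, tuned: narrow the scope, drop known churn, go deeper where it matters -->
<syscheck>
  <frequency>7200</frequency>
  <directories check_all="yes">/etc,/bin,/sbin,/usr/bin,/usr/sbin</directories>
  <!-- scheduled tasks and privilege grants: real-time events plus content diffs -->
  <directories check_all="yes" realtime="yes" report_changes="yes">/etc/cron.d,/etc/sudoers.d</directories>
  <!-- paths that change on every boot or DHCP lease and carry no attack signal -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/resolv.conf</ignore>
  <ignore type="sregex">.swp$|.bak$</ignore>
  <alert_new_files>yes</alert_new_files>
</syscheck>

<!-- local_rules.xml: re-rank the stock syscheck alerts (550 changed, 553 deleted, 554 added) -->
<group name="local,syscheck,">
  <!-- keep the record but stop paging on it: ldconfig rewrites this on every library install -->
  <rule id="100200" level="3">
    <if_sid>550</if_sid>
    <match>/etc/ld.so.cache</match>
    <description>ld.so.cache rebuilt (expected package churn).</description>
  </rule>
  <!-- promote the changes an intruder needs for persistence and privilege -->
  <rule id="100201" level="12">
    <if_sid>550,553,554</if_sid>
    <regex>/etc/cron.d/|/etc/sudoers</regex>
    <description>Scheduled task or sudoers file changed.</description>
  </rule>
</group>

<!-- ossec.conf: preserve evidence the moment rule 100201 fires (snapshot-file.sh is a hypothetical script) -->
<command>
  <name>snapshot-file</name>
  <executable>snapshot-file.sh</executable>
  <expect></expect>
</command>
<active-response>
  <command>snapshot-file</command>
  <location>local</location>
  <rules_id>100201</rules_id>
</active-response>
```

Level 3 stays below OSSEC's default email threshold of 7, so the ld.so.cache record is still logged for forensics without generating a notification.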

Register for the Atomic OSSEC Conference 2021.

Sign up for special in-depth training, where you can replicate your computing environment and orchestrate advanced security.