Mike Shinn is the CEO of Atomicorp and will be presenting at the upcoming OSSEC Conference on using OSSEC for FIM. He recently sat down for a Q&A on the history of FIM and why OSSEC is becoming an increasingly popular option for enterprises.
Tell us about how FIM originated and what it is used for?
Mike Shinn: FIM stands for file integrity monitoring. It is designed to track changes in system files and it’s been around for a very long time. It is arguably the second oldest security software category. One of the first technologies out there was Tripwire. It was originally open source and OSSEC remains open source and has a native FIM capability to monitor changes.
FIM became a regularly cited requirement in most cyber security standards because it was available and had direct security benefits. PCI DSS, NIST, the Nuclear Regulatory Commission and many others all have it spelled out in their standards. I would argue it was one of the first true intrusion detection capabilities because it worked independently of the operating system. That was pretty revolutionary at the time. It gave you visibility into your system and changes that were being made.
How has FIM evolved over time?
Shinn: One of the first big changes to FIM was to monitor the changes in real-time. Previously, the technology ran on a schedule. Maybe an hourly or daily schedule was set and it was often resource constrained. You had to run against all of the files and couldn’t rescan again until they were all scanned. That might take hours. So, there was a need to detect when files changed and only inspect them when they changed to speed up the process. It took some time before operating systems had the capabilities to enable this, but now most FIM tools do this in real-time, including OSSEC.
What about alerting?
Shinn: All of the FIM solutions out there now allow you to define the scope of what you want to be alerted about. For example, you don’t need to know in most cases that entries are being added to a log file. That is its job. However, you might want to know if a log file has been truncated. You might also want to know if a log file is deleted, replaced or shrinks in size, which a log file shouldn’t do.
For other parts of the system, you might want to know precisely what has changed such as a file that defines the security settings for the system. You want to know every single time that changes whether it is authorized or not because you need a record for auditing purposes. It is important to note that these technologies have evolved from just being intrusion detection tools to forensics tools that are now even utilized for operational tasks.
How is OSSEC different from traditional FIM solutions?
Shinn: A neat capability of OSSEC compared to traditional FIM is that it will tell you not just that a file has changed, it will indicate in some cases what precisely changed. For example, if you have graphics files and someone made a change to that file it is challenging to represent that change in a way a human can understand. However, if you have something like a configuration, password file or registry or anything in a structured format, even text, it will indicate precisely what has changed. And, it will keep a copy of all of those changes. That gives you a tremendous forensics capability and really a configuration management capability.
If you have configuration changes on the system or software updates, it will keep a copy of as many changes as you want. This gives you the ability to roll back and analyze changes on a much deeper level than just telling you that a file changed or which user made the change. It is not uncommon for a malicious person to make changes to a system to cover their tracks or by accessing information. FIM is a tool to identify and track these activities.
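The two ideas above, alert scoping for log files (append is normal, shrink/truncate/replace/delete is not) and reporting precisely what changed in a text file while keeping a copy of every version, are illustrated by the following added example. It is a small Python monitor written for this page, not OSSEC's code or configuration; the file names, contents and history directory are constructed for the demo.

```python
"""Added example: a minimal hash-based file-integrity monitor (not OSSEC code).

Shows three ideas from the interview: scoped alerting for log files,
a unified diff of what changed for text files, and retaining a copy of
every accepted version for later review or rollback.
"""
import difflib
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Optional, Tuple


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class FileMonitor:
    def __init__(self, history_dir: str) -> None:
        self.history_dir = history_dir
        os.makedirs(history_dir, exist_ok=True)
        # path -> (sha256, size, location of the retained copy)
        self.baseline: Dict[str, Tuple[str, int, str]] = {}
        self.versions: Dict[str, int] = {}

    def _retain(self, path: str) -> str:
        """Keep a numbered copy of the current content of `path`."""
        n = self.versions.get(path, 0) + 1
        self.versions[path] = n
        tag = hashlib.sha256(path.encode()).hexdigest()[:12]
        dest = os.path.join(self.history_dir, f"{tag}.v{n}")
        shutil.copy2(path, dest)
        return dest

    def add(self, path: str) -> None:
        """Record the trusted baseline (hash, size, copy) for a file."""
        self.baseline[path] = (sha256_file(path), os.path.getsize(path), self._retain(path))

    def check(self, path: str, log_file: bool = False) -> Optional[dict]:
        """Compare `path` to its baseline; return an alert dict or None."""
        old_hash, old_size, old_copy = self.baseline[path]
        if not os.path.exists(path):
            del self.baseline[path]
            return {"path": path, "event": "deleted"}
        new_hash = sha256_file(path)
        if new_hash == old_hash:
            return None
        new_size = os.path.getsize(path)
        with open(path, "rb") as fh:
            new_bytes = fh.read()
        with open(old_copy, "rb") as fh:
            old_bytes = fh.read()
        # Accept the new content as the next baseline and keep a copy of it.
        self.baseline[path] = (new_hash, new_size, self._retain(path))
        if log_file:
            # Appending is a log's job; alert only if it shrank or its
            # earlier content was rewritten (truncate/replace).
            if new_size > old_size and new_bytes.startswith(old_bytes):
                return None
            return {"path": path, "event": "log_truncated_or_replaced",
                    "old_size": old_size, "new_size": new_size}
        alert = {"path": path, "event": "modified",
                 "old_sha256": old_hash, "new_sha256": new_hash}
        try:
            old_lines = old_bytes.decode("utf-8").splitlines(keepends=True)
            new_lines = new_bytes.decode("utf-8").splitlines(keepends=True)
            alert["diff"] = "".join(difflib.unified_diff(old_lines, new_lines, "baseline", "current"))
        except UnicodeDecodeError:
            alert["diff"] = None  # binary content: report the change, not its text
        return alert


def demo() -> Dict[str, object]:
    """Exercise the monitor on constructed files in a scratch directory."""
    work = tempfile.mkdtemp()
    cfg = os.path.join(work, "sshd_config.txt")  # constructed sample file
    log = os.path.join(work, "app.log")          # constructed sample file
    with open(cfg, "w") as fh:
        fh.write("PermitRootLogin no\nPasswordAuthentication no\n")
    with open(log, "w") as fh:
        fh.write("line 1\nline 2\n")
    mon = FileMonitor(os.path.join(work, "history"))
    mon.add(cfg)
    mon.add(log)
    results: Dict[str, object] = {"cfg_unchanged": mon.check(cfg)}
    with open(cfg, "w") as fh:  # a security setting flips: expect a line-level diff
        fh.write("PermitRootLogin yes\nPasswordAuthentication no\n")
    results["cfg_modified"] = mon.check(cfg)
    with open(log, "a") as fh:  # normal log growth: no alert
        fh.write("line 3\n")
    results["log_appended"] = mon.check(log, log_file=True)
    with open(log, "w") as fh:  # log truncated: alert
        fh.write("line 3\n")
    results["log_truncated"] = mon.check(log, log_file=True)
    os.remove(cfg)
    results["cfg_deleted"] = mon.check(cfg)
    results["versions_retained"] = len(os.listdir(os.path.join(work, "history")))
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

This is the polling model the interview describes as the older approach: `check()` rehashes a file when called, so it would be driven by a schedule. A real-time monitor would instead subscribe to filesystem change notifications (inotify on Linux, for instance) and call the same comparison only for files the kernel reports as changed.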
How does OSSEC compare to Tripwire?
Shinn: OSSEC is certainly a one-for-one replacement for Tripwire in the sense that you can do the same things. It has the same reporting and forensics capabilities for example. There are presentation layer technologies that can be applied to OSSEC to give you reports in almost any format that you want. However, OSSEC has many more capabilities as well. For example, there are logging, malware detection and active response features that you won’t find in traditional FIM such as Tripwire.
And, OSSEC is very extensible. We have seen in some very large enterprises that OSSEC is definitely used to do a lot more than just FIM. In some cases they are using it along with orchestration tools in order to roll back configuration changes because it is a good automatic backup system.
Have you seen organizations shifting over from Tripwire to OSSEC for FIM?
Shinn: We have definitely seen people do it. The simplest explanation is cost. OSSEC is the leading open source solution out there that is effectively free. We should be careful about saying free because everything has a cost. You still have to deploy it, manage it and so on, but you don’t have the high licensing cost.
Since OSSEC also does a lot more than just File Integrity Monitoring there are also other reasons people use the solution. In some instances, enterprises are using OSSEC for something else such as logging or active response and then discover that it can also do FIM. At that point, some people look at their portfolio and decide they don’t really need the other FIM tool and switch over to OSSEC.
To learn more about using OSSEC for FIM, you can attend Mike’s presentation at the OSSEC conference in early April 2018.