- File Integrity Monitoring – File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted “baseline.” If FIM detects that files have been altered, updated, or compromised, FIM can generate alerts to ensure further investigation, and if necessary, remediation, takes place. File integrity monitoring encompasses both reactive (forensic) auditing as well as proactive, rules-based active monitoring.
Companies can leverage the control to supervise static files for suspicious modifications such as adjustments to their IP stack and email client configuration. As such, FIM is useful for detecting malware as well as achieving compliance with regulations like the Payment Card Industry Data Security Standard (PCI DSS).
FIM is important for Windows-based environments as well as for Linux and Unix systems. Windows uses the registry for most of its configuration, combined with the Win32 API, which is a tightly controlled and restricted area. In Linux and Unix environments, configurations are much more exposed as part of the overall file system. This makes Linux and Unix more vulnerable to direct attacks and hacked binary executables. Updating and replacing core files in Linux or Unix means that attackers can easily inject malicious code. File integrity monitoring examines various aspects of a file to create a “digital fingerprint.” It then compares this fingerprint to a known, good baseline fingerprint. While native auditing tools exist, these generally all suffer from shortcomings, such as decentralized storage of the security logs from multiple domain controllers, lack of information within the log entry regarding the old settings, and inability to recover the object/configuration from the audit log, to name few. For these reasons, organizations with moderately to highly complex IT environments generally rely on proven enterprise solutions. FIM can be carried out on a continual, snapshot, or regular basis. It can happen randomly, or to any other rules that the security team sets up.
Database Activity Monitoring (DAM) is an important part of a large organization’s security and compliance strategy. DAM monitors database activity continuously in real time, and creates alerts and reports based on the aggregated information it oversees. When paired with encryption, organizations have a robust security posture that protects database data from an array of threats ranging from privileged insider risk to physical theft.
DAM solutions are designed to monitor data access in real time and use policies to prevent unauthorized access and provide additional layer of security and protection in opposition to malicious attacks. While there are clear advantages to this approach, organizations face a broad range of risks that fall outside the scope of what a DAM is designed and asked to do.
Security and compliance professionals are facing more data, regulations, and security tools than ever before – with obstacles to sensitive data protection growing larger every day. Solving database security problems was the genesis of the DAM market, but compliance is what drives adoption of the technology today. While there is overlap with other security and management platforms, database activity monitoring offers features and functions found nowhere else.
Database activity monitoring is done by combining several techniques such as network sniffing, memory scraping and reading system tables and database audit logs. Regardless of the methods used, DAM tools enable data correlation so as to provide an accurate picture of all the activities in the database.
These tools also allow relevant authorities to detect, identify and take corrective measures against threats and attacks, and provide forensic evidence when a data breach occurs. Depending on the configuration of the DAM tools, an administrator or auditor may be able to reconstruct data or restore it to a previous state.
- Data Loss Prevention – Data Loss refers to an event in which important data is misplaced or gets missing from the company’s database. These losses can be caused by several factors which may include; virus intrusion, system malfunction among several others. Data loss prevention focuses on preventing unwanted or unauthorized transfer of data outside organizational boundaries.
It is also the practice of detecting and preventing data breaches, or unwanted destruction of sensitive data. DLP software application is mostly used by organizations to protect and secure their data and also to comply with rules and regulations.
It can also be used for the following:
Protect Intellectual Property critical for the organization
Achieve data visibility in large organizations
Protect Personally Identifiable Information (PII) and comply with relevant regulations.
Secure data on remote cloud systems
Secure mobile workforce and enforce security in Bring Your Own Device (BYOD) environments
Below are three common causes of data leaks:
Unintentional or negligent data exposure: Several data leaks occur as a result of employees who lose sensitive data in public, provide open Internet access to data, or fail to restrict access per organizational policies.
Insider threats: A malicious insider who has compromised a privileged user account, abuses their permissions and may also attempt to move data outside the organization.
Extrusion by attackers: Several cyber-attacks have sensitive data as their target. Attackers penetrate the security perimeter using techniques like phishing, malware or code injection and gain access to sensitive data.
How to prevent data leakages.
Standard security tools can be used to defend against data loss and leakage. For instance, an Intrusion Detection System (IDS) can alert about an attacker attempt to access sensitive data. Antivirus software can also prevent attackers from compromising sensitive systems. Firewall can also block access from any unauthorized party to systems storing sensitive data.
It is advisable for members of large organizations to use designated DLP tools or solutions to safeguard the company’s data. Tooling in the Security Operations Center (SOC) can also be used to assist with DLP. For example, a Security Information and Event (SIEM) system can be used to detect and correlate events which might constitute a data leak.
- EndPoint Protection and Management – Endpoint security management is a policy-based approach to network security that requires endpoint devices to comply with specific criteria before they are granted access to network resources. Endpoints can include PCs, laptops, smart phones, tablets and specialized equipment such as bar code readers or point of sale (POS) terminals.
To ensure that your infrastructure is protected against external threats, it’s critical to not only secure the infrastructure at the perimeter, but also at the endpoint. Most organizations already have some endpoint security controls implemented such as firewall, antivirus and patch management, but the endpoint security market has massively evolved and new products have made it much more complex than these three basic technologies.
The landscapes of today’s enterprise networks are radically different than they were 10 years ago. IT staffs no longer have control over every endpoint connecting to the network, leading to a host of problems where access control is weak or nonexistent, and the endpoints are not properly secured. Hence, insecure endpoints can act as an open door to malicious users or hackers looking to cause harm to your network. Therefore considering, endpoint security should be an essential component of every organization’s network access control strategy.
Antimalware protection has evolved to include the use of complex endpoint security suites with multiple malware detection techniques and features, such as host-based intrusion prevention (HIPS) and full-disk encryption. Endpoint security suites offer multiple malware detection techniques and data protection features, which are especially appealing to midmarket IT organizations.