When I read these two lines from Andrew Storms over at the nCircle blog, I got a little pissed off. Then I read them again and said, “Oh, yeah!” The post subject is the Heartland Payment Systems data breach and how there is little excuse for the lack of detection:
Many well performing products are available on the market today to perform system integrity monitoring. A basic email alert to an IT systems administrator could have done much to dam the flow.
Of course, quickly reading I missed that he is talking about a small slice of a security posture, but one that is exceedingly important when it comes to malicious software installs on server: system integrity monitoring (aka file integrity, digital integrity, etc).
Sadly, this is a slice that I don’t think is present enough, especially in the Windows space. I believe Tripwire Linux is still free, as are possibly others, but pretty much anything for Windows beyond homegrown scripts is yet another budget cost. My last two companies have not had any digital integrity software in place beyond your normal AV/AM pieces. Of course, anything that already has an agent on the server should be putting this in as a feature, eh? Well, as long as they aren’t one of the Big Boys who get disabled or thwarted as a first step in an attack…
This is yet again all part of a layered defense. Yes, people should not be doing much on servers such as browsing anything or installing much beyond what is needed. Yes, the network should have controls to limit access whether that be direct or pivoted (like Skoudis’ latest hacking challenge answer from McGrew). Yes, there should be network monitoring to find anomalies in egress and ingress, let alone some sort of IDS presence (come on, all that pilfered data had to either be sent out or stored in some constantly growing file!). Yes, server roles should be limited as much as possible, if only to allow regular deletion and rebuilding nodes in a cluster when they become inconsistent or “weird” as we call it. Blah, blah, system monitoring, blah, change management, blah, blah…
Why is it difficult to get this integrity monitoring? I can only guess. Money for yet another tool? Someone to install it on all the servers and tune it to ignore all the normal things like Windows patches? Lack of trust that ninja-like malware will get in underneath and root down lower than these checks?* Someone to watch all the alerts that come in and check them out? Maybe a lack of technical knowledge in someone who is “just watching alerts?” Or lack of knowledge to look far enough to explain an alert rather than write it off as yet another “Windows just being Windows?” Who knows, but all of these reasons don’t surprise me.
* Really, how often have we seen or heard of cutting edge techniques truly being used by people in the Crazy-Fu level of black hat criminal demigods? Maybe they don’t get caught, but my guess is that everything else is still so easy that there is no need to bother!