Together with the National Cybersecurity Center of Excellence (NCCoE)*, the National Institute of Standards and Technology (NIST) has published a number of data integrity practice guides. Data integrity means that data has not been modified in any unauthorized way. Tripwire was proud to collaborate with other vendors and contribute to the development of these practice guides.
Data Integrity Challenges
Ransomware, destructive malware and malicious insider activity, as well as honest errors, all create the need for organizations to respond quickly to any event that could compromise data integrity. Companies must ensure that such events are quickly identified and addressed appropriately.
Attacks against an organization’s data can impact business operations, revenue, and reputation. Data integrity attacks can include the unauthorised insertion, deletion or modification of corporate data such as email, customer information, financial records and employee records.
Some organizations have suffered systemic attacks that forced operations to stop. Ransomware continues to be the most common attack method, but other methods can also cause data integrity problems. These attacks compromise individual computers and then propagate laterally across the network, and they typically target many files at once rather than a single file: for most companies, holding one file hostage would have little effect, and most attackers value high impact over subtlety. That breadth is also what makes such an event easy to detect with the proper monitoring tools.
NIST Cybersecurity Framework
NIST published Version 1.1 of its Cybersecurity Framework in April 2018 to give guidance on developing resilience and protecting critical infrastructure. Its five core functions are described in a simple, clear graphic:
- Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Protect – Develop and implement appropriate safeguards to ensure the delivery of critical services.
- Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
NIST SP 1800-25: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
This practice guide applies the Cybersecurity Framework to data integrity. It shows organizations how to identify the data they hold and understand the consequences of a potential integrity attack, and how to protect that data by managing data integrity risk and putting the necessary safeguards in place.
The NCCoE developed a solution that identifies cybersecurity risks and implements remediation strategies. The solution also uses data gathered during cybersecurity incidents to better protect the IT infrastructure. The following core capabilities must be present in order to accomplish this:
- Inventory
- Vulnerability management
- Policy enforcement
- Integrity monitoring
- Logging
- Backups
- Secure storage
- Network protection
It all begins with an inventory of every device in the environment. A vulnerability management system scans all devices in the environment and uncovers weaknesses throughout the organization. An effective vulnerability management system should prioritize these exposures according to severity and exploitability, and it also needs to log any resolved vulnerabilities. Information from vulnerability management can be used either to fix discovered vulnerabilities or to quarantine affected systems until they are resolved.
Figure 1. Protecting high-level architecture. Source: NIST SP 1800-25
Whereas vulnerability management looks for weaknesses, integrity monitoring allows for the testing, understanding, and measurement of any changes made to files and other components in the organization. Establishing an integrity baseline for all enterprise files and systems is crucial: deviations from the known-good system state are detected by comparing against that baseline. Integrity monitoring is valuable both before and after an event.
Alarms can be created to alert security staff to take action when suspicious changes are made to files or systems, such as changes made at unusual times or changes by users who do not usually modify those assets. The information generated by integrity monitoring systems may also be useful in recovering files and data, since it records when the change occurred, what program was involved, what the result was, and what the consequences of the change were.
The results of integrity monitoring and vulnerability management feed the logging capability. Logging serves several purposes in the identify-and-protect architecture, and every component in the enterprise produces logs.
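The baseline-and-deviation idea described above, as an added example that is not Tripwire's or the NCCoE's code: a minimal file-integrity checker that hashes every file under a directory to build a baseline, classifies later deviations as added, removed or modified, and then applies the two alarm conditions the text mentions (changes at unusual times, changes by unexpected users) plus a mass-change threshold. The business hours, the expected-user set and the sample files are all assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Hypothetical example of integrity baselining; not Tripwire Enterprise's
# implementation. Hashes are SHA-256 so that any byte-level change is caught.


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its digest and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return baseline


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify deviations from the baseline as added, removed or modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 local time, Monday to Friday


def change_is_suspicious(when: datetime, user: str, expected_users: set,
                         changes: dict, many_threshold: int = 10) -> list:
    """Return the reasons a batch of changes should raise an alarm (empty if none)."""
    reasons = []
    if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
        reasons.append("outside business hours")
    if user not in expected_users:
        reasons.append(f"unexpected user {user!r}")
    touched = sum(len(changes[k]) for k in ("added", "removed", "modified"))
    if touched >= many_threshold:
        reasons.append(f"{touched} files changed at once")
    return reasons


def demo() -> dict:
    """Constructed scenario: baseline three files, then simulate a batch of changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "report.docx").write_bytes(b"constructed sample document")
        (root / "notes.txt").write_text("quarterly numbers\n")
        baseline = build_baseline(root)

        # Simulated event: config edited, document overwritten, one file removed, one added.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "report.docx").write_bytes(b"overwritten contents")
        (root / "notes.txt").unlink()
        (root / "new.txt").write_text("constructed new file\n")
        current = build_baseline(root)

    changes = compare_to_baseline(baseline, current)
    # 2024-01-06 is a Saturday; "svc-backup" is not among the expected editors.
    reasons = change_is_suspicious(datetime(2024, 1, 6, 3, 15), "svc-backup",
                                   {"alice", "bob"}, changes, many_threshold=3)
    return {"changes": changes, "reasons": reasons}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the baseline would be written to a store the monitored hosts cannot modify, and the digests would be rechecked on a schedule; the alarm reasons are what you would forward to the logging capability so that the who, when and what of each change survive for recovery and forensics.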
NIST SP 1800-26: Detecting and Responding to Ransomware and Other Destructive Events
There is also an NCCoE practice guide that assists organizations with how to quickly detect and respond to data integrity attacks. It integrates multiple systems to detect and respond quickly to cybersecurity events that threaten data integrity, and it contains guidance on how to respond to the identified event. Addressed together, these functions give organizations the tools they need to respond to a data integrity breach.
Combining the following capabilities makes it possible to detect and respond to attacks on data integrity:
- Integrity monitoring
- Event detection
- Vulnerability management
- Reporting
- Mitigation and containment
Integrity monitoring records not only assist recovery but also serve as indicators of compromise. Event detection uses these records to alert on suspicious actions and to trigger the appropriate steps through the other parts of the reference architecture.
Figure 2. Detecting and Responding high-level architecture. Source: NIST SP 1800-26
Logging records information such as event detections and integrity monitoring results, and this data then supports the response functions. Containment and mitigation prevent an attack from affecting the rest of the system. Analytics and forensics allow the logs to be analyzed so the organization can learn from an incident. Reporting records information and makes it available to those who need it, both before and after the incident.
Information gleaned from these records can also be fed back into the Cybersecurity Framework's Identify function, where it is used to determine whether any security vulnerabilities require remediation.
Using the practice guides to your advantage
Before the release of these new practice guides, NIST had already published NIST SP 1800-11, “Recovering from Ransomware and Other Destructive Events.” Together, these data integrity practice guides can help your organization:
- Develop a plan for protecting against, responding to, and recovering from data integrity cybersecurity events.
- Provide comprehensive protection, effective detection and prompt response to adverse events, allowing a smoother recovery that supports business operations, revenue-generating activities and continued operation.
- Manage enterprise risk.
Benefits of Tripwire solutions
Tripwire is proud to have been part of the NCCoE project. Companies view Tripwire's functionality as a crucial component in successfully implementing the NIST Cybersecurity Framework, and the controls provided by Tripwire solutions support all five functions.
The NCCoE used Tripwire IP360 to carry out the vulnerability management functions. Tripwire IP360 serves as both a vulnerability scanner and a management tool: it scans hosts for known vulnerabilities and reports on its findings, and it lets security personnel assign risk to vulnerabilities and track them, which makes it easy to manage all vulnerabilities across an enterprise.
Tripwire Enterprise was chosen for integrity monitoring. Tripwire Enterprise monitors file integrity and establishes a baseline against which activity in the enterprise is tracked. The baseline helps to identify and notify on potential threats within the enterprise, and assists in recovery if needed.
Tripwire Log Center served as the logging tool. Logs from Tripwire Enterprise and Tripwire IP360 were collected and transformed by Tripwire Log Center.
To learn how Tripwire solutions could help you implement data integrity functions in your company, get in touch with the experts.
* The NCCoE is a public-private partnership that brings together industry organizations, government agencies and academic institutions under cooperative research and development agreements to collaborate on the creation of practical cybersecurity solutions that address the needs of specific industries as well as broad, cross-sector technology challenges. NIST has not evaluated commercial products or services under the project.