File Integrity Monitoring: Using Lacework’s SaaS Solution for SaaS Environments
April 2, 2019
One of the critical distinctions about Lacework is in our approach. While all cloud security vendors talk about things like security posture and identification of threats, we have actually constructed a methodology that is tactically applied to finding issues, alerting on them, and preventing issues. We also realize that the best way to deliver security is to understand the environments in which it’s being used. Therefore, we are committed to using the cloud to secure the cloud.
The essence of our automated SaaS solution is baked into the concept of anomaly detection. Lacework identifies anomalies for almost every activity happening within a cloud environment by baselining, and then analyzing, the actions of applications, networks, users, and all different types of resources. By doing it this way, as opposed to relying solely on rules and signatures, we’re able to help an organization identify where there are behavioral abnormalities that indicate a vulnerability.
One of the ways we do all of this is through file integrity monitoring (FIM), which is a process performed by our agent that checks and analyzes application, OS, storage, database, and other types of files to determine their legitimacy. When changes to these files are identified, they are analyzed to create a baseline, and from that, to determine changes that should be alerted on. One of the key distinguishing features of FIM is its flexibility in how it audits and reports on activity – it identifies issues through investigations and through rules-based monitoring.
File tampering is a critical indicator of compromise so it’s easy to understand why FIM is a critical requirement in most compliance mandates. Lacework recognizes that FIM is more than a compliance checklist item, so we identify the instance of malicious files and other anomalies in cloud and container environments, as well as the actors who are involved, and then delivers contextual alerts.
Where FIM Improves Your Security Visibility
Most aspects of security are looking for a specific “a-ha!” moment. FIM is doing the same, but it’s applying thorough analysis to get really specific about where and how a threat is impacting your cloud and/or container environment. Especially in hybrid environments where application data is traveling among different assets and sources, FIM provides an important measure of scrutiny because it’s looking for the activity within the activity.
There are typically three key areas that are critical to automated file detection:
Compliance configuration changes: Compliance frameworks like SOC2, HIPAA, PCI, CIS Benchmark, and others provide a structure for how enterprises organize and secure their content and resources. For security and compliance teams, the issue is a mathematical one. Every configuration change, added user, API call, file download, and any of millions of potential actions can have hidden implications. FIM provides a way to investigate things like the addition and removal of users and groups from ACLs, access exceptions, configuration updates, and other file changes (or merely file change attempts) for compliance frameworks.
Context for file alterations: The value of a cloud environment includes the ability to be flexible, agile, and to capitalize on change rapidly. Therein, however, is a conundrum for security teams who need to make sense of all that change and in how it applies to security posture. Changes are made in order to integrate with new data sources, update users, or manage workload requirements, yet due to the volume of activity and lack of formal requirements, some of those changes are inadvertent and can lead to vulnerabilities. Some of these issues seem small, so they are not identified as potential threats. But any change can open holes in an environment. Lacework is looking for all activity, not just actions that are codified within a rules-based system. Therefore, the color around file changes is analyzed, not just the file changes themselves.
Making sense of cloud and container activity: Breaches and attacks take on many different forms, but they all involve an attacker finding a hole and exploiting in. Identifying that is one thing, but Lacework recognizes that the other part of this is understanding what was breached, how it was breached, and what and where the damage is. Our customers talk about their anxiety at not knowing if files have been altered for malicious purposes. This is a problem point for them because even when an attack is isolated and shut down, damaged files can continue to cause damage if they live undetected within the environment. We apply FIM to monitor and detect any changes within files specifically so users can understand if breaches have infiltrated at the file level, and to pinpoint precisely where they exist
Applying Automation to File Detection
Lacework deploys an agent into users’ cloud and hybrid environments, and in orchestration systems to automate the process of collecting and recording files. The agent records new files as they are added and records the hashes of the files as they change, displaying the old and new for easy comparison. The agent streams this data back to the cloud platform to ensure that the information is reliably collected and stored.
Additionally, Lacework identifies any files that are known to be malicious; this is all done using external threat feeds. Once the hashes have been collected, the checksum is compared against curated threat databases to ensure that no known malicious files exist within the monitored environment. If a known malicious file is found within the environment, Lacework will trigger a critical alert. From there, you can investigate quickly to determine what systems does this file exist on and also can do additional research on the files linking back to VirusTotal database for threat summary. This expedites the process of identifying files as well as the research needed to understand the impact of the malicious file.
FIM in Lacework
FIM is one of the essential use cases within Lacework, so customers are able to use file integrity signals to complement the other platform events and threat detection within Lacework.
When a malicious file is identified, Lacework initiates an alert with related has information about the file:
Detailed analysis and context of the issue are reported, so security teams can drill down into the affected files and initiate whatever incident response is needed:
Additionally, an investigation report offers actionable insights:
Ultimately, FIM offers users a level of insight and awareness that can prevent undetected and possibly ongoing issues happening at the file level. Lacework applies FIM in cloud and container environments and operates file monitoring functionality across all major platforms and in hybrid systems. Customers get analysis of file-related activity and events to make sense of, and remediate, issues at the host level.