fim winsecylogs
TRANSCRIPT
-
8/13/2019 FIM WinSecyLogs
1/8
UltimateWindowsSecurity.co
2011 Monterey Technology Group Inc.
File Integrity Monitoring
with the Windows Security Log
Made possible by:
Brought to you by
Speaker
David Pack, Manager, Knowledge Engineering
http://www.logrhythm.com
Preview of Key Points
File Integrity Monitoring
  1. Native auditing
     Audit policy
     Events
     Limitations
  2. Periodic comparison
  3. Real-time monitoring
Demonstration of LogRhythm's File Integrity Monitoring
File Integrity Monitoring
Native auditing
Audit policy
Events
Limitations
Native Auditing
Audit policy
2 levels
  System (the audit policy setting itself)
    Win 2003: Object Access - Success
    Win 2008: File System - Success (subcategory of Object Access)
  File (the SACL, the audit entries on the folder or file itself)
Native Auditing
Who to audit?
  Everyone
What operations?
  Delete
  Write
  Append
  Ownership
  Change permissions
Apply onto
  Files only
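The two levels above, configured from the command line rather than the GUI. This is an added example, not code from the webinar or from LogRhythm; the directory path is an assumption, and it assumes Windows Server 2008 or later (the `auditpol /subcategory` syntax does not exist on Windows 2003) run from an elevated PowerShell session.

```powershell
# Added example, not from the original slides: configure the two levels of
# native file auditing for a hypothetical application directory. Assumes
# Windows Server 2008 or later and an elevated PowerShell session.
$Path = 'C:\App\bin'   # assumption: folder holding the EXEs and DLLs to watch

# Level 1, system: turn on success auditing for the "File System" subcategory
# (the Win2008 equivalent of the Win2003 "Object Access - Success" setting).
auditpol /set /subcategory:"File System" /success:enable

# Level 2, file: add an audit ACE (SACL entry) for Everyone covering the
# operations listed above. ObjectInherit + InheritOnly is what the GUI's
# "Apply onto: Files only" means: files in this folder, not subfolders and
# not the folder object itself.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, AppendData, TakeOwnership, ChangePermissions'
$inherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone', $rights, $inherit, $prop, $flags
)

$acl = Get-Acl -Path $Path -Audit      # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Check that both levels took effect.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags -AutoSize
```

Neither level works alone: a SACL with no matching system policy produces no events, and the system policy with no SACLs audits nothing. "Write" and "Append" on the slide correspond to the advanced permissions WriteData (create files / write data) and AppendData (create folders / append data), not the broad "Write" basic permission, which would also fire on attribute changes.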
Native Auditing
Which files?
Start with EXEs and DLLs
Native Auditing
Events
  Win2003: 567 - Object Access Attempt
  Win2008: 4663 - An attempt was made to access an object
Both are logged the first time an audited permission is actually exercised on an open handle, so one write session yields one event rather than one per write call; opening a handle without using it is logged separately (560 on Win2003, 4656 on Win2008).
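Reading the 4663 events back in a form that answers "who changed which EXE or DLL, how, and from what process". This is an added example, not code from the webinar or from LogRhythm. The EventData field names (SubjectUserName, ObjectName, AccessMask, ProcessName) and the access-right bit values are the documented Windows ones; the `Get-FimEvents` function name, the directory, and the sample event at the end are constructed for illustration and were not captured from a real system.

```powershell
# Added example, not from the original slides: pull 4663 events for EXE/DLL
# changes and decode the access mask into the operations audited above.
# Assumes Windows Server 2008 or later; run elevated to read the Security log.

# Access-right bits (Windows SDK constants) for the five audited operations.
# A 4663 for ReadData or Execute carries none of these and is not an integrity event.
$FimAccessBits = [ordered]@{
    Write             = 0x2        # FILE_WRITE_DATA
    Append            = 0x4        # FILE_APPEND_DATA
    Delete            = 0x10000    # DELETE
    ChangePermissions = 0x40000    # WRITE_DAC
    TakeOwnership     = 0x80000    # WRITE_OWNER
}

function Get-FimEvents {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string[]]$Extensions = @('.exe', '.dll'),
        # Pre-built event XML (e.g. the constructed sample below) instead of the live log.
        [xml[]]$EventXml
    )
    if (-not $EventXml) {
        $EventXml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } |
            ForEach-Object { [xml]$_.ToXml() }
    }
    foreach ($xml in $EventXml) {
        # Flatten <Data Name="...">value</Data> into a hashtable.
        $d = @{}
        foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        $obj = $d['ObjectName']
        if (-not $obj) { continue }
        $ext = [IO.Path]::GetExtension($obj).ToLower()
        if ($Extensions -notcontains $ext) { continue }

        # AccessMask is a hex string such as "0x2"; map set bits to operation names.
        $mask = [Convert]::ToInt64($d['AccessMask'], 16)
        $ops  = @($FimAccessBits.Keys | Where-Object { ($mask -band $FimAccessBits[$_]) -ne 0 })
        if ($ops.Count -eq 0) { continue }

        [pscustomobject]@{
            Time       = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Account    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Object     = $obj
            Operations = ($ops -join ',')
            Process    = $d['ProcessName']
        }
    }
}

# Constructed sample 4663 event (not captured from a real system) so the
# decoder can be exercised without access to a Security log.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4663</EventID>
    <TimeCreated SystemTime="2011-05-10T14:22:31.000Z" />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\App\bin\service.dll</Data>
    <Data Name="AccessMask">0x2</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@

Get-FimEvents -EventXml ([xml]$SampleEvent) | Format-Table -AutoSize
# Against the live log: Get-FimEvents -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

Filtering on the decoded mask rather than on the raw event ID is what keeps the volume down: with the SACL above, reads and executes of the same files still generate 4663 events for ReadData or Execute, and those should be discarded before anyone looks at the report.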
Native Auditing
How to centrally manage audit policy?
Native Auditing
How to filter out false positives from system update agents?
User selective auditing (per-user audit policy)
  auditpol /set /subcategory:"File System" /user:updateagent /exclude /success:enable
  Caveat: /exclude is ignored for members of the local Administrators group, so it cannot silence an agent that runs as an administrator.
http://technet.microsoft.com/en-us/library/cc781822(WS.10).aspx
Native Auditing
Limitations
  Won't work for some application files such as MS Office documents
  Can be voluminous if misconfigured
  Work involved in configuring and interpreting
Other considerations
  DLLs and EXEs are only part of the picture
  PCI DSS 11.5: "Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider)."
  Windows configuration lives in the registry rather than in files, and audit policy catches most security-relevant changes to it
  Applications are another matter
  Get to know your applications
Other methods
Periodic comparison
  Periodically read each file and compute a hash
  Repeat, comparing current hash to stored hash
  Report differences
Advantages
  Simple to implement
Disadvantages
  Omits whodunnit (no account or process in the report)
  Latency
  Changes made and reverted between two observations are missed
  Periodic peaks in resource usage
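The periodic-comparison method above, as a minimal baseline-and-compare script. This is an added example, not code from the webinar or from LogRhythm; the function names, the directory, the baseline file location and the temp-folder demo data at the end are constructed for illustration. It requires PowerShell 4.0 or later for `Get-FileHash`.

```powershell
# Added example, not from the original slides: hash-baseline FIM in PowerShell.
# Paths, function names and the demo data are assumptions, not from the webinar.

function New-FimBaseline {
    # Read each matching file, hash it, and store path + hash as the baseline.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.exe', '*.dll'),
        [Parameter(Mandatory)][string]$BaselineFile
    )
    $entries = @(Get-ChildItem -Path $Path -Include $Include -File -Recurse |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Length = $_.Length
            }
        })
    # Force an array so a single-file baseline round-trips through JSON unchanged.
    ConvertTo-Json -InputObject $entries -Depth 2 | Set-Content -Path $BaselineFile -Encoding UTF8
    $entries
}

function Compare-FimBaseline {
    # Re-hash the same files and report Added / Modified / Removed against the baseline.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.exe', '*.dll'),
        [Parameter(Mandatory)][string]$BaselineFile
    )
    $old = @{}
    foreach ($e in @(Get-Content -Raw -Path $BaselineFile | ConvertFrom-Json)) { $old[$e.Path] = $e.Hash }

    $seen = @{}
    Get-ChildItem -Path $Path -Include $Include -File -Recurse | ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $seen[$_.FullName] = $true
        if (-not $old.ContainsKey($_.FullName)) {
            [pscustomobject]@{ Change = 'Added';    Path = $_.FullName; OldHash = $null; NewHash = $h }
        } elseif ($old[$_.FullName] -ne $h) {
            [pscustomobject]@{ Change = 'Modified'; Path = $_.FullName; OldHash = $old[$_.FullName]; NewHash = $h }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $seen.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Removed'; Path = $p; OldHash = $old[$p]; NewHash = $null }
        }
    }
}

# Self-contained demo on constructed data in a temp folder: baseline, tamper, compare.
$demo = Join-Path $env:TEMP 'fim-demo'
New-Item -ItemType Directory -Force -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'a.dll') -Value 'v1'
Set-Content -Path (Join-Path $demo 'b.exe') -Value 'v1'
$baseline = Join-Path $demo 'baseline.json'
New-FimBaseline -Path $demo -BaselineFile $baseline | Out-Null
Set-Content -Path (Join-Path $demo 'a.dll') -Value 'v2'      # modified between observations
Remove-Item -Path (Join-Path $demo 'b.exe')                   # removed between observations
Set-Content -Path (Join-Path $demo 'c.dll') -Value 'new'      # added between observations
Compare-FimBaseline -Path $demo -BaselineFile $baseline | Format-Table -AutoSize

# In production: run New-FimBaseline once, then schedule Compare-FimBaseline
# (PCI DSS 11.5 asks for at least weekly) against the real directory.
```

The output shows every disadvantage on the slide: there is no account or process column to answer "who", a change is only visible at the next scheduled run, and a file written and restored between two runs produces nothing. Keep the baseline file somewhere the monitored host cannot rewrite it; an attacker who can modify the EXEs can otherwise re-run the baseline step and erase the evidence.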
Other methods
Real-time monitoring
  Monitoring application hooks into the file system and is notified of changes in real time
Advantages
  Can provide more informative, easier-to-read messages than native auditing
  No latency
Disadvantages
  More intrusive
  Fear of stability issues
Bottom Line
File integrity monitoring is required
Compensating controls feasible for some
situations
Key challenges:
Knowing which files, especially in applications, to
monitor
Dealing with false positives
3 methods available
Real-time monitoring provides most functionality