fim winsecylogs

Upload: alephnull

Post on 04-Jun-2018


TRANSCRIPT

  • 8/13/2019 FIM WinSecyLogs

    1/8

    UltimateWindowsSecurity.co

    2011 Monterey Technology Group Inc.

    File Integrity Monitoring

    with the Windows Security Log


    Made possible by:

    Brought to you by

    Speaker

    David Pack, Manager, Knowledge Engineering

    http://www.logrhythm.com


  • FIM WinSecyLogs 2/8

    Preview of Key Points

    File Integrity Monitoring

    1. Native auditing

    Audit policy

    Events

    Limitations

    2. Periodic comparison

    3. Real time monitoring

    Demonstration of LogRhythm's File Integrity Monitoring

    File Integrity Monitoring

    Native auditing

    Audit policy

    Events

    Limitations


  • FIM WinSecyLogs 3/8

    Native Auditing

    Audit policy: 2 levels

    System level
      Win 2003: Object Access - Success
      Win 2008: File System - Success

    File level

    Native Auditing

    Who to audit?
      Everyone

    What operations?
      Delete
      Write
      Append
      Ownership
      Change permissions

    Apply onto:
      Files only

  • FIM WinSecyLogs 4/8

    Native Auditing

    Which files?

    Start with EXEs and DLLs

    Native Auditing

    Events

    Win2003: 567 - Object Access Attempt

    Win2008: 4663 - An attempt was made to access an object

  • FIM WinSecyLogs 5/8

    Native Auditing

    How to centrally manage audit policy?

    Native Auditing

    How to filter out false positives from system update agents?

    User-selective (per-user) auditing, e.g. excluding success events for the update agent's account:

    auditpol /set /subcategory:"File System" /user:updateagent /exclude /success:enable

    http://technet.microsoft.com/en-us/library/cc781822(WS.10).aspx

  • FIM WinSecyLogs 6/8

    Native Auditing

    Limitations

    Won't work for some application files such as MS Office documents

    Can be voluminous if misconfigured

    Work involved in configuring and interpreting

    Other considerations

    DLLs and EXEs are only part of the picture

    PCI 11.5: Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

    Windows configuration isn't stored in files, and audit policy catches most security-relevant changes

    Applications are another matter

    Get to know your applications

  • FIM WinSecyLogs 7/8

    Other methods

    Periodic comparison

    Periodically read each file and compute a hash

    Repeat, comparing current hash to stored hash

    Report differences

    Advantages:
      Simple to implement

    Disadvantages:
      Omits whodunnit
      Latency
      Reverse changes between observations?
      Periodic peaks in resource usage
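    The periodic-comparison method just described, as an added Python example (not from the slides or from LogRhythm): it takes a SHA-256 baseline of the watched EXE and DLL files, rescans, and reports added, removed and modified files. The demo uses constructed, hypothetical files and also reverts one file between the two scans to show the blind spot the slide raises: a change undone before the next observation is never reported, and no hash comparison tells you who made it.

```python
import hashlib
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = {".exe", ".dll"}  # the slides say to start with EXEs and DLLs


def file_hash(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each watched file (path relative to root) to its current hash."""
    return {
        str(p.relative_to(root)): file_hash(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh scan."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical files): modify, add, delete, revert one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("app.exe", "helper.dll", "old.dll", "notes.txt"):
            (root / name).write_bytes(b"original " + name.encode())
        baseline = snapshot(root)  # observation 1
        (root / "helper.dll").write_bytes(b"patched")  # modified
        (root / "new.exe").write_bytes(b"dropped in")  # added (notes.txt is never watched)
        (root / "old.dll").unlink()  # removed
        (root / "app.exe").write_bytes(b"tampered")  # changed ...
        (root / "app.exe").write_bytes(b"original app.exe")  # ... and reverted: invisible to scan 2
        return compare(baseline, snapshot(root))  # observation 2


if __name__ == "__main__":
    print(demo())  # {'added': ['new.exe'], 'removed': ['old.dll'], 'modified': ['helper.dll']}
```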

    Other methods

    Real-time monitoring

    Monitoring application hooks into the file system and is notified of changes in real time

    Advantages:
      Can provide more informative, easier-to-read messages than native auditing
      No latency

    Disadvantages:
      More intrusive
      Fear of stability issues

  • FIM WinSecyLogs 8/8

    Bottom Line

    File integrity monitoring is required

    Compensating controls feasible for some situations

    Key challenges:
      Knowing which files, especially in applications, to monitor
      Dealing with false positives

    3 methods available

    Real-time monitoring provides most functionality
