To Detect or Not to Detect, Is that the Question?

5 years ago Michael Betti

Tripwire Enterprise (TE) is at its heart a baselining engine. It’s been built to take information, create a baseline of it, and show when that baseline has changed. (It’s called a “version” in TE terms.)

TE starts with a baseline version designated by an organization's security team. At some point a change version appears, carrying new information (a file, registry entry, RSoP, command output, or data captured in some other way). If the change was expected, TE lets you promote the change version to the baseline, so the current state of that information becomes the new baseline. Each system's baseline is therefore its last approved state.

Change Management: Not All Changes Are Equal

When it comes to change management (usually delivered as file integrity monitoring), however, not all changes are equally interesting to security, risk and compliance, or IT. Some files on a system change constantly: log files, cache files, database records, and the like. Are there security implications when those files change? Are there change-management implications?

Yes, there are important reasons to track those files, but not for their content. For log files, you should have processing in place that immediately forwards them to a centralized logging and alerting solution (Tripwire Log Center, for instance). That way, even if someone tampers with the logs on a system, the central solution has already received, hashed, and secured the real entries, and the forwarded copy remains the source of truth. Cache files and temporary "tmp" files, by contrast, are not normally tracked for content changes at all.

Given that the logs are preserved centrally, do you even need to track the log files on the host? Yes: if the ownership or permissions on those volatile files change, that should be known, tracked, and approved. The permissions of logs and temporary files are generally not modified once they are set, and it goes without saying that they should be set as restrictively as possible.

How Tripwire Can Help

You can monitor those log files with Tripwire, but if you use the Tripwire Event Generator, which watches for file changes in real time, files that are written constantly can generate more load on the system than you are willing to accept.

So, how can you track files that constantly change for permission changes without adding a lot of load to your system?

The Tripwire Command Output Capture Rule (COCR) is a low-overhead way to handle log tracking. By running a command that lists the permissions of the log files you need to monitor, you get a baseline of how those permissions are currently set. You should have a Tripwire secure configuration management (SCM) check as well, to ensure the permissions meet your security standard for those log files. COCR rules are not seen by the Event Generator: they do not run in real time, so they add no continuous load to your system. Instead, a Tripwire Task runs the rule on a schedule and checks that the permissions stay as set. If the permissions have changed, the command output differs from the baseline version, and the difference shows up as a change.

In reality, this type of change is rare, which is exactly why it deserves a check. When it does happen, investigate it, because log permissions should never change to anything less restrictive. If they were made more restrictive and the change was expected, you can approve the change and move on.
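The scheduled check described above, as an added example that is not Tripwire's own code: a small Python script that does what a COCR plus a scheduled Task does. It snapshots only the metadata that should never change on a log file (permission bits, owner, group), ignores the content that changes constantly (size, modification time), then diffs the new snapshot against the baseline and classifies each difference as loosened, tightened, or something to investigate. The file names, the 0640 baseline mode, the sample log lines, and the temporary directory are constructed for the demo; on a real host the baseline command would be something like GNU `stat -c '%n %a %U %G' /var/log/auth.log`, and the standard you compare against comes from your own SCM policy.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Snapshot entry per file: (permission bits, uid, gid).
# Size, mtime and content hash are deliberately left out: log files change
# constantly, and that churn is exactly what we do not want to alert on.
Snapshot = Dict[str, Tuple[int, int, int]]


def snapshot(paths: List[str]) -> Snapshot:
    """Capture mode/owner/group for each path, like a COCR running `stat`."""
    snap: Snapshot = {}
    for path in paths:
        st = os.lstat(path)
        snap[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return snap


def compare(baseline: Snapshot, current: Snapshot) -> List[dict]:
    """Diff two snapshots and classify each difference for the reviewer."""
    findings: List[dict] = []
    for path, (b_mode, b_uid, b_gid) in baseline.items():
        if path not in current:
            findings.append({"path": path, "kind": "missing", "severity": "investigate"})
            continue
        c_mode, c_uid, c_gid = current[path]
        if (c_uid, c_gid) != (b_uid, b_gid):
            findings.append({"path": path, "kind": "ownership",
                             "from": (b_uid, b_gid), "to": (c_uid, c_gid),
                             "severity": "investigate"})
        if c_mode != b_mode:
            # Any permission bit that was gained loosens access (e.g. 0640 -> 0666);
            # if bits were only removed, the change tightened access and is a
            # candidate for approval once confirmed as expected.
            gained = c_mode & ~b_mode
            findings.append({"path": path, "kind": "mode",
                             "from": f"{b_mode:04o}", "to": f"{c_mode:04o}",
                             "severity": "loosened" if gained else "tightened"})
    for path in current:
        if path not in baseline:
            findings.append({"path": path, "kind": "new", "severity": "investigate"})
    return findings


def demo() -> List[dict]:
    """Constructed scenario: two log files, one grows, one gets loosened."""
    with tempfile.TemporaryDirectory() as tmp:
        auth_log = os.path.join(tmp, "auth.log")
        syslog = os.path.join(tmp, "syslog")
        for path in (auth_log, syslog):
            with open(path, "w") as fh:
                # constructed sample log line
                fh.write("Jan 1 00:00:00 host sshd[1]: Server listening\n")
            os.chmod(path, 0o640)
        baseline = snapshot([auth_log, syslog])

        # Normal operation: syslog keeps growing. This must produce no finding.
        with open(syslog, "a") as fh:
            fh.write("Jan 1 00:00:01 host cron[2]: started\n")
        # Tampering prelude: auth.log made world-writable so entries can be edited.
        os.chmod(auth_log, 0o666)

        return compare(baseline, snapshot([auth_log, syslog]))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run on a schedule (cron, or the Tripwire Task in the real deployment), the script reports the auth.log loosening and stays silent about the syslog append, which is the whole point of baselining permissions rather than content.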

Permission changes to system log files open the door for malware or attackers to cover their tracks, so keeping your log files as secure as possible is an important risk-reduction step that Tripwire can help you track. Some Tripwire customers in the past turned off log file tracking because the file system rules they used added too much load to their systems. The COCR method lets you monitor the log files' permissions without putting undue load on those systems. If you need real-time tracking of log file permissions, including the "who" information (which user made the change) that only the real-time Event Generator captures, you now understand the load that trade-off brings. Check with your Tripwire Systems Engineer if you need direction on which logs should be monitored and on getting those COCR rules in place.

Want to learn more about how tracking changes can help you prevent a data breach? Join Tripwire on September 21 at 10 a.m. PT for "Tripwire Tips and Tricks: Change Reconciliation." I will lead the discussion and walk attendees through the steps for ensuring configurations meet organizational standards, detecting changes across your entire IT service stack, and setting up workflow to automate the review of those changes, even in real time.

You can register for the webinar here.

The post ” To Detect or Not to Detect, Is that the Question?” appeared first on TripWire

Source:TripWire – Michael Betti
