Legal Notice
Copyright 2013 Trustwave Holdings, Inc.
All rights reserved. This document is protected by copyright and any distribution, reproduction, copying,
or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this
document may be reproduced in any form or by any means without the prior written authorization of
Trustwave. While every precaution has been taken in the preparation of this document, Trustwave
assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.
While the authors have used their best efforts in preparing this document, they make no representation
or warranties with respect to the accuracy or completeness of the contents of this document and
specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No
warranty may be created or extended by sales representatives or written sales materials. The advice and
strategies contained herein may not be suitable for your situation. You should consult with a professional
where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any
commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or
other damages.
Trademarks
Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used,
copied, or disseminated in any manner without the prior written permission of Trustwave.
Revision History
Table 1: Revision History
Table of Contents
Legal Notice  i
Trademarks  i
Revision History  i
List of Tables  iv
1 Overview  5
3 Dashboard  7
3.1 Changes by Agent  7
3.2 Filters  11
3.2.1 Critical or High Events  11
3.2.2 No FIM Report  12
3.2.3 Reset  13
3.2.4 Refresh  13
3.3 Event Volume  13
4 Email Preferences  15
6 Exporting Data  19
7 Recommendations  20
7.1 Monitoring with Care  20
7.2 Reacting to Findings  20
Appendix A: Glossary  24
About Trustwave  30
List of Tables
Table 1: Revision History  i
Table 2: Color Key for Event Groupings  8
Table 3: Data in Changes by Agent  10
Table 4: Event Priority Breakdown  14
Table 5: FIM Email Settings  15
Table 6: All Events Table  18
Table 7: Glossary  24
1 Overview
File Integrity Monitoring (FIM) is an essential part of any data security program. It detects changes to
your critical system files and directories. Early detection of malicious events limits (or prevents) the
damage that results from costly data incidents; ensures that your sensitive information is not altered
without permission; and ensures that no files are deleted from secure systems without your knowledge.
The Trustwave FIM service is delivered through the TrustKeeper Agent and helps users comply with PCI
requirements by monitoring critical system files, directories, and registry objects. FIM generates alerts
when these objects are modified in any way and delivers those alerts through the TrustKeeper Portal.
Trustwave's FIM product also features:
- Email digests delivered daily and/or weekly to inform users of changes to their files
- Event priorities that help you focus on the riskiest events
- A simple heatmap data visualization which helps users quickly assess the state of their network
By applying its security and payment industry experience to the FIM solution while focusing on a simple
user experience, Trustwave has built FIM to be a key component of your data security program and to
ease the management of your data.
5 Copyright 2012 Trustwave Holdings, Inc. All rights reserved.
File Integrity Monitoring User Guide - August 2013
3 Dashboard
The FIM Dashboard provides a high-level overview of FIM activity captured by the TrustKeeper Agent.
Given the number of changes that any FIM tool will track, it is difficult to focus on the most important
events throughout an environment. Trustwave's highly interactive heatmap visualization, which drives the
data presented in the Dashboard, delivers an intuitive and holistic representation of critical file changes
in your network, so the user spends less time sifting through data and more time investigating suspicious
or unauthorized changes.
Figure: the FIM Dashboard, showing the Changes by Agent heatmap, the Filters panel and the Event
Volume histogram.
3.1 Changes by Agent
Agent and day would be our darkest blue, a stark contrast to the other cells to highlight how radically
different the counts are.
Seeing these relative differences is important for identifying outliers on your network. A higher number
of changes could indicate a gap in your change control procedures, ineffective firewalling, non-compliant
users or a malware infection, whereas noticeably fewer changes could indicate a system's failure to
receive crucial updates. Using Trustwave's heatmap visualization, outliers are easily detected.
By default, the event scale will have a maximum threshold of 100 events but the maximum threshold can
be increased to 1000 events if necessary. If no changes are reported, the appropriate cell will be white,
but if changes are reported there are five distinct shades of blue that are possible. See the below scale
for how events are grouped and shaded for the 100 and 1000 scales.
Table 2: Color Key for Event Groupings

Events (100 scale)   Events (1000 scale)   Cell shading
0                    0                     White
1-25                 1-250                 Blue, shade 1 (lightest)
26-50                251-500               Blue, shade 2
51-75                501-750               Blue, shade 3
76-100               751-1000              Blue, shade 4
101+                 1001+                 Blue, shade 5 (darkest)
Both thresholds can be used in the application at any time by selecting the desired threshold from the
dropdown menu to the right of the event scale. When a new threshold is chosen, the heatmap will
update with the new scale and new shadings.
Interacting with Changes by Agent Heatmap
There are several possible interactions with the Changes by Agent heatmap that help you stay on top of
changes detected by Trustwave.
In the Changes by Agent heatmap, the left-most column lists each Agent that is registered to your
account. The names of the Agent are set during installation of the Agent, and, unless changed during
installation, Trustwave will use the name of the computer as the Agent name. By clicking on an Agent
name in the heatmap, the row will be selected, highlighting the changes detected by the Agent over the
most recent 30 days.
In addition, you will see all changes sorted by priority in the Event Volume histogram and the ten most
important Critical or High changes will be listed in the Critical or High Events table on the bottom-right of
the Dashboard. (More information about the Event Volume histogram and Critical or High events table is
presented below.)
If, however, you would like to compare all Agents in your environment for a given day, you can click on
the column's header cell. As with selecting a row, this will highlight the appropriate column and update
the data presented in the Dashboard to reflect your selection.
The Changes by Agent heatmap also allows you to see data for an Agent on a specific day by hovering
over, or selecting, a cell. The callout presented when hovering over a cell will display the date, Agent
name, number of Critical or High events (if applicable) and the number of total events for that day. If the
cell is selected, the data on the right-side of the dashboard will update in accordance with your selection.
Table 3: Data in Changes by Agent

Agent
  Shown as: the Agent name
  Where: left-most column of the Changes by Agent heatmap
  Note: if the Agent name exceeds the width of the column, a tooltip will display the full name.
Changes
  Shown as: blue shading
  Where: in each cell of the heatmap
  Note: if no changes are reported, the cell will be white.
Critical or High Events
  Shown as: red circle
  Where: superimposed over heatmap cells where present
  Note: for more information, select a cell to see details in the Critical or High Events table on the
  Dashboard.
No FIM Report for 24 Hours
  Shown as: black X
  Where: superimposed over heatmap cells where present
  Note: no FIM report could indicate the machine is offline, the Agent has been stopped, etc.
3.2 Filters
Events on the heatmap can be filtered by Critical or High Events or no FIM reports to help you focus on
the most important events in your environment.
3.2.1 Critical or High Events
The Critical or High Events table located on right-hand side of the dashboard will also update to reflect
the filtered data shown on the updated heatmap.
Priority: The risk rating assigned by Trustwave to the change. Critical events are represented by
four red rectangles while High events are represented by three orange triangles.
Affected Object: The path to the file, directory, registry key or registry value affected by the Critical
or High event. For paths that are exceptionally long, a tooltip will display the full path on hover.
If this is not enough information to decide whether the change was expected, each row in the table can
be double-clicked to open a Details page where the event can be selected to see all information for it.
You may also reach this page by clicking the hyperlinked count of Critical or High events presented
above the Critical or High Events table. This page operates in the same manner as the All Events page,
which is described in more detail below.
3.2.2 No FIM Report
As with the Critical or High Events filter, when the No FIM Report filter is selected only rows where at
least one cell displays a black X will be displayed in the heatmap, and the right-hand side of the
dashboard will update accordingly.
Note: Both filters can be selected simultaneously. In that case, we will show only rows in the
heatmap where Agents reported a Critical or High event in the last month OR did not send in
a FIM report for at least one day in the last month.
3.2.3 Reset
When a selection is made of a column or row, the data will be filtered down to meet the criteria of that
selection. By clicking the Reset button, all heatmap and filter selections will be cleared.
3.2.4 Refresh
The TrustKeeper Agent sends FIM data back to Trustwave four times a day, and as soon as the data is
processed it is available to be viewed in the heatmap. To update the data in the heatmap, the refresh
button can be clicked. If new data is available, the heatmap will be re-generated to show the latest
changes detected by Trustwave.
3.3 Event Volume
While Trustwave maintains and updates the priority calculations, knowledge of your particular
environment is crucial for making sense of the data. The Changes by Agent heatmap allows you to
identify trends, outliers and frequencies across your Agent population, which helps you determine what
behavior is normal for your network. That understanding is what lets you turn the raw change data made
available in the Trustwave FIM application into meaningful findings.
Table 4: Event Priority Breakdown

High: High events may not be associated with known attack vectors but are still suspicious and should
be investigated with urgency.
  Examples:
Medium: Medium changes may be standard but could also violate change control policies.
  Examples: Changes that grant extra privileges to critical files, or ownership changes.
Low: Low changes appear to be normal behavior and, while they must be monitored, are almost certainly
innocuous.
  Examples: Directory creation.
4 Email Preferences
Within the Trustwave FIM application, you can choose between three options for receiving email. By
default, all users receive a daily email summary of FIM activity which can be used to review the
previous day's events. You may also choose to receive a weekly digest that presents data collected from
the previous week, or you may choose to receive email notifications only when a Critical or High event is
recorded.
These settings apply only to emails sent as part of the Trustwave FIM application. The following table
describes how to set your FIM application email preferences.
Table 5: FIM Email Settings

I don't want any FIM email.
  Setting: ensure the Receiving Email box is un-checked.
  Result: no FIM email will be sent. Do note that events must still be reviewed at least weekly to
  satisfy PCI 11.5.
I only want a daily or weekly email.
  Setting: check Receiving Email; check Daily or Weekly.
  Result: an email will be sent at the beginning of each day or week.
I only want a daily or weekly email IF a Critical or High event is detected.
  Setting: check Receiving Email; check Daily or Weekly; check Only Receiving Critical and High
  Severity Events.
  Result: an email will be sent at the beginning of each day or week only if a Critical or High event is
  detected.
I want every email.
  Setting: check all boxes except Only Receiving Critical and High Severity Events.
  Result: an email will be sent at the beginning of each day and at the beginning of each week.
Events Severity (Daily/Weekly): a breakdown of all events by priority. Each sum is linked so that
clicking the link in the email will direct you to TrustKeeper for further investigation. If you need your
username, it is included in the email next to the Username label.
Agent Activity (Daily/Weekly): statistics regarding the number of Agents installed that have FIM, the
number of Agents that contributed to the report and the number of Agents gone quiet, meaning Agents
that did not send in a FIM report for the day in question.
Notable Hosts (Daily): any host on which a Critical or High event is detected is a notable host. To start
your investigation the email presents the internal IP address, Agent name, the object (e.g., file) on
which the Critical or High event(s) were detected and the number of Critical or High events on that
object. A host may have multiple objects that report a Critical or High change, so all objects reporting
Critical or High events on a given host are presented in the same table.
Events by Day (Weekly): available only in the weekly email, the Events by Day table shows how many
events of each priority were detected on each of the past seven days, to allow you to identify trends.
Agents Gone Quiet (Daily/Weekly): if an Agent did not send in a FIM report for the date of the email
digest, its Agent name and IP address are listed in this section.
Sample Weekly Email
Note: All emails are sent by the Trustwave FIM Service from noreply@trustwave.com. If you
receive an email purporting to be a Trustwave FIM email from any other address, do not open it;
forward it to FIM@trustwave.com instead. A sender address alone is easy to forge, so also check
that any link in the email points to the TrustKeeper Portal at https://login.trustwave.com before
clicking it.
Table 6: All Events Table

Event Object: The file, directory, registry key or registry value that was modified.
Event Type: The type of change detected on a given object. Sample event types include file removal,
file change, new directory.
Priority: A color-coded icon that represents the relative risk associated with the change according to
Trustwave's recommendations.
Source: The name of the TrustKeeper Agent that reported the event.
6 Exporting Data
1. To export data from any of the tables in the Trustwave FIM application, click the gear icon above the
table and click Export.
You are then prompted to select the columns to include in your exported report, as well as the
format of the report. Report format options include:
Excel
CSV
HTML
XML
2. After you have made your selections, click Export and your report will be downloaded automatically.
To help you organize your reports, TrustKeeper names all exported reports in the following
fashion:
FIM-[Table Name]_[Start Date of Data Pull]-[End Date of Data Pull]
As an example, if you export all data from the Event Summary table from 2012-05-06 to 2012-06-05
to an Excel file, the file is named FIM-Event-Summary_20120506-20120605.xlsx.
Note: PCI requirement 11.5 requires a formal review of FIM reports on at least a weekly
basis. You should also review FIM activity in the TrustKeeper Portal on a daily basis. If you
have a QSA performing a PCI assessment, they may require these reports to demonstrate
your compliance with requirement 11.5.
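The following PowerShell script is an added example and is not part of the Trustwave guide or product. It reads a CSV export of the All Events table and does the triage a weekly PCI 11.5 review needs: it pulls out Critical and High events, flags events on the objects the Recommendations section below singles out (System32, the Run keys and the Services key), counts events per Agent, and lists Agents that sent nothing. The column names follow Table 6 plus Last Change from the glossary; the sample rows, the watch-list patterns and the list of known Agent names are constructed assumptions. To run it against a real export, replace $sampleCsv with Get-Content -Raw of the exported .csv file.

```powershell
# Added example, not Trustwave's code. Columns follow Table 6 of the guide plus
# "Last Change" from the glossary; every row below is constructed sample data.
$sampleCsv = @'
"Last Change","Event Object","Event Type","Priority","Source"
"2013-08-05 02:14:09","C:\Windows\System32\drivers\etc\hosts","File Changed","High","POS-REG-01"
"2013-08-05 02:15:33","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater","New Registry","Critical","POS-REG-01"
"2013-08-05 03:00:00","C:\Windows\System32\calc.exe","File Changed","Medium","POS-REG-02"
"2013-08-05 09:41:12","C:\Users\clerk\Documents\Reports","New Directory","Low","BACKOFFICE-1"
"2013-08-05 10:02:48","HKLM\SYSTEM\CurrentControlSet\Services\svcx\ImagePath","Registry Changed","High","BACKOFFICE-1"
'@

# Objects the Recommendations section asks you to watch closely (patterns are an assumption).
$WatchPatterns = @(
    '^[A-Za-z]:\\Windows\\System32\\',
    '\\Microsoft\\Windows\\CurrentVersion\\Run\\',
    '\\CurrentControlSet\\Services\\'
)

function Get-FimTriage {
    param(
        [string]$CsvText,
        [string[]]$KnownAgents   # every Agent registered to the account; assumed list
    )
    $events = $CsvText | ConvertFrom-Csv

    # Critical/High first: these are the rows a QSA will ask you to show you investigated.
    $urgent = $events | Where-Object { $_.Priority -in 'Critical', 'High' }

    # Anything touching the recommended watch list, regardless of Trustwave's priority.
    $onWatchList = $events | Where-Object {
        $obj = $_.'Event Object'
        @($WatchPatterns | Where-Object { $obj -match $_ }).Count -gt 0
    }

    # "Gone quiet" as the email digests define it: a known Agent with no report in the export.
    $reporting = $events | Select-Object -ExpandProperty Source -Unique
    $quiet = $KnownAgents | Where-Object { $_ -notin $reporting }

    [pscustomobject]@{
        UrgentEvents    = $urgent | Sort-Object Source, 'Last Change'
        WatchListEvents = $onWatchList
        PerAgentCounts  = $events | Group-Object Source | Select-Object Name, Count
        AgentsGoneQuiet = $quiet
    }
}

$triage = Get-FimTriage -CsvText $sampleCsv -KnownAgents 'POS-REG-01', 'POS-REG-02', 'BACKOFFICE-1', 'KIOSK-7'
'Critical/High events:'
$triage.UrgentEvents | Format-Table 'Last Change', Source, Priority, 'Event Type', 'Event Object' -AutoSize
'Events on recommended watch-list objects:'
$triage.WatchListEvents | Format-Table Source, Priority, 'Event Object' -AutoSize
'Events per Agent:'
$triage.PerAgentCounts | Format-Table -AutoSize
"Agents gone quiet: $($triage.AgentsGoneQuiet -join ', ')"
```

With the sample data the watch-list pass surfaces the Medium-priority calc.exe change on POS-REG-02 that a Critical/High-only filter would hide, and KIOSK-7 is reported as gone quiet because it appears in the known-Agent list but in no event row. The known-Agent list must come from your own inventory (the Dashboard's left-most column, or the Agent Activity section of the digest), since an export cannot list a machine that never reported.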
7 Recommendations
Trustwave has several recommendations for getting the most out of your FIM service.
7.1 Monitoring with Care
1. All objects in and under the Sys32 directory (%SystemRoot%\System32, usually C:\Windows\System32).
Sys32 contains the core operating system files. Hackers very commonly modify these contents after
successfully compromising a device.
2. The following registry objects:
a. HKEY_LOCAL_MACHINE (a.k.a. HKLM)
i. SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ii. SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
iii. SYSTEM\CurrentControlSet\Services
b. HKEY_CURRENT_USER (a.k.a. HKCU)
i. SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The above registry objects control which programs run at system startup or user logon. It is common
for malware to modify these objects in order to run at startup and begin collecting data or extending
the compromise.
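The PowerShell script below is an added example, not Trustwave's agent code, showing what "monitoring" the objects listed above actually means in practice: it snapshots every value under the Run keys, the ImagePath of every service under the Services key, and a SHA-256 hash plus owner and ACL (SDDL) for every file under System32, stores the snapshot as JSON, and on the next run reports objects that are new, changed or removed, the same three categories the guide's event types use. It assumes PowerShell 4 or later (for Get-FileHash), an elevated session so that Get-Acl and Get-ItemProperty succeed everywhere, and a baseline file location under %ProgramData% that is an assumption.

```powershell
# Added example, not Trustwave's agent code. Assumes PowerShell 4+ and an elevated session;
# the baseline path is an assumption. First run writes the baseline, later runs diff against it.
param(
    [string]$BaselinePath = (Join-Path $env:ProgramData 'fim-baseline.json'),
    [switch]$Update   # rewrite the baseline after a change has been reviewed and approved
)

# The registry objects recommended above, as PowerShell provider paths.
$RegistryWatchList = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$System32 = Join-Path $env:SystemRoot 'System32'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-FimSnapshot {
    # Returns a hashtable: object path -> a string that changes whenever the object changes.
    $snap = @{}
    foreach ($key in $RegistryWatchList) {
        if (-not (Test-Path $key)) { continue }
        if ($key -like '*\Services') {
            # One entry per service: the binary it launches is what malware redirects.
            Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
                $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
                $snap["$key\$($_.PSChildName)\ImagePath"] = [string]$img
            }
        } else {
            # Every value under a Run key is a program started at logon.
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -in $ProviderProps) { continue }
                $snap["$key\$($p.Name)"] = [string]$p.Value
            }
        }
    }
    # Hash, owner and ACL together, so content, ownership and permission changes all surface.
    # Hashing the whole System32 tree takes minutes; it is the whole tree on purpose.
    Get-ChildItem -Path $System32 -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $acl  = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        $snap[$_.FullName] = "$hash|$($acl.Owner)|$($acl.Sddl)"
    }
    return $snap
}

function Compare-FimSnapshot {
    param([hashtable]$Old, [hashtable]$New)
    # Emits one object per difference, in the guide's three categories.
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k)) {
            [pscustomobject]@{ EventType = 'New'; Object = $k }
        } elseif ($Old[$k] -ne $New[$k]) {
            [pscustomobject]@{ EventType = 'Changed'; Object = $k }
        }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k)) {
            [pscustomobject]@{ EventType = 'Removed'; Object = $k }
        }
    }
}

$current = Get-FimSnapshot
if ((Test-Path $BaselinePath) -and -not $Update) {
    $baseline = @{}
    foreach ($p in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$p.Name] = $p.Value
    }
    $events = @(Compare-FimSnapshot -Old $baseline -New $current)
    Write-Output "$($events.Count) change(s) since baseline $BaselinePath"
    $events | Sort-Object EventType, Object | Format-Table -AutoSize
} else {
    $current | ConvertTo-Json -Depth 1 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written: $($current.Count) objects -> $BaselinePath"
}
```

Two points carry over to any FIM deployment, Trustwave's included. First, the baseline is only as trustworthy as the machine was when it was taken: take it on a freshly built or freshly patched system, not on one you already suspect. Second, a Windows Update run will legitimately change hundreds of System32 files at once; the volume itself is the signal to correlate against your change records, exactly the kind of outlier the Changes by Agent heatmap is built to show.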
7.2 Reacting to Findings
If you suspect that a change is malicious or indicates a system compromise, Trustwave recommends
running the object through anti-virus. One helpful tool, VirusTotal (https://www.virustotal.com/), runs
the object through several different anti-virus scanning engines to see if the file is known to be
malicious. Files submitted to VirusTotal are shared with anti-virus vendors and other VirusTotal users, so
look the file up by its hash first and do not upload anything that may contain cardholder data or other
sensitive information. Another helpful, free tool is Malwarebytes (http://www.malwarebytes.org/), which
will scan your computer and search for, and remove, identified malware.
Additionally, suspicious activity should motivate you to check your other computer security settings. The
TrustKeeper Agent's PCI bundle (see Other Agent Services on page 22) offers several checks that help
you ensure that Windows automatic update and Windows Firewall are turned on, which is crucial to
protecting your computer. Security policy checks run by the Agent will inform you whether password
lockouts and minimum password lengths are set securely. The TrustKeeper Agent will also scan your file
system for stored credit card data. Storing credit card data is a risky practice, and identifying where this
data is on your system is a crucial first step in reducing your overall risk of a data compromise.
You should also check your file system's access control lists if you suspect malicious activity. Each
object has an access control list that dictates who has access to the object. Without access, a user
account cannot use the object in question. Windows Sysinternals provides tools that help you audit your
access control lists. One helpful, free tool for reviewing permissions is AccessEnum, available at
http://technet.microsoft.com/en-us/sysinternals/bb897332.
Lastly, if there are changes that do not agree with corporate policy, you may decide to restore your
system from a previous backup. This, of course, relies upon having consistent system backups, and on
choosing one taken before the suspicious change appeared; restoring a backup made after the
compromise simply restores the compromise.
Other Agent Services
IP Address Beacon Module: The primary purpose of this module is to install the Agent for our PCI
Compliance based customers. It detects the current external IP address of the network that the local
machine is connected to at that time and reports it to TrustKeeper every 5-10 minutes. Merchants can
then set up their external scanning services to reference the IP reported by the Agent.
System Security Detection Module: This module is responsible for detecting the following on the
local machine where the Agent is installed: if Windows Firewall is currently on; if an anti-virus
software is installed; and if Windows Update is turned on. Some older versions of Windows may not
allow the Agent to correctly determine some of these values.
POS Compliance Detection Module: This module is responsible for checking what version of POS
software is installed on the local machine. It will check the version against the PA-DSS list of
compliant payment applications. If the application is not found, the merchant has the ability to report
that their POS is missing on our list. This will cause the agent to go into recon mode for the next
inspection and send us more information about their POS software. In turn, this will allow us to
update the Agent with signatures to detect that piece of software in the future. If a POS is
successfully detected by this module, it will automatically be added to the merchants Products and
Services screen with Agent listed under the Added by column for that entry.
Track Data Scanner Module: This module is responsible for scanning the local machine's hard disk
drive for track data (magnetic stripe) being stored electronically. It is very useful for double checking
that the merchant does not store credit card track data, or if third-party applications may be storing
information without the merchants knowledge. The module has been written to also ignore certain
file types where many false positives could be found, such as picture files.
Security Configuration Detection Module: This module is responsible for checking security settings
within Windows that correspond to questions asked on the SAQ (any of the full 12 requirements,
even if the merchant did not take SAQ D). For example, it checks the account lockout policy applied
when a user logs in incorrectly. PCI requires that the user be locked out of the system after not more
than six failed attempts to enter their password, for a minimum of 30 minutes. If either condition is not
met, the Agent flags the instance and reports it. It is designed to double check your answers on the SAQ
for questions relating to system settings.
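The function below is an added example, not the Agent's own code, that performs the same lockout and password-length check by parsing the output of the built-in "net accounts" command, so you can confirm the setting yourself before the Agent's next inspection. The thresholds are the PCI DSS values the paragraph above cites (at most six failed attempts, at least 30 minutes of lockout, plus the seven-character minimum password length that PCI DSS requires); the sample output embedded in the block is constructed, and the function name and the treatment of a lockout duration of 0 (Windows' "until an administrator unlocks", which PCI also accepts) are my assumptions.

```powershell
# Added example, not Trustwave's agent code. Parses "net accounts" and tests the
# PCI DSS values: lockout after <= 6 attempts, lockout >= 30 minutes (or 0, meaning
# until an administrator unlocks), minimum password length >= 7 characters.
function Test-PciAccountPolicy {
    param(
        # Defaults to the live local policy; pass captured lines to test offline.
        [string[]]$NetAccountsOutput = (net accounts)
    )
    $values = @{}
    foreach ($line in $NetAccountsOutput) {
        # Lines look like "Lockout threshold:      Never"; keep the label and the value.
        if ($line -match '^(?<name>[^:]+?):\s+(?<value>\S.*)$') {
            $values[$Matches.name.Trim()] = $Matches.value.Trim()
        }
    }
    # "Never" means lockout is disabled (threshold 0), which fails the check outright.
    $threshold = if ($values['Lockout threshold'] -match '^\d+$') { [int]$values['Lockout threshold'] } else { 0 }
    $duration  = if ($values['Lockout duration (minutes)'] -match '^\d+$') { [int]$values['Lockout duration (minutes)'] } else { -1 }
    $minLength = if ($values['Minimum password length'] -match '^\d+$') { [int]$values['Minimum password length'] } else { 0 }

    [pscustomobject]@{
        LockoutThreshold   = $threshold
        LockoutThresholdOk = ($threshold -ge 1 -and $threshold -le 6)
        LockoutDuration    = $duration
        LockoutDurationOk  = ($duration -eq 0 -or $duration -ge 30)
        MinPasswordLength  = $minLength
        MinLengthOk        = ($minLength -ge 7)
    }
}

# Constructed sample: a default workstation where lockout is off and no minimum length is set.
$sampleOutput = @'
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Minimum password length:                              0
The command completed successfully.
'@ -split "`r?`n"

'Sample policy (fails two of three checks):'
Test-PciAccountPolicy -NetAccountsOutput $sampleOutput | Format-List
'Live local policy on this machine:'
Test-PciAccountPolicy | Format-List
```

On a domain-joined machine "net accounts" reports the local policy; the effective policy for domain accounts comes from the domain (run "net accounts /domain" on a member, or check the Default Domain Policy), so test both where the POS logs in with domain credentials.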
Network Inventory Scan Module: This module is responsible for inventorying any device that is
currently on the same network segment as the local machine (that the agent is installed on) and
Windows Log Monitoring (WLM): Works in conjunction with Windows Logging to report Windows logs
to Trustwave for monitoring purposes.
Appendix A: Glossary
Following is a glossary of FIM related terms.
Table 7: Glossary

ACLs: Access Control List. Each object has an ACL that determines who has permission to interact with
the object. Trustwave's FIM service will monitor changes to ACLs to inform you of permission changes
to your files.
Alert: Alerts are generated by events and reported in the FIM Application available in the TrustKeeper
Portal.
All Events: The All Events screen lists each individual event, as opposed to aggregating events as is
done in the Event Summary table. The All Events data provides more information about each event
and is meant to support more in-depth analysis of object modifications.
Additions
Deletions
Content Changes
Permissions Changes
Ownership Changes
Event Object: The file, directory, registry key or registry value that was modified. The user can find
the path to the object in both the Event Summary and All Events tables.
Event Type: The type of change detected on a given object. Event types include: Directory Changed,
New Directory, Directory Removed, File Changed, New File, File Removed, Registry Changed, New
Registry, Registry Removed, Unknown.
FIM Application: The online application where a user can see all FIM data reported by their
TrustKeeper Agents.
FIM Module: Each TrustKeeper Agent function is offered in a module. The FIM Module is what allows
and executes the Trustwave File Integrity Monitoring service. In order to see results from the FIM
module, you must have access to the FIM Application available in the TrustKeeper Portal. Access to
the FIM Application and deployment of the FIM Module is controlled by the Trustwave Provisioning
team.
Group: Groups are logical collections of users and, like file owners, can govern access to a given
object.
Last Change: A timestamp of the modification of the event object. In the Event Summary table, this
will be the latest modification time, as changes are aggregated by Event Type and Event Object in
that table.
Files
Directories
Registry Keys
Registry Values
Owner: The user account that owns an object, which mainly stipulates who has access to a given
object and can edit it.
Priority: A severity ranking for an event. There are four priority levels: Low, Medium, High, Critical.
Registry Key: A registry key is similar to a folder and can contain registry subkeys as well as registry
values.
Sys32: The Sys32 folder (%SystemRoot%\System32) and its subfolders contain the core operating
system files for the Windows operating system.
Total Events: The number of events since the FIM module last ran. By selecting the event entry in the
Event Summary table and clicking View Details, the user can see each individual change.
TrustKeeper Agent: Also referred to as the Agent. The TrustKeeper Agent is the software used to
deliver the Trustwave FIM service. Other services available from Trustwave that run via the
TrustKeeper Agent include:
computers.
TrustKeeper Portal: This is Trustwave's cloud-based portal through which all Trustwave data is
presented and accessed. The Trustwave FIM Application is available within the TrustKeeper Portal,
meaning FIM data can be managed anywhere that a client can access the Internet. The TrustKeeper
Portal and all customer applications can be accessed at https://login.trustwave.com.
Windows Explorer: The GUI used to navigate the Windows file system. While most navigation is done
by clicking on icons that represent locations on the computer, paths can be pasted into the Windows
Explorer address bar for quick access. The Trustwave FIM Application provides the full path to each
object in the All Events screen when an individual event is clicked.
About Trustwave
Trustwave is a leading provider of information security and compliance management solutions to large
and small businesses throughout the world. Trustwave analyzes, protects and validates an organization's
data management infrastructure from the network to the application layer to ensure the protection of
information and compliance with industry standards and regulations such as the PCI DSS and ISO 27002,
among others. Financial institutions, large and small retailers, global electronic exchanges, educational
institutions, business service firms and government agencies rely on Trustwave. The company's solutions
include on-demand compliance management, managed security services, digital certificates and 24x7
multilingual support. Trustwave is headquartered in Chicago with offices throughout North America,
South America, Europe, the Middle East, Africa, Asia, and Australia.