FIM Slides V2

The document provides an overview of Qualys File Integrity Monitoring (FIM), including its activation, setup, and compliance with regulations like PCI DSS. It outlines the prerequisites for using FIM, types of changes monitored, and the workflow for implementing FIM with the Qualys Cloud Agent. Additionally, it discusses the management of events and incidents, as well as the integration of FIM with policy compliance measures.

File Integrity Monitoring

Agenda

§ Qualys Compliance Solutions


§ Integrity Monitoring Overview
§ FIM Activation & Setup
§ Qualys FIM Application
§ FIM & Qualys Policy Compliance

2 Qualys, Inc. Corporate Presentation


Course Prerequisites

• Windows or Linux host with Qualys agent already installed.


• Complete the Qualys Cloud Agent Training Course to
successfully deploy a Windows or Linux agent.

Qualys Compliance Solutions



Qualys Compliance Solutions

IT Compliance (Technical Controls) - Define and monitor IT security standards aligned to regulations. Out-of-the-box content to fast-track assessments using industry best practices.

PCI DSS - Automate PCI compliance testing, reporting and submission. Benefit from the Approved Scanning Vendor (ASV) requirements that Qualys PCI fulfils.

IT Compliance (Administrative Controls) - Automate the risk management process for third parties like vendors, suppliers and contractors. Create campaigns with pre-built and custom templates.

File Integrity Monitoring - Log and track file changes across global IT systems. Out-of-the-box profiles to meet common compliance and audit requirements.

CloudView - Generate an inventory of assets across public clouds. Detect and respond to misconfigurations using Cloud Security Assessment.

Out-of-band Configuration Assessment - Extract configuration data from host assets. For disconnected or air-gapped networks and non-standard deployments.

Integrity Monitoring Overview



Principles of Data Security

• CONFIDENTIALITY – Protect data from unauthorized disclosure.
• INTEGRITY – Detect data alterations and modifications.
• AVAILABILITY – Protect data from obstruction.

File integrity monitoring addresses the INTEGRITY leg of this triad: it does not prevent a change, it makes the change visible.
Types of Change

• Accidental Change: Data Corruption; Unexpected Configuration Replication; Human Error
• Control Violations: Ignoring Policies; Emergency Response; Automation
• Malicious Changes: Malware; System Compromise; TCB (Trusted Computing Base) Attacks

Hashing Algorithm

Business Use-Cases for File Integrity Monitoring

• Regulations & Standards - Some regulations, standards and mandates (such as PCI DSS requirements 10.5.5 & 11.5, v3.2.1 numbering) require integrity monitoring and alerting.
• Change Control Management - Integrity monitoring helps to validate scheduled and expected changes, while also detecting changes that violate existing company guidelines and policies.
• Security (IoC) - Comparing file, directory and object hash values against a known-good baseline plays an important role in detecting security breaches and compromised systems.

What You Need To Monitor

§ Critical Operating System Binaries
§ OS and Application Configuration Files
§ Web source content and other critical, custom files
§ Data stores and log files containing security events and audit trails
  - Content checks here would generate much noise, because these files change constantly by design
  - Focus on name changes, deletions, and changes to attributes and security settings

Activation & Setup



Currently Supported OS Technologies

Qualys Cloud Agent must be running on one of:
§ Microsoft Windows
§ Red Hat Enterprise Linux
§ CentOS
§ Oracle Enterprise Linux
§ SUSE Linux Enterprise Server
§ Ubuntu
§ Amazon Linux
§ Amazon Linux 2

o https://www.qualys.com/docs/qualys-cloud-agent-getting-started-guide.pdf

Qualys FIM Workflow

1. Install Cloud Agent on target host.
2. Assign target agent host to a CA Configuration Profile that has FIM enabled.
   • Configuration Profile downloaded to agent host.
3. Activate FIM module on target agent host.
4. Assign target agent host to an “active” FIM Monitoring Profile.
   • FIM Manifest downloaded to agent host.
   • File and directory integrity monitoring begins.
5. Deactivate FIM module when monitoring is no longer required.
FIM Workflow Diagram

Install Qualys Cloud Agent on Target Host → Assign Target Host to CA Config. Profile with FIM enabled → Configuration Settings Downloaded to Target Host → Activate FIM Module on Target Agent Host → Assign Target Host to an active FIM Monitoring Profile → FIM Manifest Downloaded to Target Agent Host → FIM Agent Begins Monitoring Target Host → Deactivate FIM Module on Target Agent Host

CA Configuration Profile

§ Assign target host to a CA Configuration Profile that has FIM enabled (within the CA application).
§ Configure FIM Options:
  1. Max event log size
  2. Payload threshold time
  3. Max. disk usage for FIM data

Asset Tags & FIM Agent Configuration

• Add agent assets to their appropriate Configuration Profile, using Asset Tags.
Activate FIM Module for Target Host

• Deploy the Cloud Agent Activation Key with the FIM module already enabled,
OR
• Use the “Quick Actions” menu to activate FIM for any agent host, or use the Qualys Cloud Agent API.

Linux “Audit-Compatible” Mode

o https://discussions.qualys.com/docs/DOC-7087
Asset Tags & FIM Monitoring Profiles

Operating System
• Windows
• Linux
• Debian
• Amazon Linux AMI

Application
• Internet Information Server (IIS)
• Apache Tomcat on Windows
• Web Server on Linux

• Create dynamic OS and application tags for “FIM Monitoring Profile” assignments.

FIM Configuration Alert

• Watch for the FIM “alert” icon within the CA application; it indicates that FIM configuration is incomplete.
• Ensure that agent host assets are members of an “activated” FIM Monitoring Profile.



LAB

FIM Activation & Setup



Monitoring Profile



Assign Hosts

• Assign your host assets to one or more FIM Monitoring Profiles.



Out-of-Box FIM Monitoring Profiles

Operating System
• Windows
• Linux
• Debian
• Amazon Linux AMI

Application
• Internet Information Server (IIS)
• Apache Tomcat on Windows
• Web Server on Linux

Monitoring Profile Rules

Windows
§ Use the Windows “SET” command to display environment variables for use in rule paths.



Directory & File Monitoring Options

§ Each separate rule will allow you to target and monitor changes to directory or file names,
content, attributes, and security settings, as well as directory or file creation/removal.



Data Stores and Log Files

• Content checks on files that are continuously updated would generate much noise.
• Instead, focus on Changes to Attributes, Changes to Security Settings, Name Changes, and File Removal.



Advanced Options

§ Inclusion and Exclusion filters help to control the scope of “Directory” rule types.
§ BEST PRACTICE: Tune rules for accuracy and efficiency using Inclusion and Exclusion filters.



Inclusion Filter

§ Directory rule types allow for the INCLUSION of specific files or directories.



Exclusion Filter

§ Directory rule types allow for the EXCLUSION of specific files or directories.
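The hashing, the per-rule monitoring options (name, content, attributes, security settings, creation and removal), the advice to skip content checks on logs and data stores, and the Inclusion/Exclusion filters above can be seen end to end in the following added example. It is not Qualys code and does not model the Qualys rule schema, manifest or agent; it is a stand-alone Python sketch of how a FIM baseline/compare works. Each hypothetical `Rule` monitors one directory, optionally skipping content hashing, with fnmatch-style include/exclude patterns; `compare()` reports created, removed, renamed (same hash, different name), content, permission and ownership changes. The sample tree built in `demo()`, its file names and contents, are constructed for illustration.

```python
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:                          # hypothetical "Directory" rule, not the Qualys schema
    path: str
    check_content: bool = True       # False for logs/data stores: watch metadata only
    include: Tuple[str, ...] = ()    # fnmatch patterns on the relative path; () = everything
    exclude: Tuple[str, ...] = ()    # fnmatch patterns taken out of scope

@dataclass(frozen=True)
class Record:
    digest: Optional[str]            # SHA-256 of the content, None when content is not checked
    mode: int                        # permission bits (the object's "security settings")
    owner: Tuple[int, int]           # (uid, gid)

def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def in_scope(rel: str, rule: Rule) -> bool:
    if rule.include and not any(fnmatch.fnmatch(rel, p) for p in rule.include):
        return False
    return not any(fnmatch.fnmatch(rel, p) for p in rule.exclude)

def snapshot(rule: Rule) -> Dict[str, Record]:
    """Baseline: one Record per regular file inside the rule's scope."""
    records: Dict[str, Record] = {}
    for dirpath, _, names in os.walk(rule.path):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, rule.path).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and in_scope(rel, rule):
                digest = sha256_file(full) if rule.check_content else None
                records[rel] = Record(digest, stat.S_IMODE(st.st_mode), (st.st_uid, st.st_gid))
    return records

def compare(before: Dict[str, Record], after: Dict[str, Record]) -> List[Tuple[str, str]]:
    """Diff two snapshots into (event_type, detail) pairs."""
    events: List[Tuple[str, str]] = []
    removed, created = set(before) - set(after), set(after) - set(before)
    for old in sorted(removed):
        digest = before[old].digest
        # a removed and a created entry with the same content hash is one rename, not two events
        new = next((n for n in sorted(created) if digest and after[n].digest == digest), None)
        if new:
            events.append(("renamed", f"{old} -> {new}"))
            created.discard(new)
        else:
            events.append(("removed", old))
    events.extend(("created", n) for n in sorted(created))
    for rel in sorted(set(before) & set(after)):
        b, a = before[rel], after[rel]
        if b.digest != a.digest:
            events.append(("content", rel))
        if b.mode != a.mode:
            events.append(("permissions", f"{rel} {oct(b.mode)} -> {oct(a.mode)}"))
        if b.owner != a.owner:
            events.append(("owner", rel))
    return events

def _write(path: str, data: str, mode: str = "w") -> None:
    with open(path, mode) as f:
        f.write(data)

def demo() -> List[Tuple[str, str]]:
    """Constructed sample tree (config dir with content checks, log dir metadata-only)."""
    root = tempfile.mkdtemp()
    try:
        etc, logs = os.path.join(root, "etc"), os.path.join(root, "logs")
        os.makedirs(etc)
        os.makedirs(logs)
        for name, data in (("etc/sshd_config", "PermitRootLogin no\n"), ("etc/motd", "welcome\n"),
                           ("etc/cache.tmp", "scratch\n"), ("logs/auth.log", "line1\n")):
            _write(os.path.join(root, name), data)
        os.chmod(os.path.join(logs, "auth.log"), 0o640)
        rules = [Rule(etc, exclude=("*.tmp",)), Rule(logs, check_content=False)]
        baseline = [snapshot(r) for r in rules]
        # after the baseline: tampered config, renamed file, excluded file touched,
        # log appended (must not alert) and log permissions loosened (must alert)
        _write(os.path.join(etc, "sshd_config"), "PermitRootLogin yes\n")
        os.rename(os.path.join(etc, "motd"), os.path.join(etc, "motd.bak"))
        _write(os.path.join(etc, "cache.tmp"), "changed\n")
        _write(os.path.join(logs, "auth.log"), "line2\n", mode="a")
        os.chmod(os.path.join(logs, "auth.log"), 0o666)
        events: List[Tuple[str, str]] = []
        for rule, before in zip(rules, baseline):
            events.extend(compare(before, snapshot(rule)))
        return events
    finally:
        shutil.rmtree(root)
```

Running `demo()` yields exactly three events: a rename of `motd`, a content change on `sshd_config`, and a permissions change on `auth.log`; the appended log line and the excluded `*.tmp` file produce nothing, which is the noise reduction the slides are after. A real agent would persist the baseline off-host (or otherwise protect it), since a baseline an attacker can rewrite proves nothing.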



LAB

FIM Monitoring Profile



Events



Events Section

1. All events detected across all your assets (excluding ignored events).
2. Events waiting to be reviewed; your options include:
• Ignore events
• Create incidents
3. Ignored events.



Finding Events

Event Details

File Security Event:
1. User, process and file involved in the event.
2. Permissions before and after the event.
3. Monitoring Profile and Rule that triggered the event capture.
4. Potential actions to be taken.



Find Similar Events

When viewing the details of any event, use the “Actions” button to find other events that have the same:
1. Process
2. User
3. Filename
4. Path
5. Rule



Ignore and Whitelist

§ When you “whitelist” an event, its originating Profile/Rule is updated with an Exclusion Filter.
§ This option is unavailable for events already added to an Incident, or events triggered by the “File” rule type.



Restore Ignored Events

§ Any “Ignored” event can be restored, returning it to the “All Events” and “Event Review” tabs.



LAB

FIM Events



Incidents



Managing Events

1. Ignore and Whitelist Events*
2. Add Events to an Incident*
   • An “Incident” contains related events (e.g., patching, log rotation, suspicious activity, malicious activity, etc.).
   • Incidents can be approved or unapproved.

* FIM “Responses” can alert you to events or incidents you have singled out or deemed critical.



Event Review

§ Select available check boxes and use the “Actions” menu to ignore events in bulk, or
§ Search for targeted events and click the “Create Incident” button.
  • The “Create Incident” button acts on the current search results; it does not work with check boxes.

Correlation Rules

§ Automate the creation of incidents.
§ Use queries (i.e., QQL) to identify targeted events.
§ Are scheduled to run during a specified time window and frequency.
  • All targeted events captured during this time window are added to a single incident.
§ Provide the option to approve/disapprove incidents, either manually or automatically.



Correlation Rule Incident Approval Types

§ A Correlation Rule can be configured to create incidents that must be


approved/disapproved manually, or
§ It can be configured to automatically approve/disapprove incidents it creates.

LAB

FIM Incidents



Responses



Rules

• Build rules to alert you when:
  1. Events are captured, or
  2. Incidents are created.



Sample Queries

• Construct your own custom queries, OR
• Use the sample Event and Incident queries provided.



Trigger Criteria

1. Generate an alert for each matching Event or Incident.
2. Generate an alert when a specified number of matches occur within a given time window (any time of day).
3. Generate an alert for matches occurring between a specific start-time and end-time, on a daily, weekly, or monthly schedule.

Actions
• Send to PagerDuty
• Send Email (via Qualys)
• Post to Slack
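The Correlation Rule behaviour (every match inside a time window lands in one incident awaiting approval) and the Response trigger criteria above, as an added example that is not Qualys code and does not use its QQL engine or alerting back end: a stand-alone Python sketch over constructed sample events. `alert_per_match` is trigger criterion 1, `alert_on_threshold` is criterion 2 (N matches inside a sliding window, firing once per burst so a flood of changes produces one page), and `correlate` behaves like a Correlation Rule over a start/end window. The predicate functions stand in for QQL queries; the timestamps, paths and process names are made up.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]
Query = Callable[[Event], bool]        # stands in for a QQL query

T0 = datetime(2024, 1, 1, 2, 0, 0)
# Constructed sample events (not real Qualys output): a 40-second burst of edits to
# account files by an editor, a permission change on a log, and a package update an hour later.
EVENTS: List[Event] = [
    {"ts": T0, "path": "/etc/passwd", "action": "content", "process": "vim"},
    {"ts": T0 + timedelta(seconds=20), "path": "/etc/shadow", "action": "content", "process": "vim"},
    {"ts": T0 + timedelta(seconds=40), "path": "/etc/sudoers", "action": "content", "process": "vim"},
    {"ts": T0 + timedelta(minutes=10), "path": "/var/log/auth.log", "action": "permissions", "process": "chmod"},
    {"ts": T0 + timedelta(hours=1), "path": "/usr/bin/ls", "action": "content", "process": "yum"},
    {"ts": T0 + timedelta(hours=1, seconds=5), "path": "/usr/bin/cat", "action": "content", "process": "yum"},
    {"ts": T0 + timedelta(hours=1, seconds=10), "path": "/usr/bin/cp", "action": "content", "process": "yum"},
]

def account_file_edit(e: Event) -> bool:
    """Query: content changes under /etc/ (hypothetical stand-in for a QQL expression)."""
    return str(e["path"]).startswith("/etc/") and e["action"] == "content"

def package_manager_write(e: Event) -> bool:
    """Query: anything written by the package manager, the usual 'expected patching' case."""
    return e["process"] == "yum"

def alert_per_match(events: List[Event], query: Query) -> List[Event]:
    """Trigger criterion 1: one alert for every matching event."""
    return [e for e in events if query(e)]

def alert_on_threshold(events: List[Event], query: Query, count: int, window: timedelta) -> List[datetime]:
    """Trigger criterion 2: alert when `count` matches fall inside a sliding `window`.
    The window is cleared after firing, so one burst yields one alert."""
    recent: deque = deque()
    alerts: List[datetime] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not query(e):
            continue
        recent.append(e["ts"])
        while e["ts"] - recent[0] > window:     # drop matches that aged out of the window
            recent.popleft()
        if len(recent) >= count:
            alerts.append(e["ts"])
            recent.clear()
    return alerts

def correlate(events: List[Event], query: Query, start: datetime, end: datetime) -> Optional[Dict[str, Any]]:
    """Correlation rule: every match in [start, end) is added to a single incident.
    Approval is left to the reviewer (None = pending); an empty window creates no incident."""
    matched = [e for e in events if query(e) and start <= e["ts"] < end]
    if not matched:
        return None
    return {"window": (start, end), "events": matched, "approved": None}
```

With the sample data, the `/etc/` burst produces three per-event alerts but a single threshold alert (3 matches within 60 seconds, none within 30), and a correlation window over the patching hour folds the three `yum` writes into one incident that an analyst can approve in a single step rather than triaging event by event.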



LAB

FIM Responses



FIM & Policy Compliance



Cloud Agent & FIM Module OS Support

§ Host OS must be supported by both Qualys Cloud Agent and the FIM module.
§ The Qualys Policy Compliance module provides additional OS coverage.

User Defined Control (UDC)

§ Qualys Policy Compliance has four “User Defined Control” types that
perform file and directory integrity checks.

User Defined Control (UDC) - custom controls created by users.

System Defined Control (SDC) - controls provided by Qualys.

Scan Parameters

Use Scan Data as Expected Hash Value

§ “Use scan data as expected value” compares the hash value from the previous scan to the hash value of the latest scan.
§ The previous scan then acts as the baseline: a change already present at the previous scan is accepted as expected, so verify the first baseline against a known-good source before relying on it.



Additional OS Support

(Operating system logos shown on the slide) and more...

Policy Compliance Training

qualys.com/learning
Data Collection Comparison

                     Policy Compliance                                  FIM
Qualys Sensor(s)     Scanner Appliance and Cloud Agent.                 Cloud Agent, only.
Timing & Frequency   File and directory integrity checks are            Continuous collection of file and
                     performed at scheduled frequencies.                directory changes, as they occur.

Thank You

[email protected]
