Breach Recovery

More confidential data was exposed in 2019 than ever before

At 7.3 billion records, 2019 has already seen more information exposed in data breaches than ever before. [ 1, 2 ] It is therefore not surprising to see many industry experts pushing organizations to adopt an “assume breach” mindset: conduct everyday operations on the premise that bad actors have already compromised the system. Wouldn’t it be nice to know whether these attackers (real or assumed) have made any changes to critical system and application files? And how would you start the breach recovery process if they had? This is where File Integrity Monitoring (FIM) finds its niche, and why it is so strongly recommended by bodies such as PCI and NIST. FIM products generally compare a file’s metadata (size, permissions, timestamps) and its cryptographic hash against a trusted baseline at various points in time in order to determine whether an unauthorized modification has occurred.

How FIM can help

So, now you’ve discovered that there is a problem in the system and confidential information may have been exposed. Now what? Restore from backup? How do you know how far back the tampering goes? As a rule, the further back you recover from, the more recent data you’ll lose. At the same time, you need to be sure that the attacker is no longer in the system and that malware isn’t reintroduced from a backup taken too recently. This makes finding the last known good configuration essential for increasing confidence and reducing redundant effort. FIM makes recovery far simpler: it already holds the known-good baseline and can compare each file against it, snapshot by snapshot, to show exactly when each file last matched.
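The two ideas above, the metadata-plus-hash comparison and the search for the last snapshot in which a file still matched the trusted baseline, in a small Python example added for this article (not code from FIM+ or any vendor). The directory, file names and snapshot sequence are constructed for the demonstration; `app.cfg` is altered without changing its size, which is why the hash matters and metadata alone is not enough.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Record a SHA-256 digest plus size and permission bits for every regular file under root."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            snap[str(path.relative_to(root))] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return snap

def diff(baseline, current):
    """Files whose digest or metadata differ from the baseline, plus files added or removed."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def last_known_good(snapshots, path):
    """snapshots is ordered oldest to newest; snapshots[0] is the trusted baseline.
    Return the index of the last snapshot in which path still matched the baseline record:
    restoring from that point or earlier does not bring the tampered file back."""
    trusted = snapshots[0].get(path)
    good = 0
    for i in range(1, len(snapshots)):
        if snapshots[i].get(path) != trusted:
            break
        good = i
    return good

def demo():
    """Constructed scenario: trusted baseline, one clean snapshot, then two tampered ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.cfg").write_text("port=443\n")
        (root / "bin.exe").write_bytes(b"\x7fELF original")
        s0 = snapshot(root)                            # trusted baseline
        s1 = snapshot(root)                            # nothing has changed yet
        (root / "app.cfg").write_text("port=444\n")   # same size, different content
        s2 = snapshot(root)
        (root / "bin.exe").write_bytes(b"\x7fELF tampered")
        (root / "dropper").write_text("x")            # unexpected new file
        s3 = snapshot(root)
        snaps = [s0, s1, s2, s3]
        return diff(s0, s3), last_known_good(snaps, "app.cfg"), last_known_good(snaps, "bin.exe")
```

`demo()` reports `app.cfg` and `bin.exe` as changed and `dropper` as added, with `app.cfg` last clean in snapshot 1 and `bin.exe` in snapshot 2, so a restore point between snapshots 1 and 2 keeps the most data without reintroducing either tampered file.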

FIM on the Mainframe

While FIM is standard practice in the distributed world, the mainframe has been slow to keep up. However, this is starting to change. In a recent article, “Breach Recovery - The Fast and the Furious”, MainTegrity’s FIM+ product was singled out as the only file integrity monitor for mainframes. The upcoming release of version 2 of FIM+ brings new features such as a fully functional GUI, enhanced querying of other software sources, and a bleeding-edge auto-discovery system. See our datasheet for a full list of how FIM+ is an essential tool from threat hunting to breach recovery.
