Monitoring change on the file system and in the system registry is a vital discipline that substantially improves corporate security and improves availability. Consider that:
- Most IT security and operations problems are related to, or result in, an unauthorized or unplanned change on the file system or in the Windows registry.
- A minor change to an executable or library file is often the only clue you have that something potentially dangerous has happened on the system.
- Compliance regulations such as PCI-DSS also require monitoring change on critical devices.
Yet Windows itself offers no practical way to detect what was changed, much less who changed it and when.
EventTracker automatically monitors and detects system changes over time and compares these changes with a previously recorded known or trusted state. It can also compare these changes with user definable policies and/or industry standard checklists.
The changes are then easily categorized:
- Authorized vs. unauthorized changes vs. harmless system changes
- Business knowledge vs. configuration changes
- Zero-day attacks
- Undesired configurations
- Known vulnerabilities
Another application is the detection of zero-day attacks:
- Reactive anti-virus and rule-based firewall systems are insufficient.
- Malware signatures are changing constantly.
- Often the same malware comes back in a slight variation that is enough to elude anti-virus systems.
File Integrity Monitoring is an effective way to help prevent costly damage from these new attack types.
- Most infections (Sasser, MyDoom, Blaster) hide on your system by adding or modifying an .exe or .dll file.
- To become infected, something on the system has to change, and EventTracker can detect these hidden changes and alert you.
- EventTracker enables you to quickly cut through the sheer number of executables and DLLs with misleading, innocuous names to zero in on the ones that have been added, deleted or modified.
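The baseline-and-compare approach described above (record a trusted state, re-scan later, and classify every executable or DLL as added, deleted or modified) as an added illustration; this is example code written for this page, not EventTracker's own implementation. It assumes a hypothetical monitored directory tree constructed inside a temporary folder and hashes files with SHA-256.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path, suffixes=(".exe", ".dll", ".sys")) -> dict[str, str]:
    """Map each monitored file (path relative to root) to its hash.
    The first snapshot taken on a clean system is the 'known good' baseline."""
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            result[path.relative_to(root).as_posix()] = hash_file(path)
    return result

def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between two snapshots as added, deleted or modified."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def run_demo() -> dict[str, list[str]]:
    """Constructed sample tree (hypothetical names): baseline it, simulate an
    unauthorized change, re-scan and report what moved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"MZ original service binary")
        (root / "bin" / "helper.dll").write_bytes(b"MZ helper library")
        (root / "readme.txt").write_text("not a monitored file type")
        baseline = snapshot(root)
        # Simulated change: one library altered, one new exe dropped, one exe removed.
        (root / "bin" / "helper.dll").write_bytes(b"MZ helper library, altered")
        (root / "bin" / "updater.exe").write_bytes(b"MZ innocuous-looking name")
        (root / "bin" / "svc.exe").unlink()
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

Unchanged files produce no output, so a report of three entries against thousands of monitored binaries is what lets an operator zero in on the suspicious ones.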