Winston Churchill once said “To improve is to change; to be perfect is to change often”. While that might have been a smart way to justify his changing of political party allegiance (and true when it comes to passwords!), it obviously doesn’t sit quite so well when it comes to critical files and configurations on your HPE NonStop!
Integrity monitoring of critical and sensitive system files has always been a best practice in the NonStop security world, but with the advent of PCI-DSS and countless other important security standards, file integrity monitoring (FIM) is now mandated by most security auditors and regulators.
Thomas Jefferson famously said “…all men are created equal…”, but the same unfortunately can’t be said of third-party integrity checkers. Some were considered the industry standard, even cutting edge, 15 years ago when they were first released, but fast forward to 2022 and many NonStop users will find themselves relying on tools that aren’t fit for purpose by today’s far higher security standards.
In this article, we’re going to suggest seven highly recommended features for anyone in the market for a new integrity checking solution. If your organization already has a legacy integrity checker deployed, it’s well worth cross-checking what you have with this list to see if you’re meeting today’s modern security and compliance standards.
- Continuous 24x7x365 monitoring
Some checkers work by only comparing one snapshot/baseline to another. In that scenario, if baseline values are read at, say, 8.00, then a file is maliciously changed at 8.10, then (once the damage is done) changed back to its original state at 8.20, the next baseline read will show everything as fine and unchanged! We recommend you choose a ‘continuous’ (real-time) integrity checker which catches everything, including changes made and then reversed between read cycles.
- Audit Everything
Believe it or not, some compliance checkers exist that have alarmingly low levels of user auditing. What’s the point of even taking baseline reads if a user can make changes and then reset the baseline values without the changes or even the re-baselining appearing in any audit trails?! Ensure your monitoring solution audits all user actions.
- All on the NonStop
Some solutions require cumbersome additional server hardware to host the application and database, meaning additional unnecessary expense, lost time setting that up, and increased security risks. You have the best computer in the world, so why not use it?!
Choose a monitoring solution that is hosted on the server it’s actually monitoring: your NonStop. The database should be hosted there too; that way both the application and database can be secured and audited via Safeguard.
- User Friendly
Some solutions are unnecessarily time-consuming and complicated to set up and configure, sometimes requiring hours of tedious repetition. If you value your time, choose a solution that is quick and easy to deploy, requires no extra hardware, and can be up and running in a matter of minutes.
- Real-Time Alerts and SIEM Integration
Some tools monitor only in batch mode and take an age to complete scans, often managing just one check per day. To make matters worse, one common solution provides almost no alerting, instead requiring someone to log in to an application and personally read the feed to see if there’s anything they should be concerned about! All modern integrity tools should integrate with your enterprise SIEM solution and should additionally provide alerts via EMS.
- Strong Hashing
MD5 and SHA-1 hashing are both deprecated and are considered weak. They’re also non-compliant with PCI-DSS. SHA-256 is a strong hashing algorithm for FIM and is in compliance with PCI-DSS, so check to ensure that’s what your current or prospective integrity monitor is using.
- Beyond FIM
What’s the point in monitoring a critical program object file if its corresponding Pathway serverclass can be directed to a malicious, alternative object file without detection?! When it comes to the NonStop, monitoring subsystem configurations (such as Pathway, Netbatch, Safeguard objects, SSH, and many more) is just as important as File Integrity Monitoring – the two should go hand in hand. Comprehensive file and subsystem integrity monitoring should be your default requirement. Ideally, your tool should also have the ability to monitor any third-party applications that contain a COM interface, giving you the flexibility to monitor the configuration of all critical subsystems on your NonStop (such as data replication tools).
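Three of the points above (a change reverted between scans, an unaudited re-baseline, and the choice of hash) can be made concrete with a small simulation. This is an added example, not 4tech’s or Integrity Detective’s code and not any NonStop API: the “file system” is an in-memory dict, the change hook that the continuous checker subscribes to stands in for real-time change capture, and the file name, contents and actor names are constructed. It plays out the 8.00/8.10/8.20 scenario from the first point: the snapshot checker’s next scan reports nothing, while the event-driven checker has both the change and the revert on record; a later re-baseline is forced through the audit log so it can be questioned.

```python
"""Simulation of snapshot-only FIM versus continuous FIM, with audited re-baselining.

Constructed example: in-memory file store, invented file name and actors.
Not a NonStop API and not Integrity Detective's code.
"""
import hashlib


def sha256_hex(data):
    # SHA-256 for baseline and comparison; MD5/SHA-1 are deprecated for FIM.
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    """Every user action against the checker is recorded here, including re-baselining."""

    def __init__(self):
        self.events = []  # (actor, action, detail)

    def record(self, actor, action, detail):
        self.events.append((actor, action, detail))


class FileStore:
    """Simulated file system. Each write is announced to subscribed listeners;
    that announcement stands in for real-time change capture (constructed)."""

    def __init__(self, files):
        self.files = dict(files)
        self.listeners = []

    def subscribe(self, callback):
        self.listeners.append(callback)

    def write(self, path, data, actor):
        old = self.files.get(path)
        self.files[path] = data
        for callback in self.listeners:
            callback(path, old, data, actor)


class SnapshotChecker:
    """Baseline-vs-baseline FIM: only the state at each scan is visible to it."""

    def __init__(self, store, audit):
        self.store = store
        self.audit = audit
        self.baseline = {}

    def take_baseline(self, actor):
        self.baseline = {p: sha256_hex(d) for p, d in self.store.files.items()}
        self.audit.record(actor, "REBASELINE", "%d files" % len(self.baseline))

    def scan(self, actor):
        current = {p: sha256_hex(d) for p, d in self.store.files.items()}
        changed = sorted(p for p in set(current) | set(self.baseline)
                         if current.get(p) != self.baseline.get(p))
        self.audit.record(actor, "SCAN", "%d changed" % len(changed))
        return changed


class ContinuousChecker:
    """Event-driven FIM: records every change as it happens, reverted or not."""

    def __init__(self, store):
        self.events = []  # (path, old_hash, new_hash, actor)
        store.subscribe(self.on_change)

    def on_change(self, path, old, new, actor):
        old_hash = sha256_hex(old) if old is not None else None
        self.events.append((path, old_hash, sha256_hex(new), actor))


PATHCONF = "$SYSTEM.APP.PATHCONF"  # constructed file name
ORIGINAL = b"SERVER APP-SRV, OBJECT $SYSTEM.APP.SERVER"  # constructed content


def run_scenario():
    audit = AuditLog()
    store = FileStore({PATHCONF: ORIGINAL})
    snapshot = SnapshotChecker(store, audit)
    continuous = ContinuousChecker(store)

    snapshot.take_baseline("secadmin")                                        # 08.00 baseline read
    store.write(PATHCONF, b"SERVER APP-SRV, OBJECT $SYSTEM.EVIL.SERVER", "intruder")  # 08.10 changed
    store.write(PATHCONF, ORIGINAL, "intruder")                               # 08.20 changed back
    after_revert = snapshot.scan("secadmin")                                  # 08.30 scan: looks clean

    store.write(PATHCONF, b"SERVER APP-SRV, OBJECT $SYSTEM.ALT.SERVER", "opr")  # a lasting change
    after_change = snapshot.scan("secadmin")                                  # this one is seen
    snapshot.take_baseline("opr")                                             # re-baseline is audited
    after_rebaseline = snapshot.scan("secadmin")                              # clean again, on record

    return {
        "snapshot_after_revert": after_revert,
        "continuous_events": continuous.events,
        "snapshot_after_change": after_change,
        "snapshot_after_rebaseline": after_rebaseline,
        "audit": [(actor, action) for actor, action, _ in audit.events],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The audit list is the part to read last: the second scan reports a change, the next scan reports none, and the only thing between them is a `REBASELINE` entry by `opr`. Without that entry the clean scan would be indistinguishable from a system that was never touched.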
If your integrity monitoring tool doesn’t do all of the above, perhaps it’s time to seek one out that does?
This article was written by 4tech Software, which created Integrity Detective (ID) – the most feature-rich, continuous (real-time), file and subsystem integrity monitoring solution available today on the HPE NonStop server.
ID was designed and engineered in direct collaboration with the HPE NonStop system and security admins who actually use it, ensuring the kind of user-friendly features and attention to detail that you’d include if you were designing it yourself.
ID is available exclusively via your HPE NonStop representative. Further product information is available via the HPE Data Sheet: www.hpe.com/psnow/doc/a50004936enw
Or via the 4tech website: www.4tech.Software