Your organization has had a data breach. You’ve managed to confirm that it’s not a false alarm, it really is an issue. And now you need to recover from it. What do you do?
The US Commerce Department’s National Institute of Standards and Technology (NIST) has produced a Framework for Improving Critical Infrastructure Cybersecurity, aka the Cybersecurity Framework. That might be a good place to start. And, to be honest, every site takes regular back-ups, plus many use mirrored disks and hot recovery sites, so the recovery won’t take long, will it?
Let’s just take a look at what actually needs to be done for the recovery process to take place. In terms of restoring files, the first thing you need to know is which ones have been affected. You need to know when they were affected – no point restoring a corrupted file, and no point going back too far into the past to recover the file. And you need to know where those files are stored. So, that means identifying all the components that need to be replaced, what the right backup versions are, and then you need to build the recovery jobs to run them.
And you need to do all this very quickly!
Of course, you may be thinking that it’s not that big a deal. You can let HRECOVER, DFDSS, or FDR restore all the components. You just need to build the control jobs for those tools, and they can do all the heavy lifting required. That’s sort of true, but how do you know the last date when those components you’re restoring were correct?
Simple event monitoring may give you basic detection by screening hundreds of millions of records to look for suspicious activity. But what it can’t tell you is the last date that a program or config file was reliable, and there’s no way it can reveal content changes.
Another annoying exposure is that events are point-in-time based – they occur once and then disappear. If you have ever lost an event log, or you are monitoring the wrong things, or the intelligence you try to build in to isolate a single bad action amongst millions of events isn’t perfect, a big problem can slip through.
What can you do? If you handle credit cards in your business, then you need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). And PCI DSS 3.2.1 calls for File Integrity Monitoring. PCI DSS v4.0 will extend this requirement further, and the PCI Best Practices already suggest FIM (File Integrity Monitoring) processing to support even more controls. Similarly, the NIST (National Institute of Standards and Technology) protocols, which cover HIPAA (Health Insurance Portability and Accountability Act) and FISMA (the Federal Information Security Management Act) compliance, require corroborating evidence to verify that event records are complete.
So, what can FIM software do for you? Firstly, FIM should identify every component with content that has changed. By using the automated compare function, you can see exactly what lines have changed and identify what the real impact is. That information will show what systems and lines of business are affected.
Returning to the backup and restore software mentioned earlier, smart FIM software will be able to build the control jobs for those tools. And FIM will also know the last date when those components were correct. Intelligent scans write a success record when all the components match the desired state. That is how FIM determines the interval of attack in the first place, and can, therefore, eliminate so many redundant access records during the forensics step. When building the recovery jobs, FIM can simply ensure that the restore selects a backup immediately prior to the attack interval. Now you can feel secure that you’ve got the right components back. Just run the restores and you should be back in business.
In addition, there are no more problems with lost event logs or isolating activities. FIM can work retroactively. It does not matter whether the event that caused a breach was ignored or not: the content comparison process is simply not prone to point-in-time errors. Further, FIM actually allows you to fix sins of the past before they become a problem of the future. And, if everything matches the desired state, there’s been no breach, and your auditors can see that you are compliant.
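The two preceding paragraphs describe the core FIM mechanics: compare each component's content against a desired-state baseline, record a success when everything matches, derive the attack interval from the last success record and the first failed scan, pick a backup immediately prior to that interval, and catch a change whether or not any event was ever logged for it. The following Python is an added illustration written for this article; it is not FIM+ or any vendor's code. The component names, scan history and backup catalogue are constructed sample data, and the "recovery plan" is a plain list of (component, backup version) pairs rather than actual HRECOVER/DFDSS/FDR control statements.

```python
import difflib
import hashlib
from datetime import datetime


def digest(content: bytes) -> str:
    """SHA-256 of a component's content; the unit of comparison for a scan."""
    return hashlib.sha256(content).hexdigest()


# Constructed sample contents. Names are hypothetical mainframe data set
# members; the byte strings stand in for load modules and parameter members.
GOOD_CONFIG = b"MAXUSERS=100\nAUDIT=YES\n"
BAD_CONFIG = b"MAXUSERS=100\nAUDIT=NO\n"          # auditing silently switched off
GOOD_BILLING = b"billing module v1"
BAD_BILLING = b"billing module v1 + unexpected patch"
GOOD_PAYROLL = b"payroll module v1"

# Baseline: the desired state, captured from a trusted scan.
BASELINE = {
    "PROD.PARMLIB(CONFIG)": digest(GOOD_CONFIG),
    "PROD.LOADLIB(BILLING)": digest(GOOD_BILLING),
    "PROD.LOADLIB(PAYROLL)": digest(GOOD_PAYROLL),
}


def snapshot(config: bytes, billing: bytes, payroll: bytes) -> dict:
    """Digest every monitored component as a scan would."""
    return {
        "PROD.PARMLIB(CONFIG)": digest(config),
        "PROD.LOADLIB(BILLING)": digest(billing),
        "PROD.LOADLIB(PAYROLL)": digest(payroll),
    }


# Nightly scan history (constructed). No event log entry exists for the
# change that appears on 3 March; the content comparison catches it anyway.
SCANS = [
    (datetime(2024, 3, 1, 2, 0), snapshot(GOOD_CONFIG, GOOD_BILLING, GOOD_PAYROLL)),
    (datetime(2024, 3, 2, 2, 0), snapshot(GOOD_CONFIG, GOOD_BILLING, GOOD_PAYROLL)),
    (datetime(2024, 3, 3, 2, 0), snapshot(BAD_CONFIG, GOOD_BILLING, GOOD_PAYROLL)),
    (datetime(2024, 3, 4, 2, 0), snapshot(BAD_CONFIG, BAD_BILLING, GOOD_PAYROLL)),
]

# Backup catalogue (constructed): when each component was backed up.
BACKUPS = {
    "PROD.PARMLIB(CONFIG)": [
        datetime(2024, 2, 28, 23, 0), datetime(2024, 3, 1, 23, 0),
        datetime(2024, 3, 2, 23, 0), datetime(2024, 3, 3, 23, 0),
    ],
    "PROD.LOADLIB(BILLING)": [datetime(2024, 3, 1, 23, 0), datetime(2024, 3, 3, 23, 0)],
    "PROD.LOADLIB(PAYROLL)": [datetime(2024, 3, 1, 23, 0)],
}


def changed_components(scan: dict, baseline: dict = BASELINE) -> list:
    """Components whose content digest differs from the desired state."""
    return sorted(name for name, h in scan.items() if baseline.get(name) != h)


def is_success_record(scan: dict, baseline: dict = BASELINE) -> bool:
    """True when every monitored component matches the baseline."""
    return not changed_components(scan, baseline)


def attack_interval(scans=SCANS, baseline=BASELINE):
    """(last good scan time, first bad scan time); the change happened inside
    that window. Returns None if no scan ever failed."""
    last_good = None
    for when, scan in scans:
        if is_success_record(scan, baseline):
            last_good = when
        else:
            return last_good, when
    return None


def select_backup(component: str, last_good, backups=BACKUPS):
    """Latest backup taken at or before the last success record, i.e. the most
    recent copy known to pre-date the attack interval. Backups taken inside the
    interval are rejected even if they are newer. None if nothing qualifies."""
    if last_good is None:
        return None
    candidates = [t for t in backups.get(component, []) if t <= last_good]
    return max(candidates) if candidates else None


def build_recovery_plan(scans=SCANS, baseline=BASELINE, backups=BACKUPS) -> list:
    """Restore list: only components that currently differ from the baseline,
    each paired with the backup version the restore job should select."""
    interval = attack_interval(scans, baseline)
    if interval is None:
        return []            # everything matches: no breach, nothing to restore
    last_good, _ = interval
    _, latest = scans[-1]
    return [(name, select_backup(name, last_good, backups))
            for name in changed_components(latest, baseline)]


def line_diff(expected: bytes, actual: bytes) -> list:
    """Changed lines between desired and observed content (the compare step)."""
    diff = difflib.unified_diff(expected.decode().splitlines(),
                                actual.decode().splitlines(),
                                "desired", "actual", lineterm="")
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    print("attack interval:", attack_interval())
    print("changed lines in CONFIG:", line_diff(GOOD_CONFIG, BAD_CONFIG))
    for component, backup in build_recovery_plan():
        print(f"restore {component} from backup taken {backup}")
```

Note that the 2 March 23:00 backup of CONFIG is newer than the one the plan selects, but it falls inside the attack interval (between the last success record and the first failed scan), so it cannot be trusted; the plan deliberately picks the last backup that pre-dates the interval.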
So, what should you do now? I’ve found only one software vendor that provides modern mainframe FIM software – MainTegrity. Their product is called FIM+. I leave it to you to find out whether it’s inexpensive to own, easy to implement, and protects your mainframe against malicious hackers and internal errors. Using FIM software means that you recover from a breach quickly (the ‘fast’ part of the title). Whereas if you don’t use FIM, you’ll find the whole process time-consuming, tedious, and you may still not be compliant at the end of it (which will make you ‘furious’).