What is FIM?
FIM, also known as a change detection solution, is one of the requirements of PCI DSS; it verifies whether an application, operating system, or registry has been tampered with. FIM is very useful when a server gets compromised and the attacker starts installing unauthorized applications or malicious code (malware, spyware) or changing OS and application files. Microsoft Defender for Cloud can be the savior here, as it provides FIM for Azure VMs and non-Azure servers.
How FIM helps in becoming PCI DSS compliant
PCI DSS Requirement 11.5 describes FIM and the details given below are from the official PCI web page pcisecuritystandards.org.
[Table from pcisecuritystandards.org with columns: PCI DSS Requirements | Testing Procedures | Guidance]
How to achieve FIM using Defender for Cloud
Microsoft Defender for Cloud (previously Azure Security Center) comes with two plans: one is free and the other is paid. If we use the paid plan of Defender for Cloud, we get the workload protection features (also known as advanced features). FIM is one of the premium features of the paid version of Defender for Cloud.
The technology behind FIM in Azure is the Log Analytics agent, a Log Analytics workspace, and Azure Change Tracking. The Log Analytics agent uploads the current state of the monitored items to the Log Analytics workspace, and FIM uses Azure Change Tracking to track and identify changes on those servers. Now we will see in detail how PCI DSS requirement 11.5 can be achieved using Defender for Cloud.
Log in to the Azure portal (portal.azure.com) and go to Defender for Cloud->Workload protections->File Integrity Monitoring.
Choose the correct workspace name and click on the Enable button. The server should be connected to the Log Analytics workspace. In the image below, we can see that 5 servers are connected to the selected workspace.
Click on the File Integrity Monitoring button. FIM will be enabled for these 5 servers and will start tracking changes to Windows files, the registry, and Linux files. We can modify these settings (add/remove change tracking for a specific registry value, add/remove change tracking for a specific Windows/Linux file path) as needed.
This is the FIM dashboard, where all detected changes are shown. Whenever a change happens we can see it here. Right now everything is zero; it takes some time for changes to appear the first time.
Now we have to make some registry and file changes so FIM can detect them and show them on the dashboard. For example, add new registry values: we add values named FIMTEST, FIMTEST1, FIMTEST3, and FIMTEST4.
Another example: install Wireshark on the server. The installation wizard changes files under Program Files, and this will be detected by FIM.
FIM has detected both the new registry values and the file changes at that location. The FIM dashboard shows the changes, as in the image below.
Here, Value Before is blank and Value After has data (FIMTEST). This means FIMTEST is a new registry entry; it could be a malicious entry created by a bad actor and should be reviewed.
Here, both Value Before and Value After have data, but the data differs. This means an existing registry value has been modified, possibly by a malicious application or a bad actor.
We can check for specific changes using a Log Analytics query. For example, to look for all changes under the registry key HKEY_LOCAL_MACHINE, the query below shows the multiple new entries we added previously.
ConfigurationChange | where RegistryKey == @"HKEY_LOCAL_MACHINE"
If we want an alert to be triggered whenever such an event occurs, we can create an alert, which is also one of the items in requirement 11.5. Click on New alert rule and follow the wizard.
The triggered alert is shown in the Alerts dashboard of Azure Monitor. It says the registry value has changed.
The SecMon team should take a deeper look at the alerts and investigate whether the activity is malicious and unauthorized. We can see the details of the alert, including the criteria that triggered it, and the query behind the alert.
There are many more alerting scenarios; below are a few more queries we use for alerting.
// Any file change under the drivers folder (verbatim @"" string so the backslashes are not treated as escapes)
ConfigurationChange | where ConfigChangeType == "Files" and FileSystemPath contains @"c:\windows\system32\drivers\"
// Content change of the hosts file (=~ gives a case-insensitive path match)
ConfigurationChange | where FieldsChanged contains "FileContentChecksum" and FileSystemPath =~ @"c:\windows\system32\drivers\etc\hosts"
// IIS web service stopped
ConfigurationChange | where ConfigChangeType == "WindowsServices" and SvcName contains "w3svc" and SvcState == "Stopped"
// Linux SSH daemon not running
ConfigurationChange | where ConfigChangeType == "Daemons" and SvcName contains "ssh" and SvcState != "Running"
// Newly installed software
ConfigurationChange | where ConfigChangeType == "Software" and ChangeCategory == "Added"
// Monitoring agent not at the expected version
ConfigurationData | where SoftwareName contains "Monitoring Agent" and CurrentVersion != "8.0.11081.0"
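As an added example (not from the original post), the following query ties the Value Before / Value After reasoning above to the alert rule for requirement 11.5: it classifies HKEY_LOCAL_MACHINE registry changes by ChangeCategory and summarizes them per computer, which is the shape an alert rule query needs. The ConfigChangeType value "Registry" is an assumption; confirm it with ConfigurationChange | distinct ConfigChangeType in your own workspace.

```kusto
// Added example, not from the original post.
// Assumption: registry records carry ConfigChangeType == "Registry";
// confirm with: ConfigurationChange | distinct ConfigChangeType
let lookback = 1h;
ConfigurationChange
| where TimeGenerated > ago(lookback)
| where ConfigChangeType == "Registry"
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE"
// Map the dashboard's Value Before / Value After cases to a review hint:
//   Added    -> Value Before blank, Value After set  (new entry)
//   Modified -> both set but different               (existing value changed)
//   Removed  -> Value Before set, Value After blank  (entry deleted)
| extend Review = case(
    ChangeCategory == "Added",    "new registry entry - confirm it was authorized",
    ChangeCategory == "Modified", "existing value changed - compare before/after data",
    ChangeCategory == "Removed",  "value deleted - check whether a control was disabled",
    "unclassified change")
| summarize Changes = count(),
            Keys = make_set(RegistryKey, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, ChangeCategory, Review
| order by LastSeen desc
// For the alert rule: use this query with the condition "number of results > 0",
// evaluated every 5 minutes over the same 1h lookback.
```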
We can see that all the requirements are met: changes to the registry, files, and services are identified and tracked, and an alert is triggered in case of suspicious activity. Hence PCI DSS requirement 11.5 can be easily achieved with Defender for Cloud's FIM.
Hope this was helpful, contact me on Twitter @sakaldeep for any queries.