From Host Integrity Monitoring Using Osiris and Samhain

Introduction

Threats to hosts are everywhere. They include software such as remote exploits, viruses, and poorly written software applications. A threat can also be a malignant administrator, a malicious user, or even uncontrolled physical access. This chapter focuses on the threats that host integrity monitoring looks for, specifically insider threats and rootkits. We also look at some successful worms and their effect on the hosts they infected. Finally, we look at threats to host integrity monitoring (HIM) tools and discuss ways to mitigate them.

Before you can establish a plan for monitoring the integrity of your hosts, you must understand their environment and the threats to that environment. This process includes defining what the threat is and its potential impact on the environment. Once you understand the impact, you can define symptoms that will indicate if a threat has been realized. Those symptoms are used to establish a plan for monitoring the environment.

An example of this is the training required to become a doctor. Even though most doctors eventually specialize, their medical training still requires them to understand basic anatomy. This background proves helpful when detecting things that are out of the ordinary. In addition, doctors study the nature and effects of diseases to learn how they behave and to be able to detect them. Like all analogies, this one eventually breaks down, but effective host integrity monitoring requires an understanding of the host environment, how it can be attacked, and how those attacks can be detected.

Malicious Software

Copyright Syngress Publishing, Inc. 2005 under license agreement with Books24x7
