🔒

Understanding File Integrity and DLP

May 26, 2025

Lecture on File Integrity Monitoring and Data Loss Prevention (DLP)

Introduction

  • Files associated with server or application instances fall into two categories:
    • Static Files: Rarely change unless the application is upgraded.
    • Dynamic Files: Change frequently (e.g., data files, cached information).
  • Monitoring file integrity is crucial for security.

File Integrity Monitoring (FIM)

Windows

  • System File Checker (SFC):
    • Built-in utility for on-demand file integrity monitoring.
    • Scans critical operating system files and replaces modified files with correct versions.

Linux

  • Tripwire:
    • Popular utility for file integrity monitoring.
    • Provides real-time monitoring of file changes.

Host-Based Intrusion Prevention Systems (HIPS)

  • Monitor file changes and block attacks against known vulnerabilities.
  • Differ from network-based systems: operate directly on the OS to monitor the file system.

Data Loss Prevention (DLP)

  • Purpose: Block the transmission of sensitive data in real-time.

DLP Types

Network-Connected

  • Monitors packets in real-time ("data in motion").
  • May be integrated into Next-Generation Firewalls or standalone appliances.

Endpoint DLP

  • Monitors data in active memory or "data at rest" on a local machine.
  • Controls data transfers, including USB restrictions.
    • Example: 2008 USB device ban in the US Department of Defense due to a worm virus.
    • Restrictions lifted in 2010 with new USB usage guidelines.

Cloud-Based DLP

  • Monitors traffic to/from cloud-based applications.
  • Blocks sensitive info before storage in the cloud.
  • Can detect malware and other malicious activities.

Email-Based DLP

  • Monitors email for sensitive information.
  • Inbound Email:
    • Detects keywords, spoofed or imposter emails.
    • Quarantine suspicious emails.
  • Outbound Email:
    • Blocks emails containing sensitive information like Social Security numbers.
    • Example: 2016 incident at Boeing with sensitive data in a hidden spreadsheet.

Summary

  • Effective monitoring tools include FIM and DLP solutions to ensure file integrity and prevent data breaches.
  • Different DLP solutions cater to network, endpoint, and cloud environments.
  • Importance of implementing DLP to protect sensitive information both internally and externally.

Full transcript