Sep 17, 2019
Announcing Hybrid Mode for Integrity Monitor: Building a Foundation for the Future
By Jim Wojno
Today we’re excited to announce that Tanium Integrity Monitor offers extended compliance and reporting capabilities with a new hybrid mode. Hybrid mode completes hashing support for Windows and Linux endpoints: file checksums are now collected alongside the event recorder data, and the two are reconciled against each other. The hashing routine and the event recorder work together as two complementary, mutually reinforcing sources of evidence, so that compliance maintained through Tanium’s Integrity Monitor no longer depends on either one alone.
Integrity Monitor has simplified industry compliance and file integrity monitoring for Tanium customers for nearly two years. With Integrity Monitor, you can:
- Monitor critical operating system, application, and log files at enterprise scale and generate granular reports
- Link file integrity monitoring with active alert investigation, configuration compliance, vulnerability scanning, and other aspects of endpoint management and security
- Natively integrate with existing incident management workflow tools such as SIEM and enterprise dashboards to provide alerts and reports on observed events
How hybrid mode can make an impact
File Integrity Monitoring (FIM) point products often rely on a single driver or event recorder to observe and record changes. Such a recorder sees that a file was opened with write access, not whether its contents actually changed, so it produces false positives whenever a process opens a file for writing and leaves it untouched, generating misleading alerts and reports. Integrity Monitor’s hybrid mode compares each recorder event with the file’s checksum before and after, a sanity check designed to eliminate those false positives.
There are also scenarios in which the event recorder is not running at all, such as maintenance modes: single-user mode on Linux or Safe Mode on Windows. In these modes the kernel deliberately runs with reduced or minimal functionality so that maintenance such as patching, emergency remediation, or recovery can be performed. A solution that relies solely on a driver misses any change made in such a mode if that driver is disabled while the system is in it. An independent file checksum capability provides a backstop: a change with no matching recorder event still shows up as a checksum mismatch against the stored baseline and can be reported, giving overall coverage.
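The two failure modes above (a write-open that changed nothing, and a change made while the recorder was down) are easiest to see in code. The following is an added example, not Tanium's code and not a description of how Integrity Monitor is implemented internally: it reconciles a constructed stream of recorder events against MD5 checksums of a constructed set of monitored files and a stored baseline, suppressing events whose hash did not change and flagging hash changes that no recorder event explains. The event format, the `open_write` operation name and the file contents are all assumptions made for the illustration.

```python
"""Hybrid FIM reconciliation: recorder events cross-checked against checksums.

Added example (not Tanium's code). Two independent sources of evidence:
  * recorder events - a driver reports that a file was opened for write
  * checksum scan   - an independent pass hashes monitored files and
                      compares them with a stored baseline
The recorder alone alerts on every write-open, even when nothing changed.
The checksum scan alone catches changes the recorder never saw.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RecorderEvent:
    path: str
    op: str  # assumed operation name; "open_write" is the one we act on


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str  # "confirmed" | "suppressed" | "unrecorded"
    old_md5: Optional[str]  # None if the file is new
    new_md5: Optional[str]  # None if the file was deleted


def md5_hex(data: bytes) -> str:
    # MD5 matches the hash the page says the product reports; it is fine for
    # matching against indicators but is not collision resistant.
    return hashlib.md5(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every monitored file; this is the stored reference state."""
    return {path: md5_hex(content) for path, content in files.items()}


def reconcile(baseline: Dict[str, str],
              current_files: Dict[str, bytes],
              events: List[RecorderEvent]) -> List[Finding]:
    """Cross-check recorder events with checksum differences.

    confirmed  - recorder saw a write-open AND the hash changed
    suppressed - recorder saw a write-open but the hash is identical
    unrecorded - hash changed with no recorder event (recorder was down)
    """
    current = build_baseline(current_files)
    recorded = {e.path for e in events if e.op == "open_write"}
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        changed = old != new
        if path in recorded:
            findings.append(Finding(path, "confirmed" if changed else "suppressed", old, new))
        elif changed:
            findings.append(Finding(path, "unrecorded", old, new))
    return findings


# Constructed sample data: baseline snapshot and the state at the next scan.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",      # write-open, untouched
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",         # write-open, changed
    "/etc/hosts": b"127.0.0.1 localhost\n10.0.0.5 updates\n",  # changed while recorder was down
    "/root/.ssh/authorized_keys": b"ssh-ed25519 AAAA... ops\n",  # created, write-open recorded
}
EVENTS = [
    RecorderEvent("/etc/passwd", "open_write"),
    RecorderEvent("/etc/ssh/sshd_config", "open_write"),
    RecorderEvent("/root/.ssh/authorized_keys", "open_write"),
]


def demo() -> List[Finding]:
    return reconcile(build_baseline(BASELINE_FILES), CURRENT_FILES, EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:10} {f.path}  {f.old_md5} -> {f.new_md5}")
```

Only `confirmed` and `unrecorded` findings would be forwarded as alerts; the `unrecorded` class is exactly the backstop case, and it is worth tagging it distinctly in the SIEM so a recorder outage is investigated rather than silently folded into ordinary change reports.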
Because hybrid mode in Tanium Integrity Monitor reports the MD5 hash of each changed file, users can feed these events into the threat intelligence correlation rules they already run in their SIEM or other enterprise correlation tools. Standard Tanium Connect-based connectors can extend reputation services from within the Tanium console to IM-observed events. One caveat for practitioners: MD5 is suitable for matching files against known indicators, but it is not collision resistant, so a matching MD5 should not on its own be treated as proof that a file is benign or unchanged.
To learn more about Tanium Integrity Monitor and this latest release, please reach out to your account executive, or schedule a demo today.