The CIA Triad
The CIA Triad references basic security principles from the early 1990s specific to Confidentiality, Integrity, and Availability. These three pillars stand as the fundamentals of software security. Every security best practice or framework references the need for these three pillars, either by name or in principle within its various domain or safeguard definitions.
Over time, we’ve come to know and understand what confidentiality and availability mean from Gartner and other analysts. However, one overlooked element has been the lack of definition of what integrity means to the software security practitioner and industry at large. So, what does integrity mean?
Integrity is often associated with File Integrity Monitoring (FIM), but the problem with this concept is that integrity is not achieved simply by detecting change. The real question is about the change itself. Was the change good or bad, expected or unexpected, malicious or accidental?
This blog will discuss integrity and its importance to an overall security strategy and mitigation of risk.
FIM and the CIA Triad
Over the past two decades, the end game of FIM stalled for a variety of reasons. The first integrity company became stagnant and lacked innovation, which continued to fuel the market's perception that deploying an effective integrity management tool or platform, one that could determine whether changes were good or bad, is complex and difficult. While telling good from bad seems simple in concept, the reality is that the detection of change is only the trigger: it kicks off a process made up of a series of detective controls that provide evidence that the change is either authorized or not. A multitude of controls make up a CIA framework, and the most basic and foundational of them are well documented in best practice frameworks and various other bodies of work.
As highlighted, the definition of “integrity” has not been very well established or discussed. If twenty different security experts were asked the definition of integrity, there would certainly be twenty different answers.
Integrity is the confidence and certainty that the appropriate controls and workflow processes are in place to ensure the accuracy and consistency of data throughout its entire life cycle of operation.
When there is a deviation to data (i.e. change) and no checks and balances to determine whether that change was authorized, integrity drift occurs, and risk is introduced to the security posture of infrastructures.
One fundamental difference in delivering an integrity solution is that it must steer away from the traditional view that everything must be managed by knowing and managing the bad in order to understand the good. This has never worked and never will. We must manage from a state of good or authorized change, where, by default, everything else is either a circumvented or a malicious change.
The analogous reference is our human bodies. Our bodies don’t have a list of all that is bad. Human bodies have white blood cells, which are a part of the immune system that protects the body from infection. These cells circulate throughout the body to respond to injury or illness by attacking any unknown organisms that enter it. In software security speak—white blood cells are the baseline or integrity of the health of your infrastructure.
What is Integrity Management
Let’s dive into integrity and understand what those controls and processes look like. An integrity management platform must be able to provide the following controls and functionality with a workflow and ticketing system to create a closed-loop environment of change. This process can determine, after the detection of change, if that change was expected or unexpected.
- System Hardening – Validate and verify that your infrastructure is hardened and secure, with either CIS Benchmarks or DISA STIGs as your root of trust.
- Configuration Management – The management and control of configurations and baselines for an information system to enable security and facilitate the management of risk.
- Change Control – The process of regulating and approving changes throughout the entire operational life cycle of an information system.
- Change Reconciliation – Compare observed changes against expected/authorized changes to highlight unwanted change(s), which are then treated as malicious or circumvented.
- Change Prevention – Prevent changes entirely for those files and directories that should never change, avoiding the start of a security breach or problem.
- Roll-back and Remediation – Restore to a trusted baseline; NOT to be confused with reprovisioning, these two are very different!
- File Allow-Listing – Leverage a database of known and trusted files, each with a unique hash (fingerprint or signature) and metadata, to validate and verify the integrity and authenticity of any file(s).
- File Reputation Services – A database of malware and signatures that can be used as ancillary data to identify and block malicious and dangerous files from execution.
- Digesting STIX/TAXII Feeds – Analyze and evaluate real-time security decisions and vulnerability risks with continuous streams of threat intelligence feeds.
- Workflow and Ticketing System – A process for managing a change once it has been detected.
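The following is an added example (not CimTrak's code or any product's implementation) that shows the change reconciliation and file allow-listing steps above working together as one closed loop: every deviation from a hashed baseline is matched against approved change tickets, checked against an allow-list of trusted hashes, and anything unmatched is queued for an incident ticket. All file contents, paths, ticket IDs and hashes are constructed sample data.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Fingerprint used for both the baseline and the allow-list."""
    return hashlib.sha256(data).hexdigest()

# Constructed trusted baseline: path -> hash of the content captured at last known-good state.
BASELINE_CONTENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/app": b"sample-app-build-v1",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
BASELINE = {p: sha256_hex(c) for p, c in BASELINE_CONTENT.items()}

# Constructed observed state: one unchanged file, one ticketed upgrade,
# one edited cron job nobody approved, and one new binary of unknown origin.
OBSERVED_CONTENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/app": b"sample-app-build-v2",
    "/etc/cron.d/backup": b"0 2 * * * root /tmp/unknown-script\n",
    "/usr/bin/unknown-tool": b"unknown-binary-content",
}

# Allow-list: hashes of vendor-published builds (the known-and-trusted file database).
ALLOW_LIST = {sha256_hex(b"sample-app-build-v1"), sha256_hex(b"sample-app-build-v2")}

# Approved change tickets (hypothetical IDs): ticket -> {path: expected hash after the change}.
TICKETS = {"CHG-1001": {"/usr/bin/app": sha256_hex(b"sample-app-build-v2")}}

def reconcile(baseline, observed, tickets, allow_list):
    """Classify each deviation from the baseline; unchanged files produce no finding."""
    expected = {path: (digest, tid) for tid, chg in tickets.items() for path, digest in chg.items()}
    findings = {}
    for path in sorted(set(baseline) | set(observed)):
        old = baseline.get(path)
        new = sha256_hex(observed[path]) if path in observed else None
        if old == new:
            continue  # no drift, nothing to reconcile
        digest, tid = expected.get(path, (None, None))
        authorized = new is not None and new == digest  # matches an approved ticket exactly
        findings[path] = {
            "kind": "deleted" if new is None else ("added" if old is None else "modified"),
            "verdict": "authorized" if authorized else "unauthorized",
            "ticket": tid if authorized else None,
            "allow_listed": (new in allow_list) if new else False,
        }
    return findings

def needs_incident_ticket(findings):
    """Closed loop: every unauthorized change opens a ticket for investigation or roll-back."""
    return [p for p, f in sorted(findings.items()) if f["verdict"] == "unauthorized"]
```

Note that the authorized /usr/bin/app change passes only because its new hash matches both the ticket and the allow-list; an edit that reaches the same path without a ticket would be flagged even if it was benign.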
Coupling the described controls above with a closed-loop workflow process enables security practitioners to achieve the fundamental business requirements of integrity while also reaping the benefits of increased availability, reliability, and ongoing compliance.
The Benefits of Integrity Management
- Detect security breaches/incidents in seconds as opposed to the industry average of 212 days.
- Contain security breaches/incidents in seconds as opposed to the industry average of 75 days.
- Early indication that there is a software supply chain security issue based on unauthorized changes occurring.
- Integrity functionality is the ONLY way to identify and prevent ransomware payloads from being added and executed.
- Detect zero-day breaches.
- Continuous compliance by capturing integrity evidence that demonstrates the controls are not only in place but operating as expected.
The radar graph above depicts the integrity functionality provided by CimTrak and its alignment to integrity. To learn more about how CimTrak delivers a fully encompassing integrity management solution that aligns with the “I” in the CIA Triad, follow the SANS WhatWorks link to learn more about SANS and Cimcor uncovering the benefits of a Next-Gen FIM solution.
February 14, 2023