File Integrity Monitoring
Once you have properly configured a workload and hardened it against attack, it is important to keep it that way. You need to be alerted if something changes: for example, an important file is modified, a user account is added, or a critical function such as the firewall is turned off. Any of these changes could indicate that the integrity of the workload is no longer 100%, which means it is no longer as hardened against attack as you believed it to be. The change might have been made unintentionally by someone on your staff, or it might have been made by a malicious attacker.
Halo Detect includes file integrity monitoring (FIM) which starts by generating a cryptographic hash of each file on each of your important workloads. Every hour, Halo generates a new hash and compares it to the baseline value. Even the smallest alteration in the file, such as changing the capitalization of a single character or adding or deleting a space, will cause the new hash to be different from the baseline value.
Unlike traditional FIM products, Halo Detect has been designed to operate efficiently in any environment, including dynamic environments that are characterized by fast rates of change and DevOps deployment toolchains. Halo Detect uses an ultra-lightweight agent that can be deployed automatically in any combination of data centers, private clouds or public clouds.
Log-based Intrusion Detection
Halo Detect monitors server log files for important event occurrences. It detects selected events that have been recorded in any number of system or application log files on any of your servers or cloud-based workloads. If you also enable Halo alerting, you can receive near-real-time alerts when the highest-priority events are logged.
A key advantage of log-based intrusion detection vs. other techniques that attempt to detect intrusions is its light impact. Because only specific, high-value events are logged into Halo, the massive gathering, storage, and analysis of voluminous events from hundreds to thousands of log files is avoided.
Halo Detect includes pre-built policy templates for Windows and Linux. For example, the template for Windows contains 43 pre-built rules that, if triggered by an event, may be an indication that your workload has been compromised. You can also easily add your own rules to the pre-built templates.