There’s a lot more to file integrity monitoring than simply detecting change. Although FIM is a common policy requirement, there are many FIM capabilities and processes you can elect to implement or not. These can vary from a simple “checkbox” compliance tool to the option to build effective security and operational controls. These decisions directly affect the value your organization gains from FIM.
This buyer’s guide helps you better understand:
- What is file integrity monitoring?
- What should be monitored?
- Key product requirements
- Operational and security requirements
- Integration and reporting requirements
What Is FIM software?
In an IT network, a file can range from a simple text file to a configuration script, and any change can compromise its integrity. A change to a single line item in a 100-line script could prove detrimental to the entire file or even the operating system. For example, assigning the wrong IP address to a startup script or a newly installed network printer could disrupt the network. Below are some examples of the type of configuration settings a file integrity monitoring solution detects and monitors:
File integrity monitoring (FIM) solutions, also called change auditing solutions, ensure the files for a server, device, hypervisor, application, or other element in the IT infrastructure remain in a known good state, even in the face of inevitable changes to these files. Ideally, a FIM solution not only detects any changes to files, but also includes capabilities that help IT immediately remediate issues caused by improper change.
When IT deploys a system/component into its technology infrastructure, it typically does so with the knowledge that the component is initially configured appropriately. A FIM solution captures the known good state of the entire system’s IT configuration settings when it is deployed — or when it has been configured with recommended settings — and uses this state as a baseline configuration against which the solution can compare a later configuration. Many times this configuration state is referred to as a golden, compliance, or configuration baseline. A baseline-to-current-configuration comparison lets the solution immediately and automatically detect discrepancies caused by change.
Given the rapid deployment of virtual machines, an ideal file integrity monitoring solution would also include in the baseline the configurations of virtual environment elements. These elements include the physical server, hypervisor, each guest OS, and all applications and databases running on a guest OS.
When the solution detects change, IT needs to determine whether or not the integrity of a file has been compromised and whether the change requires immediate attention. IT should have the ability to specify which devices and files are critical — and therefore require high-level, immediate attention — versus those that do not. For example, the configuration file of an e-commerce site or a database populated with sensitive customer financial or medical data would warrant immediate attention, while configuration changes to non-critical systems could be given a “best effort” response.
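The baseline-to-current comparison and the critical versus “best effort” triage described above, shown as an added example (not Tripwire's code): it records a SHA-256 digest and the permission bits for each file, so a permission-only change is caught as well as a content change. The `CRITICAL` pattern, the file paths and the file contents are constructed for illustration.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

CRITICAL = ["etc/shop/*.conf"]  # hypothetical patterns for files needing immediate attention

def snapshot(root):
    """Record SHA-256 and permission bits for every regular file under root."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = path.stat().st_mode & 0o7777  # permission bits only
            state[path.relative_to(root).as_posix()] = (digest, mode)
    return state

def compare(baseline, current, critical=CRITICAL):
    """Diff current state against the baseline; critical findings sort first."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            change = "removed"
        elif rel not in baseline:
            change = "added"
        elif baseline[rel][0] != current[rel][0]:
            change = "content"
        elif baseline[rel][1] != current[rel][1]:
            change = "permissions"
        else:
            continue  # matches the known good state
        hit = any(fnmatch.fnmatch(rel, pat) for pat in critical)
        findings.append(("critical" if hit else "best-effort", change, rel))
    return sorted(findings, key=lambda f: f[0] != "critical")

def demo():
    """Constructed sample tree: baseline it, change two files, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        conf, motd = Path(tmp, "etc/shop/site.conf"), Path(tmp, "etc/motd")
        conf.parent.mkdir(parents=True)
        conf.write_text("printer_ip=10.0.0.5\n")
        motd.write_text("welcome\n")
        baseline = snapshot(tmp)
        conf.write_text("printer_ip=10.0.0.50\n")  # one-line change to a critical file
        motd.unlink()                              # non-critical file removed
        return compare(baseline, snapshot(tmp))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```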
Superior file integrity monitoring — FIM that includes compliance policy management — requires not only the detection and reporting of unauthorized changes, specific types of changes, changes made under certain conditions and user-specified severity of changes, but also an assessment of how an existing (or just changed) configuration compares with established organizational and regulatory guidelines.