The Value of True File Integrity Monitoring

A Critical Control for Protecting Data Integrity


File Integrity Monitoring (FIM) is a technology that monitors for changes in files that may indicate a cyberattack. In many organizations, however, FIM mostly means noise: too many changes, no context around these changes, and little insight into whether a detected change actually poses a risk.

What does file integrity monitoring do? FIM, and often referred to as “change audit” was around long before its early reference in the ever-evolving PCI standard. So, here we are years later… Where is FIM now? Is it still relevant or important? Does it really protect data and improve security?

FIM is still around—in fact, it’s now part of almost every IT compliance regulation and standard as well as every IT security standard. And some still refer to it as change audit. Yes, FIM is still relevant and important—although many organizations that must use FIM solutions complain that the term “FIM” is now synonymous with “noise,” due to the huge volume of changes these solutions detect and report on.

Download your copy of this whitepaper discussing the key attributes of truly effective file integrity monitoring, including:

  • Detecting changes in real-time
  • Identifying exactly what changed and by whom
  • Determining which changes increase risk
  • Determining which changes result in non-compliance
  • Distinguishing between authorized and unauthorized changes

FIM protects data and improves security—but only when FIM has specific capabilities and only when the information it provides is truly actionable.

FIM Use Cases and the True Intent of File Integrity


Knowing only that a file has changed is of little value unless you know what about or within the file has changed. Each file has dozens of attributes that, if changed, could indicate or cause trouble. Capturing these attributes can provide information essential in determining if the change is harmful or harmless—it tells you exactly what within a file changed so you can quickly determine if the change was high-risk and provides the information required to fix the issue. A true FIM solution will be able to harvest this level of information, including changes to configuration files and even character-for-character differences to human-readable file types like Word documents or PDFs.

In addition, knowing who made a change is often key to determining if a change is suspect or low-risk. But capturing the “who” data is not easy, and most FIM solutions are unable to provide this important information. Most FIM solutions available today need to enable OS Auditing on the monitored device to harvest this information; yet most IT professionals will not allow this due to concerns about security. The use of real-time detection agents installed on each monitored device overcomes this issue.

Many changes are intended to make improvements or to correct problems. However, just because a change is proposed and scheduled does not mean that it was actually made or made correctly. Being able to confirm that a change has successfully been made is critical, otherwise improvements that you think were made are not always realized and problems remain when you think they have been resolved. A true FIM solution needs to detect a change and compare that change against what was expected, providing independent confirmation of change processes and policies.

What is the Purpose of File Integrity Monitoring?


File integrity monitoring is technology that monitors and detects changes in files of all types—changes that can lead to increased risk of data compromise. Unfortunately, many organizations subject to FIM in their regulatory requirements have lost sight of its intent and spirit. For them, FIM means noise: too many detected changes, no context around those changes, and very little insight into whether or not a given change poses a risk or is just business-as-usual. It’s hard to argue with this criticism given their experience with typical FIM tools.

FIM actually is a critical control in the fight against data compromise. However, a true FIM tool must provide additional information. That information—or intelligence—would allow it to alert security teams only to changes that pose increased threat to protected data, and not to the hundreds of thousands (or even millions) of changes that occur daily across large, enterprise-level IT infrastructure.

PCI DSS File Integrity Monitoring & Integrity Checkers


PCI DSS (the Payment Card Industry Data Security Standard) requires merchants to “…alert on unauthorized modification of critical system, content or configuration files…” but the term “unauthorized” is fairly misleading. Many interpret the term to mean that they must measure how well the organization adheres to change process policy. In fact, the intent of the term in the requirement is for organizations to be alerted to changes that are undesirable and could put cardholder data at risk of compromise. The 11.5.b Testing Procedure that was added in version 2.0 of the security standard clarifies that it is an audit requirement to “Verify the tools are configured to alert personnel to unauthorized modification of critical files…”

Whether a detected change can be reconciled to some form of authorization or not fails to address the issue of a “bad” change; that is, a change that exposes a device or application to increased risk of compromise. Finding bad change is the issue that must be addressed by FIM—and that is the true intent of the PCI DSS 11.5 requirement in our example. And not only should FIM detect bad change, it should detect it immediately so the damage can be minimized.

A true FIM solution helps organizations automatically determine if detected change is authorized. More importantly, a true FIM helps automatically determine if a change is suspect and needs immediate investigation, or is expected and can be considered low- or no-risk.