No matter how well-designed it is, a security program will never prevent every digital attack. But an assault need not escalate into a data breach. Organizations can reduce the likelihood of a major incident by investing in key security controls.
One such fundamental security component is FIM. Short for “file integrity monitoring,” FIM helps organizations monitor, detect, and manage all changes to a system’s state. The control doesn’t rely on any attack signatures, exploits, or vectors. Instead it uses an approved system state as a reference point to answer the question: “Are systems still in a secure and trusted state?”
FIM is essential to an organization’s proactive threat defense capabilities in that it can help a company detect an unauthorized or malicious change before it escalates into a breach. But that’s not all it does. On the flip side, FIM is integral to helping organizations that have suffered a breach understand what happened. It’s therefore no wonder nearly every security and compliance framework includes a control for FIM.
Of course, not every use case of file integrity monitoring is the same. For instance, change auditing is by far the most people- and process-intensive case because it keeps a record of every change and uses an automated process to detect unapproved modifications. Because it is so intensive, organizations should reserve change auditing for only the most important systems, those that have change control processes built around them. By contrast, they can deploy less-intensive FIM orientations like change logging (change auditing without the automated approval process) and endpoint detection and response (monitoring for malicious changes) more broadly across their networks.
Deciding which assets FIM should cover, and how closely to monitor them, comes down to where available resources can produce a security benefit on the monitored systems. That’s not so hard. Compliance requirements and regulations can influence prioritization. But what’s sometimes difficult is figuring out whether, and to what extent, a file integrity monitoring solution is effective.
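As an added illustration of the baseline-and-compare idea described above (example code, not Tripwire’s product or anything from the guide), the Python below takes an approved snapshot as the reference point, diffs the current state against it, and uses a hypothetical change-control list to decide which detected changes are approved (change auditing) versus merely logged (change logging). The file names and contents are constructed for the demo.

```python
"""Baseline-and-compare file integrity check (added example, not Tripwire code)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Approved system state: relative path -> attributes that must not drift.
    Real agents stream large files; read_bytes() is fine for this small demo."""
    return {
        p.relative_to(root).as_posix(): {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "mode": p.stat().st_mode & 0o777,
        }
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict, current: dict, approved: frozenset = frozenset()) -> list:
    """Diff two states. Each event is (kind, path, approved): 'approved' means a
    change-control record covers the path; with an empty set everything is just logged."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "modified"          # content or permission drift
        else:
            continue
        events.append((kind, path, path in approved))
    return events


def demo() -> list:
    """Constructed scenario: one ticketed edit, one unapproved edit, a new file, a deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "motd").write_text("welcome\n")
        baseline = snapshot(Path(tmp))                          # trusted reference point
        (etc / "motd").write_text("maintenance tonight\n")      # covered by a change ticket
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")  # nobody approved this
        (etc / "ntp.conf").write_text("server time.example\n")  # unexpected new file
        (etc / "hosts").unlink()                                # unexpected deletion
        return compare(baseline, snapshot(Path(tmp)), approved=frozenset({"etc/motd"}))


if __name__ == "__main__":
    for kind, path, ok in demo():
        print(f"{'APPROVED  ' if ok else 'UNAPPROVED'} {kind:<8} {path}")
```

Only the unapproved events need a human to look at them; the approved one is reconciled automatically against the ticket, which is the difference between auditing and plain logging.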
To answer that question, Tripwire has published Security Reference Architecture: A Practical Guide to Implementing Foundational Controls. The resource identifies metrics that companies can use to evaluate the effectiveness of their FIM tools. It also explains how organizations stand to benefit from integrating FIM with a variety of systems, including security configuration management, vulnerability management, ticket/software remediation systems, and others.
To learn more about how FIM can strengthen your organization’s security program; protect against availability, reliability, and operational failures; and reduce risk, please download Tripwire’s guide here.