Once upon a time there was Change Audit. It was invented by Tripwire and it was good.
Then along came VISA CISP (Cardholder Information Security Program) in June 2001 and Change Audit had a makeover. It was renamed File Integrity Monitoring, or FIM for short, and referenced in requirements 10.5 and 11.5 of the CISP specification. So as not to confuse anyone as to the meaning of FIM, VISA parenthetically referenced Tripwire by name in requirement 10.5.5: “10.5.5 Use file integrity monitoring/change detection software (such as Tripwire) on logs to ensure that existing log data cannot be changed without generating alerts”.
The purpose of FIM was to alert security teams when unauthorized changes were detected so they could be remediated before any harm came to cardholder data. Sounds simple, right?
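Requirement 10.5.5 asks for something more specific than “tell me when the file changed”: a log is supposed to grow, so appending new entries must not alert, while rewriting or truncating entries that already existed must. The following Python is an added illustration of that append-aware check (it is not from the original post and not Tripwire’s code); the sample log lines, the `Baseline` structure and the `log` / `critical` policy labels are constructed for the example. The `critical` policy shows the stricter rule you would apply to a binary or configuration file, where any change at all is alertable.

```python
"""Append-aware change detection for log files, plus strict detection for
critical files. Added illustration, not Tripwire's code; sample data is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    length: int   # size of the file when the baseline was taken
    digest: str   # SHA-256 of those `length` bytes


def take_baseline(data: bytes) -> Baseline:
    """Record the size and hash of the file as it is right now."""
    return Baseline(len(data), hashlib.sha256(data).hexdigest())


def classify_log(data: bytes, base: Baseline) -> str:
    """Classify a log file against its baseline.

    A log is expected to grow, so bytes added after the old end are not an
    alert. Any change to the bytes that existed at baseline time is.
    Returns 'unchanged', 'appended', 'modified' or 'truncated'.
    """
    if len(data) < base.length:
        return "truncated"
    # Hash only the prefix that existed at baseline time and compare it.
    if hashlib.sha256(data[: base.length]).hexdigest() != base.digest:
        return "modified"
    return "unchanged" if len(data) == base.length else "appended"


def classify_critical(data: bytes, base: Baseline) -> str:
    """For a file that must not change at all (binary, config): any difference alerts."""
    return "unchanged" if take_baseline(data) == base else "modified"


def should_alert(kind: str, data: bytes, base: Baseline) -> tuple:
    """kind is 'log' or 'critical' (assumed policy labels for this example).
    Returns (alert: bool, state: str)."""
    if kind == "log":
        state = classify_log(data, base)
    else:
        state = classify_critical(data, base)
    return state in ("modified", "truncated"), state


# Constructed sample log contents (not real data).
SAMPLE_LOG = (
    b"2001-06-01T10:00:00 auth ok user=alice\n"
    b"2001-06-01T10:05:00 auth ok user=bob\n"
)


def demo() -> dict:
    """Run the four interesting cases against a baseline of SAMPLE_LOG."""
    base = take_baseline(SAMPLE_LOG)
    cases = {
        # nothing happened
        "same": SAMPLE_LOG,
        # normal operation: a new entry was appended
        "append": SAMPLE_LOG + b"2001-06-01T10:09:00 auth FAIL user=bob\n",
        # an existing entry was edited in place (same length, so size alone would miss it)
        "rewrite": SAMPLE_LOG.replace(b"user=bob", b"user=eve"),
        # the log was cut short to remove evidence
        "truncate": SAMPLE_LOG[:40],
    }
    return {name: should_alert("log", data, base) for name, data in cases.items()}


if __name__ == "__main__":
    for name, (alert, state) in demo().items():
        print(f"{name:9s} state={state:10s} alert={alert}")
```

Note that the in-place rewrite leaves the file size unchanged; a monitor that only tracks size or modification time would report nothing, which is exactly the gap hashing the original prefix closes.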
Not wanting to be left on the sidelines, the other card brands jumped on the bandwagon: together with VISA they merged their programs into PCI DSS 1.0 in December 2004 and formed the PCI Security Standards Council in September 2006. As with all things that are too good to be true, the PCI Council decided to remove all references to vendor solutions from the specification, and Tripwire’s name vanished from version 1.1 of PCI DSS. Much time has passed since the Tripwire name faded from the pages of PCI DSS, and along with it the true meaning of FIM has vanished, too.
FIM is important. FIM improves security. FIM provides protection for cardholder data.
FIM’s purpose is to find changes that increase the risk of compromise to cardholder data before those changes do harm. But merchants who are subject to FIM requirements, and those who are tasked with enforcing FIM’s intent and spirit, have lost sight of that purpose and, therefore, tarnished its reputation. For many, FIM has become synonymous with “noise”. Not so at Tripwire! We believe FIM deserves a seat at the head of the security table.
True FIM, Tripwire FIM, is a critical tool in the fight against cardholder data compromise. Tripwire FIM is the only FIM that is dedicated to, and capable of, alerting security teams to changes that pose an increased threat to cardholder data. All other FIM tools do little more than report that a large number of files have changed; they offer virtually no additional information to help determine whether any of those changes pose risk. Since the purpose of FIM is to find change that poses risk and alert on that risk, these “pseudo” FIM tools are nearly useless in that fight.
What makes Tripwire FIM so different, and such a powerful tool for reducing the risk of cardholder data compromise, or compromise of any other IT asset for that matter? Stay tuned for our series of posts on FIM and we’ll tell you.