File integrity monitoring (FIM) exists because change is prolific in organizations’ IT environments. Hardware assets change. Software programs change. Configuration states change. Some of these modifications are authorized insofar as they occur during a patch cycle; some cause concern by their unexpected nature.
Organizations commonly respond to such dynamism by investing in asset discovery and secure configuration management (SCM). These foundational controls allow companies to track their devices and monitor those products’ configurations. Even so, companies are left with an important challenge: reconciling change in important files. For that challenge, enterprises turn to FIM.
What Exactly is File Integrity Monitoring?
File integrity monitoring was invented in part by Tripwire founder Gene Kim and went on to become a security control that many organizations build their cybersecurity programs around. The term “file integrity monitoring” was widely popularized by the PCI standard.
FIM is a technology that monitors and detects changes in files that may indicate a cyberattack. Unfortunately, for many organizations, FIM mostly means noise: too many changes, no context around these changes, and very little insight into whether a change actually poses a risk. FIM is a critical security control, but it must provide sufficient insight and actionable intelligence.
Otherwise known as change monitoring, file integrity monitoring involves examining files to see if and when they change, how they change, who changed them, and what can be done to restore those files if those modifications are unauthorized.
Companies can leverage the control to supervise static files for suspicious modifications such as adjustments to their IP stack and email client configuration. As such, FIM is useful for detecting malware as well as achieving compliance with regulations like the Payment Card Industry Data Security Standard (PCI DSS).
3 Advantages of Running a Successful File Integrity Monitoring Program
- Protect IT Infrastructure: FIM solutions monitor file changes on servers, databases, network devices, directory servers, applications, cloud environments, virtual images and to alert you to unauthorized changes.
- Reduce Noise: A strong FIM solution uses change intelligence to only notify you when needed—along with business context and remediation steps. Look for detailed security metrics and dashboarding in your FIM solution.
- Stay Compliant: FIM helps you meet many regulatory compliance standards like PCI-DSS, NERC CIP, FISMA, SOX, NIST and HIPAA, as well as best practice frameworks like the CIS security benchmarks.
How File Integrity Monitoring Works (in 5 Steps)
There are five steps to file integrity monitoring:
- Setting a policy: FIM begins when an organization defines a relevant policy. This step involves identifying which files on which computers the company needs to monitor.
- Establishing a baseline for files: Before they can actively monitor files for changes, organizations need a reference point against which they can detect alterations. Companies should, therefore, document a baseline, or a known good state for files that will fall under their FIM policy. This standard should take into account the version, creation date, modification date, and other data that can help IT professionals provide assurance that the file is legitimate.
- Monitoring changes: With a detailed baseline, enterprises can proceed to monitor all designated files for changes. They can augment their monitoring processes by auto-promoting expected changes, thereby minimizing false positives.
- Sending an alert: If their file integrity monitoring solution detects an unauthorized change, those responsible for the process should send out an alert to the relevant personnel who can fix the issue.
- Reporting results: Sometimes companies use FIM tools for ensuring PCI DSS compliance. In that event, organizations might need to generate reports for audits in order to substantiate the deployment of their file integrity monitoring assessor.
4 Things to Look for When Assessing File Integrity Monitoring Tools
To complement the phases described above, organizations should look for additional features in their file integrity monitoring solution. That functionality should include, for example, a lightweight agent that can toggle “on” and “off” and can accommodate additional functions when necessary. The solution should also come with total control over a FIM policy. Such visibility should incorporate:
- Management: Out-of-the-box policy customizations should come with the solution.
- Granularity: The product should be capable of supporting different policies according to the device type.
- Editing: Organizations should have the ability to revise a policy according to their individual requirements.
- Updates: All systems should quickly update via content downloads.
File Integrity Monitoring with Tripwire
Tripwire’s file integrity monitoring solution focuses on adding business context to data for all changes that occur in an organization’s environment. As such, it provides IT and security teams with real-time intelligence that they can use to identify incidents that are of real concern. It also helps personnel learn the who, what, when, and how of a change, data which they can use to validate planned modifications.
File integrity monitoring is just one of the foundational controls for which organizations should look when purchasing a new solution. Here are three core components of a FIM solution:
Every security breach begins with a single change. A small alteration to one file can expose your whole network to a potential attack. File integrity monitoring, in its simplest sense, is about keeping track of change from an established baseline and alerting you to any unexpected change that may represent a security risk or a compromise in regulatory compliance. Whether it’s a phishing scam, DDoS attack, malware, ransomware or insider threat, your FIM solution should alert you right away anytime a cybercriminal is penetrating your system.
Comparing Against a Secure Baseline
In order to know which file changes are relevant to your security, you must first establish an authoritative data integrity baseline. A FIM solution like Tripwire® File Integrity Manager will capture your system’s configuration baseline and deliver the “who, what and when” details of each relevant file change—without bogging you down in notifications about routine changes.
Automated Remediation Guidance
A FIM solution is only useful if it clearly communicates the steps you need to take once a suspicious change is identified. Once your FIM solution flags a suspicious change from your established security baseline, it should provide immediate steps for remediation. Automated FIM solutions help you return to your baseline quickly. Advanced FIM products can also integrate with other security solutions like log management, vulnerability management and security configuration management (SCM), as well as your DevOps tools.
Please download the white paper FIM Isn’t Just for Files Anymore for information on other core security measures of interest.