Change is prolific in organizations’ IT environments. Hardware assets change. Software programs change. Configuration states change. Some of these modifications are authorized insofar as they occur during a patch cycle; some cause concern by their unexpected nature.
Organizations commonly respond to such dynamism by investing in asset discovery and secure configuration management (SCM). These foundational controls allow companies to track their devices and monitor those products’ configurations. Even so, companies are left with an important challenge: reconciling change in important files.
For that challenge, enterprises turn to file integrity monitoring.
Otherwise known as change monitoring, file integrity monitoring (FIM) is a foundational control that involves examining files to see if and when they change, how they change, who changed them, and what can be done to restore those files if those modifications are unauthorized. Companies can leverage the control to supervise static files for suspicious modifications such as adjustments to their IP stack and email client configuration. As such, FIM is useful for detecting malware as well as achieving compliance with regulations like the Payment Card Industry Data Security Standard (PCI DSS).
There are five steps to file integrity monitoring. These are as follows:
- Setting a policy: FIM begins when an organization defines a relevant policy. This step involves identifying which files on which computers the company needs to monitor.
- Establishing a baseline for files: Before they can actively monitor files for changes, organizations need a reference point against which they can detect alterations. Companies should, therefore, document a baseline, or a known good state for files that will fall under their FIM policy. This standard should take into account version, creation date, modification date, and other data that can help IT professionals provide assurance that the file is legitimate.
- Monitoring changes: With a detailed baseline, enterprises can proceed to monitor all designated files for changes. They can augment their monitoring processes by auto-promoting expected changes, thereby minimizing false positives.
- Sending an alert: If their file integrity monitoring solution detects an unauthorized change, those responsible for the process should send out an alert to the relevant personnel who can fix the issue.
- Reporting results: Sometimes companies using FIM for ensuring PCI DSS compliance. In that event, organizations might need to generate reports for audits in order to substantiate the deployment of their file integrity monitoring assessor.
To complement the phases described above, organizations should look for additional features in their file integrity monitoring solution. That functionality should include, for example, a lightweight agent that can toggle “on” and “off” and can accommodate additional functions when necessary. The solution should also come with total control over a FIM policy. Such visibility should incorporate management, (Out-of-the-box policy customizations should come with the solution.) granularity, (The product should be capable of supporting different policies according to device type.) editing, (Organizations should have the ability to revise a policy according to their individual requirements.) and updates. (All systems should quickly update via content downloads.)
Tripwire’s file integrity monitoring solution focuses on adding business context to data for all changes that occur in an organization’s environment. As such, it provides IT and security teams with real-time intelligence that they can use identify incidents that are of real concern. It also helps personnel learn the who, what, when, and how of a change, data which they can use to validate planned modifications.
To learn more about Tripwire’s file integrity monitoring solution, click here.
File integrity monitoring is just one of the foundational controls for which organizations should look when purchasing a new solution.
Please download this white paper for information on other core security measures of interest.