The benefits of a capable and properly deployed File Integrity Monitoring (FIM) solution are plentiful:
- If you see unexpected or unexplained file changes, you can investigate immediately and resolve the issue quickly if your system has been compromised.
- You can reconcile changes against change tickets or a list of approved changes in a text file or spreadsheet.
- You can determine if changes take configurations out of policy (impact hardening standard).
- You can automate responses to specific types of changes—for example, flag the appearance of a DLL file (high-risk) but auto-promote a simple modification to a DLL file (low-risk).
And the importance of FIM cannot be overstated. Let’s not forget what the Center for Internet Security (CIS) says in its Distribution Independent Linux Benchmark version 2.0.0:
“Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).”
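The benefits listed above (reconciling changes against an approved list, automating responses by change type) and the CIS checks in the quote (owner/permission changes, extra files in key areas) in working form, as an added example that is not Tripwire code: a minimal baseline-and-diff monitor with a triage rule that mirrors the post’s DLL example. The baseline format, the severity labels, the file names and the approved-change set are all constructed for the demo.

```python
import hashlib, os, pathlib, stat, tempfile

def snapshot(root):
    """Constructed baseline format: relative path -> (sha256, permission bits, owner uid)."""
    snap = {}
    for p in (q for q in pathlib.Path(root).rglob("*") if q.is_file()):
        st = p.lstat()
        snap[str(p.relative_to(root))] = (hashlib.sha256(p.read_bytes()).hexdigest(),
                                          stat.S_IMODE(st.st_mode), st.st_uid)
    return snap

def diff_snapshots(baseline, current):
    """Classify each path as added, removed, modified (content) or perm_change (mode/owner only)."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        b, c = baseline.get(path), current.get(path)
        kind = ("added" if b is None else "removed" if c is None else
                "modified" if b[0] != c[0] else "perm_change" if b[1:] != c[1:] else None)
        if kind:
            changes.append((path, kind))
    return changes

def triage(changes, approved):
    """Reconcile against approved changes, then apply the post's DLL rule and the CIS permission check."""
    report = []
    for path, kind in changes:
        is_dll = path.lower().endswith(".dll")
        if (path, kind) in approved:
            sev = "approved"   # matches a change ticket: reconcile and move on
        elif (is_dll and kind == "added") or kind == "perm_change":
            sev = "HIGH"       # new DLL appearing, or owner/permission change: investigate
        elif is_dll and kind == "modified":
            sev = "low"        # simple modification to a known DLL: auto-promote (site-specific tuning)
        else:
            sev = "medium"
        report.append((path, kind, sev))
    return report

def demo():
    """Constructed scenario in a temp dir: take a baseline, then make four changes of different kinds."""
    root = tempfile.mkdtemp()
    put = lambda name, data: pathlib.Path(root, name).write_bytes(data)
    put("app.dll", b"v1"); put("app.conf", b"key=1"); put("notes.txt", b"x")
    os.chmod(os.path.join(root, "app.conf"), 0o640)
    baseline = snapshot(root)
    put("inject.dll", b"??")                         # unexpected new DLL appears
    put("app.dll", b"v2")                            # existing DLL patched
    os.chmod(os.path.join(root, "app.conf"), 0o666)  # config made world-writable
    os.remove(os.path.join(root, "notes.txt"))       # removal covered by a change ticket
    return triage(diff_snapshots(baseline, snapshot(root)), {("notes.txt", "removed")})
```

Running `demo()` yields one triaged line per change; in a real deployment the approved set would come from the change-ticket system and the rules from the tuning described later in the post.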
The Value Provided by FIM
Let’s face it, File Integrity Monitoring (FIM) can be “noisy” and a large time commitment if you let it get out of control. With a well-chosen solution, light care and feeding, and tuning to match environment changes, you can keep the Five Stages of FIM from overburdening your resources. Let’s simplify, and look at FIM in terms of the value it provides to an organization:
- Something in your monitored environment changed.
- Something changed, and it was unexpected.
- Something changed, it was unexpected, and it was bad.
- Something changed, it was unexpected, it was bad, and here’s how to get back to the known and trusted state.
- Something changed, it was unexpected, it was bad, here’s how to fix it, and let’s tune our solution to minimize noise in the future.
If you have no solution, or if your solution doesn’t help you quickly address these changes, it’s easy to understand how FIM can act like “the one that got away.” One of the most important things you can do to advance FIM in your organization is to narrow its scope to the use cases that solve compliance, security, and operational problems, probably in that order, and probably starting with the five stages (levels of complexity) listed above. A good example is SOX compliance, where the organization has “locations” involved in producing SOX-related content. Those may be files, directories, applications, or even database fields, but NOT all files, all directories, or all applications. Organizations on the more mature side of FIM will say, “We have 135 locations associated with SOX data that could be audit points. We need to know what changes happened, including a baseline, to ensure there was not malfeasance in the creation of our financial reports in those (very specific) places.”
Realizing FIM with Tripwire ExpertOps
Organizations purchase FIM solutions for a few different reasons. Some are looking for an inexpensive “checkbox” solution to show due diligence against legal action, while others are concerned about the impact of change on operational uptime. At Tripwire, we help our clients take advantage of everything that FIM has to offer through a specific service that addresses the varied use cases for file integrity monitoring. We call this service “ExpertOperations,” or “ExpertOps” for short. In a nutshell, customers get a dedicated managed services engineer who works under one of several tiers of service, delivering everything from standard Tripwire reports to full integration with their Security Information and Event Management (SIEM) solution, integration with their change management solution, and more. The Tripwire experts who run and manage this service are dedicated to addressing customers’ specific needs, and they partner with customers to make their projects successful over time. By recognizing the value of FIM, focusing your efforts where you MUST and WANT to, and narrowing your horizon to the critical few, you too can reap the advantages of FIM in your organization. Learn more about Tripwire’s FIM solutions here.