Detect and manage changes better with File Integrity Monitoring

August 19, 2022
Makarand

In any organization’s IT environment, change is a constant. Hardware gets replaced. Software is updated or swapped out. Network configurations, user roles and privileges all change all the time.

Many companies have asset discovery & secure configuration management (SCM) software in place, within which these changes are usually pre-authorized. But in many cases such systems are not treated with the respect they deserve: the urgency of getting things done often overrides the sanctity of the process. Hence, while most of these changes are authorized, some are not.

In the case of an unauthorized change there is often a dilemma: was the change intended, or does it indicate a cyberattack or malware activity? Hence it is necessary to monitor all IT assets at all times and to detect and flag every change, whether authorized or unauthorized.

Moreover, most SCM deployments are pretty elementary. These solutions help organizations build an inventory of devices & monitor those products’ configurations from time to time, but they do not provide information about important file-level changes. This gap is filled by a FIM solution.

What is FIM?

File Integrity Monitoring, popularly known as FIM, is an integral part of an IT security policy framework. A FIM solution runs change-auditing scans, analyses & reports on operating systems, databases & application software to determine whether they have been tampered with. FIM creates a digital fingerprint of the files. Both reactive auditing and proactive rule-based active monitoring are possible using FIM.

The FIM technology first audits and analyses the selected files and generates a known-good baseline digital fingerprint of each. Thereafter, on each subsequent scan it compares the freshly computed fingerprint of a file with the last known-good baseline fingerprint.

A good quality FIM tool is needed to monitor the various elements of the IT environment such as OS, Database, Middleware, Servers, Network Devices, Active Directory, Hypervisor, Cloud-based Services etc. The FIM software looks at many aspects of the files, such as

  • Settings which are created, modified & accessed
  • Credentials 
  • File contents
  • Security & privileges
  • Configuration values

While a FIM audit can be carried out at any time, it is best if it is done at regular intervals.

An enterprise-grade FIM solution needs to provide insights into change management, centralized logging & reporting, alerts etc. FIM specifically involves examining files to see if and when they’ve changed, how they’ve changed, who changed them, and what can be done to restore those files if those modifications are unauthorized.

Implementation Steps

Important steps for File Integrity Monitoring: 

  1. Setting up a policy => this involves identifying the assets to be monitored: which files on which device.
  2. Setting up a baseline for files => Organizations need a reference point against which they can detect alterations. This is called the baseline. This de-facto standard baseline version includes the file’s creation date, modification date & any other data that needs to be monitored for consistency, and it is treated as the reference point going forward.
  3. Monitoring the changes => the organization continuously checks the digital fingerprint of the selected files against the reference baseline to detect any changes.
  4. Sending alerts => When the FIM solution detects an unauthorized, undesired or unexpected change, an alert needs to be sent immediately to the relevant team so that the issue can be remediated quickly.
  5. Documentation => The FIM solution generates reports and logs of baseline creations and digital fingerprint comparisons for audit and forensic purposes.
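The five steps above as one runnable sketch in Python. This is an added example, not code from the post or from any FIM product: the policy is assumed to be a list of glob patterns, the fingerprint is SHA-256 plus size, permission bits and modification time, and the baseline is kept as JSON so it can be stored and audited.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Step 2: digital fingerprint of one file (content hash plus the metadata FIM watches)."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode)), "mtime": int(st.st_mtime)}

def scan(root: Path, policy: list) -> dict:
    """Step 1 (policy = glob patterns under root) feeding step 2/3: fingerprint every match."""
    result = {}
    for pattern in policy:
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                result[str(p.relative_to(root))] = fingerprint(p)
    return result

def compare(baseline: dict, current: dict) -> list:
    """Step 3/4: diff a fresh scan against the baseline; each event is something to alert on."""
    events = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            events.append({"file": name, "change": "added"})
        elif new is None:
            events.append({"file": name, "change": "removed"})
        else:
            changed = [k for k in old if old[k] != new[k]]
            if changed:
                events.append({"file": name, "change": "modified", "fields": changed})
    return events

def demo() -> list:
    """Constructed scenario: baseline a config directory, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        os.chmod(root / "etc" / "app.conf", 0o644)
        (root / "etc" / "users.txt").write_text("alice\n")
        policy = ["etc/*"]
        saved = json.loads(json.dumps(scan(root, policy)))   # step 5: persisted baseline
        (root / "etc" / "app.conf").write_text("debug=true\n")  # content edit
        os.chmod(root / "etc" / "app.conf", 0o600)              # permission change
        (root / "etc" / "users.txt").unlink()                   # deletion
        (root / "etc" / "cron.sh").write_text("#!/bin/sh\n")    # unexpected new file
        return compare(saved, scan(root, policy))
```

Each event from `compare` is what step 4 would route to the responsible team, and the JSON baseline plus the event list is the record step 5 keeps for audits.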

FIM is useful for detecting malware as well as for achieving compliance with regulations like PCI DSS, NERC CIP, FISMA, SOX, NIST and HIPAA, and other such best practice frameworks.

Considerations for a good FIM solution

Considering that FIM plays a major role in compliance monitoring, a correct selection of a FIM solution becomes very critical. I recommend considering the below points for selecting the FIM solution for your business.

  • Customization: The solution should provide built-in policy customization.
  • Editing: The organization should be able to edit the policies according to changes in security policy requirements, such as the Center for Internet Security (CIS) benchmarks.
  • Automatic Rollback: File Integrity Monitoring must be part of a broader auditing & security solution that also includes automatic rollback of changes to an earlier known-good version.
  • Audit Trail: The tool should be able to generate a non-editable (tamper-proof) audit trail for every change detected in the environment.

So if you haven’t yet implemented anything on the FIM front, do reach out to us and our team shall be happy to guide you.
