File Integrity Monitoring Explained

March 8, 2019

File integrity monitoring (FIM) is a cybersecurity process and technology that tests and checks operating system (OS), database, and application software files to determine if they have been corrupted or tampered with. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted “baseline.”

File integrity monitoring software will scan, analyze, and report on unexpected changes to important files in an IT environment. In so doing, file integrity monitoring provides a critical layer of file, data, and application security, while also aiding in the acceleration of incident response and remediation.

File integrity monitoring encompasses both reactive (forensic) auditing as well as proactive, rules-based active monitoring.

In this blog, I’ll cover the basics of FIM, including why it’s important, common FIM use cases, files it protects, and must-have file integrity monitoring capabilities.

File Integrity Monitoring Use Cases

The four most common file integrity monitoring use cases include:

  1. Detecting illicit activity: If a cyber threat actor breaches your IT environment, you will need to know (for auditing, breach reporting, and security purposes) whether or not they have altered any files, especially those that are critical to your applications or operating systems. Even if log files and other detection systems are avoided or tampered with to try to cover the attacker’s tracks, FIM can still identify changes to important parts of your IT ecosystem. With FIM in place, you gain an extra measure of protection that monitors and safeguards the integrity of your files, applications, operating systems, and data.
  2. Diagnosing unwanted changes: Sometimes, file changes are inadvertently made by an admin or other employee. The consequences of these alterations may be negligible, and thus, be overlooked. However, in many other instances, these accidental file changes can open up dangerous security backdoors, or wreak havoc with applications/system functions, and disrupt business continuity. With FIM in place, you can easily pinpoint the errant change responsible for dysfunctions, and some file integrity monitoring solutions will even allow you to directly roll back the change(s).
  3. Confirming update status and monitoring system health: You can apply FIM to verify whether or not files have been patched to the latest version by scanning installed versions across multiple locations and machines with the post-patch checksum.
  4. Addressing compliance mandates: The core FIM capabilities of auditing file changes, and monitoring and reporting on file alteration attempts and changes are needed for compliance with regulatory mandates such as GLBA, SOX, HIPAA and PCI DSS.

File Integrity Monitoring in Windows, Unix, & Linux Environments

FIM is an important capability across Windows, Linux, and Unix environments. Windows leverages the registry for most of its configuration, combined with the Win32 API, which is a tightly controlled and restricted area.

In Linux and Unix environments, configurations are considerably more exposed as part of the overall file system. Consequently, Linux and Unix are more vulnerable to direct attacks and hacked binary executables. Cyber attackers can easily inject malicious code by updating and replacing core files in Linux or Unix.

Ideally, FIM should track changes to OS, database, directory, application, and critical business files, and alert you to any sensitive or suspicious changes. Core areas where change control should be audited include:

  • Windows — OS, bootup / startup, password, Active Directory, Exchange, SQL, etc. (Learn more about Windows Auditing)
  • Linux / Unix — boot loader, kernel parameters, daemons and services, run commands, cron jobs, profiles, hosts, etc.

Native Auditing Tools or Enterprise FIM Solutions?

File integrity monitoring analyzes file characteristics to create a “digital fingerprint.” This fingerprint can then be compared to a known, good baseline fingerprint.

Native auditing tools provide some basic functionality, but all generally suffer from significant shortcomings, such as decentralized storage of the security logs from multiple domain controllers, lack of information within the log entry regarding the old settings, and inability to recover the object/configuration from the audit log, amongst many others.

Thus, enterprises with even modest amounts of IT complexity require enterprise solutions that provide FIM capabilities.

Enterprise FIM software should examine many aspects of files, including:

  • Created, modified, and accessed timestamps, settings, and permissions
  • Security and privilege settings
  • Content of the file
  • Core attributes and size
  • Hash values, based on file contents
  • Configuration values
  • Credentials
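The fingerprint-and-compare cycle described above, reduced to its core, as an added example (this is illustrative code written for this post, not BeyondTrust's product code): each regular file is fingerprinted by a SHA-256 content hash plus size, permission bits, owner and modification time; a baseline snapshot is taken; and a later snapshot is diffed against it, reporting files added, removed, or modified and naming which attribute changed. The same check covers use case 3 above: a patched file is verified by comparing its recorded hash against the post-patch checksum. File names and contents in `demo()` are constructed for the scenario.

```python
import hashlib
import os
import tempfile

def fingerprint(path: str) -> dict:
    """The 'digital fingerprint': content hash plus the core attributes."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777), "uid": st.st_uid,
            "mtime": int(st.st_mtime)}

def snapshot(root: str) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                snap[os.path.relpath(full, root)] = fingerprint(full)
    return snap

def compare(base: dict, current: dict) -> dict:
    """Report files added, removed, or modified; name each changed attribute."""
    report = {"added": sorted(set(current) - set(base)),
              "removed": sorted(set(base) - set(current)), "modified": {}}
    for rel in sorted(set(base) & set(current)):
        changed = [k for k, v in base[rel].items() if current[rel][k] != v]
        if changed:
            report["modified"][rel] = changed
    return report

def demo() -> dict:
    """Constructed scenario: baseline a directory, simulate drift, re-scan."""
    root = tempfile.mkdtemp()
    files = {"sshd_config": b"PermitRootLogin no\n", "motd": b"welcome\n",
             "passwd": b"root:x:0:0::/root:/bin/sh\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    base = snapshot(root)  # trusted baseline; in practice store it off-host
    with open(os.path.join(root, "sshd_config"), "wb") as f:
        f.write(b"PermitRootLogin yes\n")  # content edit: hash and size change
    os.chmod(os.path.join(root, "passwd"), 0o444)  # permission-only change
    open(os.path.join(root, "extra.conf"), "wb").close()  # unexpected new file
    os.remove(os.path.join(root, "motd"))  # deleted file
    return compare(base, snapshot(root))
```

The baseline must be captured from a known-good state and kept where a compromised host cannot rewrite it; otherwise an attacker who edits both a file and its recorded fingerprint leaves nothing to detect.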

File integrity monitoring may be performed continuously, on a snapshot basis, or at regular scheduled intervals.

Your FIM tool should monitor all components of your IT ecosystem, including:

  • Network devices and servers
  • Workstations and remote devices
  • Databases, directories, OS, and middleware
  • Cloud-based services
  • Hypervisor configuration, and Active Directory

At minimum, an enterprise solution should provide change management, real-time logging, centralized logging and reporting, and alerts. Often, file integrity monitoring is part of a broader auditing and security platform that will include other capabilities, such as automated rollback of changes to an earlier, trusted state.

Ultimately, a good FIM solution should help you rapidly and clearly diagnose the who, what, where, and when for every important access and change event.

BeyondTrust provides file integrity monitoring capabilities as part of our privileged access management platform. Contact us to learn more.

File Integrity Monitoring Resources

  • The Most Important Linux Files to Protect (and How) (blog)
  • Best Practices for Auditing Changes in Active Directory (white paper)
  • Linux Security: Top Files and Directories to Monitor in Linux to Catch Attackers (webcast)
  • BeyondTrust Auditor (Windows change auditing solution page)
  • BeyondTrust Adds File Integrity Monitoring for Unix and Linux Systems (press release)

Matt Miller

Senior Content Marketing Manager, BeyondTrust

Matt Miller is a Senior Content Marketing Manager at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cyber security and cloud technologies in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cyber security, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.
