File Integrity Monitoring Explained

March 8, 2019


File integrity monitoring (FIM) is a cybersecurity process and technology that tests and checks operating system (OS), database, and application software files to determine if they have been corrupted or tampered with. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted “baseline.”

File integrity monitoring software will scan, analyze, and report on unexpected changes to important files in an IT environment. In so doing, file integrity monitoring provides a critical layer of file, data, and application security, while also aiding in the acceleration of incident response and remediation.

File integrity monitoring encompasses both reactive (forensic) auditing as well as proactive, rules-based active monitoring.

In this blog, I’ll cover the basics of FIM, including why it’s important, common FIM use cases, files it protects, and must-have file integrity monitoring capabilities.

File Integrity Monitoring Use Cases

The four most common file integrity monitoring use cases include:

  1. Detecting illicit activity: If a cyber threat actor breaches your IT environment, you will need to know (for auditing, breach reporting, and security purposes) whether or not they have altered any files, especially those that are critical to your applications or operating systems. Even if log files and other detection systems are avoided or tampered with to cover the attacker's tracks, FIM can still identify changes to important parts of your IT ecosystem. With FIM in place, you gain an extra measure of protection that monitors and safeguards the integrity of your files, applications, operating systems, and data.
  2. Diagnosing unwanted changes: Sometimes, file changes are made inadvertently by an admin or other employee. The consequences of these alterations may be negligible, and thus overlooked. In many other instances, however, these accidental file changes can open up dangerous security backdoors, wreak havoc with application or system functions, and disrupt business continuity. With FIM in place, you can pinpoint the errant change responsible for a malfunction, and some file integrity monitoring solutions will even allow you to roll the change(s) back directly.
  3. Confirming update status and monitoring system health: You can apply FIM to verify whether or not files have been patched to the latest version by comparing the checksums of the installed files across multiple locations and machines against the known post-patch checksum.
  4. Addressing compliance mandates: The core FIM capabilities of auditing file changes, and monitoring and reporting on file alteration attempts and changes, are required for compliance with regulatory mandates such as GLBA, SOX, HIPAA, and PCI DSS.

File Integrity Monitoring in Windows, Unix, & Linux Environments

FIM is an important capability across Windows, Linux, and Unix environments. Windows keeps most of its configuration in the registry, accessed through the Win32 API, which is a tightly controlled and restricted area.

In Linux and Unix environments, configurations are considerably more exposed as part of the overall file system. Consequently, Linux and Unix are more vulnerable to direct attacks and hacked binary executables. Cyber attackers can easily inject malicious code by updating and replacing core files in Linux or Unix.

Ideally, FIM should track changes to OS, database, directory, application, and critical business files, and alert you to any sensitive or suspicious changes. Core areas to audit for change control include:

  • Windows — OS, bootup / startup, password, Active Directory, Exchange, SQL, etc. (Learn more about Windows Auditing)
  • Linux / Unix — boot loader, kernel parameters, daemons and services, run commands, cron jobs, profiles, hosts, etc.

Native Auditing Tools or Enterprise FIM Solutions?

File integrity monitoring analyzes file characteristics to create a “digital fingerprint.” This fingerprint can then be compared to a known, good baseline fingerprint.

Native auditing tools provide some basic functionality, but they generally suffer from significant shortcomings, such as security logs left scattered across multiple domain controllers rather than stored centrally, log entries that omit the old value of a changed setting, and no way to recover the object or configuration from the audit log, amongst many others.

Thus, enterprises with even modest amounts of IT complexity require enterprise solutions that provide FIM capabilities.

Enterprise FIM software should examine many aspects of files, including:

  • Created, modified, and accessed settings and permissions
  • Security and privilege settings
  • Content of the file
  • Core attributes and size
  • Hash values, based on file contents
  • Configuration values
  • Credentials
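The fingerprint-and-baseline approach described above, and several of the file aspects in this list (content hash, size, permissions, ownership, timestamps), as a worked example. This is an added illustration written for this page, not BeyondTrust's code or part of any BeyondTrust product: it builds a per-file fingerprint, stores a baseline, reports added, removed, and modified files naming the attribute that changed, and checks a file against an expected post-patch checksum (the update-status use case from earlier). The directory tree, file contents, and the "post-patch" checksum are all constructed inline so the example runs offline.

```python
"""Added example: a minimal file-integrity baseline and comparison.

Builds a "fingerprint" per file (SHA-256 of contents, size, permission
bits, owner/group ids, mtime), stores a baseline as JSON, and reports
added, removed and modified files, naming which attributes changed.
The tree it scans is constructed in a temporary directory.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

HASH_CHUNK = 1 << 16


def fingerprint(path: Path) -> dict:
    """Hash the contents and capture the attributes a FIM tool inspects."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(HASH_CHUNK), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by POSIX relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two fingerprint maps: added, removed, and modified (with changed fields)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(baseline) & set(current):
        old, new = baseline[rel], current[rel]
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def verify_patch(path: Path, expected_sha256: str) -> bool:
    """Use case 3: does the installed file match the known post-patch checksum?"""
    return fingerprint(path)["sha256"] == expected_sha256.lower()


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate drift, report it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "crontab").write_text("# no jobs\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF-not-really")  # constructed stand-in binary
        os.chmod(root / "bin" / "tool", 0o755)
        baseline_json = json.dumps(build_baseline(root), sort_keys=True)  # what you would store centrally

        # Simulated drift: content change, permission-only change, new file, deleted file.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n203.0.113.9 update.example\n")
        os.chmod(root / "bin" / "tool", 0o777)  # contents untouched, now world-writable
        (root / "etc" / "rc.local").write_text("/tmp/.x &\n")
        (root / "etc" / "crontab").unlink()

        report = compare(json.loads(baseline_json), build_baseline(root))
        # Constructed "vendor" checksums: the binary still matches, the hosts file does not.
        report["tool_patched"] = verify_patch(
            root / "bin" / "tool", hashlib.sha256(b"\x7fELF-not-really").hexdigest())
        report["hosts_known_good"] = verify_patch(
            root / "etc" / "hosts", hashlib.sha256(b"127.0.0.1 localhost\n").hexdigest())
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the permission change on `bin/tool` is reported as `["mode"]` only: its hash is unchanged, which is exactly why a FIM tool must compare attributes and not just content hashes. Storing the baseline somewhere the monitored host cannot write to (the "centralized logging" requirement later in the article) is what keeps an attacker from simply re-baselining after a change.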

File integrity monitoring may be performed on a continuous, snapshot, or scheduled basis.

Your FIM tool should monitor all components of your IT ecosystem, including:

  • Network devices and servers
  • Workstations and remote devices
  • Databases, directories, OS, and middleware
  • Cloud-based services
  • Hypervisor configuration, and Active Directory

At minimum, an enterprise solution should provide change management, real-time logging, centralized logging and reporting, and alerts. Often, file integrity monitoring is part of a broader auditing and security platform that will include other capabilities, such as automated rollback of changes to an earlier, trusted state.

Ultimately, a good FIM solution should help you rapidly and clearly diagnose the who, what, where, and when for every important access and change event.
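The proactive, rules-based side of FIM mentioned near the start of the article, tied to the Linux / Unix core areas listed earlier and to the change-management, centralized-logging, and alerting requirements just described, as a worked example. This is an added illustration written for this page, not BeyondTrust's code or a description of any BeyondTrust product: change events are constructed inline (in practice they would come from an agent or the kernel audit subsystem), a ruleset maps the article's core areas to a severity, an approved-change record suppresses alerts for expected work, and every alert carries the who, what, where, and when. The glob patterns, severities, usernames, and timestamps are all assumptions made for the example.

```python
"""Added example: rules-based active monitoring over a stream of change events.

Each event carries who / what / where / when. Rules map the core Linux areas
named in the article to a severity; approved changes (change management)
are logged but not alerted on. Everything here is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ChangeEvent:
    when: str    # ISO-8601 timestamp with offset
    who: str     # user that made the change
    what: str    # create / modify / delete / chmod
    where: str   # absolute path


# (glob, area, severity): constructed ruleset based on the article's list of core areas.
RULES = [
    ("/boot/*", "boot loader / kernel", "critical"),
    ("/etc/sysctl.conf", "kernel parameters", "high"),
    ("/etc/sysctl.d/*", "kernel parameters", "high"),
    ("/etc/systemd/system/*", "daemons and services", "high"),
    ("/etc/init.d/*", "daemons and services", "high"),
    ("/etc/rc.local", "run commands", "high"),
    ("/etc/cron*", "cron jobs", "high"),
    ("/var/spool/cron/*", "cron jobs", "high"),
    ("/etc/profile", "profiles", "medium"),
    ("/etc/profile.d/*", "profiles", "medium"),
    ("/etc/hosts", "hosts", "medium"),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def classify(path: str):
    """Return (area, severity) for a watched path, or None if the path is not watched."""
    for pattern, area, severity in RULES:
        if fnmatchcase(path, pattern):
            return area, severity
    return None


def is_approved(event: ChangeEvent, approvals) -> bool:
    """Approvals are (user, path glob, window start, window end) change-management records."""
    t = datetime.fromisoformat(event.when)
    return any(
        event.who == user and fnmatchcase(event.where, pattern) and start <= t <= end
        for user, pattern, start, end in approvals
    )


def evaluate(events, approvals) -> dict:
    """Produce a central log of every watched change plus alerts for the unapproved ones."""
    log, alerts = [], []
    for ev in events:
        hit = classify(ev.where)
        if hit is None:
            continue  # not a watched area
        area, severity = hit
        approved = is_approved(ev, approvals)
        entry = {"when": ev.when, "who": ev.who, "what": ev.what, "where": ev.where,
                 "area": area, "severity": severity, "approved": approved}
        log.append(entry)
        if not approved:
            alerts.append(entry)
    alerts.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["when"]))
    return {"log": log, "alerts": alerts}


def demo() -> dict:
    """Constructed event stream and one approved change window."""
    utc = timezone.utc
    approvals = [("ops", "/etc/hosts", datetime(2019, 3, 8, 10, 0, tzinfo=utc),
                  datetime(2019, 3, 8, 11, 0, tzinfo=utc))]
    events = [
        ChangeEvent("2019-03-08T02:14:05+00:00", "root", "create", "/etc/cron.d/unknown-job"),
        ChangeEvent("2019-03-08T10:05:00+00:00", "ops", "modify", "/etc/hosts"),
        ChangeEvent("2019-03-08T10:07:00+00:00", "ops", "modify", "/boot/grub/grub.cfg"),
        ChangeEvent("2019-03-08T10:08:00+00:00", "alice", "create", "/home/alice/notes.txt"),
        ChangeEvent("2019-03-08T10:09:00+00:00", "www-data", "chmod", "/etc/profile.d/z.sh"),
    ]
    return evaluate(events, approvals)


if __name__ == "__main__":
    for a in demo()["alerts"]:
        print(f"[{a['severity']}] {a['when']} {a['who']} {a['what']} {a['where']} ({a['area']})")
```

The approved `/etc/hosts` edit still lands in the central log with `approved: True`, so the forensic trail is complete even though no one is paged for it; the boot-loader change by the same user falls outside the approval's path scope and is raised at the highest severity.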

BeyondTrust provides file integrity monitoring capabilities as part of our privileged access management platform. Contact us to learn more.

File Integrity Monitoring Resources

  • The Most Important Linux Files to Protect (and How) (blog)
  • Best Practices for Auditing Changes in Active Directory (white paper)
  • Linux Security: Top Files and Directories to Monitor in Linux to Catch Attackers (webcast)
  • BeyondTrust Auditor (Windows change auditing solution page)
  • BeyondTrust Adds File Integrity Monitoring for Unix and Linux Systems (press release)


Matt Miller, Director, Content Marketing & SEO

Matt Miller is Director, Content Marketing at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cybersecurity, cloud technologies, and data governance in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cybersecurity, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.
