File Integrity Monitoring
What is File Integrity Monitoring?
File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether they have been tampered with or corrupted.
File integrity monitoring encompasses both reactive (forensic) auditing as well as proactive, rules-based active monitoring. A typical FIM process involves the following activities:
Establishing a baseline: FIM creates a known baseline using factors such as settings and permissions, file contents, credentials, etc.
Change auditing: FIM verifies and validates files by comparing the latest version to this known baseline.
Alerting on suspicious changes: If FIM detects that files have been altered, updated, or compromised, it can generate alerts to ensure further investigation, and if necessary, remediation takes place.
Key Use Cases of File Integrity Monitoring
The process of FIM—scanning, analyzing, and reporting on unexpected changes to important files in an IT environment—answers a few key security cases by providing a critical layer of file, data, and application security while also aiding in the acceleration of incident response. These primary use cases include:
1. Detecting Illicit Activity
If a cyber attacker intrudes upon your IT environment, you will need to know if they have tried to alter any files that are critical to your operating systems or applications. Even if log files and other detection systems are avoided or altered, FIM can still detect changes to important parts of your IT ecosystem. With FIM in place, you can monitor and protect the security of your files, applications, operating systems, and data.
2. Pinpointing Unintended Changes
Often, file changes are made inadvertently by an admin or another employee. Sometimes the ramifications of these changes may be small and go overlooked. Other times, they can create security backdoors or result in dysfunction with business operations or continuity. File integrity monitoring simplifies forensics by helping you zero in on the errant change, so you can roll it back or take other remediation.
3. Verifying Update Status and Monitoring System Health
You can check if files have been patched to the latest version by scanning installed versions across multiple locations and machines with the post-patch checksum.
4. Meeting Compliance Mandates
The ability to audit changes, and to monitor and report certain types of activity, is required for compliance with regulatory mandates such as GLBA, SOX, HIPAA, and PCI DSS.
FIM for Systems Hardening
FIM plays a key role in systems hardening, which is a collection of tools, techniques, and best practices to reduce vulnerability in technology applications, systems, infrastructure, firmware, and other areas. The goal of systems hardening is to reduce security risk by eliminating potential attack vectors and shrinking the system’s attack surface.
As a key component of the systems hardening process, file integrity monitoring is used to detect vulnerabilities in operating systems, software, and other database environments. This allows you to patch vulnerabilities as soon as they arise, substantially shrinking the attack surface and the window of opportunity for any would-be attacks.
File Integrity Monitoring: Windows vs. Linux and Unix
FIM is important for Windows-based environments as well as for Unix and Linux security.
Windows uses the registry for most of its configuration, combined with the Win32 API, which is a tightly controlled and restricted area. File integrity monitoring is a major component in Windows auditing— the process of tracking, analyzing, and understanding events that take place on Windows-based computer systems. Windows auditing can reveal important contextual information about the who, what, when, and where of system events.
In Linux and Unix environments, configurations are much more exposed as part of the overall file system. This makes Linux and Unix more vulnerable to direct attacks and hacked binary executables. Updating and replacing core files in Linux or Unix means attackers can easily inject malicious code.
File Integrity Monitoring
FIM For Windows | FIM for Linux and Unix | |
|---|---|---|
Which data is audited? | Registry and Win32 API | Configurations live in the file system |
Nature of data structure | Tightly controlled and restricted API | Open configuration |
Threats detected by FIM | Suspicious system events, as FIM helps track and analyze events with context (who/what/when/where) | Direct attacks and hacked binary executables, as FIM helps detect the updating or replacement of core files that would indicate an attack |
Critical Files to Monitor and Protect
Ideally, FIM should track changes to OS, database, directory, application, and critical business files, and alert you to any potentially sensitive or suspicious changes. Some key areas to audit change control include:
Windows: OS, bootup/startup, password, Active Directory, Exchange SQL, etc.
Linux/Unix: Boot loader, kernel parameters, daemons and services, run commands, cron jobs, profiles, hosts, etc.
File Integrity Monitoring Best Practices
To perform file integrity monitoring most effectively, consider the following best practices:
1. Use a third-party FIM solution
2. Select a FIM solution that monitors a variety of file characteristics
3. Decide the frequency and scope of file integrity monitoring
4. Prioritize your most critical systems, and roll out to other areas from there
5. Regularly test your FIM system
Here are each of these best practices in more detail:
1. Use a third-party FIM solution
While native auditing tools exist, these generally suffer from shortcomings, such as decentralized storage of the security logs from multiple domain controllers, lack of information within the log entry regarding the old settings, and inability to recover the object/configuration from the audit log. For these reasons, organizations with moderately to highly complex IT environments generally rely on proven enterprise solutions.
2. Select a FIM solution that monitors a variety of file characteristics
High-quality enterprise FIM software will look at many aspects of files, including:
Created, modified, and accessed settings and permissions
Security and privilege settings
Content of the file
Core attributes and size
Hash values, based on file contents
Configuration values
Credentials
3. Decide the frequency and scope of file integrity monitoring
Define how often the FIM system should monitor files and which changes it should look for. FIM can be carried out on a continual, snapshot, or regular basis. It can happen randomly or follow any other rules that the security team sets up.
4. Prioritize your most critical systems, and roll out to other areas from there
Implement FIM in your most critical systems and files first, and then roll it out to other areas over time. Some key areas to monitor with FIM tools include:
Network devices and servers
Workstations and remote devices
Databases, directories, OS, and middleware
Cloud-based services
Hypervisor configuration, and Active Directory
5. Regularly test your FIM system
Plan to test the accuracy of your FIM system by periodically simulating security incidents. From there, you can refine and tune your implementation.
Securing Enterprise Environments with FIM Tools
File integrity monitoring is an integral piece of securing enterprise environments. While standalone FIM tools exist, the capabilities can also be embedded within broader solutions, such as endpoint privilege management / PAM products.
At the minimum, an enterprise solution should provide change management, real-time logging, centralized logging and reporting, and alerts. Sometimes, file integrity monitoring is part of a broader auditing and security solution that will also include capabilities such as automated rollback of changes to an earlier, trusted state. An ideal FIM solution will give you clear, rapid information on the who, what, where, and when for every access and change event.
