File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted. FIM, which is a type of change auditing, verifies and validates these files by comparing the latest versions of them to a known, trusted “baseline.” If FIM detects that files have been altered, updated, or compromised, FIM can generate alerts to ensure further investigation, and if necessary, remediation, takes place. File integrity monitoring encompasses both reactive (forensic) auditing as well as proactive, rules-based active monitoring.

Why File Integrity Monitoring is Important

FIM software will scan, analyze, and report on unexpected changes to important files in an IT environment. In so doing, file integrity monitoring provides a critical layer of file, data, and application security, while also aiding in the acceleration of incident response. The four primary file integrity monitoring use cases are:

Detecting Illicit Activity

If a cyber attacker intrudes upon your IT environment, you will need to know if they have tried to alter any files that are critical to your operating systems or applications. Even if log files and other detection systems are avoided or altered, FIM can still detect changes to important parts of your IT ecosystem. With FIM in place, you can monitor and protect the security of your files, applications, operating systems, and data.

Pinpointing Unintended Changes

Often, file changes are made inadvertently by an admin or another employee. Sometimes the ramifications of these changes may be small and go overlooked. Other times, they can create security backdoors, or result in dysfunction with business operations or continuity. File integrity monitoring simplifies forensics by helping you zero in on the errant change, so you can roll it back or take other remediation.

Verifying Update Status and Monitoring System Health

You can check if files have been patched to the latest version by scanning installed versions across multiple locations and machines with the post-patch checksum.

Meeting Compliance Mandates

The ability to audit changes, and to monitor and report certain types of activity is required for compliance with regulatory mandates such as GLBA, SOX, HIPAA and PCI DSS.

File Integrity Monitoring — Windows vs. Linux and Unix

FIM is important for Windows-based environments as well as for Linux and Unix systems. Windows uses the registry for most of its configuration, combined with the Win32 API, which is a tightly controlled and restricted area. In Linux and Unix environments, configurations are much more exposed as part of the overall file system. This makes Linux and Unix more vulnerable to direct attacks and hacked binary executables. Updating and replacing core files in Linux or Unix means that attackers can easily inject malicious code.

The Most Critical Files to Monitor and Protect

Ideally, FIM should track changes to OS, database, directory, application, and critical business files, and alert you to any potentially sensitive or suspicious changes. Some key areas to audit change control include:

Windows

OS, bootup/startup, password, Active Directory, Exchange SQL, etc.

Linux/Unix

Boot loader, kernel parameters, daemons and services, run commands, cron jobs, profiles, hosts, etc.

How File Integrity Monitoring Works, and Best Practices

File integrity monitoring examines various aspects of a file to create a “digital fingerprint.” It then compares this fingerprint to a known, good baseline fingerprint. While native auditing tools exist, these generally all suffer from shortcomings, such as decentralized storage of the security logs from multiple domain controllers, lack of information within the log entry regarding the old settings, and inability to recover the object/configuration from the audit log, to name few. For these reasons, organizations with moderately to highly complex IT environments generally rely on proven enterprise solutions.

High-quality enterprise FIM software will look at many aspects of files, including:

FIM can be carried out on a continual, snapshot, or regular basis. It can happen randomly, or to any other rules that the security team sets up.

A good FIM tool will monitor all components of your IT environment, including:

At minimum, an enterprise solution should provide change management, real-time logging, centralized logging and reporting, and alerts. Often, file integrity monitoring is part of a broader auditing and security solution that will also include capabilities such as automated rollback of changes to an earlier, trusted state. An ideal solution will give you clear, rapid information on the who, what, where, and when for every access and change event.