Cybersecurity in an everything-as-a-service environment is increasingly challenging. As companies look to protect information, many focus on maintaining data confidentiality and availability. Within the data security triad of Confidentiality, Integrity, and Availability (CIA), maintaining data integrity is often treated as more of a data governance issue. However, File Integrity Monitoring (FIM) is a powerful tool for detecting cybersecurity incidents like malware, ransomware, and advanced persistent threats (APTs).
What is File Integrity Monitoring (FIM)?
File integrity monitoring (FIM) is a security and compliance practice that uses tools to detect file changes. FIM solutions check operating system (OS), database, and application files for unauthorized changes or corruption that can indicate a security event.
FIM works to ensure that organizations’ change management processes are working correctly by comparing accepted baseline configurations against the latest file versions. FIM verifies and validates versioning, giving companies visibility into critical files that have been altered or updated without approval.
Unauthorized changes might indicate a potential system, network, or application compromise requiring further investigation.
Why Do We Need FIM?
FIM enables organizations to gain visibility into who makes changes to files, when they do, and how they do it. With FIM, organizations gain insights that can help them detect risks associated with attacks that may have otherwise gone undetected. Further, to meet compliance requirements, many organizations use FIM to prove governance.
Cybersecurity risk detection
As more companies use cloud-connected resources, they need the visibility FIM provides to mitigate access risks.
Some risks that FIM can detect include:
- Insider threats: authorized users stealing information for monetary gain, corporate espionage, or revenge
- Credential theft and brute force attacks: use of weak or stolen credentials often used as part of a double-exfiltration ransomware attack
- Advanced persistent threats (APTs): threat actors spending time in systems and networks to exfiltrate data on an ongoing basis
- Privilege escalation: elevating access permissions to gain privileged access as part of lateral movement and data exfiltration
PCI DSS Requirements Covered by Alert Logic File Integrity Monitoring (FIM)
Some of the most common Payment Card Industry Data Security Standard (PCI DSS) requirements that must be met include:
PCI DSS 10.5.5 requires that organizations use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts. FIM or change-detection systems should check for changes to critical files, and notify when such changes are noted. For file integrity monitoring purposes, an entity usually monitors files that don’t regularly change, but when changed indicate a possible compromise.
PCI DSS 11.5 requires that organizations deploy a change-detection mechanism, such as FIM, to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If the solution is not implemented properly and its output is not monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables.
How File Integrity Monitoring works
File integrity monitoring incorporates more than just technology. Companies need to have the policies and processes that help them establish and enforce controls.
The FIM basics may not include using a FIM solution, but they do set the stage for choosing one.
At the core, FIM requires companies to:
- Identify files: define critical files that must be monitored
- Establish policies: set policies across all technologies that need to be monitored
- Monitor changes: continuously monitor resources that have been identified as critical
- Set and receive alerts: ensure the responsible parties receive alerts so that they know an unauthorized change occurred and can remediate the issue
- Document activities: create reports for auditors and staff in order to take immediate action using FIM solutions.
While FIM does not require automated solutions, it is often easier with them. Using a technology that scans and monitors for changes eliminates many of the time-consuming activities that companies undertake. Additionally, with more connected applications and data sharing capabilities, manually managing FIM becomes untenable.
FIM scans files, creates individual baselines for them based on an organization’s configurations, then looks for:
- Users who changed the file
- Timing of changes
- Types of changes made
- Abnormal changes to file sizes, versions, and configurations
- Unauthorized access to sensitive files, including personally identifiable information (PII), system files, and directories
- Changes to security settings, permissions, and registries
Many of these changes act as Indicators of Compromise (IoC). For example, a cybercriminal looking to exfiltrate data before launching a ransomware attack might escalate privileges to gain unauthorized access to sensitive data. When FIM detects changes to permissions or unauthorized access to PII, it can help the organization proactively mitigate ransomware risks.
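The baseline-and-compare cycle described above (identify files, record a baseline, rescan, raise an event for each creation, deletion, content change or attribute change, and report the result) can be shown end to end in a few dozen lines. The following is an added, self-contained Python example and is not Alert Logic's code or any product's implementation; the directory tree, the exclusion globs for a "noisy" path, and the four changes it applies are all constructed for the demonstration. It hashes file content with SHA-256 and also records mode, owner and size, so a permission change on an unmodified binary is reported as its own event, which is the kind of attribute change the list above calls out.

```python
import fnmatch
import hashlib
import json
import shutil
import stat
import tempfile
from pathlib import Path

# Hypothetical exclusion policy for a path that generates only noise (see the
# "System and File Path Events" discussion): anything under cache/ is ignored.
EXCLUDE_GLOBS = ["cache/*", "*.tmp"]

# Attributes compared between baseline and rescan. mtime is recorded for the
# report but not compared, since a bare timestamp change is rarely actionable.
COMPARED_KEYS = ("sha256", "mode", "uid", "gid", "size")


def fingerprint(path: Path) -> dict:
    """Record the content hash and the attributes a FIM baseline keeps for one file."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }


def is_excluded(rel: str, excludes) -> bool:
    return any(fnmatch.fnmatch(rel, pat) for pat in excludes)


def build_baseline(root: Path, excludes=()) -> dict:
    """Walk the monitored tree and fingerprint every regular file not excluded by policy."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if is_excluded(rel, excludes):
            continue
        baseline[rel] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return FIM events: created, deleted, or modified (with the attributes that changed)."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append({"path": rel, "event": "created"})
        elif new is None:
            events.append({"path": rel, "event": "deleted"})
        else:
            changed = [k for k in COMPARED_KEYS if old[k] != new[k]]
            if changed:
                events.append({"path": rel, "event": "modified", "changed": changed})
    return events


def demo() -> list:
    """Constructed scenario: baseline a small tree, apply four changes, rescan and report."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    try:
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "obsolete.conf").write_text("old\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF-placeholder-binary")
        (root / "bin" / "tool").chmod(0o755)
        (root / "cache").mkdir()
        (root / "cache" / "noise.dat").write_text("a")

        baseline = build_baseline(root, EXCLUDE_GLOBS)
        # "Document activities": the baseline is stored outside the monitored tree
        # so that the store itself does not show up as a created file.
        store = Path(tempfile.mkdtemp(prefix="fim-store-")) / "baseline.json"
        store.write_text(json.dumps(baseline, indent=2))

        # Changes that FIM should catch: content edit, permission change,
        # deletion, creation. The edit under cache/ must be filtered out.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "tool").chmod(0o777)       # now world-writable
        (root / "etc" / "obsolete.conf").unlink()
        (root / "etc" / "new.conf").write_text("added=1\n")
        (root / "cache" / "noise.dat").write_text("bb")

        saved = json.loads(store.read_text())
        return compare(saved, build_baseline(root, EXCLUDE_GLOBS))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it reports one `modified` event for `bin/tool` listing only `mode`, one for `etc/app.conf` listing `sha256` and `size`, a `created` event for `etc/new.conf` and a `deleted` event for `etc/obsolete.conf`, while the rewrite under `cache/` produces nothing because the policy excludes it. Scheduling the rescan (for instance at least weekly, as PCI DSS 11.5 requires) and routing the event list to the responsible party are what turn this into the alerting step the list above describes.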
Types of FIM Monitoring Tools
Understanding the types of FIM tools available can help organizations make better decisions.
Generally, FIM solutions can be deployed as:
- Agent-based: installed on every monitored host
- Agentless: scanner monitoring for changes at scheduled times
Agent-based solutions like Alert Logic File Integrity Monitoring provide real-time capabilities for continuous monitoring, which enables more robust security incident detection.
Considerations for Choosing File Integrity Monitoring Tools
With the vast array of technologies and providers available, choosing the best FIM tool for an organization is often difficult. However, as a company looks to narrow down the vendors, some key considerations should be included.
Ease of Deployment
The less time onboarding a solution takes, the faster the company receives a return on investment. If FIM solution deployment is too time-consuming, it becomes a large project that might get put on the back burner.
With trending data, companies gain greater visibility into events within their environment. To detect abnormal activity, organizations need to know what normal looks like. Historic data and trends give insight into both normal and abnormal activity.
Organizations need to consider the various types of interactions and changes a solution can detect, including:
- File access
- File creation
- File deletion
- File movement
- Modification of attributes
The solution should also be expansive enough to detect changes across system directories, registry keys, and operating system values, covering Linux files, Windows files, and the Windows Registry.
System and File Path Events
Companies need the ability to trace the resources impacted. This means they need to know not just the FIM events that occurred, but also the file paths and systems impacted. For example, if a particular file path accounts for the majority of FIM events, an exclusion may need to be created to reduce false positives from that noisy file path.
Compliance reporting is a key capability for any organization that needs to meet regulatory or industry standard mandates. A valuable FIM tool gives organizations a way to download data that can be used to prove governance over security.
File Integrity Monitoring to Mitigate Cybersecurity Risk
Cybercriminals are working harder than ever to evade detection. However, FIM offers companies a way to create a proactive cybersecurity program that monitors for file changes that can be a precursor to a larger scale security incident. With a FIM tool integrated into a managed detection and response (MDR) solution, companies can have a comprehensive cybersecurity solution that delivers complete threat detection and incident response, including the built-in monitoring they need, without having to purchase additional, expensive point solutions. Standalone FIM solutions add complexity and require additional budget for staffing and training, while Alert Logic MDR offers FIM at no extra cost.
For more information about Alert Logic’s File Integrity Monitoring tool, contact us to schedule a demo.