What is file integrity monitoring (FIM)?
File integrity monitoring (FIM), sometimes referred to as file integrity management, is a security process that monitors and analyzes the integrity of critical assets, including file systems, directories, databases, network devices, the operating system (OS), OS components and software applications for signs of tampering or corruption, which may be an indication of a cyberattack.
FIM tools rely on two different verification methods to verify the integrity of critical file systems and other assets: reactive or forensic auditing; and proactive or rules-based monitoring. In both cases, the FIM tool compares the current file with a baseline and triggers an alert in the event the file has been altered or updated in a way that violates the company’s predefined security policies.
Why is file integrity monitoring important?
In recent years, cybercriminals have become increasingly sophisticated in their use of malware and other techniques to alter critical system files, folders, registries and data end endpoints to carry out advanced cyberattacks. Left undetected, these hackers can steal data, IP, and customer information or otherwise disrupt business operations.
The rapid acceleration of remote work due to the COVID-19 pandemic, as well as an explosion of IoT devices has dramatically expanded the attack surface for cybercriminals, thus providing many points of access for these actors.
FIM provides an important layer of protection for sensitive files, data, applications and devices by routinely scanning, monitoring and verifying the integrity of those assets. It also helps identify potential security issues more quickly and improves the accuracy of remediation efforts by the incident response team.
File integrity monitoring use cases
Some common use cases for a file integrity management tool include:
Detecting a cyberattack
In the early stages of a complex cyberattack, cybercriminals may need to alter critical files related to the OS or applications. Very sophisticated attackers may even alter the log files to cover their activity. However, FIM tools can still detect such modifications because it reviews the current file against a baseline, as opposed to simply reviewing the file logs.
Expediting threat detection, response and remediation
By detecting a threat early in the cyber kill chain, the organization stands a better chance of stopping the breach before significant or costly damage is done. FIM greatly enhances the organization’s ability to detect an attack that may be missed by other security measures.
Identifying weaknesses within the IT infrastructure
Some changes made by administrators or employees, while not malicious in nature, may inadvertently open the organization to risk. FIM helps identify these vulnerabilities and rectify them before they can be exploited by adversaries.
Streamlining compliance efforts
Organizations are facing an increasingly complex regulatory landscape. In virtually every industry, companies are obliged to monitor their IT environment and report select activity to maintain compliance with key regulations such as Health Insurance Portability & Accountability Act (HIPAA), General Data Protection Regulation (GDPR), ISO 17799 and Payment Card Industry Data Security Standard (PCI DSS).
How file integrity monitoring works
Below are the six main steps organizations take to set up a successful file integrity monitoring process:
Defining the file integrity policy: Before the FIM tool can be deployed, the organization must first specify what assets will be monitored and the types of changes that it wants to detect.
Establishing a baseline: FIM tools create an initial baseline, which will serve as a reference point for comparison for all future activity. This will contain all file attributes, including file size, content, access settings, privileges, credentials and configuration values.
Applying the cryptographic hash signature: As part of developing the baseline, the IT team will also apply a cryptographic hash signature, which can’t be altered, to each file. Any changes made to the files, whether authorized or not, will also change the hash value of the file, making it easy to detect file updates and alterations.
Monitoring, analyzing and verifying file integrity: The FIM tool compares the hash values on the files to quickly and clearly detect anomalous changes. As part of this process, the IT team can also exempt certain changes from monitoring to avoid triggering alerts for planned changes or updates.
Issuing an alert: In the event an unexpected or unauthorized modification has been made, the FIM tool will also alert the information security (InfoSec) team of the need for further investigation and possible remediation.
Reporting and regulatory compliance: In some cases, the organization must report a breach to the relevant authorities, as dictated by law. The FIM tool helps the Regulatory Affairs team compile such information for reporting purposes.
How to select the right FIM tool
While FIM is a critical capability for cybersecurity teams, many tools do not offer the customization, configurations, integrations and functionalities needed by the business.
Here are some questions to consider when evaluating file integrity monitoring tools:
Compatibility
- Is this file integrity monitoring solution compatible with all other aspects of the organization’s existing cybersecurity architecture?
- Is this FIM tool capable of supporting the company’s existing file integrity policies?
Customization
- Can the FIM tool be customized to support specific threat detection and remediation use cases as identified by the business?
- Does this file integrity monitoring software help automate and streamline regulatory compliance efforts unique to the organization?
- Can the FIM solution support additional functionalities that may be needed by the business in the future?
Configuration
- What support does the vendor provide during the configuration process to help cut down on the “noise” and differentiate between actual threats and false positives?
- How quickly can the FIM software be updated? What does the QA testing process look like to ensure all existing configurations work properly?
Ease of use
- How much of the file analysis is automated by the FIM tool?
- Can security controls in the FIM solution be easily turned off and on, or updated as needed?
- How are alerts from the monitoring tool delivered to the IT team?
- In what format is alert data presented to ensure that information is actionable?
Integration
- How does the FIM tool integrate within the organization’s existing cybersecurity architecture, including the SIEM?
- What support does the vendor provide to ensure that the FIM tool is properly integrated with other tools and technologies?