The increasing incidence of data breaches over the past decade has led to the creation of numerous regulatory standards such as the PCI-DSS. These standards call for companies to adopt security best practices, including the need to monitor all types of changes made to server configurations.
Although some of these configuration changes have no significant impact on systems, a few unexpected changes could turn out to be a security risk. This could also lead to non-compliance.
The File Integrity Monitoring Solution
To help protect your sensitive data and maintain compliance, you need to detect changes down to the tiniest detail in real time. This is accomplished by establishing a baseline state and monitoring for file changes relative to the baseline.
The problem is that it’s impractical to monitor every application or device in your network all the time. In addition, today’s networks are far too complex to be monitored manually, and this holds true even in small to mid-sized enterprises.
For this reason, you need a solution that helps you take control of all these changes without the risks of manual review. This is what File Integrity Monitoring (FIM) is for.
File Integrity Monitoring at a Glance
Also known as change audit, a file integrity monitoring tool monitors files of all types and identifies changes in these files that can potentially put your sensitive data at risk. Files monitored include configuration files, executables, registry files, file and directory indexes, permissions, and tables.
Your FIM of choice should not only detect changes. It should also help you control what should be monitored for change and help you rectify issues brought about by any undesirable changes.
In essence, any file integrity monitoring solution should provide you with the following details:
- What function or application made a change
- When a change was made
- Who initiated the change
- Before-and-after state of the file
- Whether the change was authorized or not
File Integrity Monitoring Features to Look For
Next to the aforementioned basic FIM functions, the following describes the features you should be looking for when evaluating any file integrity monitoring solution.
1. Multiple Platform Support
It’s not uncommon for a typical enterprise today to run on Windows, Linux, Solaris, AIX or even HP-UX. For this reason, it’s best to look for an FIM solution that can monitor multiple platforms without incompatibility issues.
2. Easy Integration
The FIM of your choice should work seamlessly with other data security solutions, for example by correlating change data with event and log data. This allows your team to quickly identify, trace, and relate problem-causing changes to each other.
A great example of this is how CimTrak complements anti-virus and other malware-prevention technologies by acting as a last line of defense. CimTrak detects changes caused by malware for which no signature yet exists and which may therefore bypass your existing security defenses.
3. Extended Perimeter Protection
Go for a file integrity monitoring solution that extends beyond change detection in files and their attributes. Your FIM solution should also take network devices into account, such as firewalls, routers, switches, and VPN (virtual private network) concentrators.
4. Smarter Change Detection
Detecting a change at a minimum means identifying if a hash of the file has changed. A more robust file integrity monitoring solution can look at several attributes related to a file in addition to the hash.
All of this additional metadata provides greater insight into the true nature of the change. For example, changing the owner of a file does not change its contents, so the hash stays the same. A more sophisticated FIM, however, lets you see that the file’s owner has changed. Most FIM solutions today are unable to provide the “who changed the data” information.
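To make the baseline-and-compare idea from above concrete, here is a small added example (not CimTrak code, and not from the original article) that snapshots a directory with a content hash plus owner, group, permission bits and size, then classifies each difference so that a permission-only change is reported separately from a content change. The tree, file names and edits in demo() are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def file_record(path):
    """Snapshot one file: content hash plus metadata a hash alone cannot show."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}

def baseline(root):
    """Record every regular file under root, keyed by relative path."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                records[os.path.relpath(full, root)] = file_record(full)
    return records

def compare(old, new):
    """Classify each path as added, removed, content, or metadata-only change."""
    changes = {}
    for path in old.keys() | new.keys():
        if path not in new:
            changes[path] = "removed"
        elif path not in old:
            changes[path] = "added"
        elif old[path]["sha256"] != new[path]["sha256"]:
            changes[path] = "content"
        elif old[path] != new[path]:
            fields = [k for k in old[path] if old[path][k] != new[path][k]]
            changes[path] = "metadata:" + ",".join(sorted(fields))
    return changes

def demo():
    """Constructed scenario: baseline a scratch tree, then alter it four ways."""
    root = tempfile.mkdtemp()
    for name in ("sshd_config", "app.conf", "old.bin"):
        with open(os.path.join(root, name), "w") as f:
            f.write("original " + name)
    before = baseline(root)
    with open(os.path.join(root, "sshd_config"), "a") as f:
        f.write("\n# edited")                        # content edit: hash changes
    os.chmod(os.path.join(root, "app.conf"), 0o755)  # permission-only: hash unchanged
    os.remove(os.path.join(root, "old.bin"))
    with open(os.path.join(root, "new.so"), "w") as f:
        f.write("unexpected binary")
    return compare(before, baseline(root))
```

Calling demo() returns one entry per changed path; the app.conf entry reads "metadata:mode", showing a change a hash-only check would have missed entirely.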
5. Multi-Level Logging and Simplified Reporting
Old school FIM solutions typically run on each individual machine. Modern FIM tools like CimTrak provide an integrated view of all changes throughout the network. This allows you to manage all of the servers in a single view.
Another thing to look for in an FIM solution is high-level reporting of rolled-up information. Ideally, your FIM tool should have a sophisticated dashboard that lets you examine the state of your infrastructure at a high level and then drill down through large volumes of change data to reach actionable information.
6. Simplified Rule Configuration
Your FIM solution should have a method to easily define monitoring rules for a server or device. In addition, there should be a mechanism to replicate those rules to many devices across your infrastructure.
7. Real-Time Monitoring
This feature safeguards the integrity of your IT infrastructure by checking configurations in real time against your internal standards or external policies for compliance and security best practices, flagging misconfigurations as they occur.
As revealed in Verizon's 2015 Data Breach Investigations Report, exfiltration can begin within minutes to hours during a breach. This provides an extremely narrow window during which you can detect and stop the threat. Real-time monitoring is a feature that can make or break your organization's continuity of operations.
Get All These Features with CimTrak
By working with CimTrak, your organization will have the same set of tools and processes to help safeguard your IT infrastructure against today’s ever-evolving digital threats.
Learn more by downloading our definitive guide to file integrity monitoring today.
April 28, 2016