When used properly, file integrity monitoring (FIM) is a crucial tool in preventing the compromise of sensitive information, such as cardholder data.
While it’s clear using a file integrity monitoring solution is a must for organizations big and small, we've noticed several important concepts are often improperly implemented, misunderstood, or neglected altogether.
This post highlights best practices for efficiently deploying and configuring your file integrity monitoring solution. Practicing these concepts can mean the difference between the useful deployment of FIM and being caught off guard with compromised data.
The Critical Role of FIM in Your Organization
Before diving into best practices, let’s look at what a FIM does for your organization.
File integrity monitoring solutions protect critical systems and data by:
- Detecting changes in files associated with applications, databases, routers, servers, and other devices in your IT infrastructure
- Capturing the details of each change
- Interpreting the details and identifying if the change is a security risk or not
- Alerting you of the changes and immediately remediating issues caused by an improper change
FIM tools are ideal for monitoring various files, such as configuration files, directory permissions, and executables, in real-time.
7 File Integrity Monitoring Best Practices You Should Be Doing Now
Now that you understand FIM and why it’s needed in organizations today, here are the essential steps and concepts to make your FIM solution truly work for you.
1. Consider file integrity monitoring as part of the big picture.
At a basic level, FIM verifies that important system files and configuration files have not changed. It ensures the files’ integrity remains intact. However, keep in mind that no single tool or application can be relied on to provide data protection and security.
We recommend you establish multiple ways of detecting and alerting your team of unauthorized, suspicious changes. When other defenses and proper documentation are in place to help protect your IT assets, FIM adds yet another layer for an attacker to penetrate. It’s best practice to keep those layers as complex and impenetrable as possible.
2. Plan for deployment down to the tiniest detail.
Careful planning is crucial before deploying FIM to ensure effective monitoring and protection. To aid you in the planning process, answer the following:
- How many assets or files should be monitored?
- Do you have a clear picture of how your existing infrastructure is organized?
- What elements of the systems will need to be monitored?
- What operating systems and versions need to be monitored?
- Who will manage and administer the system?
3. Set up servers by function or geographical location.
Grouping servers by function or location allows you to apply the same set of internal and external security policies without going all over the place. It is not uncommon to monitor files and assets across different networks.
At Cimcor, we recommend you adopt a practical labeling strategy to identify the type of servers in each group based on their geographical location. Take "US-WEST2-Web-Servers" as an example.
On the other hand, if the servers involve similarly configured web servers yet with different applications running on top of them, consider adding an application identifier to the server group name. This will help clarify which policies should be applied to each group. "US-West2-Web-Servers-Signup" and "US-West2-Web-Servers-Messaging" are good examples.
It is easier to establish baselines and apply the “golden policy” if the configuration settings in a group are clones of each other.
4. Be as specific as you can when creating file integrity policies.
By narrowing down your file and directory targets when creating policies, your FIM becomes more efficient in detecting changes. This is particularly useful if you’re concerned about the state of just a few files within the directory.
When selecting your file and directory targets, we do not recommend targeting directories and files that you know will change dynamically over time. These include uploads, temporary directories, and log files.
5. Assess, deploy, and actively manage baselines.
Each unique server in your network requires a file integrity baseline that describes the configuration's standard secure state in comparison to a given file integrity policy. Think of it as verifying your existing files and directories against a known good.
While creating baselines before deployment of your file integrity monitoring is ideal, it is not always practical.
If you’re still uncertain of the accuracy of a file’s “state of good” to be monitored, take steps to give this file all the protection it can get. This is important because if you happen to install FIM on a file that is already compromised and create your baseline out of this compromised file, your FIM becomes a useless tool.
6. Take logs seriously (and archive them)!
One of the most important aspects of setting up your FIM tool is to ensure critical log messages are received, detected, communicated to the appropriate administrator, and properly archived.
It is recommended that you use a file integrity monitoring solution that tracks the overall state of the file, as well as the solution's output. CimTrak, for example, collects and retains logs on all system changes and stores them securely in the CimTrak database to protect them from unauthorized modification. It also allows you to limit viewing to only authorized individuals.
The more information you can collect and archive, the more likely you'll be able to retrace your steps and reconstruct events that occurred in case of a compromise.
7. Use file data for forensics and not just for change alerting.
Forensics is the key to understanding the depth of a breach. If a hacker breaks into your infrastructure, you should go beyond understanding the existing state of the network and also have a clearer picture of what it looked like minutes before the attack.
If you have good forensic information on your end, you can dramatically reduce the cost of clean-up following a compromise and answer the following critical questions with clarity:
- What happened?
- How badly were the files exposed?
- How can I stop it from happening again?
The Bottom Line
In summary, file integrity monitoring best practices involve a sharp sense of situational awareness, building and maintaining an accurate baseline, and paying special attention to the tiniest details.
Are you implementing file integrity monitoring best practices? Or are you more likely to get caught sleeping? Download our Definitive Guide to File Integrity Monitoring to learn more today.
