When understood and employed correctly, file integrity monitoring (FIM) is a critical tool against the compromise of sensitive information, such as cardholder data.
While it’s clear using a file integrity monitoring solution is a must for organizations big and small, we've noticed several important concepts are often improperly implemented, misunderstood, or neglected altogether.
This blog post highlights best practices to efficiently deploy and configure your file integrity monitoring solution. Putting these concepts into practice can mean the difference between a useful deployment of FIM and being caught off guard with compromised data.
The Critical Role of FIM in Your Organization
Before we dive into best practices, let’s take a look at what FIM does for your organization.
File integrity monitoring solutions protect critical systems and data by:
- Detecting changes in files associated with applications, databases, routers, servers, and other devices in your IT infrastructure
- Capturing the details of each change
- Interpreting the details and identifying if the change is a security risk or not
- Alerting you to the changes and immediately remediating issues caused by an improper change
Monitored files range from configuration files to directory permissions to executables. Ideally, all of the above should happen in real time.
7 File Integrity Monitoring Best Practices You Should Be Doing Now
Now that you have a grasp of what FIM is about and why it’s needed in organizations today, here are the important steps and concepts to make your FIM solution truly work for you.
1. Consider file integrity monitoring as part of the big picture.
At a basic level, FIM verifies that important system files and configuration files have not changed. Put simply, it ensures the files’ integrity remains intact. However, keep in mind that no single tool or application can be relied on by itself to provide data protection and security.
We recommend you establish more than one way of detecting and alerting your team of unauthorized, suspicious changes. When other defenses and proper documentation are in place to help protect your IT assets, FIM serves to add yet another layer for an attacker to penetrate. It’s best practice to keep those layers as complex and impenetrable as possible.
2. Plan for deployment down to the tiniest detail.
Careful planning before deploying FIM cannot be emphasized enough to ensure top-notch monitoring and protection. To aid you in the planning process, answer the following:
- How many assets or files should be monitored?
- Do you have a clear picture of how your existing infrastructure is organized?
- What elements of the systems will need to be monitored?
- What operating systems and versions need to be monitored?
- Who will manage and administer the system?
3. Set up servers by function or geographical location.
Grouping servers by function or location allows you to apply the same set of internal and external security policies without going all over the place. It is not uncommon to monitor files and assets across different networks.
At CimTrak, we recommend you adopt a practical labeling strategy to identify the type of servers in each group based on where they are geographically located. Take "US-WEST2-Web-Servers" as an example.
On the other hand, if the servers involve similarly configured web servers yet with different applications running on top of them, consider adding an application identifier to the server group name. This will help clarify which policies should be applied to each group. "US-West2-Web-Servers-Signup" and "US-West2-Web-Servers-Messaging" are good examples.
It is easier to establish baselines and apply the “golden policy” if the configuration settings in a group are clones of each other.
4. Be as specific as you can when creating file integrity policies.
By narrowing down your file and directory targets when creating policies, your FIM becomes more efficient in detecting changes. This is particularly useful if you’re concerned about the state of just a few files within the directory.
When selecting your file and directory targets, we do not recommend targeting directories and files you know will change dynamically over time. These include uploads and temporary directories as well as log files.
5. Assess, deploy, and actively manage baselines.
Each unique server in your network requires a file integrity baseline that describes the configuration's standard secure state in comparison to a given file integrity policy. Think of it as verifying your existing files and directories against a known good.
While creating baselines before deployment of your file integrity monitoring is ideal, it is not always practical.
If you’re still uncertain of the accuracy of the “state of good” of a file to be monitored, take steps to give this file all the protection it can get. This is important because if you deploy FIM over a file that is already compromised and create your baseline from this compromised file, your FIM becomes a useless tool.
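Practices 4 and 5 fit together as a narrow policy plus a baseline comparison. The sketch below is an added example, not CimTrak code or part of the original post; the policy layout, target paths and exclusion patterns are hypothetical.

```python
import fnmatch, hashlib, os, stat

# Hypothetical policy: explicit targets only, with content that changes
# dynamically (logs, temp and upload directories) excluded, as in practice 4.
POLICY = {
    "targets": ["etc", "bin/app"],
    "exclude": ["*.log", "*/tmp/*", "*/uploads/*"],
}

def _excluded(rel, patterns):
    return any(fnmatch.fnmatch(rel, p) for p in patterns)

def _record(path):
    """Hash the content and capture the permission bits of one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode)}

def snapshot(root, policy=POLICY):
    """Return {relative_path: record} for every file the policy selects."""
    snap = {}
    for target in policy["targets"]:
        top = os.path.join(root, target)
        if os.path.isfile(top):
            files = [top]
        else:
            files = [os.path.join(d, n) for d, _, names in os.walk(top) for n in names]
        for path in files:
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if not _excluded(rel, policy["exclude"]):
                snap[rel] = _record(path)
    return snap

def compare(baseline, current):
    """Classify every difference between the baseline and the current state."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            changes.append((rel, "added"))
        elif new is None:
            changes.append((rel, "removed"))
        elif old["sha256"] != new["sha256"]:
            changes.append((rel, "content"))
        elif old["mode"] != new["mode"]:
            changes.append((rel, "permissions"))
    return changes
```

Call snapshot() once on a state you have verified as good and keep the result as the baseline, because compare() trusts whatever that snapshot recorded.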
6. Take logs seriously (and archive them)!
One of the most important aspects of initially setting up FIM is to ensure critical log messages are received, detected, communicated to the appropriate administrator, and properly archived.
Using a file integrity monitoring solution that keeps tabs on the overall state of the file is recommended. It is also important to use the same application to monitor the output of the file integrity application. Take CimTrak, for example. It collects and retains logs on all system changes and it stores these logs securely in the CimTrak database to protect them from unauthorized modification. It also allows you to limit viewing to only authorized individuals.
The more information you can collect and archive, the more likely you'll be able to retrace your steps and reconstruct events that occurred in case of a compromise.
7. Use file data for forensics and not just for change alerting.
Forensics is the key to understanding the depth of a breach. If a hacker breaks into your infrastructure, you should not only understand the existing state of the network but also have a clearer picture of what it looked like minutes before the attack.
If you have good forensic information on your end, you can dramatically reduce the cost of clean-up following a compromise and answer the following critical questions with clarity:
- What happened?
- How badly were the files exposed?
- How can I stop it from happening again?
The Bottom Line
In summary, file integrity monitoring best practices involve a sharp sense of situational awareness (what's the current state), building and maintaining an accurate baseline, and paying special attention down to the tiniest details.
Are you implementing the aforementioned file integrity monitoring best practices? Or are you more likely to get caught sleeping? Download our definitive guide to file integrity monitoring to learn more today.
April 26, 2016