File Integrity Monitoring (FIM) has been in practice for the better part of two and a half decades and is often associated with compliance and audits. Its use cases and value add are broad and, if implemented correctly, benefit Dev, Sec, and Ops (DevSecOps) alike. Prior to 2000, IT compliance mandates traditionally applied to organizations that dealt with the government, with a focus on regulatory and legal requirements. Security frameworks and best practices did exist, such as Statement on Auditing Standards No. 70 (SAS 70) and the general guidelines and recommendations of the National Institute of Standards and Technology (NIST), but they touched only very lightly on FIM requirements.
FIM tools emerged after the year 2000, when compliance mandates moved to the forefront: the government signed the Sarbanes-Oxley Act (SOX) into federal law in 2002, establishing broad IT auditing and financial regulations for public companies. This was followed shortly by the financial industry rolling out PCI DSS v1 in late 2003, mandating that all businesses that store, process, or transmit payment cardholder data must be compliant.
However, the title “File Integrity Monitoring” is somewhat of an oxymoron and contradicts itself by the very use of the word “integrity”. FIM, by definition, is simply the detection of change from a baseline. There is no “integrity” in the detection of change; it just tells you that something changed from an expected state (file addition/modification/deletion). Detecting change against a baseline should be the instigator or trigger that kicks off a process to determine whether that observed change was wanted/unwanted, known/unknown, expected/unexpected, etc. Furthermore, because original FIM tools could not discriminate good changes from bad changes, they were often associated with being noisy (change noise), extremely hard to manage, and unable to scale to a large enterprise environment. Soon after, FIM tools became synonymous with "shelfware": they were too complex and noisy, too cumbersome to operate, and produced a lot of false positives. This was mainly because, as an industry, we were indoctrinated to manage security from a state of bad rather than from one that is known and trusted.
This is where Next-Gen FIM flips the model around: it looks at the problem as knowing everything that is good and then managing everything else by exception. The analogy is that Next-Gen FIM is equivalent to the white blood cells in the human body. White blood cells continuously flow through our bloodstream to fight viruses, bacteria, and other foreign invaders that threaten our health. They know and understand what is good, and they identify and attack anything unknown and unwanted. They are the baseline of our health. By managing from a state of good or trust, we are able to identify unknown and unwanted changes, in the form of circumvented and malicious changes, in real time, which positively impacts an IT organization’s ability to identify zero-day malware attacks, all the while providing the necessary evidence that proper integrity controls not only exist but are operating as expected.
FIM – Fact vs Fiction: True/False Questionnaire
How well do you know these File Integrity Monitoring facts?
T/F - “Detecting change will give my systems and devices integrity.”
Answer:
❌FALSE – Traditional FIM tools only tell you if a change has been made, not if that change comes with a high or low degree of integrity.
✅TRUE – Next-Gen FIM provides the necessary information to determine and attest if your systems and devices are suspect to integrity drift from a known and trusted state of operation.
T/F - “All FIM tools detect a change in real-time.”
Answer:
❌FALSE – Traditional FIM tools operate in near real-time, which drastically impacts processor utilization. There is only one Next-Gen FIM tool that operates in real-time, and its vendor owns the patent (see the Summary - CimTrak section below).
T/F - “FIM tools are noisy.”
Answer:
✅TRUE – Traditional FIM tools generate alerts on everything that changes from a baseline and have neither the methodology nor the inherent process to suppress good noise in order to highlight the bad.
❌FALSE – Next-Gen FIM has the unique ability to suppress known and authorized changes (available for auditing purposes, though), which then highlights unknown and unexpected changes that are either classified as circumvented or malicious. Either way, they are unwanted.
T/F - “FIM tools cannot scale and manage to enterprise levels.”
Answer:
✅TRUE – Traditional FIM tools are not able to scale to, or manage, the needs and requirements of a typical medium or large enterprise.
❌FALSE – Next-Gen FIM tools are currently installed and operating in environments that well exceed 100k servers/devices without any management or processor utilization issues/concerns.
T/F - “You can roll back from unexpected changes with in-product capability.”
Answer:
❌FALSE – Traditional FIM tools require integration with provisioning products to enable this feature.
✅TRUE – Next-Gen FIM tools securely store the files, and the attributes associated with those files, that make up a baseline, in the event there is a requirement to roll back to any previously known and trusted baseline.
T/F - “Rolling back to a FIM baseline is all accomplished the same way.”
Answer:
❌FALSE – Traditional FIM tools require integration with 3rd party tools to completely reprovision an image, whereas Next-Gen FIM simply adds back the files that were deleted, deletes the files that were added, and restores any changes that were made to existing files.
T/F - “30% on average of all compliance and best practice controls are ‘integrity controls.’”
Answer:
❌FALSE – Traditional FIM tools will meet the general requirements of configuration management domains, categories, or families of functionality.
✅TRUE – Next-Gen FIM (as determined below) crosswalks on average with 30% of all major compliance and best practice frameworks. Meeting a crosswalk control is determined if a product provides a control, automated scan, or enables a process, procedure, or policy to assist with the evidence collection to meet the objective of a defined domain, category, control, standard, component, or assessment factor.
T/F - “Integrity is one of the three core requirements of a security strategy.”
Answer:
✅TRUE – The SANS CIA Triad is a model that gives guidance on the three core principles of establishing an information security foundation: confidentiality, integrity, and availability.
T/F - “Next-Gen FIM is a core and fundamental component of DevSecOps.”
Answer:
✅TRUE – Integrity is not a vertical silo product or service. It positively impacts development, security, and operations across multiple disciplines and control categories.
- Development – When there is a vulnerability in the supply chain, bad actors will leverage that opportunity to do one of two things: 1) snoop around and try to exfiltrate data/information, or 2) disrupt business continuity or alter the risk and security posture by adding, modifying, or deleting files (this includes delivering ransomware, changing configuration and port settings, adding unauthorized users, etc.). Next-Gen FIM tools are a leading indicator that vulnerabilities exist in your infrastructure.
- Security – The IP Process Institute has determined that 91% of all security breaches could be auto-detected if three Next-Gen integrity controls were in place (change, configuration, and release management). Similarly, 36% of Implementation Group 1 (IG1) of the Center for Internet Security (CIS) Controls are Next-Gen FIM controls.
- Operations – When a problem occurs in operations, the first question becomes “What changed?”, followed shortly by “How can we remediate or recover from the problem?” Best practice frameworks like ITIL clearly call out Next-Gen FIM controls and FIM monitoring.
What IS Next-Gen FIM?
Next-Gen FIM is built on the premise that security isn’t a product; it’s a process. The process is initiated by detecting a change and determining if that change was good or bad by understanding if the change was authorized and expected. Next-Gen FIM includes nine controls assembled into a workflow and ticketing process to create a closed-loop process for integrity management. As previously referenced in the CIA Triad - Defining Integrity, those controls and processes include:
- System Hardening
- Configuration Management
- Change Control
- Change Reconciliation
- Change Prevention
- Roll-back and Remediation
- File Allowlisting
- File Reputation Services
- Digesting STIX/TAXII Feeds
- Workflow and Ticketing System
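As an added illustration (not CimTrak's or this page's own code), the following constructed Python sketch shows the mechanics behind three of the controls above: change detection against a baseline (the "detection of change from a baseline" described earlier), change reconciliation that suppresses ticketed, authorized changes so only unexpected ones surface, and the in-place roll-back that re-adds deleted files, removes added files, and restores modified ones. The paths, file contents, and the change ticket are constructed sample data, not real hosts or tickets.

```python
import hashlib
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
# Constructed trusted baseline (path -> content); keeping the content, not just
# its digest, is what lets an unexpected change be rolled back in place.
BASELINE = {
    "/etc/ssh/sshd_config": b"Port 22\nPermitRootLogin no\n",
    "/opt/app/app.bin": b"\x7fELF-release-1.4",
}
# Constructed current state: app.bin updated under a ticket, sshd_config
# altered and an unknown script added with no ticket.
CURRENT = {
    "/etc/ssh/sshd_config": b"Port 22\nPermitRootLogin yes\n",
    "/opt/app/app.bin": b"\x7fELF-release-1.5",
    "/tmp/unexpected.sh": b"#!/bin/sh\n",
}
# Constructed change ticket: path -> digest the change must produce (None = deletion).
AUTHORIZED = {"/opt/app/app.bin": sha256(b"\x7fELF-release-1.5")}

def detect_changes(baseline, current):
    """Plain FIM: classify every drift from the baseline as added/modified/deleted."""
    changes = {}
    for path in baseline.keys() | current.keys():
        if path not in current:
            changes[path] = "deleted"
        elif path not in baseline:
            changes[path] = "added"
        elif sha256(baseline[path]) != sha256(current[path]):
            changes[path] = "modified"
    return changes

def reconcile(changes, current, authorized):
    """Change reconciliation: expected only if a ticket authorizes exactly this result."""
    expected, unexpected = {}, {}
    for path, kind in changes.items():
        result = None if kind == "deleted" else sha256(current[path])
        if path in authorized and authorized[path] == result:
            expected[path] = kind
        else:
            unexpected[path] = kind
    return expected, unexpected

def rollback(baseline, current, unexpected):
    """Undo only unexpected drift: drop added files, restore deleted/modified ones."""
    restored = dict(current)
    for path, kind in unexpected.items():
        if kind == "added":
            del restored[path]
        else:
            restored[path] = baseline[path]
    return restored
```

After roll-back, only the ticketed app.bin update remains as drift from the baseline, which is exactly the noise-suppression behaviour the questionnaire attributes to Next-Gen FIM.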
By implementing Next-Gen FIM, organizations can recognize the immediate benefits of:
- Detecting security breaches/incidents in a matter of seconds as opposed to the industry average of 207 days.
- Containing security breaches/incidents in a matter of seconds as opposed to the industry average of 70 days.
- Early indication that there is a software supply chain security issue based on unauthorized changes occurring.
- Integrity functionality is the ONLY way to prevent and identify ransomware payloads from being added and executed.
- Detection of zero-day breaches.
- Continuous compliance via the capture of integrity evidence, demonstrating controls are not only in place but operating as expected.
Summary - CimTrak
Next-Gen FIM is terribly misunderstood when it comes to the actual value it can deliver to an enterprise in all three facets of DevSecOps. Cimcor’s CimTrak Integrity Suite consists of products and services that deliver a comprehensive set of functionalities that can only be described as Next-Gen FIM. It is not just a FIM monitoring tool, but a comprehensive tool that detects, protects against, responds to, and recovers from both malicious and circumvented activities in which system/device attributes and files have been added, modified, or deleted.
To learn more about CimTrak and how CimTrak’s file integrity monitoring with system integrity assurance can help, download The Definitive Guide to File Integrity Monitoring today.
May 2, 2023