File Integrity Monitoring vs. File Activity Monitoring: Which is Best?
2016 was a tumultuous year for information security.
Symantec's 2016 Internet Security Threat Report revealed some shocking stats about criminal activity, including:
- A new zero-day vulnerability is discovered every week
- Security vulnerabilities are found in 75% of websites
- Ransomware increased 35%
- Spear-phishing campaigns targeting employees increased 55%
Network monitoring software can be among the most effective tools for discovering when criminals have gained entry to your company's network, even when they try to avoid detection.
File Integrity Monitoring vs. File Activity Monitoring
While the types and volume of security incidents have increased significantly in the past year, many hackers have certain behavioral patterns in common. This can often involve the modification, replacement, or addition of critical system files to guarantee access to the network for a long enough period of time to steal data, sometimes repeatedly over a period of months.
If you are wondering whether file activity monitoring or file integrity monitoring will offer your company the best network oversight and protection from criminal activity, stay tuned. In this post, you'll learn about the difference between file integrity monitoring (FIM) and file activity monitoring (FAM), and how to tell which technical safeguards you need to protect your organization.
What is File Activity Monitoring?
File activity monitoring is a technical tool to monitor sensitive data on servers and create rules-based administration about data access.
While options can vary, FAM typically offers the following features:
- File discovery: Identification of files, existing file permissions, and/or metadata. Depending on the sophistication of your solution and your needs, you may be able to configure your FAM tool to identify files with sensitive data.
- Classification: FAM can be configured to identify at-risk sensitive data such as credit card information, social security numbers, or other forms of PII or HIPAA-protected ePHI.
- Ongoing Monitoring: FAM can send alerts when audit information indicates PII is at risk, allowing you to block users or connections.
FAM is largely based on a "crawler" that creates a periodic or continual inventory of your critical system files and files that contain sensitive info. The data from these technical surveys is compared against rules you have set in the administration center around information that is considered sensitive or "normal" access patterns. If there are discrepancies in your rules and access permissions/patterns, your FAM tool will generate alerts.
What is File Integrity Monitoring?
File integrity monitoring is a broader category of technology than FAM.
Generally, FIM is defined as a tool to validate the integrity of your files, applications, and operating systems. Some FIM tools use hashes to validate the state of monitored factors against a known baseline. While some FIM operate in real time, others create "polling" at specified intervals, such as once a week.
Depending on the scope of your FIM, you may be able to continually verify the integrity of the following factors:
- Critical system files
- Network Devices
- Active Directory/LDAP
- Point-of-Sale Systems (POS)
While the following also depends on the scope of your solution and configuration decisions, you may be able to access intelligence on the following network factors:
- User credentials
- Access permissions and security settings
- File content
- File attributes and size
- Configuration values
- Regulatory compliance
File integrity monitoring tools can vary wildly, from lightweight open-source solutions that meet the bare minimum of PCI-DSS requirements to real-time tools for total network oversight that also enable full change remediation.
To learn more about the variation within the field of FIM and your options, we recommend the following assets:
- How Does File Integrity Monitoring Work?
- Agent vs. Agentless File Integrity Monitoring: Which is Best?
- Is Open Source File Integrity Monitoring Too Risky?
Is File Integrity Monitoring or Activity Monitoring Right for Me?
Ultimately, it's almost never a matter of FIM vs. FAM for organizations. File integrity monitoring and File activity monitoring offer different features and purposes. While there can be some overlap between the two technologies, for the most part, they are very different.
Understanding the difference between these two technologies on a feature-by-feature basis can help you make a more informed decision:
|Feature||File Activity Monitoring||File Integrity Monitoring*|
|Complete Infrastructure Monitoring||No||Yes|
|File Change Monitoring||Yes||Yes|
|File Access Monitoring||Yes||Yes|
|File Permission Changes||Yes||Yes|
|File Content Changes||Yes||Yes|
|Access Permission Risks||Yes||No|
|Stale Data Detection||Yes||No|
*FIM feature set based on best-of-class technology
Both FIM and FAM work to create accountability and oversight around data security. However, the roles they play are significantly different. Best-of-class file integrity monitoring is a tool for total change intelligence, allowing you to understand when changes occur to an endpoint or infrastructure element (such as point-of-sale system or server). In Cimtrak's case, this includes change logging, the storing of incremental baselines, and the ability to deny access from an endpoint since it runs as a system-based account.
In contrast, file activity monitoring is focused solely on data and users. It can enable administrators to identify data for archiving and improve the quality of policy-based administration by approaching access as "objects." This can allow you to identify excessive permission risks.
There are some areas of minor overlap between the two technologies. FIM and FAM can enable security professionals to understand changes to critical system files and monitor access patterns. However, they are ultimately both important, but very different, tools for data security.
CimTrak + FAM = Data Security
Today's security professionals need total intelligence to manage complex networks. Implementing CimTrak enables you to meet and exceed PCI or other regulatory requirements around file integrity monitoring by providing intelligence at the level of the endpoint. FAM can significantly simplify complex issues of access governance and allow you to understand how your users interact with data, identify at-risk assets, and understand other access patterns. Utilizing both CimTrak and FAM can help you create a more secure system and allow you to more quickly identify negative changes.
To learn more about CimTrak, click here to request a complimentary demo.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".