File integrity monitoring software is among the most critical PCI-DSS compliance requirements for the health of a security program. As complex configurations and networks change, it's possible to become non-compliant with PCI standards in a matter of minutes.
Your organization's network is dynamic, which is why organizations today need solutions that work in real time to measure and eliminate security risks. However, before you invest in compliance and protection, it's important to understand the basics of what file integrity monitoring is and how it works.
File Integrity Monitoring
Among paid solutions on the market, there can be subtle and significant differences in solution architecture and benefits. This blog focuses on taking an in-depth look at agent-based FIM. Agentless and open source options may offer significantly simpler benefits and architecture. For more information on the different categories of FIM solutions, we recommend Agent vs. Agentless File Integrity Monitoring: Which is Best?
What Does a File Integrity Monitoring Tool Do?
Before we take a deep dive into the backend of FIM, we'll briefly address what a high-end FIM solution provides to end users, who are typically security professionals. By focusing on the benefits of file integrity monitoring, we'll examine the role it can play in your organization and how it can affect your security objectives.
- IT Environment Monitoring: Depending on your FIM solution, you gain the ability to either monitor files or the entirety of your IT environment. This may include the state of your:
- Network devices,
- Critical workstations,
- Point of sale systems,
- Hypervisor configuration, and
- Active Directory.
- Real-Time Notification: Through a centralized management portal, you can receive real-time alerts of changes to your monitored environment elements and critical system files.
- Total Change Management: While many agent-based FIMs do not offer this capability, CimTrak is unique in its ability to support total change management directly from the FIM management portal. This gives admin users the ability to remediate and prevent changes in real-time.
- Change Documentation and Logging: FIM provides in-depth logs of all changes, including positive changes. This supports the daily audit of logs and internal reporting. It can also provide sufficient documentation in case of forensic investigation or other situations where you need to access historical records.
- Differentiate Changes: CimTrak is the only file integrity monitoring tool that has a built-in ticketing system, which provides for an automated change workflow. This allows users to greatly reduce "noise".
Benefits of File Integrity Monitoring:
- Total Oversight of Your IT Environment
- Faster incident response times,
- More effective change remediation,
- Real-time, continuous monitoring, and
- Regulatory compliance.
How File Integrity Monitoring Works
FIM works by detecting changes to files and configurations. When you initially install FIM, it creates a baseline to determine your status quo, which is stored in a database as cryptographic hashes that cannot be edited, deleted, or altered.
An agent-based FIM will compare data on the state of monitored elements against the baseline on a continual basis. Better solutions like CimTrak work at the OS kernel level to detect change the second it occurs without continuously scanning files. This makes the CimTrak agent very lightweight, which means it operates on a system transparently in the background.
If a difference is detected between the state and baseline, this is registered as a change and an alert can be generated. If your FIM has advanced situational intelligence, your alert will also include human-readable insight on the specifics of changes.
Three Primary Components of FIM:
- A Database: This database stores information on the original state of your files and configurations as cryptographic hashes.
- Agents: These technical components measure your hardware and applications and send data back to your database for comparison.
- User Interface: This is the interface for administrative users, which serves as the centralized portal for reporting, evaluation, change monitoring, and change control.
Other Elements of File Integrity Monitoring Tools
If your organization chooses to divide security responsibilities among multiple personnel, you may be able to create customized dashboards and access permissions in the management console, to provide up-to-date information on the area of your network or environment, for every individual's area of responsibility.
Integration with Complimentary Tools
Some FIMs can be integrated directly, working with tools such as Security Information and Event Managers (SIEM). This can combine reporting by providing up-to-date log information directly to your SIEM solution for visualization and analysis.
File integrity monitoring allows your organization to step beyond safeguards and respond to risks in real-time. By understanding the full scope of the benefits and potential of this technology, information security professionals have the opportunity to look beyond file integrity monitoring as an item on a PCI checklist and implement organization-wide protection.
June 14, 2016