How Does File Integrity Monitoring Work?

File integrity monitoring (FIM) software is among the most critical elements for PCI-DSS and several other compliance mandates. As changes occur to critical systems and devices, it's possible to become non-compliant with PCI standards in seconds.

Your organization's network is dynamic, which is why organizations today need solutions that work in real-time to measure compliance and eliminate security risks. However, before you embark on your compliance journey, it's important to understand the basics of file integrity monitoring and how it works.

File Integrity Monitoring

Among the enterprise solutions on the market, there are subtle, significant differences in features and functionality. This blog focuses on taking an in-depth look at agent-based FIM. Agentless and open-source options may offer similar marketing rhetoric and use of value propositions but lack the advantages and ability to quantify an acceptable total cost of ownership. It’s like getting a puppy for "free". The initial purchase may be no-cost, but what about the ongoing expenses of bedding, toys, food, veterinary bills, etc…

For more information on the different categories of FIM solutions, we recommend: Agent vs. Agentless File Integrity Monitoring: Which is Best?

What Does a File Integrity Monitoring Tool Do?

Before we take a deep dive into the backend of FIM, we'll briefly address what an enterprise FIM solution provides to end users, who are typically security professionals. By focusing on the benefits of file integrity monitoring, we'll examine the role it can play in your organization and how it can positively affect your security objectives.

• IT Environment Monitoring: Depending on your FIM product or service, you should gain the ability to monitor files, users, groups, and even the entirety of your IT environment. This may include the state of your:
  
  • Servers,
  • Network devices,
  • Critical workstations,
  • Cloud environment,
  • Point of sale systems,
  • Port settings,
  • Databases,
  • VMware,
  • Hypervisor/ESXI, and
  • Active Directories/LDAP

• Real-Time Notification: Through a centralized management portal, you should receive real-time alerts of changes made on critical systems and devices across your entire IT environment.
• Total Change Management: While most agent-based FIMs do not offer this capability, CimTrak is unique in its ability to support total change management directly from the FIM management portal giving admin users the ability to prevent changes entirely and/or remediate and roll-back to any number of established and trusted baselines.
• Change Documentation and Logging: Enterprise FIM provides in-depth logs of all changes, including expected and authorized changes. This supports the daily audit of logs and internal reporting. It can also provide sufficient documentation in case of forensic investigation or other situations where you need to access historical records.
• Differentiate Changes: CimTrak is the only file integrity monitoring tool that has a built-in workflow and ticketing system, which provides for an automated change reconciliation process. This provides users with the ability to identify unknown, unwanted, and unauthorized changes in real-time resulting from either a circumvented process or malicious change.

Benefits of File Integrity Monitoring:

• Mitigate the risk of integrity drift
• Detect Zero-Day breaches
• Reduce security analysis and operational costs
• Remediate unwanted and unauthorized changes in seconds
• Achieve continuous compliance with 25%, on average, of all IT compliance mandates.

How File Integrity Monitoring Works

FIM works by detecting changes to files, configurations, and settings. When you initially install FIM, it creates a baseline to determine your trusted point of reference. That baseline uses cryptographic hashes that are essentially unique fingerprints. When a hash changes, it can be determined that the original files being monitored have been altered in some way.

More robust enterprise solutions like CimTrak work at the OS kernel level to detect change in real-time. In contrast, open-source, agentless, or older FIM tools rely upon continuously scanning for change. This difference makes the CimTrak agent very lightweight with minimal impact on processor utilization.

If a difference is detected between the state and baseline, this is registered as a change and an alert can be generated or a workflow process can be kicked off to determine if the change was good or bad. If your FIM has advanced situational intelligence, your alert will also include human-readable insight on the specifics of changes.

Three Primary Components of FIM:

• A Database: This database stores information on the original state of your files and configurations as cryptographic hashes. Advanced FIM solutions also store the original file(s) in the event of initiating a roll-back to restore to a previous baseline of operation.
• Agents: These technical components measure the state of systems and devices for change and upload that information to the database for comparison and analysis.
• User Interface: Typically a centralized web portal is utilized by administrative users as the hub for change management, change control analysis, reporting/alerting, and remediation.

Other Elements of File Integrity Monitoring Tools

Dashboards

If your organization chooses to divide security responsibilities among multiple personnel, you may be able to create customized dashboards and access permissions in the management console, to provide up-to-date information on the area of your network or environment, for every individual's area of responsibility. Enterprise FIM tools should enable multi-tenancy capability.

Integration with Complimentary Tools

Enterprise FIMs can be integrated directly, working with Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and IT Service Management tools. These integrations provide a multitude of functionality and automation to meet the business objectives of continuous integrity, trust, and resiliency for both operations and security teams alike.

Next-Gen FIM

Next-Gen file integrity monitoring allows your organization to utilize and incorporate a plethora of other integrity controls to drive unprecedented security results and statistics. By understanding the full scope, benefits, and potential of this new advanced technology, information security professionals can understand and be alerted to more than just determining when a file has changed (as highlighted on a PCI checklist or other similar compliance requirements). 

Click here to learn more about how CimTrak can benefit your organization with best-of-class change detection, configuration management, change reconciliation, and remediation.