Great security technology is expensive—but not nearly as pricey as the costs of non-compliance or a security breach. Gartner recently predicted that information security spending would become a $81.6 billion dollar industry in 2016.

With the tools already in your security portfolio, the skills of your development team, and a little ingenuity, is it possible to build your own file integrity monitoring (FIM) system from the ground up? If you already have some of the tools, it may save you money, right? Well, not exactly.

For most organizations, the decision to build a file integrity monitoring franken-system is not the path of least resistance. A self-built system may offer some advantages over many open source file integrity monitoring solutions, but any custom software build is a massive undertaking.

However, for the purpose of understanding exactly what goes into the world's most effective file integrity monitoring solutions, join us as we review the necessary components for a secure FIM solution.

What are the Objectives of an FIM Franken-System?

If you're approaching the process from many common software development lifecycle models (SDLC), the first step is to gather requirements and document business requirement, in order to establish success metrics or user stories for your project.

For an agent-based file integrity monitoring system that meets leading specifications and provides advanced security, you may define the objectives as the following:

1. Detect Environment-Wide Changes

Depending on your network, your FIM system will likely need to monitor for changes in critical system files, servers, network devices, databases, active directory, point-of-sale systems (POS), and virtualized environments. In addition, there is the need to support nearly identical behavior of the FIM on multiple operating system.

2. Provide Instant Notification

While you may choose to define success as meeting PCI requirements for weekly scans and scans after any major changes, real-time notifications offer superior situational intelligence.

3. Provide Documentation on Changes

To enable the smartest actions possible, your FIM system should provide documentation on all activities taken place within the network. Optimally, these logs should be an uneditable accountability trail that is human-readable and should provide built-in intelligence on the quality of changes and compliance status.

4. Take Action

In order to maximize the value of your homegrown FIM system, you may choose to design a system that enables full change remediation from the management console.

Elements of a Homegrown File Integrity Monitoring System

In order to achieve the goals of your file integrity monitoring franken-system, what is needed? Using existing or homegrown systems, here's a basic overview of what you'll need to acquire, create or build.

Master Repository

The master repository of your system will act as a centralized, secure storage point for your protected history and log files. While some open source and basic FIM solutions use the master repository as a place to store hashed copies of system scans, more sophisticated solutions will store entire compressed and encrypted copies of critical files in order to enable change remediation in the future.

Technical specifications for this aspect of your franken-system should include (but are not limited to) strong encryption, compression, file isolation, a rollback capability, and complete prevention of administrative overrides to maintain integrity.

Agents and Modules

The agents and modules of your franken-system will be responsible for monitoring your servers, network, and other components of your infrastructure; and for performing real-time communication with the master repository. While the exact actions may vary depending on the type of agent, the minimal functionality will include the hashing of data, identifying other key attributes of the data being monitored, and enforcing rules defined by established FIM policies. Your agents need the technical ability to determine whether changes are allowed based on configuration data and either log, refuse, or reverse changes accordingly.

Management Console

The management console should be a user interface that directly integrates with the master repository. This should act as a web-based application, which allows credential-based access to administrators for remote management and configuration of policies that define how your servers and network devices are monitored.

From the management console, administrators need the ability to access reporting, review logs, respond to alerts, and restore files to a previous state based on data stored in the master repository.

While these details are by no means a comprehensive overview of all of the technical requirements or security best practices for building a file integrity monitoring system, it should provide a high level overview of the scope of work that must be performed.

For additional insight into the components of an effective, agent-based FIM we recommend the following resources:

Is Building a Homegrown File Integrity Monitoring System Right for Me?

With average project costs ranging from the tens of thousands of dollars to hundreds of thousands of dollars, a homegrown file integrity monitoring system is rarely the most cost-effective security solution for organizations. Due to the volume of data, and the binary data that needs to be potentially stored, many standard databases are unable to effectively serve the role of the master repository. The management console should ideally be a web application, and must be created from scratch. Often multiple iterations of the user interface must be developed in order to find the simplest method to perform a task. In addition to the cost of custom application development, the efforts required to integrate your master repository, management console, and agents can be intensive and prohibitive.

If you are concerned about the costs of popular solutions for agent-based file integrity monitoring, CimTrak could be the right option for your budget and needs. A budget-friendly alternative, it offers comprehensive network coverage, real-time alerts, and the unique ability to remediate changes in real time. Learn more today.


Jacqueline von Ogden
Post by Jacqueline von Ogden
October 25, 2016
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".