In the age of advanced persistent threats (APT), distributed denial of service (DDoS), and other raging security risks, file integrity monitoring (FIM) can be a way to detect threats and act quickly. FIM is also required by PCI and NERC-CIP and is a best practice for FISMA, SOX, HIPAA, and GLBA. Many organizations that adopt FIM can benefit from better security and compliance. However, not all tools are the same—or even similar.
Today's security administrators are frustrated by "blind spots," slow security response, and automated collection of risk data, notes eWeek. The right file integrity monitoring software can solve all of these common issues and more.
To avoid app fatigue or software regret, your organization wants to pick the right FIM from the start. But how do you know which will deliver the best reliability and risk mitigation for your money? Join us as we review the most important selection criteria for FIM so you can pick the right tool for your needs.
What Does FIM Offer, and Why Do Businesses Adopt it?
File integrity monitoring can be used to describe a broad range of tools, from simple open-source software that polls your critical files against a baseline to sophisticated threat protection.
Business IT security needs can vary widely. However, if we had to generalize which FIM features offer benefits to virtually everyone, they would be:
- Network-wide oversight and real-time change detection.
- The ability to comply with regulatory requirements.
- The ability to integrate your security suite.
While information security objectives can also vary, most security teams have a goal of risk mitigation, data protection, and compliance. Some of the most common goals that spur IT teams to adopt FIM can include:
- Maintaining a safe network
- Vulnerability management
- Access governance and management
- Improved security response times
- Data asset integrity
If you identify with any of these business requirements or use cases, there's a chance that FIM could benefit your organization. However, the sheer amount of options available can be overwhelming. How do you pick between sophisticated (and often high-cost) products and open-source alternatives without spending too much money or introducing risk?
The 5 Most Important File Integrity Monitoring Characteristics
1. Cost
The cost of file integrity monitoring software can range from free to many thousands of dollars in licensing fees. Ease of use, support, and documentation can all impact affordability.
A "free" product that compromises your security to the point where you suffer a data breach could cost much more than a modestly-priced product with the other features you need. It's also important to consider the widely-variant ease of use within this area and whether you can afford to pay an engineer for implementation or to train your users extensively.
2. Infrastructure-Wide Coverage
The "coverage" of file integrity monitoring software can range from files-only to your entire network and all of your endpoints. An important factor to consider here is the difference between agent-based and agentless file integrity monitoring. While agent-based file integrity monitoring works on the device or endpoint level to detect changes in real-time, agentless monitoring polls files at specific intervals.
For in-depth coverage of the difference, we recommend Agent vs. Agentless File Integrity Monitoring: What's the Difference?
In general, agent-based FIM provides better network coverage. Depending on your endpoints and industry, you may wish to consider a FIM with coverage for point-of-sale systems and other special features.
3. Real-Time Intelligence
Many FIM tools, including most open source and agentless tools, perform polling at periodic intervals. While this is sufficient to meet PCI requirements, you may not learn that your network has been compromised until days after a security incident.
Mitigating the damage to your data assets and locking out cybercriminals before it's too late requires real-time insight into negative changes in your network. Real-time monitoring for real-time response is often one of the most important FIM features.
4. Ease of Use
While lower-cost or free tools can carry a steep learning curve, price doesn't always denote a user-friendly interface or ease of use. Some file integrity monitoring solutions are so complex to use they require professional implementation support and extensive training. Not only is this costly, but it can also compromise your security if your subject matter expert decides to leave their role.
Products with strong ease of use and extensive documentation can enable you to protect your organization, even when your primary product users go on vacation or leave the company.
5. Full Change Remediation
Translating threat intelligence into action is crucial. Your organization needs the ability to act on changes and reverse the compromise of your endpoints or files before it turns into a full-blown security incident. Optimally, your FIM will also have the built-in intelligence to help you distinguish between positive and negative changes. This is by far the rarest feature for FIM tools—and it's crucial.
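As an added illustration (not code from this article or from any product it mentions) of the baseline-and-poll model described earlier and of separating expected from unexpected changes: each polling cycle rehashes the monitored tree, diffs it against the stored baseline, and reports a change as positive only if its path is on an approved-change list. The approved list, file names and contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents: the per-file baseline record."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every file under root: relative path -> (sha256, permission bits)."""
    return {
        p.relative_to(root).as_posix(): (hash_file(p), p.stat().st_mode & 0o777)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict, approved: set) -> dict:
    """One polling cycle: diff two snapshots and classify each change.

    'approved' holds paths whose change was expected (a scheduled config
    update, for instance); those are reported as positive, all others as
    negative and therefore worth an alert and a restore from baseline."""
    report = {"positive": [], "negative": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "deleted"
        elif path not in baseline:
            kind = "added"
        elif baseline[path][0] != current[path][0]:
            kind = "modified"
        elif baseline[path][1] != current[path][1]:
            kind = "mode-changed"
        else:
            continue  # unchanged between polls
        report["positive" if path in approved else "negative"].append((path, kind))
    return report


def demo() -> dict:
    """Constructed scenario: one approved config edit, two unapproved changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original-binary")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        baseline = build_baseline(root)
        # Changes that land between two polls; only sshd_config was scheduled.
        (root / "sshd_config").write_text("PermitRootLogin no\nMaxAuthTries 3\n")
        (root / "bin" / "sshd").write_bytes(b"replaced-binary")
        (root / "unexpected-file").write_text("not in baseline\n")
        return compare(baseline, build_baseline(root), approved={"sshd_config"})
```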
Does Open-Source File Integrity Monitoring Offer Enough Features?
There is an abundance of open-source FIMs, including freemium versions of paid products. Due to the wide variety of open-source options, it's important to evaluate solutions on a per-case basis. In general, the absence of a price tag may indicate that one or more of the following characteristics is missing:
- Full network coverage
- Updated support and documentation
Other factors to consider when evaluating open-source products include:
- Centralized control
- Multi-platform support
- Master-agent configuration mode
- Advanced automation
- Real-time notifications
- Detection of negative changes prior to installation
- Differentiation between positive, neutral, and negative changes
At the time of writing, there were no open-source FIM products that offered full change remediation. While some open-source tools are "smarter" than others, you may compromise your ability to reverse threats or file changes.
Finally, security administrators should understand that a significant number of open-source products may contain inherent risks due to poor encryption or other flaws. In other cases, it is relatively easy to implement products in a way that introduces risk, such as unsecured and unencrypted communications between the product and the master repository for logging changes.
Is open-source FIM wrong for you? Not necessarily. However, it's important to understand inherent and implementation-related risks with any open-source tool and the security advantages you could lose by going this route.
For in-depth coverage of this topic, we recommend Is Open Source File Integrity Monitoring Too Risky?
How to Pick the Objectively Right FIM Software
Research indicates that a structured approach to software selection can yield the best outcomes, regardless of whether you're shopping for FIM or customer relationship management (CRM) tools. Given the expanding threat landscape, a careful approach to FIM selection is very important.
Capgemini Consulting's 2016 Software Selection Guide identifies four factors to consider which relate to the "fit" of both the product and vendor:
- Functional requirements: Features and other functionality.
- Technical requirements: Architecture, security, compliance, and integration factors.
- Vendor characteristics: Market commitment, resources, and support.
- Track record: Standardization, client references, implementation tactics, and implementation support.
FIM features are important for compliance and enterprise security. However, looking beyond the purely functional requirements to understand the product and vendor holistically can yield even better satisfaction.
The Right FIM for You Exists. And You CAN Find it.
By starting your software selection process with a clear understanding of your technical and vendor requirements, you can narrow your choices significantly. Only the best file integrity monitoring software solution will offer all of the features you need to detect and reverse threats—and offer these at a cost your organization can afford.
January 5, 2017