File Integrity Monitoring:
How it works and why you need to implement it

File integrity monitoring (FIM) detects changes to critical files including system, application, and configuration files. Next generation FIM tools can also monitor other closely related items such as the Registry, installed software, and local users and groups.

Organizations choose to implement FIM for a variety of reasons, including securing their systems from threats such as zero-day attacks and complying with various regulations such as PCI-DSS, HIPAA, NERC, and FISMA.

The Definitive Guide to File Integrity Monitoring

Take Control of Change

Change is the nemesis of IT professionals who seek to maintain a stable environment that is secure. Changes to critical files can mean that a breach has occurred or that internal changes to systems are occurring. Finding a change without an advanced FIM tool is practically impossible; the equivalent of finding a needle in a haystack.

In the first case, you want to know as soon as possible so that swift action can be taken, and in the later, as part of your change management process, you will be able to check that changes have occurred and have been implemented correctly.

In many cases, having an audit trail of changes that have occurred is required for various compliance initiatives including PCI-DSS.


What’s Going On Here?

Knowing what changed is only part of the story though. Advanced FIM solutions like CimTrak give you a deeper dive into changes by not only letting you know exactly what changed, but also other forensic details such as:

  • WHO made the change
  • WHEN did the change occur
  • WHAT exactly changed and what process was used

This level of detail is simply not available in most products, but it is critical to have a complete view of changes. Just knowing that a change happened is of little use without understanding the corresponding metadata associated with the change.

Advanced, Real-Time File Integrity Monitoring

CimTrak Provides the Key Information

What Process Was Used

FIM And PCI – What’s the Connection?

PCI-DSS and file integrity monitoring fit together like a hand in a glove. Specifically, sections 10.5.5 and 11.5 require change detection mechanism to be put in place:

PCI-DSS 11.5

“Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configurations files, or content files; and configure the software to perform critical file comparisons at least weekly.”

PCI-DSS 10.5.5

“Use file-integrity monitoring or change detection software on logs to ensure that existing log data cannot be altered without generating alerts …”

Security professionals know that unexpected changes can mean that something bad is happening to your system. With new forms of malware continuously being unleashed, much of it being zero-day, it is critical that you have technology in place to detect such threats.

As these threats are unsignatured, many will find their way through perimeter defenses and attempt to take up residence in your infrastructure. Each day seems to bring news of the latest breach of payment card data. Proactively being alerted to changes can mean the difference between eliminating a threat quickly, or losing your customer’s personal information.

Dispelling the Rumors

File integrity monitoring is often misunderstood by IT professionals as being extremely hard to use, very expensive, and a technology that creates tons of false positives all leading to dissatisfaction or discontinued use – that is if it is even installed in the first place.

Another myth many people believe is that Tripwire® is the only FIM product on the market. Because of this, they suffer through with the extremely high costs and product complexity believing they have no other option available.

Advanced FIM tools such as CimTrak break all of these familiar stereotypes by being very easy to use, budget friendly, and more useable through its proprietary features for eliminating false positives. There’s a reason that organizations such as NASA, Cornell University, and the Chicago Stock Exchange rely on CimTrak to keep their assets secure and compliant!

CimTrak File Integrity Monitoring

So Happy Together!

As more and more firms deploy them, what role FIM plays with regards to Security Information and Event Managers (SIEM) tools is often a question that IT and security personnel ask. The answer is that it is a complementary technology, helping SIEM’s do their job better by receiving system, application, and file change data directly from the file integrity monitoring tool itself.

This allows the SIEM to combine critical change information with other data streams, allowing for enhanced event analysis and correlation. This benefits the enterprise by learning about security events more quickly, and being able to provide better context surrounding those events. What’s more, alerts raised by a SIEM can be traced back to the FIM tool, which can provide all of the forensic data (who, what, when, how) for the event, allowing for quick and simple root-cause analysis.

Not all change detection tools integrate easily to a SIEM directly from the tool itself, so it is important to inquire if you are running a security information and event manager currently or want to do so in the future. CimTrak integrates with any security information and event manager including HP ArcSight, RSA Security Analytics, IBM QRadar, and McAfee Enterprise Security Manager.