Malicious actors can cause a lot of damage to your business, employees, and clients if they gain access to your systems. Besides stealing and leaking data, they can also change your configurations, applications, and system files — and delete logs to cover their tracks.
File integrity monitoring (FIM) can help you protect your business. By an IT security technology and security process that tracks file changes to determine whether files have been deleted or tampered with, FIM can help you prevent and mitigate unauthorized system file changes.
Read on to learn more about FIM, why it’s important, how it works and what you should focus on when evaluating FIM solutions.
What is file integrity monitoring (FIM)?
A FIM solution is change tracking and intrusion detection software that checks database, operating system, and Windows files to determine whether they have been modified and if so, by whom and when.
Why do you need to use a FIM solution?
FIM helps organizations:
- Detect and address threats: FIM detect changes to system files and sends alerts about harmful modifications. Your network security team can then block unauthorized access and revert modified files to their original state.
- Ensure file integrity: FIM tools validate critical files by comparing the current version against a trusted baseline. It then determines whether any differences are potentially damaging.
- Meet compliance requirements: Many compliance regulations include FIM requirements, including the Payment Card Industry Data Security Standard (PCI DSS), SOX, the Federal Information Security Management Act of 2002 (FISMA), and the Health Insurance Portability and Accountability Act (HIPAA).
- Harden system configurations: FIM can help you establish appropriate configuration settings for your Windows servers and other IT systems to reduce your attack surface area.
How often should Windows file integrity checks be made?
Security compliance standards such as the PCI DSS mandate weekly file integrity checks. However, weekly checks may not be enough to prevent serious data security breaches. In recent years, threat actors have become much more dangerous — they now only need a few hours or days to cause serious damage.
That’s why you need real-time file monitoring solutions with continuous detection. If you run file integrity checks only once a week, threats may slip under your radar until too late.
What data should Windows file integrity monitoring cover?
Your FIM solution should monitor the following:
Windows folders and files
At a minimum, you should use file integrity monitoring for:
- Program files (x86)
- Program files
- System 32
- SysWow64
You should also consider applying FIM to the Windows system drive (C:Windows). However, as with registry monitoring, this can result in a great many false positives. Accordingly, you need to exclude files that change regularly, including database and live log files like C:WindowsLogs.
Including and excluding files for monitoring can be difficult if you must do it manually. It’s wise to invest in a FIM tool that lets you quickly locate files using both filtering by file type and extension, and regular expressions (regex), which are search patterns that locate files and folders containing specific characters. In addition, look for intelligent change detection that can identify unexpected changes and other true threats.
All folder and file attributes and contents
Your FIM tool should track all folder and file attributes, including the following:
- Current state
- Privileges, permissions and other security settings
- Core size and attributes
- Credentials
- Configuration values
Some FIM solutions also track file contents. This is often impractical, especially for large files. A better approach is to track metadata such as:
- Name and path
- Cryptographic hash values
- Size and length
- Creation and access dates
Windows registry keys, hives and values
Additionally, you should apply FIM to Windows registry keys, hives and values because they control Windows configuration settings. Be sure to monitor:
- Installed programs and updates
- Local audit and security policies, which include everything from Windows firewall settings to your screensaver
- Local user accounts
Note that the registry consists of millions of values, many of which frequently change during Windows operation. To reduce the volume of false positive alerts, you will need fine-grained inclusion and exclusion capabilities, as explained above.
How does Windows FIM detect threats?
To detect changes, Windows file integrity monitoring solutions should use cryptographic hash values generated using a secure hash algorithm such as MD5, SHA1, SHA256 or SHA512. This approach provides a unique ‘DNA fingerprint’ for each file that enables even minute changes to be detected, because even the slightest modification to a file’s content or composition greatly impacts the hash value.
Cryptographic hash values can be assigned to any file type, including binary files (such as .dll, .exe, .drv, and .sys) and text-based configuration files (such as .js, XML and zipped archives).
What should you focus on when evaluating FIM solutions for Windows?
When assessing Microsoft file integrity monitoring solutions, ask the following key questions:
Does the solution use modern FIM methods?
Traditional FIM solutions track and verify all file and folder attributes by creating a baseline that has all of your files’ hash values and metadata, and comparing those baseline values with the most recent versions of the files. However, they check for changes only daily or weekly. They are also extremely resource-intensive and lack essential features such as real-time monitoring, centralized storage of security events, and context about why system files have changed. These shortcomings make it extremely challenging for cybersecurity specialists to spot potentially dangerous changes in the vast sea of acceptable modifications.
In contrast, modern file integrity solutions like Netwrix Change Tracker use a FIM agent to continuously detect changes and issue real-time alerts. They also feature:
- Context-based file whitelisting and file integrity monitoring to ensure that all change activity is automatically analyzed to differentiate between good and bad changes, which vastly reduces change noise and alert fatigue
- Certified and complete DISA STIG and CIS configuration hardening to ensure that all systems are securely configured at all times
Does the solution support Microsoft Azure?
If you use Microsoft Azure, it’s vital that your FIM solution supports it. Azure does come with Microsoft Defender for Cloud, a file integrity monitoring solution that helps you protect your data. But although Defender for Cloud can catch many abnormalities, a significant number of threats can still slip through because it lacks critical features like centralized storage of security events, planned versus unplanned change detection, and real-time monitoring. These shortcomings can make it difficult to understand whether detected changes are malicious or acceptable.
Accordingly, you should invest in a third-party FIM tool like Netwrix Change Tracker that can detect every change to your Microsoft Azure cloud environment and alert you in real time about unauthorized modifications so you can respond to cloud security incidents quickly.
FAQ
1. How does Windows FIM detect zero-day malware?
Windows FIM solutions use a cryptographic hash value to track each file in your system. When zero-day malware enters your system, the hash values of critical files will change, and the FIM solution will alert your security team. This approach works for any file type, including .drv, .exe, .dll, .sys and zipped archive files.
2. How often should a Windows file integrity check be made?
Although PCI only mandates weekly checks, this may not be enough to prevent severe data security breaches. Modern threat actors only need a few hours or days to wreak havoc on your systems and data, making prompt detection more critical than ever. Any delay may prove costly.
3. Does Microsoft Defender for Cloud provide FIM?
Yes, Microsoft Defender for Cloud examines Windows registries, operating system files, Linux systems files, application software, and other files for changes that might indicate a cyberattack.
However, it cannot distinguish between planned and unplanned changes, so security teams can be overwhelmed with alerts. In addition, Defender for Cloud does not provide real-time monitoring, so threat actors may have time to complete their attacks before an alert is issues. Therefore, investing an a third-party FIM solution can be a wise strategy.