File integrity monitoring is essential for information security because it helps quickly identify unauthorized changes to critical files that could lead to data loss and business disruptions. File changes may be your first or only indication that you’ve been hacked in a cyberattack or compromised through errors by staff or system update processes.
By investing in the right file integrity monitoring tools and following the best practices laid out here, you can instantly flag changes, determine whether they are authorized and take action to prevent a security incident in which critical data is lost and vital business processes are disrupted, leading to costly revenue losses, reputation damage, and legal and compliance penalties.
What is file integrity monitoring?
File integrity monitoring (FIM) is the process of auditing every attempt to access or modify files or folders that contain sensitive information. With FIM, you can detect improper changes and access to any critical file in your system and determine whether the activity was legitimate, so you can respond promptly to prevent security incidents. File integrity monitoring helps with the data integrity part of the CIA (confidentiality, integrity and availability) triad, ensuring that data remains accurate, consistent and trustworthy throughout its lifecycle.
Essential functions of FIM include:
- Configuration management
- Detailed change reporting that differentiates between good and bad changes
- Real-time alerts and notifications
- Remediation
- Compliance reporting
Why do you need file integrity monitoring?
File integrity monitoring helps organizations improve cybersecurity and maintain and prove compliance.
Detect and respond to threats
FIM improves your threat intelligence by monitoring changes to your files, assessing their impact on data integrity and alerting on negative modifications. Security teams can then block unauthorized access and revert the file to its original state. Some FIM solutions even automate the response and remediation process. For example, when suspicious activity is detected, the system administrator can quickly remove the user’s access rights to protect data and services. A FIM solution should provide thorough reports for investigations and audits.
Ensure file integrity
FIM compares the contents of the current version of critical system and configuration files to the known good state and determines whether any differences are negative.
- System files hold information required for your systems to operate correctly, so improperly moving, deleting, changing or renaming a system file can result in complete system failure. While system files are often changed when you apply updates or install applications, it’s generally a good idea to leave them alone and protect them from unexpected changes.
- Configuration files provide the parameters and settings for operating system and applications. They allow you to customize operations and user capabilities. For example, changing the IP address resolution in a configuration file could cause the system to connect to a malicious IP address and server.
Perform configuration hardening
Configuration hardening reduces the attack surface of your IT environment by ensuring that all your systems use a secure configuration. The manufacturer’s default configuration for most devices is selected for ease of installation and implementation — but these defaults are rarely the most secure choices. FIM helps you establish appropriate settings.
For example, strong security requires all your hosts to have a strong password policy; for Linux hosts, it is controlled by the /etc./login.defs file or a similar file, while for Windows hosts, it is defined by Group Policy settings in Active Directory. A FIM program can help you enforce a strong password policy and monitor the associated configuration file for changes that take it out of its hardened state.
Meet compliance requirements
File integrity monitoring requirements are included in many compliance regulations, including the following:
- PCI DSS, which governs debit and credit card transaction security against data theft and fraud, addresses FIM in requirements 5.5 and 11.5. The former calls out FIM specifically for detecting changes to log files, and the latter governs the documentation of events.
- SOX protects investors from fraudulent accounting activities. Section 404 requires an organization’s annual report to include an in-house assessment of internal reporting on financial controls, as well as an attestation by an auditor. FIM detects changes in financial control files and provides documentation for audits.
- FISMA requires federal agencies to enact information security plans. The criteria for FIM are presented in NIST SP800-53 Rev. 5, Chapter 3.5 Configuration Management, CM3. Configuration Change Control, and Chapter 3.19 (System and Information Integrity).
- HIPAA is designed to improve the security of personal health NIST Publication 800-66 mandates the use of FIM to mitigate the threat of malware and hacker activities and ensure detection and reporting of breaches.
More broadly, FIM plays an essential role in compliance with CIS critical security controls, which provide a framework for managing cybersecurity risks and defending against threats in an on-premises, cloud or hybrid environment. In particular, FIM helps you implement CIS Control 4, — Secure Configuration of Enterprise Assets and Software, which requires establishing and maintaining the secure configuration of enterprise software and other assets, including end-user devices, network devices, IoT devices, servers, applications and operating systems.
What are the challenges of implementing FIM?
You face two significant challenges when implementing a file integrity monitoring policy. One is the enormous number of systems, devices or actual changes that need to be monitored — a manual approach to FIM is simply not feasible for any modern organization. You need a software solution that can automate change detection and remediation across your network in real time.
Another challenge is the variety of files to be managed. It is important to choose a FIM solution that supports all the various platforms in your IT ecosystem.
File integrity monitoring best practices
File integrity monitoring solutions are valuable tools, but they require careful implementation to avoid introducing issues rather than resolving them. The following best practices will help your company implement an effective file integrity monitoring policy.
Use a cybersecurity framework to evaluate the current state of security.
A framework such as the CIS Critical Controls will help you understand your infrastructure’s vulnerabilities, weigh the risks and choose appropriate FIM tools.
Establish secure baselines.
Every server in your network requires a file integrity baseline that the FIM solution can use for comparing against the current state. A good FIM solution can help you create secure configurations.
Choose a FIM solution that can integrate with your other technologies.
Look for a FIM solution that can integrate with your current tools, such as.
- Threat intelligence — Combining FIM with your threat intelligence will help you assign severity and risk ranking and prioritize remediation strategies.
- Change management or ticket management — Integrating FIM with these systems helps limit alerts to unauthorized changes and avoid alert fatigue.
- SIEM — Integrate FIM with your SIEM can improve real-time threat detection. While your SIEM collects log data from the network, your FIM tool helps ensure that those log files are not altered and tracks critical changes for investigations and compliance audits.
How Netwrix can help
Netwrix Change Tracker is a FIM solution that tracks unauthorized changes and other suspicious activity across your environment to enhance your security posture. In particular, it can help you:
- Harden systems faster
- Close the loop on change control
- Ensure critical system files are authentic
- Track a complete history of changes
- Stay informed about your security posture
FAQ
What is the function of file integrity monitoring?
FIM audits all attempts to access or modify files or folders containing sensitive information, and checks whether the activity is authorized and aligned with industry and legal protocols. Some solutions also automate threat remediation to reduce the risk of security breaches.
What functionality is important in a FIM solution?
Core FIM functionality includes change management, threat detection and compliance auditing. To achieve these goals, a FIM tool must provide the following:
- Configuration management
- Differentiation between authorized and unauthorized changes
- Real-time alerts
- Detailed change reporting
- Remediation capabilities
- Multiple platform support
- Integration with other technology
Does HIPAA require file integrity monitoring?
The HIPAA Security Rule explicitly requires authentication, documentation and data integrity protection to help ensure the confidentiality, integrity and availability of protected health information.
What does it mean to check file integrity?
Checking file integrity means comparing the current state of a file with a secure baseline that reflects its proper configuration. File integrity is broken if the comparison shows changes to the file that could represent a threat to system operations and resources.