logo

FIM Solutions: Essential Guide

Changes to your IT devices, systems and servers are inevitable — but they can introduce critical security weaknesses. A file integrity monitoring (FIM) solution will track changes to your system and configuration files so you can promptly verify patch rollouts and investigate and mitigate unauthorized modifications — helping your business maintain a strong security posture and ensure ongoing regulatory compliance.

This blog post will help you determine whether you need a FIM solution and what capabilities to look for.

Do you need a FIM solution?

A file integrity monitoring solution is important if you want to:

  • Harden and protect your IT infrastructure. FIM can help ensure file integrity and detect threats. FIM tools compare the current state of important files against a verified baseline version and notifies the security team about potentially harmful changes so they can respond quickly.
  • Be compliant. FIM is mandated by compliance regulations like NERC CIP, NIST CSF and PCI DSS. While FIM isn’t explicitly required by GDPR and HIPAA, it is still helpful during compliance audits. FIM is also recommended by Control 4 of the CIS Critical Security Controls. 

What can a FIM solution do?

What types of files does a FIM solution monitor?

A file integrity monitoring solution helps you ensure the integrity of two critical types of files:

  • System files. Program, application and operating system files should only change when a planned update, patch or upgrade is implemented. To verify planned changes and assess any other modifications, the FIM solution should track the file attributes governing security and permissions, as well as the file length and cryptographic hash value.
  • Configuration files. A FIM solution must also monitor the integrity of computer configuration settings that restrict either access to the host or privileges for users of the host. For example, software installations and updates can modify the settings of a device away from its hardened configuration, and this drift can lead to vulnerable configurations that make it easier for attackers to penetrate the infrastructure.

How does a FIM solution help detect malware?

To gain access to valuable systems and data, adversaries sometimes plant malware that is disguised to look like a legitimate system file. Examples include:

  • A keylogger that captures the information that a user enters, such as critical user credentials
  • A command & control agent that can be used to control the device and siphon off information from the network and shares it is attached to

A file integrity check can detect these types of malware files so they can be removed before they cause damage.

How can FIM help with configuration management?

Detecting inappropriate changes to your vital configuration files is important, but it’s also critical that you have a secure configuration to begin with. Accordingly, the best FIM tools not only check the integrity of these files but analyze the quality of your baseline settings against security best practices. For example, a default installation of Windows 10 or Windows Server 2019 ticks only about one third of the settings required by CIS benchmarks.

A solid FIM solution can help you establish and maintain a hardened build standard, which is vital for both secure operations and compliance with .

How does FIM help achieve compliance?

FIM is required or recommended by many security mandates and standards, including the following:

  • Health Insurance Portability and Accountability Act (HIPAA) recommends constant data auditing and access controls front and center of best-in-industry practices.
  • Federal Information Security Management Act (FISMA) specifies file integrity monitoring as a core security requirement.
  • National Institute of Standards and Technology (NIST) promotes using real-time FIM as part of a broader security strategy.
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requires FIM capabilities.
  • Payment Card Industry Data Security Standard (PCI DSS) requires weekly integrity monitoring of critical data and system files.

What should a FIM solution monitor?

A FIM solution needs to monitor:

  • Operating system files
  • Installed software packages
  • File systems, such as FAT32 or NTFS
  • Password policy
  • User accounts
  • Management and monitoring functions
  • Registry keys and values
  • User rights assignment
  • Patches, updates and upgrades to the files listed above

This list is far from exhaustive; be sure to assess your organization’s unique needs.

What types of FIM tools are there?

File integrity monitoring tools can be agentless or agent-based:

  • Agentless FIM solutions use scripted, command-line host interactions to examine files. You don’t have to install programs or deploy files to the endpoints. Still, different types of systems require different measures to ensure file integrity. Examples include:
  • Linux-based hosts such as Solaris or Ubuntu systems require the /etc/login.defs or similar configuration files to be edited.
  • Windows hosts require specific configuration settings to be set in Local or Group Policy.
  • Agent-based FIM tools need more effort to get up and running. They require extensive software installation on all monitored network elements and devices. However, they offer three significant advantages:
  • Capture of all user activities, regardless of connectivity method to your IT infrastructure
  • Real-time detection of file changes
  • No need to open a system host to allow monitoring (for example, the Windows System32 folder can be left set to “Administrator Access Only”)

What are important criteria for choosing a FIM solution?

As you assess FIM tools for your organization, be sure to check for the following essential features:

  • Real-time change monitoring and alerting on changes. Any modification to your critical system and configuration files, whether inadvertent or malicious, can open a serious security gap, so you need to be able to investigate and respond to suspicious changes as quickly as possible. To avoid alert fatigue, look for a solution that can distinguish between changes that are unplanned or potential harmful and those that are expected or benign.
  • Application vulnerability monitoring. Security teams need to know about any vulnerabilities in applications, especially newly deployed software. The best file integrity monitoring solutions provide the detailed information required for prompt remediation of issues.
  • Automated compliance reporting. Manual monitoring and reporting of file integrity issues is time consuming and prone to human error, especially since compliance requirements are constantly evolving. Look for an automated reporting system that makes compliance preparation and compliance audits far more seamless and cost-effective.
  • Easy deployment and configuration. Consider a FIM solution that can be quickly deployed across both cloud and on-premises systems. In addition, look for easy configuration, which helps reduce operating costs while ensuring consistent policy enforcement across all enterprise assets.
  • Ease of integration with other solutions. A FIM solution is only one component in your security architecture, so look for one that integrates easily with your other security tools and practices.

How can Netwrix help?

Netwrix Change Tracker delivers the powerful file integrity monitoring required for security and compliance. This flexible solution will:

  • Help you establish secure baseline configurations.
  • Monitor your systems for any drift from those baselines.
  • Analyze changes to determine whether they are planned or unplanned and harmful or benign, and issue intelligent alerts that enable response teams to focus on true threats
  • Provide full visibility into changes to critical system files across your entire infrastructure, including details about who changed what and when and where each change occurred, all in human-readable format.
  • Reduce the time and effort you spend on compliance reporting with 250+ reports covering CIS, NIST, PCI DSS, CMMC, STIG and NERC CIP.
Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.