Everything to know about file integrity monitoring software and tools — definition, usage, and how it benefits compliance
Much like most things in life, change is inevitable. The same can be said for any organization’s IT networks and operating systems. But with that in mind, it’s essential to know who makes the changes and why. Is a change made by an authorized employee with the organization’s best interest in mind, or is it caused by an attacker who intends to corrupt the system and commit a cybercrime? To detect unauthorized and unusual changes in operating systems or software, organizations frequently use a control system known as file integrity monitoring (FIM).
In this article, we’ll cover everything you need to know about FIM, i.e., usage, available software, benefits, and legal compliance associated with file integrity monitoring via software and tools.
So, What Is File Integrity Monitoring?
As the name suggests, file integrity monitoring — also known as change monitoring — is used to ensure the integrity of your files by identifying any changes made to them. FIM can be used on your network, operating system, cloud, and other platforms.
FIM is a risk mitigation technology that’s based on artificial intelligence (AI). It examines all the changes in a system, compares them against the predefined baseline, and alerts the management or person in charge if it notices any unexpected changes. This helps your organization to detect any change that may pose a security risk, a probable cyber attack, or a compromise in regulatory compliance.
FIM software examines:
- who modified the file;
- when and what changes have been made;
- unusual changes in file sizes, versions and file configuration;
- unauthorized access of confidential files, system binaries, and directories; and
- changes in security settings, permissions, and registry keys.
But file integrity software is versatile and isn’t limited to only monitoring files. It also works on hardware and IoT device configurations, software configurations, activity logs, operating systems, directory servers, media files, and cloud settings.
File Integrity Monitoring Software
To implement FIM technology, your organization needs to install file integrity monitoring software or tools. Some of the best-known FIM software providers are OSSEC, Tripwire, Qualys, McAfee Change Control, Kaspersky Labs, Splunk, Trustwave, and CloudPassage.
But before selecting an FIM tool, you should ensure that it has the following qualities:
- Flexibility: File integrity management software must be flexible enough to add and remove files and to modify the baseline as and when required. It also should provide you with the ability to revise and customize policies.
- Compatibility: The tool must be compatible with different types of files, activity logs, operating systems, hardware devices, and cloud settings.
- “Noise” Reduction: It’s easy for these systems to be “noisy” — meaning they provide a multitude of information without context. The most effective FIM solutions are those that only notifies you when necessary. They also recommend steps to move forward in terms of remediation and file restoration.
- Affordability: All FIM providers have customized pricing policies that will meet different organizations’ needs. A FIM software generally starts from $500 and can go up to thousands of dollars. Make sure you get quotes from multiple providers before choosing one for your organization.
How Does the File Integrity Monitoring Work?
Now you know what FIM is and what you should look for in a good FIM solution, let’s understand how it actually works. We have break down this process in two parts. First, we’ll start with what you need to do to get it up and running and then we will cover how does it function on your system after the successful implementation.
How to Implement File Integrity Monitoring
Install FIM Software
Choose the best FIM provider that matches your needs, budget, and technology. Install it to your system using either an agent-based or agentless mode. But what do these terms mean?
In agent-based file integrity monitoring, an agent software is installed on the monitored host to provide real-time monitoring of files. However, it consumes a massive amount of resources of the host.
In an agentless file integrity monitoring system, a scanner detects the changes on its scheduled time and hashes all the files on the system each time it scans. It’s easy to implement, but there won’t be any live real-time monitoring.
Choose the Area of Monitoring
You need to decide which files, devices, software configurations, directory servers, media files, and cloud settings should be added in the FIM software. You need to choose which areas are most vulnerable and require constant monitoring.
Define a Baseline
Every FIM tool needs a reference point, which it uses to compare with the changes it detects to identify any unusual activities. You need to establish a baseline or reference point for all of your files and IT setups. The baseline can include the following:
- hash values,
- file size,
- access privileges,
- user credentials, and
- security settings.
Setting up the baseline is the most time consuming, yet a crucial step to reduce the noise and false-positive alerts. You must carefully observe all the usual (authorized) changes and set the separate baselines for each area of monitoring. Sometimes, the baseline can be a range of values instead of an absolute point.
How FIM Works
Once the organization follows the above mentioned three steps, the FIM’s work begins.
Monitoring and Detection
Once implemented, the FIM software will start monitoring any modifications that are made to your files, systems, logs, settings, etc. It observes when, how, and by whom the changes are made and compares them with the baseline. The organizations can install the expected changes to reduce false alerts. Most of the FIM software are capable of detecting DDoS attacks, phishing attacks, unauthorized system access, data theft, malware or ransomware injections, and insider threats.
A business website has hundreds of code files on the directory. Even though the management realizes that an attacker has injected malware in the website, it’s difficult to locate malicious injections amongst thousands of lines of codes. File integrity monitoring software has ability to point out which exact file and codes have been corrupted, making the recovery process faster and easier. For WordPress sites, it can also monitor wp-config.php and .htaccess files.
A file integrity monitoring tool sends automated alert emails to the relevant personnel and records everything on its dashboard. A good FIM software application also suggests steps for reconciliation (such as how to restore files). Some FIM software automatically deletes the corrupted files and takes remediation steps. You can also create reports from the FIM software’s dashboard for your IT audits.
Benefits of Implementing File Integrity Monitoring
Now that you know how the file integrity monitoring software works, the million-dollar question that arises here is what value does it bring to an organization? And is it really worth spending money on or can a business manage without it?
Let’s check out the FIM tool’s benefits to understand its real-life utility:
FIM is needed to meet with many crucial regulatory compliance standards, such as:
- PCI-DSS — Payment Card Industry Data Security Standard;
- HIPAA — Health Insurance Portability and Accountability Act;
- SOX — Sarbanes-Oxley Act;
- FISMA — Federal Information Security Management Act;
- NERC CIP — North American Electric Reliability Corporation critical infrastructure protection; and
- NIST — National Institute of Standards and Technology.
Protection Against External Cyber Attacks
FIM software detects any unusual changes in the system, which might indicate a cyber attack. It’s essential to recognize the cyber attacks on their earliest stage to reduce the damage.
Insider Threat Detection
A change in activity logs, unusual changes in access criteria and permission, mass data access and transfer, etc. indicate an insider threat (where current or former employees corrupt the system or steal valuable data). Such activities are monitored by FIM software and are brought to the attention of management before it’s too late.
When a cyber attack takes place, a company not only loses millions of dollars in lawsuits, but its reputation also takes a significant hit. (In some cases, it takes damage to the point that no amount of positive PR can help.) It takes decades to build a reputation and tons of money to create a brand value. However, it just needs a single cyber attack or data breach incident to ruin everything. FIM gives your organization an extra layer of protection against such unfortunate events.
File Integrity Monitoring and PCI-DSS Compliance
Any website that deals with its users’ sensitive financial data such as credit card/debit card numbers and bank account details must comply with Payment Card Industry Data Security Standard. Under PCI DSS, there are some rules which a website must follow to get PCI DSS compliance status. The following are the standards that suggest using file integrity monitoring to ensure the safety of the users’ financial information:
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”
PCI-DSS Requirement 10.5.5
Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).”
As you can see, PCI DSS recommends that merchants use file integrity monitoring (or any other equivalent change detection systems) to check for changes to critical files, so that any unauthorized data modification can’t go unnoticed. It suggests that the activity logs should also be accurately monitored. If someone tries to alter the activity logs, such change should be brought into the notice of the responsible personnel by the FIM software.
File Integrity Monitoring and HIPAA Compliance
Tampering with any health data can have a dire consequence. It not only gives false health condition information to the medical service provider, but it also can result in data theft, identity theft, and ransomware attacks. The Health Insurance Portability and Accountability Act of 1996 suggests that the healthcare providers must take proactive steps for the authentication, documentation, intervention protection, and integrity protection of all healthcare-related data. If the data breach takes place, and if the healthcare institution is not a HIPAA-compliant, the fines can exceed $1.5 million.
Check out the following HIPPA standards for integrity protection in terms of file monitoring:
§ 164.312(e)(2)(i): Integrity Controls Addressable
Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
§ 164.312(c)(2): Mechanism to authenticate ePHI
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”
Unlike PCI DDS, HIPAA doesn’t directly recommend using FIM software, but it does suggest that any electronically transmitted sensitive health data must be protected from improper modification. The health organizations must implement the control mechanism that confirms that the data has not been altered or destroyed in an unauthorized way. As you may guess, to comply with this rule, it means that healthcare organizations need to have a control mechanism in place — such as a file integrity monitoring solution.
The Drawbacks of File Integrity Management Solutions
File integrity management is an essential tool for tracking known changes and detecting unauthorized ones. But just like all other technology, FIM also has some disadvantages. One of the negative sides of using FIM software is false positives. If you haven’t configured the baseline properly, the FIM tool considers a legit change as an unauthorized one and generates the warning message for the same, and its alerts become false positive. When the number of false positives increases, it wastes investigation time and resources.
Another downside of FIM is the cost. For startups and small businesses, it can add a substantial financial burden. However, FIM’s benefits overweigh its costs because the direct and indirect damage involved with cybercrime can be devastating for an organization.
A Final Word
Regardless of any potential drawbacks, the benefits of file integrity monitoring outweigh the advantages. If you’re an organization or business that handles users’ sensitive financial data or health-related information, FIM is integral to your legal compliance, so you must implement it within your own systems. As you’ve learned, an efficient file integrity monitoring solution is a crucial tool that enables your organization to have a healthy security posture.