Much like most things in life, change is inevitable. The same can be said for any organization\u2019s IT networks and operating systems. But with that in mind, it\u2019s essential to know who makes the changes and why. Is a change made by an authorized employee with the organization\u2019s best interest in mind, or is it caused by an attacker who intends to corrupt the system and commit a cybercrime? To detect unauthorized and unusual changes in operating systems or software, organizations frequently use a control system known as file integrity monitoring<\/strong> (FIM). <\/p>\n\n\n\n In this\narticle, we\u2019ll cover everything you need to know about FIM, i.e., usage, available\nsoftware, benefits, and legal compliance associated with file integrity\nmonitoring via software and tools. <\/p>\n\n\n\n As the name suggests, file integrity monitoring\n\u2014 also known as change monitoring \u2014 is used to ensure the integrity of your\nfiles by identifying any changes made to them. FIM can be used on your network,\noperating system, cloud, and other platforms. <\/p>\n\n\n\n FIM is a risk mitigation technology that\u2019s based on artificial intelligence<\/a> (AI). It examines all the changes in a system, compares them against the predefined baseline, and alerts the management or person in charge if it notices any unexpected changes. This helps your organization to detect any change that may pose a security risk, a probable cyber attack, or a compromise in regulatory compliance. <\/p>\n\n\n\n FIM software examines: <\/p>\n\n\n\n But file integrity software is versatile\nand isn\u2019t limited to only monitoring files. It also works on hardware\nand IoT device configurations, software configurations, activity logs, operating\nsystems, directory servers, media files, and cloud settings. <\/p>\n\n\n\n This is something you can do to help keep an eye on the code integrity<\/a> of your software apps (in addition to signing your code using a digital certificate, which uses cryptographic hashing to verify whether any changes have been made to you code).<\/p>\n\n\n\n To implement\nFIM technology, your organization needs to install file<\/strong> integrity\nmonitoring software or tools<\/strong>. Some of the best-known FIM software\nproviders are OSSEC, Tripwire, Qualys, McAfee Change Control, Kaspersky Labs,\nSplunk, Trustwave, and CloudPassage. <\/p>\n\n\n\n But before selecting an FIM tool, you should ensure that it\nhas the following qualities:<\/p>\n\n\n\n Now you know what FIM is and what you should look for in a\ngood FIM solution, let\u2019s understand how it actually works. We have break down\nthis process in two parts. First, we\u2019ll start with what you need to do to get\nit up and running and then we will cover how does it function on your system\nafter the successful implementation. <\/p>\n\n\n\n Choose the best FIM provider that matches your needs,\nbudget, and technology. Install it to your system using either an agent-based\nor agentless mode. But what do these terms mean?<\/p>\n\n\n\n In agent-based file integrity monitoring<\/strong>, an agent\nsoftware is installed on the monitored host to provide real-time monitoring of\nfiles. However, it consumes a massive amount of resources of the host. <\/p>\n\n\n\n In an agentless file integrity monitoring system<\/strong>, a\nscanner detects the changes on its scheduled time and hashes all the files on\nthe system each time it scans. It\u2019s easy to implement, but there won\u2019t be any\nlive real-time monitoring. <\/p>\n\n\n\n You need to decide which files, devices, software\nconfigurations, directory servers, media files, and cloud settings should be\nadded in the FIM software. You need to choose which areas are most vulnerable\nand require constant monitoring.<\/p>\n\n\n\n Every FIM tool needs a reference point, which it uses to compare\nwith the changes it detects to identify any unusual activities. You need to\nestablish a baseline or reference point for all of your files and IT setups.\nThe baseline can include the following: <\/p>\n\n\n\n Setting up the baseline is the most time consuming, yet a\ncrucial step to reduce the noise and false-positive alerts. You must carefully\nobserve all the usual (authorized) changes and set the separate baselines for\neach area of monitoring. Sometimes, the baseline can be a range of values\ninstead of an absolute point. <\/p>\n\n\n\n Once the organization follows the above mentioned three\nsteps, the FIM\u2019s work begins.<\/p>\n\n\n\n Once implemented, the FIM software will start monitoring any modifications that are made to your files, systems, logs, settings, etc. It observes when, how, and by whom the changes are made and compares them with the baseline. The organizations can install the expected changes to reduce false alerts. Most of the FIM software are capable of detecting DDoS attacks<\/a>, phishing attacks<\/a>, unauthorized system access, data theft, malware or ransomware injections, and insider threats. <\/p>\n\n\n\n A business website has hundreds of code files on the directory.\nEven though the management realizes that an attacker has injected malware in the\nwebsite, it\u2019s difficult to locate malicious injections amongst thousands of\nlines of codes. File integrity monitoring software has ability to point out\nwhich exact file and codes have been corrupted, making the recovery process\nfaster and easier. For WordPress sites, it can also monitor wp-config.php and\n.htaccess files.<\/p>\n\n\n\n A file integrity monitoring tool sends automated alert\nemails to the relevant personnel and records everything on its dashboard. A\ngood FIM software application also suggests steps for reconciliation (such as\nhow to restore files). Some FIM software automatically deletes the corrupted\nfiles and takes remediation steps. You can also create reports from the FIM\nsoftware’s dashboard for your IT audits. <\/p>\n\n\n\n Now that you know how the file integrity monitoring software\nworks, the million-dollar question that arises here is what value does it bring\nto an organization? And is it really worth spending money on or can a business manage\nwithout it? <\/p>\n\n\n\n Let\u2019s check out the FIM tool\u2019s benefits to understand its\nreal-life utility:<\/p>\n\n\n\n FIM is needed to meet with many crucial regulatory\ncompliance standards, such as: <\/p>\n\n\n\n FIM software detects any unusual changes in the system,\nwhich might indicate a cyber attack. It\u2019s essential to recognize the cyber attacks<\/a>\non their earliest stage to reduce the damage. <\/p>\n\n\n\n A change in activity logs, unusual changes in access\ncriteria and permission, mass data access and transfer, etc. indicate an\ninsider threat (where current or former employees corrupt the system or steal\nvaluable data). Such activities are monitored by FIM software and are brought to\nthe attention of management before it\u2019s too late. <\/p>\n\n\n\n When a cyber attack takes place, a company not only loses\nmillions of dollars in lawsuits, but its reputation also takes a significant\nhit. (In some cases, it takes damage to the point that no amount of positive PR\ncan help.) It takes decades to build a reputation and tons of money to create a\nbrand value. However, it just needs a single cyber attack<\/a> or data breach\nincident to ruin everything. FIM gives your organization an extra layer of\nprotection against such unfortunate events.<\/p>\n\n\n\n Any website that deals with its users\u2019 sensitive financial\ndata such as credit card\/debit card numbers and bank account details must\ncomply with Payment Card Industry Data Security Standard. Under PCI DSS, there\nare some rules which a website must follow to get PCI DSS compliance status.\nThe following are the standards that suggest using file integrity monitoring to\nensure the safety of the users’ financial information:<\/p>\n\n\n\n Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”<\/em><\/p>\n<\/blockquote>\n\n\n\n Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).\u201d <\/em><\/p>\n<\/blockquote>\n\n\n\n As you can see, PCI DSS recommends that merchants use file\nintegrity monitoring (or any other equivalent change detection systems) to\ncheck for changes to critical files, so that any unauthorized data modification\ncan\u2019t go unnoticed. It suggests that the activity logs should also be\naccurately monitored. If someone tries to alter the activity logs, such change\nshould be brought into the notice of the responsible personnel by the FIM\nsoftware. <\/p>\n\n\n\n Tampering with any health data can have a dire consequence.\nIt not only gives false health condition information to the medical service provider,\nbut it also can result in data theft, identity theft, and ransomware attacks.\nThe Health\nInsurance Portability and Accountability Act<\/a> of 1996 suggests that the\nhealthcare providers must take proactive steps for the authentication,\ndocumentation, intervention protection, and integrity protection of all\nhealthcare-related data. If the data breach takes place, and if the healthcare\ninstitution is not a HIPAA-compliant, the fines can exceed\n$1.5 million<\/a>.<\/p>\n\n\n\n Check out the following HIPPA\nstandards<\/a> for integrity protection in terms of file monitoring: <\/p>\n\n\n\n Implement security measures to ensure that electronically transmitted <\/a>electronic protected health information is not improperly modified without detection until disposed of.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\nSo, What Is File Integrity Monitoring? <\/h2>\n\n\n\n
\n
configuration; <\/li>\n\n\n\n
and directories; and<\/li>\n\n\n\nFile Integrity Monitoring Software<\/h2>\n\n\n\n
\n
software must be flexible enough to add and remove files and to modify the
baseline as and when required. It also should provide you with the ability to
revise and customize policies. \u00a0<\/li>\n\n\n\n
compatible with different types of files, activity logs, operating systems,
hardware devices, and cloud settings. <\/li>\n\n\n\n
systems to be \u201cnoisy\u201d \u2014 meaning they provide a multitude of information without
context. The most effective FIM solutions are those that only notifies you when
necessary. They also recommend steps to move forward in terms of remediation
and file restoration. <\/li>\n\n\n\n
customized pricing policies that will meet different organizations’ needs. A
FIM software generally starts from $500 and can go up to thousands of dollars.
Make sure you get quotes from multiple providers before choosing one for your organization.<\/li>\n<\/ul>\n\n\n\nHow Does the File Integrity Monitoring Work?<\/h2>\n\n\n\n
How to Implement File Integrity Monitoring<\/h3>\n\n\n\n
Install FIM Software <\/h4>\n\n\n\n
Choose the Area of Monitoring <\/h4>\n\n\n\n
Define a Baseline <\/h4>\n\n\n\n
\n
How FIM Works<\/h3>\n\n\n\n
Monitoring and Detection <\/h4>\n\n\n\n
Reporting <\/h4>\n\n\n\n
Benefits of Implementing File Integrity\nMonitoring<\/h2>\n\n\n\n
Legal Compliance <\/h3>\n\n\n\n
\n
Security Standard; <\/li>\n\n\n\n
Accountability Act; <\/li>\n\n\n\n
Management Act; <\/li>\n\n\n\n
infrastructure protection; and <\/li>\n\n\n\n
and Technology. <\/li>\n<\/ul>\n\n\n\nProtection Against External Cyber Attacks <\/h3>\n\n\n\n
Insider Threat Detection <\/h3>\n\n\n\n
Reputation <\/h3>\n\n\n\n
File Integrity Monitoring and PCI-DSS Compliance <\/h2>\n\n\n\n
PCI-DSS Requirement 11.5<\/a> <\/h3>\n\n\n\n
\n
PCI-DSS Requirement 10.5.5<\/h3>\n\n\n\n
\n
File Integrity Monitoring and HIPAA Compliance<\/h2>\n\n\n\n
\u00a7 164.312(e)(2)(i): Integrity Controls Addressable<\/h3>\n\n\n\n
\n
\u00a7 164.312(c)(2): Mechanism to\nauthenticate ePHI<\/h3>\n\n\n\n
\n