5 Things to Consider Before Buying a File Integrity Monitoring (FIM) Solution
Imagine you’re on the tail end of installing a 100-line script. It’s five o’clock, and you’re ready to head out early for once. You run the startup script on a new server, and then – the fated error message. Something isn’t working, and only after painstakingly reviewing 67 lines of code do you realize you had the IP address wrong.
This could have been prevented. File Integrity Monitoring (FIM) solutions exist to make sure files stay intact, unaltered, and as you expect them. The best of them not only detect unauthorized changes but also provide an option to automatically take action to mitigate the issue. Want to know how to find the best FIM solution? Look no further than these five requirements.
1. Integrity Verification
Integrity verification defines the rules by which a FIM solution baselines and vets an asset for integrity. The lengthy checklist can include:
- Can automatically check for changes to file/directory contents.
- Can automatically check for changes to file/directory permissions.
- Can automatically check for changes to file/directory time/date stamps.
- Can automatically check for changes to file/directory names.
- Can automatically check for changes to file/directory ownership.
- Can automatically check for additions/modifications/deletions to Windows registry keys.
- Can check for file content changes using cyclic redundancy checking and/or digital signature checking.
- Can check for file content changes using a reference baseline of the file for comparison.
These are just some of the attributes a FIM solution can check for change. Once these rules are in place, the solution checks the database, operating system (OS), and application software files for any sign of deviation from the baseline. A good FIM solution does not stop at file systems; it can also cover networking devices, virtual hosts, and any device with an IP address that supports SSH.
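As an added illustration (not Tripwire's code or anything from the original article), here is a minimal baseline-and-compare routine in Python covering the file attributes listed above: contents via a SHA-256 hash (chosen over a CRC because a CRC catches accidental corruption but not deliberate substitution), permission bits, ownership and modification time, with the file name tracked through the path key. The demo() scenario, its directory tree and its file contents are constructed for the example; digital-signature checking is not shown.

```python
import hashlib
import os
import tempfile

def snapshot_file(path):
    """Record the attributes a FIM baseline tracks for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": st.st_mode & 0o7777,      # contents, permission bits
            "owner": (st.st_uid, st.st_gid), "mtime": int(st.st_mtime)}  # ownership, time stamp

def baseline(root):
    """Walk root and snapshot every regular file, keyed by relative path (the name)."""
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                base[os.path.relpath(full, root)] = snapshot_file(full)
    return base

def compare(old, new):
    """Diff two baselines: {relpath: [changed attributes] or ['added'] / ['deleted']}."""
    changes = {p: ["deleted"] for p in old.keys() - new.keys()}
    changes.update({p: ["added"] for p in new.keys() - old.keys()})
    for p in old.keys() & new.keys():
        diffs = [k for k in old[p] if old[p][k] != new[p][k]]
        if diffs:
            changes[p] = diffs
    return changes

def demo():
    """Constructed scenario: baseline a temp tree, alter it, report the drift."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "config"))
    conf, key, notes = (os.path.join(root, n) for n in ("config/app.conf", "secret.key", "notes.txt"))
    for p, data in ((conf, b"db_host=10.0.0.5\n"), (key, b"constructed\n"), (notes, b"hi\n")):
        with open(p, "wb") as f:
            f.write(data)
    os.chmod(key, 0o600)
    before = baseline(root)
    with open(conf, "wb") as f:                          # content edit
        f.write(b"db_host=10.0.0.6\n")
    os.chmod(key, 0o644)                                 # permissions loosened
    os.rename(notes, os.path.join(root, "notes.bak"))    # rename surfaces as delete + add
    return compare(before, baseline(root))
```

A rename appears as a deletion plus an addition unless the tool matches hashes across paths, which is one reason real products report the attribute that changed rather than a bare "changed" flag.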
2. Operational Requirements
Now, it’s time to check whether the contemplated FIM solution stands up to user-side requirements. Considerations include whether the tool establishes baseline behaviors, whether it can execute commands in response to integrity breaches, whether it can specify severity levels per individual element, whether the console can view the status of machines and group agents, and whether it works well over low-bandwidth connections. When you know the answer to all of these could be “yes,” it’s hard to choose a solution that has to answer “no,” even to one of these. And this list is far from exhaustive.
3. Security and Control
At this point, security considerations should be top-of-mind. Does the FIM tool:
- Report devices that run afoul of regulatory policies? Altered files do not show proper due diligence when protecting consumer information in an industry audit.
- Provide proof of department-level compliance? Security leadership can’t know where to prioritize when they don’t know what’s already been done. Management is the name of the game in achieving overall file integrity within an organization.
- Check changes against existing policies? Not all changes are bad ones. However, the ones that directly defy internal or external policies most definitely are. Incorrectly modified security controls can quickly make a system vulnerable to attack by decreasing its hardened state.
- Analyze changes for risk in real time? Your enterprise is a living organism, and changes need to be made on the fly. However, human error accounts for 74% of data breaches, and the right FIM solution will evaluate whether those changes introduce risk based on the circumstances and context in which they were made. A best-practice FIM policy is to ensure critical configuration files are monitored in real time.
- Verify agent security and passphrases? Sometimes, it’s better not to give a nefarious third party the chance to make changes in the first place, even if those changes are caught. That’s why user login verification is critical to ensuring that those handling the files are the ones authorized to do so (responsibly).
4. Enterprise Management Integration
The file integrity monitoring solution’s ability to integrate with what you already have is extremely important as well. The most high-powered tool in the world is rendered useless when unable to work with your existing services.
That’s why it’s key to find out whether the FIM platform has an API integration that allows for customization, and whether it meshes with your current change management system (JIRA, ServiceNow, Remedy). This type of integration can classify change as authorized vs. unauthorized: it can promote properly authorized change or create violation-triggered tickets when unauthorized change is detected. Within your current system(s), it can provide the ability to take action from other enhanced messaging services (EMS), allowing you to hit the ground running. A highly compatible FIM foundational tool is one key to zero-trust.
5. Reporting and Alerting
Lastly, how good is all that functionality and the subsequent data generated if your FIM solution can’t crank out a good report? Reporting and alerting capabilities spell the difference between saving you time and costing you money.
Your FIM platform should bend to you and be able to:
- Customize criteria for reports
- Create reports on-demand
- Filter and search existing reports
- Provide executive-level rundowns
- Help meet compliance requirements
- Specify why a certain change is significant given the context
And more.
Beyond FIM: What’s Next?
File integrity monitoring systems need to do more than “check for changes” because your team is accountable for more. Compliance standards must be met; the solution must be usable and user-friendly; it needs to generate reports (and good ones); and it needs to work with what you already have. But the best FIM solutions provide one crucial capability beyond even that. By properly deploying a good integrity/SCM and compliance product, your security staff are well on their way to reducing the “attack surface” within your critical environment.
Superior file integrity monitoring not only alerts you to changes (who made them, how severe they were, to what file, under what condition) but also to how those changes clash with existing policies. This is gold to companies looking for what really matters: how file integrity alterations impact your compliant state. Modifications to security controls may or may not adversely affect your infrastructure’s hardened state; knowing when those controls are modified, and to what extent, is critical to maintaining a secure posture. While knowing when a file has been tampered with is critical enough to internal processes, knowing when it puts your organization in jeopardy with industry and government regulations is perhaps even more critical still.
Tripwire’s unique approach to file integrity monitoring combines to-the-minute change visibility with compliance policy management. This completes the puzzle – it’s one thing to maintain “no changes,” but it’s useless unless that original state meets the approved state and is fully compliant and hardened. By comparing alterations against established safe-zone baselines, companies can leverage Tripwire FIM to continuously bring their assets back to a place of compliance and safety.
As this article emphasizes, the ultimate value-add of the right FIM solution is going from “something changed” to “something changed, it was unexpected, it was bad, here’s how to fix it, and let’s tune our solution to minimize noise in the future.”