File Integrity Monitoring vs. Integrity: What you need to know

Using security tools to monitor activities on IP based endpoints and the resulting changes that occur pose one of the most formidable challenges to security and regulatory compliance efforts, thanks to its potential to disrupt established security measures and protocols.

Compliance frameworks, such as PCI DSS and NIST 800-53/SI-7, require organizations in every sector to maintain a consistent and secure environment to meet regulatory standards. Integrity is a foundational piece of this puzzle.

It takes only one accidental, unintentional, or malicious system change to completely undermine the state of an entity‘s IT infrastructure and turn security into risk.

Separating the ‘good’ from the ‘bad’

Businesses need to understand that thousands of changes are occurring every day, even in mission-critical servers. Without total system integrity, security teams cannot determine what change is “good” and what is “bad.”

All activity needs to be assessed and prioritized on an ongoing basis and should include databases, operating systems (OS), network devices, virtual infrastructure, laptops, desktops, and application software files for any signs of deviance.  

This is why many entities are turning to File Integrity Monitoring  (FIM) solutions in an attempt to ensure their files stay intact, unaltered, and as they expect to find them. Unfortunately, too often, the focus is on integrity for operating systems and software, but no more, and the genuine integrity of the system as a whole seems to take a backseat.

This is primarily because government leadership hasn’t pushed for more or regulated that every entity needs to implement security initiatives that guarantee integrity across the board. 

Moreover, many do not understand the differences between FIM and integrity management. Although FIM and integrity management both deal with safeguarding the trustworthiness of data and systems, they have different scopes and employ diverse approaches.

FIM is a tool. Integrity is a culture.

File Integrity Monitoring (FIM) is a subset of integrity management that primarily focuses on monitoring and detecting changes to files and directories within an IT system. FIM tools constantly monitor file attributes such as permissions, content, size, and checksums to identify unauthorized or unexpected modifications.

The goal of FIM is to ensure the integrity of critical files and configurations, detect potential security breaches or unauthorized activities, and maintain compliance with regulatory standards. FIM is typically implemented as a security control to provide real-time monitoring and alerting capabilities.

A robust FIM solution should not stop at file systems but also cover networking devices, virtual hosts, and any device with an IP address that supports SSH. Ultimately, FIM’s goal is to ensure the integrity of critical files and configurations, detect potential security breaches or unauthorized activities, and maintain compliance with regulatory standards.

Aiming at overall integrity

Unlike FIM, which is a specific tool or technology, integrity management is a holistic approach to maintaining the integrity and security of an organization’s IT environment. It takes a broader view, encompassing processes and policies to ensure the overall trustworthiness and ethical conduct within an organization. It features tools to prevent fraud, corruption, conflicts of interest, and other unethical practices and is about building a culture of integrity.

While FIM focuses specifically on monitoring changes to the files and directories, integrity management extends beyond files to include monitoring changes to other system components such as configurations, software installations, user permissions, network settings, and more. True integrity goes beyond just configuration files and directory structures (FIM), beyond hashing, beyond registry key integrity, beyond permissions. Hypothetically speaking, if a new software were to be saved to a disk from a malicious email, beyond knowing and alerting the file dropped, are there processes in place to notify if the file was “executed,” if a service started, if a new port opened, or if an exploit has just occurred? 

A good integrity tool will provide the capability to look beyond FIM and run commands or scripts (regularly) where the output is captured and as a feed to determine if any other integral parts or policies of a system were violated. 

Some examples might include capturing what your firmware looks like, local users, startup tasks, scheduled tasks, listening and established port(s)/sessions, and whether the anti-virus is installed, running, and up to date. For databases, queries should be executed regularly to assess proper/expected output. The bottom line is that security engineers need to be expressive and use their creative minds and skills to augment out-of-the-box security routines.

Integrity management also involves implementing comprehensive change management processes, vulnerability assessments, system hardening measures, and ongoing security monitoring to protect against various threats and vulnerabilities.

Deep-dive insight

There are myriad log-based file integrity solutions on the market that claim to bolster security by showing that “something” has changed. However, without knowing what has changed, this information is meaningless.

Fortra’s Tripwire Enterprise solution, for instance, sets itself apart by focusing on more than just file integrity. It ensures full integrity by giving customers a deep-dive insight into what is going on at each endpoint by using ongoing, versioned baselines that reveal whether the changes detected were to content, permissions, general file attributes, hashing, or any data that pertains to a host and can be captured through a command or script. Integrity involves the whole system, not just what is tangible on the disk.

This helps the security team determine the potential severity of the change related activity, so they can take automated actionable steps as it happens, guaranteeing ongoing system integrity. Moreover, it automates detecting, auditing, and reconciling changes, even the low-profile, more obscure changes that could indicate advanced hacks and exploits.

A host of features

With Tripwire FIM, security teams can:

Establish a Secure Baseline – Tripwire FIM lets security practitioners capture the “known good state” of their systems when properly configured so that they can monitor for deviations and anomalies.

Monitor More Than Just Files – Tripwire FIM ensures the integrity of much more than files. Security teams can use it to monitor for changes in servers, operating systems, networks, endpoints, and more.

Keep Security in Mind – While FIM is viewed as a compliance tool, at its heart, it‘s about security. Tracking real-time system changes empowers teams with the visibility that they need to respond to potential breaches before they wreak havoc.

Notify the Appropriate Personnel – Alert fatigue is a real problem for security teams and makes it hard for them to identify what needs their urgent attention and what can wait. Tripwire offers a solution that shows the right info to the right people at the appropriate juncture.

Combine with Policy Management – Security personnel can gain complete integrity control and continuous compliance with visibility into all changes that are suspicious or deviate from compliance.

Have Multi-Policy Coverage – Teams can save time by enforcing many compliance policies at once in their integrity monitoring practice and benefit from a solution that is capable of custom policy creation.

Tripwire Enterprise stands out for its comprehensive FIM capabilities that build a culture of integrity too, by effectively detecting and responding to all changes, safeguarding against potential security breaches, and maintaining the trustworthiness of critical systems.