Superior Integrity Monitoring: Getting Beyond Checkbox FIM

Contrary to what one might expect, creating a File Integrity Monitoring (FIM) system is pretty easy. Practically anyone with a modicum of Python, Perl, or development skills can write an app or script to gather a file’s checksum, compare it to a list or baseline, and tell you whether or not said file has changed.

But creating a good FIM solution is hard. Many inadequate checkbox File Integrity Monitoring solutions are on the market because while detecting change is easy, reconciling it is not. Purchasing one of these inferior solutions could result in a failed audit and severe financial consequences, so buyers must be able to identify and avoid them.

Why do you even need File Integrity Monitoring?

But, you may be asking, why do you even need FIM? Why does it matter?

File Integrity Monitoring is essential for maintaining the security and integrity of digital assets within an organization. Here’s why you need it:

• Security Assurance – FIM continuously monitors critical files and system configurations, promptly detecting unauthorized changes; this helps prevent and mitigate security breaches, ensuring data confidentiality and protecting against cyber threats.
• Compliance Requirements – Many regulatory standards and frameworks mandate the implementation of FIM as part of security best practices. Compliance with regulations such as PCI DSS, HIPAA, GDPR, and others often requires organizations to demonstrate robust file integrity monitoring capabilities.
• Early Threat Detection – FIM enables early detection of suspicious activities or unauthorized modifications to files, applications, or system settings. Organizations can respond promptly to mitigate risks and prevent further damage by identifying potential security incidents in real time.
• Prevention of Data Tampering – FIM safeguards against data tampering and manipulation by monitoring changes to critical files and configurations; this is crucial for protecting sensitive information, maintaining trust with customers and stakeholders, and preserving the integrity of digital assets.
• Risk Management – Implementing FIM helps organizations proactively manage cybersecurity risks by identifying vulnerabilities and weaknesses in their IT infrastructure. By continuously monitoring file integrity, organizations can strengthen their overall security posture and minimize the likelihood of data breaches or system compromises.

Why are there so many checkbox FIM solutions out there?

Again, detecting change is easy; reconciling it is not. This is the core problem that folks who offer checkbox FIM solutions or logging solutions cannot solve. They offer customers the delusion that all they need to do is set their solution into place and start collecting change data, and the auditors will be happy.

For many, FIM is just an item to be checked off on a list of products they are trying to sell you. They don’t tell you that while you might get away with such an approach with an inexperienced auditor, it can lead to significant findings if you come across one who knows what they are looking for.

We’ve had customers who have run into both. The customer who could present Fortra’s Tripwire Enterprise reports and show authorized versus unauthorized changes to the SOX auditor and passed with flying colors. The other one? Well, let’s just say that they are looking to make what was a small deployment much larger.

One of the key issues is security and compliance best practice maturity. Small organizations, in particular, have minimal staff who wear many hats. The same person who manages the servers and applications may also generate the reports for the auditors. Tripwire’s founder, Gene Kim, used to give presentations to auditors and security folks, and he had a saying: The person who saved the ship may have been the one who started sinking it in the first place.

The sysadmins may not even have the skills needed for their role (through no fault of their own). I once visited a customer who told me that before being one of two security team members, he was a “loss prevention specialist.” That’s right: the guy who stopped shoplifters was now in charge of security at a multi-million dollar business.

The problems with checkbox FIM solutions

These skills gaps magnify the problem that the reconciliation of change – determining whether it was authorized or unauthorized – takes work. And choosing a checkbox FIM solution when the people running it can’t even wrap their heads around the concept can lead to several issues:

Noise

Change happens – a lot. Every day a new patch, hotfix, service pack, upgrade, or even regular system activity happens on a server. Hundreds or even thousands of changes can occur. Now, multiply that across an entire data center and think about sifting through those changes to find the malware or the misconfiguration that interrupts service. It will be like searching for a needle in a stack of needles.

Performance

Ask anyone who has turned on C2 Auditing on a SQL database or tried to enable Object Access: Success on a large number of files and directories on a Windows server. Performance on that system will suffer.

Reconciliation is Hard

Checkbox File Integrity Monitoring solutions are often minimally viable products designed to get you over the low bar of FIM. The higher bar of change reconciliation lies out of reach for most of these solutions. Trying to match changes against any given change management process requires the technical prowess of a company that understands such things and has spent almost its entire existence working to understand what the auditors were looking for. It also requires understanding how unauthorized change can impact a business.

Authorized Change is Not Necessarily Good Change

Many folks can’t understand this idea, but it speaks to the anecdotal idea that most downtime or breaches occur due to internal IT action. The sysadmin could have a fully authorized change ticket to install Dropbox or enable telnet on a server, but is that a good thing? Probably not.

Deciding What to Monitor

Many checkbox vendors can’t help you decide what to monitor and how. Do you try to monitor every single file? Just the operating system? What about the applications on the server?

How Fortra’s Tripwire can help

The folks at Tripwire have been working on these problems for over twenty-five years. Out of the box, we provide coverage for all of your major operating systems (and more than a few older or obscure ones). Need help with a custom application or other file or directory? We have seen more than our share and stand ready to help you.

What about this reconciliation thing you keep harping about? That, my friend, is the magic sauce – well, not magic. Instead, it’s a set of robust APIs and partnerships with large and small change management solution vendors like ServiceNow or Remedy. It allows Tripwire Enterprise to take detected changes and match them up against a known ticket or vendor patch. It’s our built-in ability to test those changes against a benchmark like the Center for Internet Security, NIST, or PCI and tell you whether or not the changes take you out of compliance.

We have yet to explore the more security-related aspects of true FIM. Our ability to match our FIM data against the Indicators of Compromise (IoC) databases of our threat intelligence partners is just one of Tripwire Enterprise’s many uses. For example, many of our customers download our free Splunk App to integrate our products so that change data can be reconciled against other network-level security events.

The business needs to make a decision. Do we spend less on a checkbox FIM product in the hopes that the auditor doesn’t call us out, or do we spend more when an outage occurs due to a bad change and because we trusted our sysadmin? Or do we invest in a company with a long track record of successful change reconciliation that works well within just about any security ecosystem?

Let me answer it with this final little aphorism from Gene Kim, who wrote the original Tripwire code many years ago: “Hope is not a strategy, and trust is not a control.”

Interested in learning about ten reasons why Tripwire’s solutions outperform other companies’ products? Click here.