The Past, Present, and Future of File Integrity Monitoring

Also known as change monitoring, File Integrity Monitoring (FIM) solutions monitor and detect file changes that could indicate a cyberattack. They determine if and when files change, who changed them, and what can be done to restore files if those changes are unauthorized. As such, FIM solutions are useful for detecting malware and achieving compliance with regulations like PCI DSS and are a crucial part of any enterprise security stack.

But FIM has changed a lot over the years – and is set to change even more. Considering Tripwire was the first FIM solution, we figured we should be the ones to educate you on its past, present, and future.

The History of FIM

FIM began in the early 1990s when Gene Kim, a graduate computer science student at Purdue University, recognized the need for a solution to monitor file integrity amidst cyber threats like the Morris Worm. In 1992, he released the first version of Tripwire, the world’s first FIM solution, and changed cybersecurity forever.

Five years later, in 1997, upon recognizing the potential of his solution, Kim and Wyatt Starnes co-founded Tripwire to commercialize FIM technology and make it accessible to a broader range of organizations. In the years following, Tripwire continued developing FIM technology to keep pace with the growing complexity of cyber threats and the rise of e-commerce.

In 2000, Tripwire introduced an open-source version of its FIM solution, making it accessible to a wider audience. In 2005, Tripwire Enterprise, a comprehensive FIM solution for large enterprises that offered advanced features such as real-time monitoring, automated remediation, and detailed reporting capabilities, was introduced. In the 2010s, Tripwire released Tripwire LogCenter – a solution providing entities with a centralized log management and analysis platform – and Tripwire IP360, which introduced comprehensive vulnerability management capabilities.

More recently, Tripwire integrated its FIM solutions with cloud platforms to give organizations the visibility and control they needed to protect their cloud assets and ensure compliance. We then debuted Tripwire ExpertOps, a managed services offering that provided firms with expert support and guidance for their FIM needs.

The Current State of FIM

That brings us to the present day. We’ll now explore Tripwire’s FIM solution’s features and advantages, as well as some of the challenges associated with other solutions.

How Tripwire’s FIM Works

Let’s quickly recap how Tripwire works. FIM solutions enforce the integrity of digital systems by continuously monitoring for changes to files, operating systems, servers, endpoints, and more in real time to show security teams what changed, when it changed, and who changed it so they can respond to security incidents. Tripwire’s FIM solution works in the following stages:

• Setting a Policy: Defining the relevant policies and what the client needs to monitor for.
• Establishing a Baseline: Setting a reference point of a known good state against which the client can use to detect alterations.
• Monitoring Changes: Monitoring all designated assets for changes and auto-promote expected changes to minimize false positives.
• Sending Alerts: Sending an alert to security teams when unauthorized changes are detected.
• Reporting Results: Generating reports for audits and leadership.

Why Use FIM?

FIM is a crucial technology because it helps security teams ensure security and compliance. It monitors assets for unauthorized changes to meet compliance requirements set by regulations such as PCI DSS and HIPAA. Moreover, it provides advanced monitoring to protect assets from unauthorized changes.

More specifically, FIM provides security teams with:

• Full Visibility of Changes: FIM solutions capture all details of changes, including who made the change and when so they can determine if the change indicates a threat and act accordingly.
• Customizability: Tripwire’s FIM solution allows security teams to customize severities and scoring to reflect their organization’s profile and business context for more accurate threat detection and threat reporting.
• Reduced Noise: As Tripwire’s FIM can automatically reconcile changes, monitoring is streamlined, and the solution differentiates between good and bad changes.
• Regulatory Compliance: FIM is a crucial control of almost all compliance regulations and security standards, meaning with FIM, your organization is both safe and compliant.

Challenges of FIM

Some other solutions are what is known as “checkbox FIM.” These solutions present challenges that can lead to missed security issues and compliance failures. They are:

• Excessive Noise: These solutions generate large amounts of change data, making it difficult to identify meaningful security threats.
• Performance Impact: Monitoring too many changes can slow down systems.
• Reconciliation Challenges: They fail to properly differentiate between authorized and unauthorized changes.
• Inadequate Monitoring Guidance: They lack support for deciding what and how to monitor effectively.

Why is Tripwire’s FIM Different?

Tripwire’s FIM solution is part of our wider Tripwire Enterprise offering. It pairs FIM with security configuration management to provide real-time change intelligence and threat detection. From a compliance perspective, it proactively hardens systems and automates compliance enforcement to reduce audit cycles and costs.

What’s more, as part of the Fortra brand, our FIM solution is backed by a huge range of products and customer experiences, meaning it is informed by different insights to provide better customer experience, security, and compliance. If operating systems change, we can adapt to that. If your requirements change, we can meet them.

No vendor is better placed to scale protection for complex environments. Whether you manage your data on-premises, in the cloud, or in a hybrid environment, our FIM solution has got you covered.

In on-premises environments, Tripwire Enterprise uses agents that sit on endpoints and monitor real-time changes—all while using minimal network resources. Moreover, it covers databases, ports, registries, network devices, Active Directory, and more. Tripwire Enterprise also works in private, public, and hybrid cloud environments to monitor Azure containers or S3 buckets and objects in AWS and provide visibility into every relevant change in your environment.

The Future of FIM

And now we can look to the future. As the inventor of FIM, Tripwire is at the absolute cutting edge of FIM technology. We’re adapting to emerging technologies, integrating with systems running on AWS Graviton processors. And utilizing eBPF (extended Berkely Packet Filter) to further improve performance and scalability in cloud, hybrid, and on-prem Linux environments.

Graviton processors, based on ARM architecture, are optimized for cost-efficiency and energy consumption. eBPF allows for high-performance monitoring by enabling programs to run within the Linux kernel without modifying its source code. Together, they help Tripwire’s FIM solution monitor system integrity on cloud-native platforms with greater speed, flexibility, and lower resource overhead, making it more adaptable to modern infrastructure.

Perhaps most importantly, however, is that Tripwire’s FIM solution supports both legacy (such as older versions of Windows, Linux, and Unix) and new technologies (like AWS, Azure, and Google Cloud) – something that no other vendor can do. Moreover, we offer phased implementations, meaning organizations transitioning from legacy to new technologies can do so with ease.

Find out What Tripwire Can Do for You

Want to learn more about what Tripwire Enterprise can do for your organization? Contact one of our security and compliance experts. We look forward to learning about your specific needs and answering any questions you have about taking advantage of these Tripwire Enterprise use cases to overcome your biggest security and compliance challenges.