The Five Stages of File Integrity Monitoring (FIM)

The benefits of a capable and properly deployed File Integrity Monitoring (FIM) solution are plentiful:

  • If you see unexpected or unexplained file changes, you can investigate immediately and resolve the issue quickly if your system has been compromised.
  • You can reconcile changes against change tickets or a list of approved changes in a text file or spreadsheet.
  • You can determine if changes take configurations out of policy (that is, whether they impact your hardening standard).
  • You can automate responses to specific types of changes—for example, flag the appearance of a DLL file (high-risk) but auto-promote a simple modification to a DLL file (low-risk).

And the importance of FIM cannot be overstated. Let’s not forget what the Center for Internet Security (CIS) says in Critical Security Control 3.5:

Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered.  The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).

But let’s face it, File Integrity Monitoring (FIM) can be “noisy” and a large time commitment if you let it get out of control. With a well-chosen solution, light care and feeding, and tuning to match environment changes, you can keep the Five Stages of FIM from overburdening your resources.

Let’s simplify (or look at FIM for the value it provides an organization):

  1. Something in your monitored environment changed.
  2. Something changed, and it was unexpected.
  3. Something changed, it was unexpected, and it was bad.
  4. Something changed, it was unexpected, it was bad, and here’s how to get back to the known and trusted state.
  5. Something changed, it was unexpected, it was bad, here’s how to fix it, and let’s tune our solution to minimize noise in the future.

If you have no solution, or if your solution doesn’t help you quickly address these changes, it’s easy to understand how FIM can act like “the one that got away.”
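Stages 1 and 2, together with the reconciliation against a list of approved changes mentioned earlier, can be shown in a few lines of Python. This is an added example, not code from the original article or from any FIM product; the file names, the function names and the format of the `approved` set are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """One scoped location: relative path -> (sha256, mode bits, owner uid)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):  # regular files only, no symlinks
                digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
                rel = os.path.relpath(path, root)
                state[rel] = (digest, stat.S_IMODE(st.st_mode), st.st_uid)
    return state

def classify(baseline, current, approved):
    """Stage 1: what changed. Stage 2: was it on the approved-change list?"""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        if old is None or new is None:
            kind = "added" if old is None else "removed"
        elif old[0] != new[0]:
            kind = "content"    # hash differs (metadata may differ as well)
        else:
            kind = "metadata"   # same bytes, owner or permissions changed
        verdict = "expected" if (path, kind) in approved else "UNEXPECTED"
        findings.append((path, kind, verdict))
    return findings

def demo():
    """Constructed sample data: three changes, only one of them approved."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("app.conf", b"port=443\n"), ("lib.dll", b"v1")):
            Path(root, name).write_bytes(data)
        baseline = snapshot(root)
        Path(root, "app.conf").write_bytes(b"port=8443\n")  # ticketed change
        Path(root, "lib.dll").chmod(0o755)                  # permission change
        Path(root, "extra.dll").write_bytes(b"v1")          # new file appears
        approved = {("app.conf", "content")}  # hypothetical approved list
        return classify(baseline, snapshot(root), approved)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Only the findings marked UNEXPECTED need an analyst; deciding whether they are bad (stage 3) and restoring the trusted state (stage 4) remain separate steps.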

One of the most important things you can do to advance FIM in your organization is to narrow its scope to the use cases that solve compliance, security, and operational problems. Probably in that order. And probably starting with the five opportunities/levels of complexity above.

A good example is SOX compliance, where the organization has “locations” involved in producing SOX-related content. Those may be files, directories, applications, even database fields. But NOT all files or all directories or all applications.

Organizations on the more mature side of FIM will say, “We have 135 locations associated with SOX data that could be audit points. We need to know what changes happened, including a baseline, to ensure there was not malfeasance in the creation of our financial reports in those (very specific) places.”

Organizations purchase FIM solutions for a few different reasons. Some are looking for an inexpensive “checkbox” solution to show due diligence against legal action, while others are concerned about the impact of change on operational uptime.

By recognizing the value of FIM, focusing your efforts first where you HAVE to and then where you WANT to, and narrowing your horizon to the critical few, you too can reap the advantages of FIM in your organization.



via:  tripwire
