File Integrity Monitoring (FIM) is an essential security control that is designed to monitor and expose any change to the integrity of the system and configuration files.
Maintaining integrity is critical for two reasons. Firstly, because changes to files could represent a malware infection, FIM provides a forensic-level breach detection mechanism. Secondly, with prevention better than cure, security defenses can only be maintained via a secure ‘hardened’ configuration, so monitoring for any drift from your hardened configuration state is crucial.
Changes and configuration drift will always occur before most major outages, or even worse, cyber-attacks. Having FIM in place allows organizations to retrace their steps by conducting a very granular forensic and behavioral analysis to see exactly what changes, on which system, by who, and at what time. This information allows organizations to not only validate the changes that occur on a regular basis, but in the event of a breach, will help decrease their time to detect, thus mitigating the devastating effects of the breach as well as reducing the overall attack surface.
The term File Integrity Monitoring, while accurate, can be a bit misleading. Do we really want to only protect the integrity of our program files? What about, for example, firewall rules, one of the most critical configuration items in your network? What about core operating system files, Windows Registry, network devices, registry keys, web applications and databases? The thing is, everything in IT is based on software, and software is built on files. This means if you buy the right FIM solution, everything can be protected from attack.
But what should you look for when comparing FIM solutions? What makes a FIM solution effective? Here are the 5 key elements of an effective FIM solution:
1. Managing and Reducing Change Noise – Files change, they are meant to change, but too much change can lead to an overwhelming amount of change noise and alert fatigue. If the problem of change “noise” is not addressed in a comprehensive manner as a critical detective control for mitigating the risk of downtime and security breaches, operational instability and exposure to breaches will continue to rise. To help minimize this noise, an effective FIM solution should have the ability to differentiate between planned and unplanned changes. Without the ability to determine if changes are expected, authorized or non-malicious, an organization is essentially driving blind to risk of availability, compliance or security issues.
Another feature that’s important to note when discussing managing changes and change noise is the ability to roll back changes. While at first glance this sounds like a convenient strategy, it is a potentially dangerous feature that you simply would not want to use in the real world. Most changes happen for good reason, like security updates for example, so you wouldn’t want your FIM product interfering with good operational work, unpicking these ‘good / legitimate’ changes and leaving your systems open to vulnerabilities and worse case – a cyberattack. Instead, you want to have SecureOps in place to be able to automatically approve good, planned changes, but also automatically highlight the unplanned, potentially malicious ones. If you combine this approach with a robust change management process, you’ll be sure that all changes have been approved prior to implementation.
2. File Safe Validation – While knowing what has changed is helpful, it’s even better to know if what has changed is harmful or not. The best FIM solutions leverage automatic analysis of file changes and go beyond the simplistic ‘here’s a change to investigate’. One approach is to use threat intelligence in the form of file reputation which can be referenced as a Trusted File Whitelist. The best solutions on the market provide file reputation data for over 9 billion files from over 650 publishers.
3. Scalability – As change control management solutions have been extended to incorporate some or all of the ‘must have’ features, scaling as a result has become more difficult and expensive to deliver. Most FIM solutions on the market today can handle device counts in the range of 0 - 8,000, but once in the 10,000+ device bracket, some systems reach their breaking point, unable to process and analyze these higher levels of events. Whether you are looking to cover large numbers of devices, or you anticipate needing to handle high volumes of events and reports, make sure you have a clear picture of how scalability is achieved and at what cost, both in terms of hardware resources and software requirements.
4. Change Management System Integration – Organizations that want to redeem control of their infrastructure’s security often times will implement a change process which includes some kind of change management system such as ServiceNow, Cherwell, or BMC Remedy. Administrators will raise a change ticket, then the change ticket makes its way through the approval process. With most tools, it ends there – the rest of the process is manual. The user must implement the changes, then compare and contrast what happened with the change ticket. However, superior FIM products have integration capabilities with ITSM tools. Changes made during a planned change window get validated against the expected change profile – any exceptions such as misconfigurations or additional non-scoped changes are exposed for review and remediation where required. All unplanned changes are recorded in full – including who made the change, with before and after exposure of changes clearly reported. These are then raised to the change management system and prioritized as incidents – changes will be automatically analyzed using continuously updated threat intelligence.
5. Continuous Compliance & Configuration Drift Handling – Many organizations are required to demonstrate compliance with a wide range of standards so it is important to verify that compliance standard specific reports are available and included without additional charge. The best FIM products on the market have pre-defined policies that can be applied in a matter of seconds across a wide variety of systems to determine if the systems are in compliance with a particular standard. You can even automate the process of validating the compliance as well as be notified of any configuration drift with scheduled reporting and real-time detection.
With data breaches and cyber-attacks becoming increasingly more common, organizations must adopt a comprehensive FIM solution to help mitigate risk and reduce the attack surface. NNT’s FIM and Change Control solution – Change Tracker Gen 7 R2 combines self-learning intelligence to determine the validity of activity with the world’s largest file whitelisting service combined with the ability to integrate with your current change management process, harvesting vital details associated with expected changes. The result? A precision system that will sift through the volume of safe file changes and only alert you to those that may be potentially harmful.
Learn more about our File Integrity Monitoring solution by watching our latest video What is File Integrity Monitoring?
Learn more about File Integrity Monitoring by downloading our whitepaper Threat Intelligence & Closed Loop Intelligent Change Control: Enhancing the Value of FIM for Breach Detection
Share this post