With breaches now an operational reality, it is essential to have visibility of threats inside your corporate network.
File Integrity Monitoring is an essential layer of defence to help organisations identify and respond to malicious activity when it occurs.
What is File Integrity Monitoring?
File Integrity Monitoring (FIM) is the process of examining systems to identify unauthorised file modifications that could indicate a malicious compromise. FIM technologies monitor file changes on servers, databases, network devices, directory servers, applications and cloud environments to determine how, why, and by whom files have been modified and, when necessary, help restore them to a previous version.
FIM, also referred to as change monitoring, works by establishing a baseline of typical behaviour and identifying deviations from it. FIM tools monitor and analyse current file attributes, content and privileges and compare these to the baseline to identify and subsequently alert on suspicious changes.
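The baseline-and-compare cycle described above, as an added illustration that is not code from the original article or from any FIM product: it records the attributes the text names (content hash, permissions, owner, size) for every file under a monitored root, then diffs a fresh scan against that baseline and reports which attribute drifted. The directory layout and file names in `demo()` are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Attributes a FIM baseline captures per file: content hash, permissions, owner, size."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()  # fine for small files; stream large ones
    return {"sha256": digest, "mode": oct(st.st_mode & 0o7777),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(root: Path) -> dict:
    """Walk the monitored tree; key each regular file by its path relative to root."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(baseline: dict, current: dict) -> list:
    """Diff a fresh scan against the baseline; 'modified:' names exactly which attributes drifted."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append((rel, "removed"))
        elif rel not in baseline:
            events.append((rel, "added"))
        else:
            drift = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if drift:
                events.append((rel, "modified:" + ",".join(drift)))
    return events

def demo() -> list:
    """Constructed scenario: baseline a small tree, make the kinds of changes FIM alerts on, return events."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen 443\n")
        (root / "etc" / "ssl.key").write_text("secret-v1\n")
        (root / "bin" / "service").write_text("#!/bin/sh\n")
        baseline = build_baseline(root)          # in practice: store off-host and sign it
        (root / "etc" / "ssl.key").write_text("secret-v2\n")  # same size, different content
        os.chmod(root / "bin" / "service", 0o755)            # execute bit added
        (root / "etc" / "app.conf").unlink()                 # critical file deleted
        (root / "etc" / "extra.conf").write_text("x\n")      # unexpected new file
        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root)
```

Because the baseline is a plain dictionary, it can be serialised to JSON and kept off the monitored host, which is what keeps an attacker who modifies files from also quietly rewriting the reference they are compared against.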
File integrity monitoring is a common feature of host-based intrusion detection systems (HIDS). To help organisations achieve wider threat visibility, FIM tools are often deployed alongside complementary technologies such as SIEM.
Why do you need File Integrity Monitoring?
Regardless of the size of an organisation, the multitude of sophisticated threats targeting it means that if a breach is yet to occur, it is likely only a matter of time. Changes on critical systems can often be the first sign of a compromise. Cybercriminals will target an organisation’s key assets and attempt to move undetected through a network, deactivate security controls and extract sensitive data.
File Integrity Monitoring provides an essential layer of defence to help identify illicit activity across critical system files, diagnose unwanted or inadvertent changes and shut down attacks before they have a chance to cause damage and disruption.
File Integrity Monitoring for PCI compliance
For organisations that process card payments, File Integrity Monitoring is an important requirement of the Payment Card Industry Data Security Standard (PCI DSS). It’s mandated by a range of other information security standards around the world too.
PCI DSS requirements 10.5.5 and 11.5 state that organisations must make efforts to control and monitor file modifications and ensure the integrity of critical logs from within their Cardholder Data Environment (CDE).
The scope of PCI DSS’s FIM requirements extends to critical files that do not regularly change, but the modification of which could indicate a compromise.
Choosing and deploying a FIM solution
When selecting a FIM tool for your business, it’s important to choose a solution that can provide IT and security teams with the visibility they need to monitor file changes across hybrid cloud and on-premise environments, with a full audit trail detailing who has accessed what and when.
The importance of deployment and integration in ensuring FIM is effective cannot be overstated. FIM deployments must be baselined correctly, which includes aligning to a well-established change management process, in order to minimise false positives. It’s also important that FIM agents are lightweight to avoid excessive host resource consumption.
While File Integrity Monitoring is an essential tool for detection and response, it cannot operate effectively in isolation, and buyers should look to combine FIM capabilities with complementary detection technologies such as SIEM, IDS and behavioural monitoring.
How Redscan can support your file integrity monitoring needs
Redscan is a multi-award-winning provider of managed security services, specialising in threat detection and incident response.
ThreatDetect™, our Managed Detection and Response service, integrates file integrity monitoring technologies alongside a range of complementary network and endpoint detection tools, to detect, respond to and remediate threats around the clock.
As a fully managed service operating 24/7, ThreatDetect acts as an extension of in-house resources, providing the experienced red and blue team CSOC experts needed to help deploy, configure and monitor technologies. By combining expertise, technology and intelligence, ThreatDetect delivers the tangible security outcomes organisations need to make significant improvements to their cyber security posture.