What is File Integrity Monitoring?
At the highest level, File Integrity Monitoring (FIM) is knowing when and how your files have changed at any given time.
The overall goal is to detect a potential security breach as soon as possible. A true FIM solution starts by setting a policy and identifying what files need to be monitored. These are typically system files, configuration files, and sensitive data files.
A baseline is then recorded for each monitored file; it acts as the known-good master state that the file's current state is checked against. After that, the monitoring begins. When an unauthorized change is detected, an alert is created so the administrator can take corrective action.
Finally, reporting on all observed activity is a must, especially for compliance.
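The baseline-then-compare loop described above, as an added example that is not part of the original article and not the code of any particular FIM product. It fingerprints every regular file under a monitored directory (SHA-256 of the content plus size and permission bits), stores the baseline as JSON, and later classifies drift as added, removed or modified. The directory layout, file names and "unauthorized changes" are constructed for the demonstration.

```python
"""Minimal file-integrity baseline/compare loop (added example, not from the article)."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"  # assumption: a collision-resistant hash is used (not MD5/SHA-1)


def file_fingerprint(path: Path) -> dict:
    """Hash the content and record size and permission bits for one regular file."""
    st = path.lstat()
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    # Mode is included so a permission change (e.g. a newly added execute or
    # setuid bit) is reported even when the content is untouched.
    return {"hash": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> dict:
    """Walk a monitored tree and fingerprint every regular file (symlinks are skipped)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        baseline[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify deviations from the baseline: added, removed, or modified files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, and report the drift."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        root = base / "monitored"          # the tree a FIM policy says to watch
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "legacy.conf").write_text("enabled=no\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF constructed-binary")
        (root / "bin" / "service").chmod(0o644)

        # The baseline lives outside the monitored tree; in production it should be
        # stored read-only or off-host so an intruder cannot rewrite it to match.
        baseline_file = base / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unauthorized changes (constructed for the example)
        (root / "etc" / "app.conf").write_text("debug=true\n")          # content edited
        (root / "bin" / "service").chmod(0o755)                         # permissions changed
        (root / "bin" / "helper").write_bytes(b"constructed new file")  # new file dropped
        (root / "etc" / "legacy.conf").unlink()                         # file deleted

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Content is hashed rather than compared by modification time, because a timestamp can be reset by whoever changed the file; the report from `compare()` is what the alerting and compliance-reporting steps would consume.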
The term “File Integrity Monitoring” first came about when VISA was working on what is now known as the Payment Card Industry Data Security Standard (PCI DSS, or just PCI) back in 2001. In some cases, it is referred to as “change audit.” Regardless of what you call it, almost all IT compliance regulations and standards now require it.
Why File Integrity Monitoring?
Between insider threats, sensitive file security, and compliance, file integrity monitoring is a fairly obvious necessity for any business's security program.
Insider threats can be either malicious or non-malicious. Either way, files in an environment typically should not change unless an authorized user makes the change. Non-malicious threats stem from unintentional or poorly judged exposure of critical systems and data. If an employee loses a laptop or phone, the data that system has access to is now at risk.
A common recent example of this is the misconfiguration of an AWS S3 bucket. With the increase in Bring Your Own Device (BYOD) networks and IoT devices, this is only going to be a growing concern. Malicious insider threats are employees motivated by financial gain or pure anger. The most damaging breaches are caused by authorized users with elevated privileges who were not being monitored properly.
These cases sometimes lead to external breaches as well. One example of an attack is planting a "backdoor" into a key program file, creating a very stealthy and effective way to steal sensitive data. These types of attacks can escalate rapidly and do severe damage to a business beyond data theft if the criminal so chooses.
Personally Identifiable Information / Sensitive Personal Information Integrity
The original FIM use-case was protecting cardholder data. While this data must be kept safe from bad actors, it must remain accessible to its legitimate users. Another snag is that the security tools do not have access to that data either. That is why file and folder access monitoring is a key dimension of a FIM solution.
To prevent data theft by malware or program modifications, a FIM should be configured to watch system files: anything in the Windows System32 or SysWOW64 folders, the Program Files directories, or the key kernel files on Linux/Unix. For example, if a trojan is installed on a card transaction server it could be used to transfer card details right off the server. If it is disguised by name as a common operating system program and process, it would be extremely hard to detect without a FIM.
Although the original use-case for FIM was to protect cardholder data, it is a critical component in ANY healthy IT environment to protect any kind of sensitive data or files. That being said, compliance still seems to be the main driver for FIM implementations for most organizations.
PCI calls for FIM in two specific areas. Requirement 10.5.5 requires file integrity monitoring on logs to ensure they can’t be changed. Requirement 11.5 requires the deployment of a change-audit mechanism to detect and alert on unauthorized modification of critical system files, configuration files, or content files. This regulation focuses on monitoring changes to files that already exist rather than the creation of new files.
Failing a PCI audit is no joke, and the repercussions are nothing to brush off. Noncompliance can result in security breaches, fines, and even the loss of the ability to charge credit cards. HIPAA is notorious for being vaguer than a regulation like PCI. However, see this excerpt from the Federal Register:
- Integrity (§ 164.312(c)(1)) We proposed under the "Data authentication" requirement, that each organization be required to corroborate that data in its possession have not been altered or destroyed in an unauthorized manner and provided examples of mechanisms that could be used to accomplish this task.
There are a few other sections that cover ensuring system, file and data integrity. Even though it is not as specific as PCI DSS, the bottom line is that you are required to track changes to key file systems to protect all covered sensitive data and information from unlawful and unwanted access. Many other common regulations likewise require a FIM/change audit capability.
Do I need a FIM?
FIM is an absolute must for any organization that accepts, transmits, or stores cardholder data.
Do you want to risk losing sensitive information to malicious actors? Do you want the risk of accruing hefty fines even without experiencing an actual security incident?
The repercussions reach farther than an initial financial hit. Brands can be permanently scarred, or even destroyed. Any organization that needs to be compliant with cybersecurity regulations or houses sensitive data should have a FIM solution.
If you aren't sure which regulations you need to comply with, or what you need in order to be compliant, don't hesitate to get in touch!