The Role of File Integrity Monitoring in Security
What is File Integrity Monitoring?
File Integrity Monitoring (FIM) is the practice of knowing when, and how, the files on a system have changed.
The overall goal is to detect a potential security breach as soon as possible. A true FIM solution starts by setting a policy and identifying what files need to be monitored. These are typically system files, configuration files, and sensitive data files.
A baseline records the known-good state of each monitored file (typically a cryptographic hash plus attributes such as size and permissions) and is the master copy every later check is compared against. Once the baseline is captured, monitoring begins.
When an unauthorized change is detected, the FIM alerts an administrator so that corrective action can be taken.
Finally, reporting on all observed activity is a must, especially for compliance.
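The policy, baseline, monitor and alert steps above, as an added Python example (not code from the original article): each monitored file gets a baseline record of SHA-256 hash, size and permission bits, and a later check reports deleted, modified and re-permissioned files. Files listed as append-only (log files, in the spirit of the PCI logging requirement discussed later) are allowed to grow, but the bytes that existed at baseline time must still hash to the baseline value, so truncation or in-place edits are still reported. The file names and contents in `demo()` are constructed, and Unix-style permission bits are assumed.

```python
import hashlib, os, stat, tempfile

def digest(path, nbytes=-1):
    """SHA-256 of the whole file, or of its first nbytes only."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(nbytes)).hexdigest()

def file_record(path):
    """Known-good record for one file: content hash, size and permission bits."""
    st = os.stat(path)
    return {"sha256": digest(path), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}

def build_baseline(paths):
    return {p: file_record(p) for p in paths if os.path.isfile(p)}

def check(baseline, append_only=()):
    """Compare the live state to the baseline; return (path, finding) pairs."""
    findings = []
    for path, base in baseline.items():
        if not os.path.isfile(path):
            findings.append((path, "deleted"))
            continue
        cur = file_record(path)
        if cur["mode"] != base["mode"]:
            findings.append((path, "permissions changed"))
        if cur["sha256"] == base["sha256"]:
            continue
        # A log may grow, but bytes present at baseline must be intact; truncation or in-place edits are modifications.
        if (path in append_only and cur["size"] >= base["size"]
                and digest(path, base["size"]) == base["sha256"]):
            continue
        findings.append((path, "content modified"))
    return findings

def write(path, data, mode="wb"):
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Constructed scenario (not real data): a config file, an app log, a binary."""
    d = tempfile.mkdtemp()
    cfg, log, svc = (os.path.join(d, n) for n in ("app.conf", "app.log", "svc"))
    for p, data in ((cfg, b"port=443\n"), (log, b"boot ok\n"), (svc, b"\x7fELF")):
        write(p, data)
    base = build_baseline([cfg, log, svc])
    write(log, b"login ok\n", "ab")    # legitimate append: no finding
    write(cfg, b"port=8443\n")         # unauthorized edit: content modified
    os.chmod(svc, 0o4755)              # setuid bit added: permissions changed
    return [(os.path.basename(p), f) for p, f in check(base, append_only={log})]
```

A production FIM would persist the baseline somewhere the monitored host cannot silently rewrite it, and would stream large files instead of reading them whole.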
The term “File Integrity Monitoring” first came about when VISA was working on the Payment Card Industry Data Security Standard (PCI DSS, or just PCI) back in 2001. Almost all IT compliance regulations now require it.
Why File Integrity Monitoring?
Between insider threats, sensitive file security, and compliance, file integrity monitoring is a fairly obvious necessity for any business’s security program.
Insider Threats
Insider threats can be malicious or non-malicious. Either way, files in an environment should not change unless an authorized user makes the change.
Non-malicious threats stem from unintentional or poorly judged exposure of critical data. If an employee loses a laptop or phone, the data that the device has access to is now at risk. A common recent example is the misconfiguration of an AWS S3 bucket. With the increase in Bring Your Own Device (BYOD) networks and IoT devices, this is a growing concern.
Malicious insider threats come from employees motivated by financial gain or anger. The most damaging breaches are caused by authorized users with elevated privileges who were not being monitored properly.
External Threats
Insider activity is not the only source of unauthorized file changes; external attackers cause them as well. For example, a hacker plants a “backdoor” into a key program file to steal sensitive data. These types of attacks escalate rapidly and, if the criminal so chooses, do severe damage to a business beyond data theft.
Sensitive Personal Information Integrity
The original FIM use-case was protecting cardholder data. While this data must be kept safe from bad actors, it must remain accessible to its legitimate intended users. Another snag is that the security tools themselves should not have access to the data contents either. That is why file and folder access monitoring, rather than inspection of the data itself, is a key dimension of a FIM solution.
To prevent data theft by malware or program modifications, a FIM should be configured to watch system files. This means anything in the Windows System32 or SysWOW64 folder, program files, or key Linux/Unix kernel files.
For example, if a trojan is installed on a card transaction server, it could be used to transfer card details right off of the server. If it is disguised by name as a common operating system program and process, it would be extremely hard to detect without a FIM.
Compliance
Although the original use-case for FIM was to protect cardholder data, it is a critical component in any IT environment. Compliance is the main driver for FIM implementations for most organizations.
PCI calls for FIM in two specific areas. Requirement 10.5.5 requires file integrity monitoring on logs to ensure they can’t be changed. Requirement 11.5 requires the deployment of a change-audit mechanism to detect and alert on unauthorized modification of critical system files, configuration files, or content files. This regulation focuses on monitoring changes to files that already exist rather than the creation of new files.
Failing a PCI audit is no joke and the repercussions are nothing to brush off. Noncompliance can result in security breaches, fines, and even the loss of the ability to process credit cards. HIPAA is notorious for being a vaguer regulation than PCI. However, see this excerpt from the Federal Register:
Integrity (§ 164.312(c)(1)) We proposed under the “Data authentication” requirement, that each organization be required to corroborate that data in its possession have not been altered or destroyed in an unauthorized manner and provided examples of mechanisms that could be used to accomplish this task.
You are required to track changes to key file systems to protect all covered sensitive data and information from unlawful and unwanted access. Many other common regulations likewise require a FIM or change-audit capability.
Do I need a FIM?
FIM is an absolute must for any organization that accepts, transmits, or stores any cardholder data.
Do you want to risk losing sensitive information to malicious actors? Do you want the risk of accruing hefty fines even without experiencing an actual security incident?
The repercussions reach farther than the initial financial hit. Brands can be permanently scarred or destroyed. Any organization that needs to comply with cybersecurity regulations or houses sensitive data should have a FIM solution.
How Sedara Can Help You
If you aren’t sure about what regulations you need to comply with, or what you need in order to be compliant, don’t hesitate to get in touch!