File Integrity Monitoring Best Practices

Today, most IT systems use file-based architectures to store and process information. In addition, critical applications such as operating systems, application files, configuration data of systems and applications, sensitive organization data, logs, and security events are stored in files.

If any of these files are compromised, financial and reputational damage will be done to organizations. As a result, ensuring the integrity and security of critical files is more important than ever. This is why File Integrity Monitoring (FIM) services come into play.

See Also: PCI DSS and File Integrity Monitoring

FIM is the process of determining whether essential files such as operating systems, utilities, databases, and applications have been tampered with or corrupted. FIM validates the most recent versions of files by comparing them to trusted versions. It then identifies unexpected and unauthorized changes to ensure that the file has not been modified.

When used correctly, file integrity monitoring (FIM) is a critical tool against breaching the confidentiality of sensitive information, such as the breach of cardholder data.

See Also: File Integrity Monitoring Tools For PCI DSS

In our article, you can find best practices for efficiently deploying and configuring your file integrity monitoring solution. Enforcing best practices of file integrity monitoring can mean the difference between a functional FIM deployment and be caught off guard against compromised data.

What is the FIM’s Role in Your Organization?

Before we get into file integrity monitoring best practices, let’s take a look at what an FIM does for your organization.

File integrity monitoring solutions monitor and protect critical systems and data by:

  • FIM detects changes to files associated with applications, databases, routers, servers, and other devices in your IT infrastructure.
  • FIM captures the details of every change.
  • The interpretation of details and determines whether the change is a security risk.
  • Notifies you of changes and promptly fixes problems caused by inappropriate change.

Tracked files range from configuration files to directory permissions and executables. Ideally, all of the above file integrity monitoring processes should occur in real-time.

FIM software will scan, analyze and report unexpected changes to essential files in an IT environment. In doing so, file integrity monitoring helps accelerate incident response while providing a critical layer of file, data, and application security.

  • Illegal Activity Detection. If a cyber attacker infiltrates your IT environment, you must determine whether they are attempting to replace files critical to your operating systems or applications. FIM allows you to monitor and protect the security of your files, applications, operating systems, and data. FIM can detect changes in essential parts of your IT ecosystem even if log files and other detection systems are avoided or modified.
  • Detection of Unwanted Changes. Unwanted file changes are often made accidentally by a manager or other employee. Sometimes the consequences of these changes are insignificant and go unnoticed. At times, they can open security backdoors or disrupt business operations or continuity. File integrity monitoring simplifies forensics by assisting you in undoing or reverting the erroneous change.
  • Verifying Update Status and Monitoring System Health. With post-patch checksum, you can scan for versions installed on multiple locations and machines to check if files are included in the latest version.
  • Meeting Compliance Requirements. The ability to monitor changes and monitor and report certain activity types must comply with legal mandates such as GLBA, HIPAA, SOX, and PCI DSS.

File Integrity Monitoring Best Practices

File integrity monitoring examines file changes for any form of tampering or indications of a possible cyberattack. File integrity monitoring best practices include keen situational awareness, establishing and maintaining an accurate foundation, and paying particular attention to minor details.

The security and integrity of files are essential to prevent data breaches. Therefore, it is always recommended to use File Integrity Monitoring (FIM) services for organizations. We recommend that you follow these file integrity monitoring best practices to quickly detect a potential attack and minimize the possibility of a cyberattack.

Don’t just rely on File integrity monitoring.

At a basic level, FIM verifies whether essential system files and configuration files have changed. In short, it ensures that the integrity of the files remains intact or not modified in an unauthorized way. However, it does not provide comprehensive security on its own regarding data protection and security.

Along with other ways to help protect your IT assets, FIM creates another layer of security for an attacker to penetrate. That’s why you need to use multiple methods to detect unauthorized, suspicious changes and alert the relevant people. It is best practice to keep these layers as complex and impenetrable as possible.

Establish an organizational policy regarding FIM

File integrity monitoring is not only proper as a security auditing tool. Still, it is mandated by payment card industry (PCI) standards, the Health Insurance Portability and Accountability Act (HIPAA), and other regulations.

PCI DSS requires organizations to monitor changes to critical files, particularly audit logs, system files, and configuration files. These regulations also recommend drafting a plan detailing how often the FIM will be run. To ensure that the plan is executed quickly and effectively, you need to conduct periodic checks.

Plan the FIM deployment.

Careful planning before deploying FIM is required to ensure world-class monitoring and protection. To assist you in the planning process, you can answer the following questions:

  • How many assets or files will be tracked with FIM?
  • Which elements of systems need to be monitored with FIM?
  • Which operating systems and versions need to be followed with FIM?
  • Who will manage and monitor the FIM?

Build your inventory of assets that need to be tracked with FIM

Maintaining an asset inventory is the first step in securing your system. What you can’t see, you can’t secure your assets. Therefore, having a list of files and directories that are important to you is the first best practice you should implement in your infrastructure.

Create and maintain a comprehensive list of files and directories that need monitoring. These assets include system and configuration files, as well as files containing sensitive information. But too large a scope will cause too many warnings and too many false positives and warning fatigue, making your entire FIM unreliable and worthless.

Evaluate files to be monitored with FIM

Create a list of files and directories that need to be monitored. The list usually includes system files, configuration files, sensitive information such as credit card data or personally identifiable information (PII). But be careful; checking too many directories will only cause warning fatigue and make it harder for you to perform root cause analysis in the event of an attack.

Separate your assets to be tracked according to their functions.

Grouping your assets by function allows you to apply the same set of internal and external security policies. It is not unusual to monitor files and assets on different networks. On the other hand, if the servers contain similarly configured web servers, and various applications run on them, consider adding an application identifier to the server farm name.

Be as specific as possible when creating file integrity policies.

Your FIM will become more efficient at detecting changes if you narrow down your file and directory targets when creating file integrity Policies. When choosing your file and directory targets, it is not recommended to target directories and files that you know will change dynamically over time. Directories that can change dynamically can include log files, downloads, and temporary directories.

Evaluate, deploy and actively manage baselines.

Each unique server on your network requires a file integrity basis that describes the standard secure state of the configuration compared to a specific file integrity policy. While it’s ideal for laying the groundwork before deploying your file integrity monitoring, it’s not always practical.

If you have any doubts about the authenticity of a file, you must take precautions to protect it as much as possible. This is important because if you install FIM on an already compromised file and build your base from that compromised file, your FIM becomes a useless tool.

Monitor and archive FIM logs.

One of the most critical aspects of FIM’s initial configuration is ensuring that critical log messages are received, detected, forwarded to the appropriate administrator, and properly archived. Using a file integrity monitoring solution contains information about the overall status of the file.

It is also essential to use the same application to monitor the output of the file integrity application. You should collect and store logs for all system changes and protect these logs from unauthorized changes. You should also limit log images to authorized people only.

The more information you can collect with the file integrity monitoring tool, the easier it will be to trace and recreate events in the event of a compromise.

Evaluate IT infrastructure changes

Get notified when users or user groups are added to or deleted from access lists. Update your apps with patch fixes and the latest software versions. Integrate file change monitoring software with your security information and event management (SIEM) tool for automatic threat detection. Audit data obtained from these tools are essential as post-incident analysis and forensic evidence.

Build incident detection and response generation processes

Contextual information about each file change is essential to verify file integrity, including who made the change, when, and from where. Set up alerts and automatic responses for excessive file changes triggered by malware or insider activity.

Use file change notification software to detect mass file changes or deletions and respond instantly to activity by turning off the user device.

Use FIM file data not only for change alerting but also for forensics.

Forensics is the most reliable way to understand the depth of a violation. If a hacker breaks into your infrastructure, you must go beyond understanding the current state of the network but also have a clearer picture of what it looked like minutes before the attack.

If you have reliable and adequate forensic information, you can significantly reduce the cost of cleanup after a settlement and answer the following critical questions:

  • What happened in infiltration and compromise?
  • How badly were my files exposed?
  • How can I prevent infiltration and compromise from happening again?

Test and evaluate your FIM strategy

Use a virtual installation that mirrors your infrastructure to test scenarios. Review how processes and procedures work in case of unauthorized file changes. When deploying file integrity monitoring software, viewing a demo on your infrastructure will help you choose the right tools and configurations for your environment. Take the time to communicate any changes to implement file integrity monitoring practices to all employees.

Surkay Baykara
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

What are the PCI DSS Audit Requirements

The primary purpose of the PCI DSS audit is to validate an organization's ability to protect cardholder data and all systems that interact with payment transactions.

PCI DSS Control Objectives

PCI SSC has developed controls to protect electronic or physical forms of payment, with or without a card transactions.

How to Successfully Pass a PCI Compliance Scan

If you have a website where you get credit card numbers directly from your visitors, you must comply with PCI DSS requirements, and one of those requirements is PCI compliance scans.

Related posts

Latest posts

What are the PCI DSS Audit Requirements

The primary purpose of the PCI DSS audit is to validate an organization's ability to protect cardholder data and all systems that interact with payment transactions.

PCI DSS Control Objectives

PCI SSC has developed controls to protect electronic or physical forms of payment, with or without a card transactions.

How to Successfully Pass a PCI Compliance Scan

If you have a website where you get credit card numbers directly from your visitors, you must comply with PCI DSS requirements, and one of those requirements is PCI compliance scans.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!