File Integrity Monitoring Tools For PCI DSS

File Integrity Monitoring Software (FIM) becomes an essential tool for any organization to protect sensitive information from data breaches. File Integrity Monitoring Software (FIM) helps improve the security of data necessary to any company and should not be overlooked.

To protect cardholder data, PCI-DSS outlines a set of 12 requirements that apply to any business that stores, processes, or transmits payment card data. Two of these requirements are; PCI DSS requirements 10 and 11 provide specific guidelines on how to protect data stored in computer networks:

  • PCI DSS Requirement 10.5.5 requires businesses to use file integrity monitoring or change-detection software for logs to ensure that existing log data cannot be changed without generating alerts.
  • PCI DSS Requirement 11.5 requires businesses to use a change detection mechanism to alert personnel against unauthorized modification of critical system files, configuration files, or content files and configure the software to perform critical file comparisons at least once a week.

To meet the PCI requirements mentioned above, security teams use file integrity monitoring software or other security software with built-in FIM capability. FIM tools track all file changes, including new files created, modifications, and deletions, and alert specified personnel when unauthorized changes occur to files and directories.

See Also: PCI DSS and File Integrity Monitoring

If not correctly implemented, unauthorized modifications can cause other security controls to become ineffective and cardholder data to be stolen with no other detectable effects.

FIM solutions are specifically designed to track changes in files, unlike other security measures. Usually, the program takes a “snapshot” of the system and then compares that snapshot regularly with the system’s current state. When FIM software detects unauthorized and unauthorized changes to identified files, it can alert IT or take action to minimize the threat.

Who Should Apply File Integrity Monitoring?

Any organization can use File Integrity Monitoring software to monitor their essential files. But others prefer to use it as they are in a critical situation. For example, PCI DSS requires you to use File Integrity Monitoring software. So if you are in the financial industry and work with payment cards, File Integrity Monitoring tools are more of a necessity than a choice.

Likewise, although not mandatory, File Integrity Monitoring software should be rigorously evaluated by any organization dealing with sensitive information. Whether you are storing customer data or trade secrets, using FIM tools is an obvious benefit and can save you from all sorts of misfortunes.

See Also: How Should Change Control Management be for PCI DSS?

But monitoring file integrity isn’t just for large organizations. While both large businesses and midsize businesses tend to be aware of File Integrity Monitoring software’s importance, it should be taken into account by small companies as well. File Integrity Management tools are available in the market to suit any need and budget. In the list below, you can find some paid and open source FIM software options.

Almost any business can benefit from investing in FIM software, but for many, choosing the best file integrity monitoring software can be a necessity:

  • Regulated Sectors: Some standards, such as PCI DSS, Sarbanes-Oxley, or HIPAA, require FIM software or specify its use to no small extent. FIM is a non-negotiable issue whether you work in finance or healthcare or accept credit or debit cards.
  • Sensitive Information: FIM should be considered by any organization dealing with sensitive information. Sensitive information includes both consumer data and trade secrets. It is beneficial for your company and can help prevent a PR disaster.
  • All Sizes’ business: Medium-sized companies and large companies have long recognized the importance of FIM software. But being a small business is no longer a reason not to use FIM solutions. FIM solutions are available to suit every need and budget.

File Integrity Monitoring Tools For PCI Compliance

Numerous tools offer functionality in File Integrity Monitoring. Some are special tools that do nothing else. On the other hand, some are a comprehensive IT security solution that integrates File Integrity Monitoring with other security-related functions.

We tried to include both types of FIM tools in our list. After all, file integrity monitoring is part of managing IT security, which often includes other functions. This list includes both open-source and commercial File Integrity Monitoring Tools.

SolarWinds Security Event Manager

SolarWinds Security Event Manager is an enterprise-ready solution that centralizes all the information and other essential monitoring tasks you need to monitor file integrity effectively. The tool’s SIEM capabilities will quickly monitor events in the recording, file, and folder and alert you.

SolarWinds Security Event Manager allows you to create detailed alerts and reports by showing which users are responsible for file changes and other user activities. For example, the home page sidebar shows you how many change events have occurred under the Change Management heading and allows you to filter events by keyword when something goes wrong.

SolarWinds SEM provides many application features that are made ready for an audit and suitable for regulated industries and confidential information.

While monitoring file integrity, SolarWinds Security Event Manager can show which users are responsible for specific file changes. It also allows you to create different alerts and reports by monitoring additional user activities. When something looks suspicious, and you want to dig deeper, you have the option to filter events by keyword.

SolarWinds SEM also has event response features. For example, the detailed real-time response system will actively respond to every threat. Since an incident response is based on behavior rather than a signature, you are protected against unknown or future threats and zero-day attacks.

SolarWinds Security Event Manager’s control panel is easy to use thanks to its simple design and fast identification of anomalies. If you want to check it out and see how it works in your environment, you can download a free, fully functional 30-day trial version.

OSSEC

OSSEC is an open-source intrusion detection software for Linux and Mac OS X. It also has a basic file monitoring feature called “Syscheck.” By default, it runs every six hours to check for changes in the key file checksum. It is designed to reduce CPU usage, which means it is a potential option for organizations that want a FIM solution with a small footprint.

However, OSSEC can only be used in server agent mode for Windows. Using it in server agent mode means that rootkits are not detected in Windows. Also, you will have to grapple with all the time-consuming problems that come with open source systems.

When installed on operating systems running on Linux or Mac OS, the program focuses primarily on log and configuration files. It generates checksums of essential files and verifies them periodically, alerting you when something abnormal happens. It will also monitor and alert any suspicious attempts. Unauthorized registry changes on Windows hosts, which may imply malicious behavior, are also monitored by the device.

When it comes to file integrity monitoring, OSSEC has a dedicated feature called Syscheck. By default, the tool runs every six hours and looks for changes in the master file checksum. Because the module is designed to minimize CPU consumption, it is potentially the right choice for organizations that need a space-saving solution for file integrity management.

Since it is a host-based intrusion detection system, OSSEC must be installed on every computer or server you want to protect. However, it has a central console that consolidates information for easier management.

The central OSSEC console only works on operating systems running Linux or Mac OS. However, a Windows Host Protection Agent is available. Any detection will trigger an alert displayed on the central console while email notifications are also sent.

Trustwave Endpoint Protection

Trustwave Endpoint Protection, a cloud-based solution, is useful for monitoring files’ integrity but designed for more. It includes daily monitoring, weekly comparison of critical files, event management, and reporting.

Trustwave Endpoint Protection provides adequate public visibility across multiple data sources so that businesses can find this a useful option. If you want to have file integrity monitoring features, this sophisticated tool might not suit you.

SecureTrust File Integrity Monitoring uses fast, transparent messaging to clarify complex changes and improvements to files. It allows you to prioritize by guiding you to the most critical changes. All adjustments are collected and analyzed for quick access to collective event information in the TrustKeeper database.

Tripwire File Integrity Manager

Tripwire is another product known for its intrusion detection system but also offers powerful FIM capabilities. Tripwire has a user-friendly interface and ready-to-use functionality. Easy-to-read graphs easily explain platform-specific changes and show whether they are approved or not.

The changes can be examined to see the date, time, user, and other relevant information at a detailed level. It comes with compliance checks that follow CIS, NIST, and ISO directives.

Tripwire File Integrity Manager (FIM) has proprietary noise reduction capability by providing multiple ways to distinguish low-risk changes from high-risk changes while evaluating detected changes. As a result, you’ll have more time to look at improvements that might have a significant effect on safety and danger.

Tripwire FIM uses brokers to capture who has completed real-time details and when constantly. Agents help you track all changes, gather information about each, and use it to assess security risk or non-compliance.

Tripwire allows you to integrate File Integrity Manager with other security tools such as log management and SIEM tools. Tripwire FIM can intuitively tag and process data from these controls in ways that help protect data.

The Event Integration Framework (EIF), for example, integrates important change data from the File Integrity Manager with the Tripwire Logging Center or almost any other SIEM. The security of your IT infrastructure can be quickly and effectively managed with EIF and other essential Tripwire security controls.

Tripwire File Integrity Manager uses automation to detect all changes and fix those that remove them from a policy configuration. Providing quick control, BMC Remedy can be integrated with existing ticketing systems such as HP Service Center or Service Now.

Its integration feature also guarantees traceability. Also, automatic notifications enable user-specific responses when specific changes reach a severity threshold that a change alone would not cause.

QualysGuard FIM

Qualys Cloud Agent is a well-known and widely used product. It can quickly note changes in files and allows you to set notifications for all directories or at the file level.

You can capture changes such as creating, renaming and deleting files. It is a cloud solution that most businesses are looking for today.

Qualys File Integrity Monitoring effectively detects changes in real-time using standard methods in antivirus technologies. Change notifications can be generated for all directory structures or at the file level. Qualys File Integrity Monitoring uses existing operating system kernel signals to identify the files accessed, rather than on computationally intensive methods.

Qualys File Integrity Monitoring detects the creation or removal of files or directories, renaming files or directories, changing file attributes. It can also detect changing file or directory protection settings such as permissions, ownership, inheritance, and checking or modifying file data stored on disk.

AIDE (Advanced Intrusion Detection Environment)

AIDE (Advanced Intrusion Detection Environment) is a checker for the integrity of files and directories. It works by creating a database from its config file according to the regular expression conventions it finds. It uses the database to test the integrity of files.

AIDE uses various algorithms to make sense of messages used to examine the file’s integrity. Besides, all the usual file attributes can be checked for inconsistencies. It can also read old or newer versions of databases.

It supports multiple algorithms that can decode messages such as AIDE, md5, sha1, sha256, sha512, tiger, crc32, rmd160, and whirlpool. It can search multiple file properties, including AIDE, File type, Permissions, Inode, Uid, Gid, Link name, Height, Block number, Link number, A time, Ctime, and Mtime.

AIDE uses its configuration files in its database in plain text. One of its most interesting features is its powerful regular expression support, which allows you to manually add or remove files and directories you need to monitor. This feature in itself makes it an extremely versatile and flexible tool.

AIDE has been actively developed since 1999. It is available under GNU’s general public license and will run on most modern Linux variants.

AFICK (Another File Integrity Checker)

Developer Eric Gerbier’s open-source file monitoring tool called AFICK (Another File Integrity Checker) is a more comprehensive tool than traditional open-source software.

AFICK can track any changes in the file systems it monitors and supports multiple platforms such as Linux, Windows, HP Tru64 Unix, HP-UX, and AIX (SUSE, Redhat, Debian, and more). The software is designed to be fast and portable and can run standard modules on any computer that supports Perl.

AFICK is easy to install and does not require any compilation or installing a large number of dependencies. It is also a simple tool, partly due to its small size.

Despite its small size, dangling links will be displayed and new, deleted, and modified files. It uses a simple text-based config file that supports exceptions and wildcards. If you prefer to avoid a command-line tool, both a graphical user interface and a webmin-based web interface are available.

For portability and resource access, AFICK (Another File Integrity Checker) is written entirely in Perl. Because it is open-source (GNU General Public License), you are free to add functionality to it as you see fit. AFICK uses MD5 as it is fast for checksum needs. It is integrated into all Perl distributions and uses DBMS instead of using a plain text database.

Samhain File Integrity

Samhain is a free host intrusion detection system that provides file integrity checks and monitoring and analysis of log files. Additionally, Samhain can detect File Integrity, rootkit identification, port monitoring, rogue SUID executable identification, and hidden processes. Samhain is designed to monitor multiple systems with central logging and maintenance of different operating systems.

On the other hand, Samhain can be used as a standalone program on a single computer; It can run on POSIX systems such as Unix, Linux, or Mac OS, and it can also run under Cygwin on Windows.

Samhain can take advantage of the inotify mechanism on Linux hosts to monitor file system events in real-time. The Inotify mechanism allows you to receive instant notification of changes and eliminates the need for frequent file system scans that can cause high I / O overhead. Also, various checksums such as TIGER192, SHA-256, SHA-1, or MD5 can be verified.

With Samhain, you can also check the file size, mode/permission, owner, group, timestamp, inode, hard link count, and linked symbolic link path. More features such as SELinux attributes, POSIX ACLs, Linux ext2 file attributes, and BSD file flags can also be controlled with Samhain.

One of Samhain’s unique features is its stealth mode, allowing attackers to operate without detecting it. A large number of intruders try to act unnoticed, deactivating the detection mechanisms they notice.

This method hides processes from others using steganography techniques. It also protects central log files and configuration backups to prevent tampering with a PGP key. Overall this is a potent tool that provides much more than just monitoring the quality of files.

Enhance PCI Compliance with File Integrity Software

For companies managing a large number of sensitive data files, it is essential to choose the best and most useful file integrity monitoring software. Thus, the file integrity monitoring solution; provides a vital layer of protection for information, data, and applications while also improving incident response.

File Integrity Monitoring checks and verifies whether an application or operating system files have been compromised.

Understanding why FIM (File Integrity Monitoring) is a vital component for securing payment card and cardholder details will also increase your security level.

The most significant benefit of using FIM as a solution type is to detect unauthorized changes. For example, it allows you to determine whether malicious code has been placed in critical applications and operating system files.

Similarly, the configuration files that govern the security and functionality will need to be monitored for any changes. This includes essential operating system files such as firewall rules, router configurations, and host files.

Monitoring critical system files, configuration files, and content files for unusual or unauthorized activity is essential for the PCI-DSS’s security standard.

Therefore, file integrity monitoring (FIM) is necessary for companies that process or store credit card data.

Surkay Baykarahttp://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Biznet. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Biznet, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

6 COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Latest posts

What You Need to Know About PCI Validated Point-to-Point Encryption (P2PE) Solutions

P2PE, or point-to-point encryption, is a security standard developed by the Payment Card Industry (PCI) to ensure that payment card data is encrypted from the start to the finish of a transaction.

Email Security Best Practices

Most organizations rely heavily on emails for their daily business communication, but email remains one of the most common vectors businesses are attacked. This is why it is essential to implement email security best practices.

What Is Documentation Security and Why It Matters?

Documentation security is the maintenance of all essential documents stored, filed, backed up, processed, delivered, and eventually discarded when they are no longer needed.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!