There's no shortage of file integrity monitoring (FIM) products available, all aiming to provide a host intrusion detection system (HIDS) solution. With Tripwire no longer the default go-to option it once was, understanding which one is right for your environment and how the options stack up against one another is not always easy. To aid your selection process we have compiled a checklist of the main areas that a FIM-based solution should cover.
As a minimum, a FIM solution should identify who made a change (the account name and the process used to make it) and should deliver both real-time and scheduled reports detailing folder, file, configuration and registry changes across all device types: Windows, Linux, UNIX, network devices and firewalls.
Top tips for selecting a FIM solution:
Real-time detection of File Changes is essential
Time is of the essence: data theft and system damage can begin from the instant malware is introduced. Real-time FIM is essential; a once-daily check on file integrity will miss interim file changes, particularly with polymorphic malware, which can change its identity or even cloak itself completely once installed. The traditional Tripwire 'once-per-day file system poll' approach could leave a breach undetected and doing damage.
Who Made the Change?
'Who made the change' must be recorded. Unless your FIM solution records who made a change, you have no straightforward means of establishing this. Mining logs will only tell you who was logged onto the server at the time of the change, and that could run to tens or hundreds of users. Knowing who made a change allows you to corroborate it with the individual; otherwise every file change must be investigated equally and treated as a serious threat.
FIM must operate forensically
There are plenty of solutions that purport to offer file integrity monitoring, but close examination often reveals just a basic check on the modification date and/or size of the file, which will not cut it from a compliance standpoint. There has to be some checksum or hashing of the file system to truly guarantee system integrity and provide a HIDS function, particularly if it is to serve a compliance mandate such as PCI DSS.
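To see concretely why a date-and-size check falls short, here is an added Python example (not code from this page or from any product it mentions). It baselines a constructed sample file, makes a same-length edit and puts the original timestamps back with os.utime, then asks both a metadata-only check and a SHA-256 check whether anything changed. The file name and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """Record the attributes a FIM baseline would keep for one file."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "atime_ns": st.st_atime_ns,
        "mtime_ns": st.st_mtime_ns,
        "sha256": sha256_of(path),
    }


def metadata_changed(before, after):
    """The weak check: compare only modification time and size."""
    return before["size"] != after["size"] or before["mtime_ns"] != after["mtime_ns"]


def content_changed(before, after):
    """The forensic check: compare a cryptographic hash of the content."""
    return before["sha256"] != after["sha256"]


def demo():
    """Edit a file so that size and mtime are preserved; report what each check sees."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "sshd_config"  # constructed sample file, not a real system file
        cfg.write_bytes(b"PermitRootLogin no \n")  # 20 bytes
        baseline = snapshot(cfg)

        # Same-length edit, then restore the original access/modification times.
        # (ctime cannot be reset from user space, but the weak check above never looks at it.)
        cfg.write_bytes(b"PermitRootLogin yes\n")  # also 20 bytes
        os.utime(cfg, ns=(baseline["atime_ns"], baseline["mtime_ns"]))

        current = snapshot(cfg)
        return {
            "metadata_check_flags_change": metadata_changed(baseline, current),
            "hash_check_flags_change": content_changed(baseline, current),
        }


if __name__ == "__main__":
    print(demo())
```

The metadata-only check reports no change while the hash check reports one. A product that only compares dates and sizes is silent here; this is the kind of test worth running against a candidate FIM before trusting it for a PCI DSS scope.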
FIM isn't just for servers
Firewalls, routers, appliances and switches all contribute to the security of your IT estate. Real-time monitoring of rule and configuration settings on these devices may be what stops a breach before damage is done. The same FIM solution should be able to cover Windows, Linux, Unix and network devices alike.
FIM should underpin and reinforce Change Management
FIM changes should be reported as either unplanned/unauthorized or planned and authorized, with the corresponding change authorization and its detail available for cross-reference (what actually changed, and does that correlate with the planned change record?). Unplanned changes should always be investigated and reconciled against RFC (request for change) details, even for emergency or unexpected changes.
Monitoring systems for unusual or unexpected activity is vital if sensitive data is to be properly protected. FIM provides an ideal host intrusion detection solution because any breach will leave some kind of change to settings or the file system. To do this effectively you must first be able to define what a good, compliant state looks like within your environment, and then capture any changes to that state with context and severity applied, so that you can quickly determine whether the change is really serious and what needs to be done to mitigate any consequential problems, as well as learning from the alert to prevent the same thing from happening again.
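The two points above, reconciling each detected change against an authorized change record and attaching context and severity to whatever is left over, can be shown in a few dozen lines. The following Python is an added example, not code from this page or from any FIM product; the change events, the RFC record, the host and user names and the critical-path table are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ChangeEvent:
    """One file change as a FIM agent would report it: where, what, who, how and when."""
    host: str
    path: str
    user: str
    process: str
    at: datetime


@dataclass(frozen=True)
class ChangeRecord:
    """An approved change record (RFC): which paths on which host may change, by whom, and when."""
    rfc_id: str
    host: str
    paths: frozenset
    approved_user: str
    window_start: datetime
    window_end: datetime


# Hypothetical severity table: paths whose unplanned modification warrants immediate investigation.
CRITICAL_PATHS = {"/etc/sudoers", "/etc/passwd", "/etc/ssh/sshd_config"}


def reconcile(event, records):
    """Return (status, rfc_id, severity) for one change event.

    A change is "planned" only when an RFC matches host, path, time window and user.
    Anything else, including the right path edited by the wrong user inside a valid
    window, is "unplanned" and gets a severity from the path it touched.
    """
    for rec in records:
        if (rec.host == event.host
                and event.path in rec.paths
                and rec.window_start <= event.at <= rec.window_end
                and rec.approved_user == event.user):
            return ("planned", rec.rfc_id, "info")
    severity = "high" if event.path in CRITICAL_PATHS else "medium"
    return ("unplanned", None, severity)


def reconcile_all(events, records):
    """Classify every event; returns a list of (event, status, rfc_id, severity)."""
    return [(e, *reconcile(e, records)) for e in events]


# Constructed sample data: not real hosts, users, processes or change records.
T0 = datetime(2024, 3, 1, 22, 0, tzinfo=timezone.utc)
RFCS = [
    ChangeRecord("RFC-1042", "web01", frozenset({"/etc/ssh/sshd_config"}),
                 "ops.alice", T0, T0 + timedelta(hours=2)),
]
EVENTS = [
    ChangeEvent("web01", "/etc/ssh/sshd_config", "ops.alice", "vim", T0 + timedelta(minutes=15)),  # covered by RFC
    ChangeEvent("web01", "/etc/ssh/sshd_config", "www-data", "sh", T0 + timedelta(minutes=30)),    # wrong user
    ChangeEvent("web01", "/etc/sudoers", "ops.alice", "visudo", T0 + timedelta(minutes=20)),       # path not in RFC
    ChangeEvent("web01", "/etc/ssh/sshd_config", "ops.alice", "vim", T0 + timedelta(hours=5)),     # outside window
    ChangeEvent("web01", "/var/www/html/index.html", "deploy", "rsync", T0 + timedelta(hours=1)),  # no RFC, non-critical
]


if __name__ == "__main__":
    for e, status, rfc, sev in reconcile_all(EVENTS, RFCS):
        print(f"{e.host}:{e.path} by {e.user} via {e.process} -> {status} ({rfc}) severity={sev}")
```

Only the first event reconciles to the RFC; the other four are reported as unplanned, with the ones touching critical paths rated high. The user and process fields are what make the "wrong user in a valid window" case visible at all, which is why the "who made the change" requirement earlier in the checklist matters for change management and not just for investigation.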