Monitor the integrity of your files efficiently with PRTG

FIM examines different aspects of a file and creates a digital fingerprint, which is then compared with the fingerprint of a known baseline fingerprint.

Even though you can find many native auditing tools on the market, all of them have some shortcomings like decentralized storage of security logs from numerous domain controllers, not being able to recover the configuration or object from audit logs, or insufficient information about the old settings in the log entry. This is why organizations with complex IT environments turn to enterprise solutions.

FIM software looks at numerous aspects of the file including its credentials, contents, configuration values, permissions and settings, security, size, core attributes, and hash values. The monitoring can be done on a regular, snapshot, or continual basis and can either happen randomly or according to other rules set up by the security team.

File integrity monitoring essentially involves five steps.

Step #1: Set a policy

The first step in FIM is for the organization to define a relevant policy. In this step, the organization needs to identify the files that it needs to monitor and which computers hold those files.

Step #2: Establish a baseline

Before an organization can go ahead and actively monitor different files for any change, they first need to define a reference point that can be used to detect any modifications. This is why companies should document a known good state (or baseline) of all the files that’ll be monitored by FIM.

Here, it’s important to take data like the modification date, creation date, and the version into account to help assure IT professionals that the file is legitimate.

Step #3: Monitor changes

Once organizations have a detailed baseline, they can go ahead and start to monitor all the files that are part of the FIM solution for any changes. They can even go a step ahead and auto-promote expected changes to minimize the chances of false positives.

Step #4: Send an alert

Whenever the FIM solution detects unauthorized changes, individuals responsible for the process must send an alert to relevant personnel so that they can fix the issue quickly.

Step #5: Report results

In some cases, organizations use FIM to ensure PCI DSS compliance. In cases like these, the organization might have to generate reports for audits to support the deployment of their FIM.

There are typically two ways of protecting files. Either a checksum can be calculated on the file’s properties when it is written by an authorized process, or a copy of the file can be made and the live file can then be compared with the backup.

Some systems only send an alert in the case of an unauthorized change, which means you’ll need a separate restore and backup procedure in place. Thus, you’ll get a heads-up that there’s something fishy going on when the cybercriminal tries to hide.

Meanwhile, other systems help to restore files to the original state and are preferable to those that only detect unauthorized changes. Being able to see the records that were changed by an intruder makes it easy to know the compromised accounts, which speeds up the remediation process. 

While a comprehensive system does sound like a great option, it has its drawbacks. For instance, if all the log files on the system are copied, you’ll need lots of disk space. Keep in mind that log files already need lots of room and simply doubling the volume will make things worse.

And even though small networks don’t have that much log traffic, the same is not true for larger systems, and processing a greater volume of logs requires a good amount of processing power. So, the ideal, fully-featured system with a live FIM would need more file space and processing power as compared to the original system. This means that your organization will have to spend more on log file management as compared to the core operations. Keeping all of this in mind, it’s clear that the best FIM system must be somewhat of a compromise.

So, if you want to keep your security services manageable, it’s important that you have a smart file integrity monitoring system that can keep your files safe without taking over the whole IT system. One of the most important compromises you’ll have to make is whether FIM actions are performed periodically or in real time.

You should also look out for a log management system that can help identify the most important and least important messages for security purposes. By cutting down the volume of logs or records that must be protected, FIM becomes more manageable.

FIM is important for both Unix and Linux systems and Windows-based environments. In Windows, the registry is used for most of the configuration, along with the Win32 API, so it’s a more restricted and tightly-controlled area.

However, in Unix and Linux, the configurations are exposed as a part of the whole file system, making them highly vulnerable to hacked binary executables and attacks. Plus, replacing and updating core files means that attackers can inject malicious code easily.

This is why FIM should be able to track the changes to the operating system, critical business files, application, directory, and database and inform you of suspicious or potentially sensitive changes.

Some important areas for change control are Exchange SQL, Active Directory, OS, password, and bootup in Windows and hosts, bootloader, profiles, cron jobs, run comments, kernel parameters, and services and daemons in Linux or Unix.