Deciding which file integrity monitoring (FIM) product to deploy can be challenging. Unlike many other IT security tools, there are not an overwhelming number of options available. Still, understanding which product is the best for your environment in terms of functionality, security, and usability can be difficult. Knowing what to look for in a solution is the first step in making an informed decision.
Newer file integrity software boasts many improvements over the open-source options available. It also has advanced, capabilities that are simply not available with other commercially available solutions. With FIM required by compliance regulations including PCI-DSS, NIST 800-53 and SANS Consensus Audit Guidelines, the need to understand the current generation of file integrity monitoring software is now more important than ever. This paper will explore current file integrity monitoring capabilities and how file integrity monitoring is used to keep data secure and enterprises in compliance.
How it works
All file integrity monitoring products are essentially comparison tools that keep track of cryptographic hashes of files at different points in time. Hashes are used because they provide a unique “fingerprint” of each file and they can be easily analyzed since they are simply a string of characters. When a file is altered in some way, the hash for that given file changes to a unique new value. A strong hash provides absolute certainty, or non-repudiation, that a file has indeed changed. Integrity checking products use various hash algorithms, along with other file parameters, as a basis for proof that a file has, or has not been altered. However, file integrity monitoring products differ drastically in speed, performance impact, and capabilities in how they accomplish these steps. Advanced solutions such as CimTrak software, utilize innovative technologies that maximize file integrity monitoring performance.
Compliance Drivers
One of the major changes is the trend toward the incorporation of compliance checking and reporting. The impetus for this was the tight correlation between various compliance standards and integrity monitoring. Several well-established compliance standards call for file integrity monitoring to be implemented.
Payment Card Industry Digital Security Standard (PCI-DSS)
The Payment Card Industry Digital Security Standards (PCI-DSS) was the first compliance standard to require monitoring of critical systems that handle payment card data. Section 11.5 specifically requires FIM be implemented to check files in the PCI environment. Given the extremely sensitive nature of payment card data, the ability to ensure the integrity and security of systems that handle it is extremely critical.
NIST 800-53 System And Information Integrity (SI) Guidelines
NIST 800-53 “Recommended Security Controls for Federal Information Systems and Organizations” lays out a framework for U.S. government agencies to safeguard IT systems. While it was developed for government use, it can be applied to any organization as “best practice” guidelines. For this reason, many commercial organizations also adopt the framework. Two main sections, SI-4 and SI-7 of the standard specifically discuss the need for integrity monitoring. Both sections deal with monitoring the IT environment for changes, which could affect security and compromise sensitive information. SI-7 specifically calls for a “… system that detects and protects against unauthorized changes to software and information.” It further states that “commercial off-the-shelf integrity mechanisms” should be deployed.
SANS Consensus Audit Guidelines (CAG)
SANS Consensus Audit Guideline #3, Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers, also calls for monitoring to be implemented. SANS Consensus Audit Guideline #3 discusses how deploying file integrity monitoring can detect security threats and notify appropriate personnel in a timely manner. Requirement 3.5 requires integrity checking tools be placed on servers to monitor the security of the operating system as well as applications. CAG requirement 3.7 requires monitoring for critical system files including “executables, libraries and configurations” to ensure that changes are detected and that appropriate IT personnel are alerted.
Key Questions When Evaluating a File Integrity Monitoring Solution
Is the solution capable of truly real-time detection?
Is the solution easy to install, configure and use?
Does the solution only log file changes or does it have other capabilities?
Does the solution give you important information regarding changes such as who made the change, what process was used, and the originating IP address of the change?
Can the solution show you exactly what within a file was changed, giving you a side-by-side comparison with the original file?
Does the solution integrate with other security solutions such as SIEM’s?
What inherent security does the solution have?
File Integrity Monitoring plays a critical role in maintaining the security, integrity, and compliance of you organization’s IT assets. By providing you key information on changes, file integrity monitoring allows you to be are of, and react to, changes efficiently. Understanding how various solutions differ is the first step in finding and implementing solution that meets your needs. Read more about file integrity monitoring at www.fileintegritymonitoring.com and learn more about advanced file integrity monitoring tools.