If you are familiar with IT security, you have probably heard of the CIA triad (confidentiality, integrity, availability): a security model that covers the different goals of IT security.
Integrity is one member of that triad. File integrity refers to the processes and controls that protect data from unauthorized changes, such as those made during a cyber attack. A file's integrity tells you whether the file has been altered by unauthorized users after it was created, while it was stored, or while it was retrieved.
File Integrity Monitoring (FIM) is a control mechanism that examines files, checks whether their integrity is intact, and alerts the relevant security processes and/or professionals when a file has changed in any way. FIM software treats every change as a suspicious integrity issue unless that change has been defined as an exception.
As networks and configurations grow more complex over time, file integrity monitoring becomes a must. It is also one of the most widely used tools for breach and malware detection, and it is a prerequisite for many compliance regulations: PCI DSS refers to FIM in two sections of its policy.
As a tool against malware, FIM proves its strength.
An attacker's first move after gaining access to a system is to change important files so that their presence goes unnoticed. With a file integrity monitor in place, you catch the intruder the moment they try to alter files and configurations.
Moreover, FIM tools let you see exactly what changed and when. This way you catch a breach immediately, before a real, harmful attack happens.
But how does FIM work?
In dynamic environments, files and configurations change rapidly and constantly. The most important feature of FIM is distinguishing authorized changes from unauthorized ones, even in the most agile systems.
To do so, FIM tools can employ one of two methods: checksums or hashing.
With the checksum method, a trusted, known-good baseline is established and the current state of the file is compared against it. This comparison usually means calculating a known cryptographic checksum of both the baseline and the current state.
Hashing, or hash-based verification, compares the file's current hash value with a previously calculated one. If the two match, the file's integrity is intact.
In addition to hash values, configuration values, content, credentials, core attributes and size, privileges, and security settings can all be monitored for unexpected changes.
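The baseline-and-hash method described above, and the exception rule for authorized changes, implemented as a small Python monitor. This is an added example, not code from the article or from any FIM product: it records a SHA-256 digest, size and permission bits for every regular file under a directory, skips paths matching an exception list, and reports added, removed and modified files as change records. The directory layout, file contents and the tampering performed in `demo()` are constructed for the illustration.

```python
"""Minimal hash-based file integrity monitor (added example, not the article's code).

Builds a baseline of SHA-256 digests plus size and permission bits for every
regular file under a directory, then compares a later scan against that
baseline and reports added, removed and modified files. Paths matching an
exception glob (the "authorized change" rule) are skipped.
"""
import fnmatch
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def file_record(path):
    """Attributes this monitor tracks: content hash, size and permission bits."""
    st = os.lstat(path)
    return {
        "sha256": hash_file(path),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(root, exceptions=()):
    """Walk `root` and record every regular file not matching an exception glob."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if any(fnmatch.fnmatch(rel, pat) for pat in exceptions):
                continue  # authorized-change exception, not monitored
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[rel] = file_record(full)
    return baseline


def compare(baseline, current):
    """Return change events (sorted by path) between two scans."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append({"path": rel, "change": "added"})
        elif new is None:
            events.append({"path": rel, "change": "removed"})
        elif old != new:
            changed = sorted(k for k in old if old[k] != new[k])
            events.append({"path": rel, "change": "modified", "fields": changed})
    return events


def demo():
    """Constructed scenario: baseline a temporary directory, then tamper with it."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(etc, "app.conf"), "w") as f:
        f.write("debug=false\n")
    os.chmod(os.path.join(etc, "app.conf"), 0o640)  # known starting permissions
    with open(os.path.join(root, "app.log"), "w") as f:
        f.write("started\n")

    exceptions = ["*.log"]  # logs change constantly: treated as authorized
    baseline = build_baseline(root, exceptions)

    # Simulated unauthorized changes after the baseline was taken
    with open(os.path.join(etc, "passwd"), "a") as f:
        f.write("eve:x:1001:1001::/home/eve:/bin/sh\n")   # content and size change
    os.chmod(os.path.join(etc, "app.conf"), 0o666)         # permission change only
    with open(os.path.join(root, "app.log"), "a") as f:
        f.write("more noise\n")                            # excepted: no event
    with open(os.path.join(etc, "newfile.conf"), "w") as f:
        f.write("added=true\n")                            # new file

    events = compare(baseline, build_baseline(root, exceptions))
    for e in events:
        print(json.dumps(e))  # one JSON record per change, easy to ship to a SIEM
    return events


if __name__ == "__main__":
    demo()
```

Each change record names the path, the kind of change and, for modifications, which tracked fields differ, so a permission-only change on `etc/app.conf` is reported separately from the content change on `etc/passwd`. Running the block prints the records as JSON lines, which is the shape a collector would forward onward.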
FIM checks are usually automated using applications or processes. Such checks can be performed in real time, at pre-defined intervals, or at random, according to the needs of the business and the system.
To satisfy the needs of your business, FIM must integrate with the other parts of your security stack, such as your SIEM system. For instance, comparing your change data with other event and log data lets you identify causes and correlations faster.
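The correlation this paragraph describes, as an added example rather than code from the article or from any SIEM product: a FIM change event is matched against authentication log lines that fall within a time window of the change, so an analyst can see which logins and privileged commands surround it. The event, the host name, the user names, the addresses and the syslog-style lines are all constructed sample data, and the syslog parser assumes the lines carry the traditional "Mon  d HH:MM:SS host ..." prefix without a year.

```python
"""Correlate a FIM change event with auth-log lines (added example, not from the article)."""
import re
from datetime import datetime, timedelta

# Constructed sample data: one FIM change event and a few auth.log-style lines.
FIM_EVENTS = [
    {"time": "2024-03-05T02:14:37", "path": "/etc/passwd", "change": "modified"},
]

AUTH_LOG = """\
Mar  5 01:58:02 web1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50211 ssh2
Mar  5 02:10:49 web1 sshd[2298]: Accepted password for svc-backup from 203.0.113.7 port 41822 ssh2
Mar  5 02:14:35 web1 sudo:  svc-backup : TTY=pts/1 ; PWD=/home/svc-backup ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Mar  5 02:31:10 web1 sshd[2298]: Disconnected from user svc-backup 203.0.113.7 port 41822
"""

TS_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d)")
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_syslog_time(line, year):
    """Parse the year-less syslog timestamp; the year is taken from the FIM event."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")


def correlate(event, log_text, window_minutes=15):
    """Return login and sudo records within +/- window of the change, nearest first."""
    when = datetime.fromisoformat(event["time"])
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        ts = parse_syslog_time(line, when.year)
        if ts is None or abs(ts - when) > window:
            continue  # outside the correlation window
        m = LOGIN_RE.search(line) or SUDO_RE.search(line)
        if not m:
            continue  # not a login or privileged-command line
        fields = m.groupdict()
        hits.append({
            "user": fields["user"],
            "kind": "login" if "src" in fields else "sudo",
            "offset_s": int((ts - when).total_seconds()),  # negative = before the change
            "detail": fields.get("src") or fields.get("cmd"),
        })
    hits.sort(key=lambda h: abs(h["offset_s"]))
    return hits


if __name__ == "__main__":
    for event in FIM_EVENTS:
        print(f"{event['change']} {event['path']} at {event['time']}")
        for h in correlate(event, AUTH_LOG):
            print(f"  {h['offset_s']:+6d}s {h['kind']:<5} {h['user']:<12} {h['detail']}")
```

With the default 15-minute window the `alice` login at 01:58 and the disconnect at 02:31 fall outside it, and the remaining two hits show a password login for `svc-backup` from 203.0.113.7 followed by a sudo command touching the changed file two seconds before the FIM event. Narrowing the window (`window_minutes=1`) keeps only the sudo line, which is the kind of quick cause-finding the paragraph has in mind.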