Malware threats are evolving and becoming ever more sophisticated, continuously using new and undetected methods to tamper with valuable files. In the midst of these malware attacks, everyday users constantly make modifications to operating system and application software files. How can you differentiate which of these changes are legitimate and which are the result of attacks?
This is where file integrity monitoring (FIM) comes in. FIM security validates the integrity of system and program files, alerting system administrators to any suspicious changes.
What is FIM security?
In the course of business, users regularly modify system configurations, files, and file properties. The majority of system and file modifications are harmless, but others may be caused by malware. If these malware modifications aren’t found and addressed immediately, they can wreak havoc on a network.
The volume of file changes over the course of just one day is already far too large for a system administrator to keep track of manually. File integrity monitoring solutions, or FIM tools, were developed as an automated way to stay apprised of file modifications. FIM software runs continuously in the background, logging changes at set intervals or random times, and will alert administrators of any suspicious activity.
File integrity monitoring tools are a crucial way to protect against hackers. Important system files are a rich target for damaging attacks. In the event of an attack, FIM software will raise a red flag so you can begin to fix the damage. It’s also useful for auditing and breach reporting in the aftermath of an attack.
FIM tools can also provide assistance in situations where malware and hackers aren’t involved. Sometimes a well-meaning employee might make a file change that accidentally causes functionality or security issues. Integrity monitoring can catch these changes before they lead to problems. Some file integrity tools even have the built-in capability to automatically roll back the troublesome changes. In addition, FIM is useful for monitoring the status of system updates, as FIM tools can verify whether updates have been performed on all relevant files.
FIM is a required component of many regulatory compliance standards. The Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOA), Federal Information Security Management Act (FISMA), and the Health Insurance Portability and Accountability Act (HIPAA) all mandate file integrity monitoring. It’s clear that FIM is an essential part of any organization’s security suite.
How does file integrity monitoring work?
FIM software keeps track of both operating system and application software files. It monitors user credentials, privileges and security settings, file attributes and sizes, and configuration values. FIM works by comparing the current state of a file with a known baseline. If there’s a discrepancy, the software will issue an alert.
In its most basic implementations, FIM software checks simple file properties like time, date, and size against the baseline. However, these properties can be easily spoofed by hackers. That’s why most FIM tools opt to use a more advanced checksum method instead. The software calculates a cryptographic checksum from the file’s original baseline (often using the MD5 or SHA-2 hashing algorithms). The checksum is then compared with that of the current file, flagging any mismatches that may indicate a problem.
For key system files, FIM may use real-time change notification rather than baseline comparison. This method sends an alert any time the file is accessed or modified. Real-time change notification is usually implemented as part of an operating system’s kernel or as an extension to it.
FIM is necessary in both Windows and Linux/Unix environments, with different priorities in each. In Windows, the registry is used for most configuration changes, resulting in a more secure environment. Nevertheless, Windows file integrity monitoring needs to keep an eye on bootup and startup, password, Active Directory, Exchange, and operating system files. In Linux/Unix, core configuration files are more exposed. Without robust file monitoring, they are vulnerable to hackers. Linux/Unix FIM should track user profiles, kernel parameters, boot loaders, daemons and service, and run commands.
FIM through SolarWinds
By staying aware of changes in their environments, managed services providers (MSPs) can better protect their customers. File integrity monitoring is an integral part of SolarWinds Security Event Manager (SEM). SEM tracks file and directory access, movement, and sharing to detect zero-day malware and advanced persistent threats, and includes integrated compliance reporting tools..
With automated incident responses, SEM can block IP addresses, change privileges, disable accounts, block USB devices, and kill applications to help swiftly neutralize security threats. If an incident does take place, SEM’s advanced search and forensic analysis can be used to help prove the limited impact of a breach, potentially saving your business from negative outcomes.
For more advice on protecting your files, read through our Security Resource Center.