If File Integrity Monitoring (FIM) were easy, everyone would be doing it. Actually, it is pretty easy. It’s not exactly rocket science. Practically anyone with a modicum of Python, Perl or development skills can write an app or a script to gather the checksum of a file, compare it to a list or baseline, and tell you whether or not said file has changed.

Hell, turn the auditing of most operating systems on and start sending change data off to your favorite syslog server or SIEM, and you can go to sleep at night thinking you have invented the latest and greatest FIM solution. (The sales folks at Splunk and hard drive vendors will LOVE you if you do this…but the folks who are responsible for the performance of the servers will HATE you….

Why do you even need FIM? Why does it matter? If it’s such a foundational control, why aren’t more folks doing it?

Because while detecting change is easy, reconciling it is not, and there is the core of the problem that folks who offer checkbox FIM solutions or logging solutions don’t seem to be able to solve. They offer up the customer, the idea that all you need to do is set their solution into place and start collecting change data, and the auditors will be happy. For many of them, FIM is just an item to be checked off on a list of products that they are trying to sell you.

What they don’t tell you is that while you might get away with such an approach with an inexperienced auditor, it can lead to significant findings if you come across one that knows what they are looking for.

I’ve had customers who have run into both. The customer who was prepared with (Read more...)