The benefits of a capable and properly deployed File Integrity Monitoring (FIM) solution are plentiful:

  • If you see unexpected or unexplained file changes, you can investigate immediately and resolve the issue quickly if your system has been compromised.
  • You can reconcile changes against change tickets or a list of approved changes in a text file or spreadsheet.
  • You can determine if changes take configurations out of policy (impact hardening standard).
  • You can automate responses to specific types of changes—for example, flag the appearance of a DLL file (high-risk) but auto-promote a simple modification to a DLL file (low-risk).

And the importance of FIM cannot be overstated. Let’s not forget what the Center for Internet Security (CIS) says in Critical Security Control 3.5:

Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).
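The bullet list above and the CIS control text both describe the same loop: take a baseline, detect what changed (content, permissions, owner, new files in key areas), reconcile against an approved-change list, and rate whatever is left. The following Python is an added illustration of that loop, not code from the original post or from any FIM product. The risk policy it encodes (the appearance of a DLL/SO/EXE or of any new file under a "key area" is high-risk, a plain content modification is low-risk, an owner or permission change is high-risk) and the directory names `lib` and `etc` are assumptions chosen to mirror the examples in the text; the files and the approved-change list are constructed inside `demo()`.

```python
"""Minimal file-integrity baseline/compare with change triage (added example)."""
import hashlib
import stat
import tempfile
from pathlib import Path

# Assumed policy, not from the post: file types whose *appearance* is high-risk,
# and top-level directories treated as "key system areas" in the CIS sense.
HIGH_RISK_NEW_SUFFIXES = {".dll", ".so", ".exe"}
KEY_AREAS = ("bin", "lib")


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record hash, permission bits and owner for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": sha256_of(p),
            "mode": stat.S_IMODE(st.st_mode),
            "owner": (st.st_uid, st.st_gid),
        }
    return baseline


def compare(old: dict, new: dict) -> list:
    """Diff two snapshots into change records: added / removed / modified / perm / owner."""
    changes = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes.append({"path": rel, "kind": "added"})
        elif rel not in new:
            changes.append({"path": rel, "kind": "removed"})
        else:
            o, n = old[rel], new[rel]
            if o["sha256"] != n["sha256"]:
                changes.append({"path": rel, "kind": "modified"})
            if o["mode"] != n["mode"]:
                changes.append({"path": rel, "kind": "perm",
                                "from": oct(o["mode"]), "to": oct(n["mode"])})
            if o["owner"] != n["owner"]:
                changes.append({"path": rel, "kind": "owner"})
    return changes


def triage(change: dict, approved: set) -> str:
    """Reconcile against the approved-change list first, then rate what is left."""
    path = change["path"]
    if path in approved:
        return "approved"           # matches a change ticket: auto-promote
    if change["kind"] == "added" and (Path(path).suffix.lower() in HIGH_RISK_NEW_SUFFIXES
                                      or path.split("/")[0] in KEY_AREAS):
        return "high"               # new binary / extra file in a key system area
    if change["kind"] in ("perm", "owner", "removed"):
        return "high"               # CIS calls out owner and permission changes
    return "low"                    # simple content modification


def demo() -> dict:
    """Constructed scenario: baseline a small tree, apply four changes, triage them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "etc").mkdir()
        (root / "lib" / "app.dll").write_bytes(b"v1")
        (root / "etc" / "app.conf").write_text("debug=0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        before = snapshot(root)

        (root / "lib" / "app.dll").write_bytes(b"v2")        # modified DLL -> low
        (root / "lib" / "inject.dll").write_bytes(b"new")     # new DLL appears -> high
        (root / "etc" / "app.conf").write_text("debug=1\n")   # modified, but ticketed
        (root / "etc" / "hosts").chmod(0o777)                 # permission change -> high
        after = snapshot(root)

    approved = {"etc/app.conf"}     # e.g. exported from the change-ticket spreadsheet
    return {f'{c["path"]}:{c["kind"]}': triage(c, approved)
            for c in compare(before, after)}


if __name__ == "__main__":
    for key, rating in demo().items():
        print(f"{rating:<9} {key}")
```

Running the script prints one line per detected change with its rating. The order of operations in `triage` is the point of the example: reconciliation against approved changes happens before risk rating, so routine ticketed work never reaches an analyst, while an unticketed new binary or a permission change on a configuration file always does.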

But let’s face it, File Integrity Monitoring (FIM) can be “noisy” and a large time commitment if you let it get out of control. With a well-chosen solution, light care and feeding, and tuning