FIM Test: A Method for Distinguishing True FIM Capabilities in a Crowd of Claims
In a previous blog, we presented NIST’s benchmark definition of integrity monitoring.
The conclusion was clear: Many vendor claims of file integrity monitoring (FIM) capabilities do not match this definition.
Change detection across system components, including files, is crucial and implemented in many tools, including EDR/XDR. However, while these systems often claim FIM capabilities, file change detection alone falls short of true FIM.
Checking FIM: A Test Method
We revisit this problem and present a test to evaluate vendor FIM claims. The test is derived directly from NIST SP 800-53 integrity control mechanics.
A control that fails any of these mechanics cannot satisfy FIM in accordance with the NIST benchmark.
| File Integrity Monitoring (FIM) Claim Truth Table |
|
For each control capability below, assign: 1 → Capability explicitly satisfied 0 → Capability not satisfied |
|
Control Capability Statement |
Score |
Importance |
|
1. Detects file/state/configuration changes |
Indicates system (Read more...) |
*** This is a Security Bloggers Network syndicated blog from Cimcor Blog authored by Dan Schaupner. Read the original post at: https://www.cimcor.com/blog/fim-test-a-method-for-distinguishing-true-fim-capabilities
