What Is File Integrity Monitoring?
FIM is a security technology that monitors and detects changes in files that could be indicative of a cyberattack.
“We are trying to make sure that files that should not be tampered with are not tampered with,” says Timothy Brown, vice president of security at IT management solutions company SolarWinds. “FIM is used not just for single files but for systems and applications. We define an initial state and then look to see if anything is different.”
Where other cyberdefenses may detect aberrant behaviors in a system, FIM looks at the systems themselves. “Basically, it’s a verification method,” says Shawn McCarthy, research director at IDC Government Insights. “It compares the current state of a file to a previously measured baseline.”
Why focus on change as a marker of potential threat? Because virtually every cyber exploit will seek to alter key system elements, including Windows registry, drivers, installed software and applications. “Most breaches don’t take place without having some kind of change to these elements,” says Gartner Principal Analyst Mitchell Schneider. “The sooner you can detect these signs of compromise, the faster you are able to respond.”
Ideally, FIM will be configured to pay special attention to the most sensitive functions and files. In federal government, this means watching for alterations in any systems that may handle personally identifiable information.
“Does it have a driver’s license or Social Security numbers? If so, there will be restrictions for which users can access that file, who is entitled to open it, who has access to modify it, and who has the ability to copy it or use it; for example by attaching it to an email,” says Morey Haber, CTO and CISO at BeyondTrust.
By keeping a constant check on the integrity of such files, “FIM raises up the policy level, enabling you to control access on a data-centric model,” Haber says.
How Does File Integrity Monitoring Work?
When FIM notices an unanticipated file change, it sends an alert to the administrators. The art here lies in defining the parameters in order to not be deluged by false positives. Rather than raise a flag every time a comma gets changed, FIM should be configured to look for deep system changes, especially tweaks to functions and processes that ought to be left alone.
“There are certain baselines that never change, like the operating system file: It came with the operating system, and it should never be altered until a patch comes out. A policy document should never change unless it’s an approved change,” Brown says.
If a file suddenly becomes encrypted, or executable files are altered, those actions should set alarm bells ringing.
“When we talk about FIM we’re talking about not just the content of the file but the attributes of the file — read, write, execute. FIM is looking at key settings that could be used to make an application work or make it vulnerable,” Haber says.
For changes at the system level, the IT shop should have a change management process in place to authorize and validate changes that are legitimate and necessary. FIM is looking for alterations that take place outside those parameters. “What you want is an alert when something happens that is not part of the normal runtime. A common case on a Linux box would be the host file and the password file: No one is supposed to modify those,” Haber says.
In addition to issuing alerts, FIM can be configured to drive automated response. It generally won’t remediate potential threats — those go to human operators for review — but it can weed out the false positives. For example, it can compare a change with a whitelist of approved changes, such as scheduled patches. This helps ensure the IT team sees only those alerts that represent true potential threats.
“It’s checking changes against what is happening according to plan, and only warning the analysts when something falls outside that existing loop of planned or accepted changes,” Schneider says.
What Are Baseline Comparison and Real-Time Change Notifications?
Two key concepts in FIM are the baseline comparison and real-time change notification. Essentially, these represent two different ways of implementing FIM that can be used separately or in tandem. Each approach can yield valuable insights, although the real-time strategy will, as the name suggests, offer more opportunity for timely response.
A baseline comparison starts with a snapshot or template that depicts the system in its optimal, initial state. “It’s basically like an image of your system,” McCarthy says. A subsequent scheduled review looks for variations from that initial state. “The software can notify system managers if a discrepancy is found. Some tools may allow different levels of notification, depending on what is found and where it occurs, such as whether the change is detected in individual files, operating systems or access control.”
Real-time notification on the other hand tracks changes as they occur. “It looks at the operating system and records the activity: Someone read this file, someone rewrote this file,” Brown says.
Real-time notification may seem like the obvious choice. If you know what’s happening as soon as it happens, you’re obviously in a better position to take timely action. But there are limitations to real-time scanning that can tilt the balance in favor of a baseline approach. If files are extraordinarily large, for example, or if users need superfast access to systems, the real-time review can slow down the works. In such cases, Haber says, a baseline comparison may be preferable.
When real-time notification is available, though, it can deliver powerful capabilities. “Doing it in real time allows you to block the change,” Haber says. “It gives you more of the protective capability, versus baseline, which has no defensive or blocking capability.”
How Can File Integrity Monitoring Benefit Federal Agencies?
Feds need FIM for regulatory compliance, as noted. In addition, given the particular nature of the federal IT infrastructure, FIM can be a powerful addition to an existing cybersuite.
Government IT is heavy with legacy and idiosyncratic systems, many of which may carry undocumented cyberweaknesses.
“There are still a lot of those things in place, and government needs a way to make sure a vulnerability has not taken hold in one of those systems,” Brown says. “Typically, the exploit will act in a certain way: It will put something in the registry or change a file system. FIM allows you to identify those changes, which in turn shows you whether a vulnerability has been exploited.”
Moreover, FIM can be fine-tuned to give special priority to high-value assets, such as those containing personal information. “Sensitivity of data is the first concern on the federal side,” Haber says. “FIM can detect whether a file has sensitive information on it and can help with change control by ensuring that changes to files are done appropriately, and by helping to prevent any inappropriate changes.”
Such capabilities can make FIM an especially attractive solution to those charged with safeguarding government systems.