January 25, 2023
Knowing who’s accessing critical files and when changes occur to them is required by regulatory standards and laws. A crucial utility for keeping track of this is File Integrity Monitoring, or FIM. FIM is one of the critical services Rimstorm offers as part of our premium cyber managed security services package. What is FIM and how does it work? Read on.
What is file integrity monitoring?
FIM is without a doubt a highly important layer of defense for any network that’s worth protecting. FIM monitors critical system files, operating system components, and even network devices for any unauthorized changes. Malicious actors often try to cause mayhem inside your networks, changing configuration files, critical system or application files, or data — and then delete event logs to hide their tracks. FIM prevents them from hiding what was changed and alerts you to what it was.
Changes to configurations, files, and file attributes across your IT infrastructure are common, but hidden within this deluge of daily changes can be the few that affect file or configuration integrity. Those changes can put your compliance status and security posture at risk, since they can indicate an attacker tampering with critical files to gain persistence or to access confidential data.
How does file integrity monitoring work?
When you initially install FIM, it creates a baseline of your status quo, which is stored in a database as cryptographic hashes that cannot be edited, deleted, or altered. Since we are trying to prevent one of the most sophisticated types of hacks, we must utilize a truly infallible means of guaranteeing file integrity. This requires each monitored file to be “fingerprinted,” using a secure hash algorithm such as SHA1 or MD5 to produce a unique hash value based on the contents of the file. (Both MD5 and SHA1 are no longer collision resistant, so current deployments should favor SHA-256 or stronger for the fingerprint.)
When the current state of a monitored file is compared against the baseline and a difference is detected, it is registered as a change and an alert can then be generated.
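To make the baseline-and-compare cycle concrete, here is a small worked example (added here, not Rimstorm's agent or any product code) that fingerprints a monitored tree with SHA-256 plus file mode and size, persists the baseline as JSON, and then reports every added, deleted, or modified path when a later snapshot diverges from it. The directory layout and tampering steps in `demo()` are a constructed scenario.

```python
import hashlib
import json
import os
import tempfile

def fingerprint(path):
    """SHA-256 of the contents plus the attributes a FIM agent usually records."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    st = os.stat(path)
    return {"sha256": digest, "mode": oct(st.st_mode & 0o7777), "size": st.st_size}

def build_baseline(root):  # fingerprint every regular file, keyed by relative path
    snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snapshot[os.path.relpath(full, root)] = fingerprint(full)
    return snapshot

def compare(baseline, current):
    """One (event, path[, changed fields]) tuple per divergence; each is alert-worthy."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append(("deleted", rel))
        elif rel not in baseline:
            events.append(("added", rel))
        elif baseline[rel] != current[rel]:
            fields = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            events.append(("modified", rel, ",".join(fields)))
    return events

def _write(root, rel, data):  # fixture helper: deterministic content and mode
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, 0o644)

def demo():  # constructed scenario: baseline a temp tree, tamper, report what changed
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("etc/passwd", b"root:x:0:0\n"), ("etc/app.conf", b"debug=0\n"),
                          ("var/audit.log", b"login ok\n")):
            _write(root, rel, data)
        stored = json.dumps(build_baseline(root))  # baseline as it would be persisted
        _write(root, "etc/passwd", b"root:x:0:0\nextra:x:0:0\n")  # content edited
        os.chmod(os.path.join(root, "etc/app.conf"), 0o777)  # attribute-only change
        os.remove(os.path.join(root, "var/audit.log"))  # log wiped to hide tracks
        _write(root, "etc/unexpected.conf", b"planted\n")  # new file appeared
        return compare(json.loads(stored), build_baseline(root))
```

Note that the permission-only change on `etc/app.conf` is caught even though its hash is unchanged, which is why a real agent records attributes alongside the digest.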
FIM can be integrated directly with tools such as Security Information and Event Management (SIEM) systems, feeding up-to-date log information straight into your SIEM solution for visualization and analysis. As part of Rimstorm’s premium cyber managed security services package, FIM is fully integrated into our existing SIEM framework.
File integrity monitoring allows your organization to step beyond static safeguards and respond to risks in real time. And because it fully integrates with your existing network and security tools, you can detect malicious activity starting with the initial compromise — whether it stems from phishing, malware, or the use of stolen credentials. With FIM, file modification events can be looped into an investigation to understand how the actions relate to normal user activity across your environment. You can visualize file modification activity as fully customizable, exportable dashboard charts for easy visibility and to proactively meet audit requirements.