Most IT systems today use file-based architectures to store and process information. Critical components such as operating systems, application binaries, system and application configuration data, an organization's sensitive data, logs, and data pertaining to security events are all stored in files. If any of these files is compromised, the organization suffers financial and reputational damage. Therefore, ensuring the integrity and security of critical files is more important than ever. This is why File Integrity Monitoring (FIM) services come into play.
FIM is the process of checking important files, such as those of the operating system, utility programs, databases, and applications, to determine whether they have been tampered with or corrupted. FIM validates files by comparing their latest versions against trusted versions, then flags unexpected and unauthorized changes to establish whether a file has been modified. In a nutshell, FIM helps in:
As mentioned before, FIM helps in meeting compliance standards. It is specifically suggested in PCI DSS regulatory standard.
PCI DSS mandates the following:
In addition, deploying file integrity monitoring software to alert analysts upon unauthorized changes to critical system files, configuration files, or content files is necessary, and configuring the software to perform critical file comparisons at least weekly is also crucial.
FIM is a powerful layer of data security that adds defense in depth to your overall security posture.
FIM uses one of the following approaches:
Of these, baseline comparison is the most commonly used approach.
Determining which files to monitor is one of the most crucial steps in FIM. Monitoring too many files can hamper analysis, whereas monitoring too few can result in the loss of crucial data that could help identify a security event. The following file types should be carefully monitored across the environment:
On Linux, the critical directories include:
/bin
/sbin
/usr/bin
/usr/sbin
Application Files: Application files belong to the various programs that perform day-to-day operations and activities on your system, such as firewalls, antivirus programs, Windows Media Player, and so on, and include binaries, configuration files, and libraries. These files must be monitored carefully. On Windows, most applications store their files in:
C:\Program Files
C:\Program Files (x86)
On Linux systems, applications are present in:
/opt
/usr/bin
/usr/sbin
Configuration Files: Configuration files are an integral part of the OS and of applications and are typically read at startup and while the respective application or service runs. They define how the system and application will function. Typically, configuration files include the Windows registry and the various text-based config files stored on Linux and OS X systems. Monitoring such files is indispensable.
Log Files: Log files contain transaction or activity history. Depending on the application, the logged activities may include access information, user activity, errors, and other information. Log files are a primary target of an attacker seeking to hide their tracks after a successful intrusion. They are rich sources of information and aid in incident response. Log files should only be accessed and modified by the authorized application. To prevent tampering with log files, logs should be actively collected from the system and stored on separate tamper-proof storage. On Windows, logs are stored in the Event Viewer, whereas UNIX-based systems store logs in /var/log.
Digital Keys, Certificates and Credentials: Digital keys are used in cryptography and ensure the secure transmission of data and information between authorized parties. Certificates are used in authentication systems to replace the traditional login system of a user name and password. Lastly, credentials may include sensitive information such as your login details, financial statements, bank account details, or national security data. Digital keys, certificates, and credentials are all saved in the form of files, and therefore their monitoring is extremely important to avoid massive disasters.
The security and integrity of files are necessary to avoid data breaches. Therefore, the use of File Integrity Monitoring (FIM) services is always recommended for organizations. Fortunately, FIM can be integrated with a SIEM tool, and together they build a stronger layer of security.
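The baseline comparison approach described earlier, applied to the kinds of files listed above, as an added example in Python (this is illustrative code written for this page, not code from the original article or from any FIM product). It takes a trusted baseline of content hashes plus ownership and permission bits, stores that baseline under an HMAC so the trusted copy is itself tamper-evident, and then classifies a rescan into added, removed, modified and metadata-only changes. DEFAULT_WATCH_LIST is modelled on the directories the article names; the demo runs against a constructed temporary tree and a constructed placeholder key so that it is reproducible offline.

```python
import hashlib
import hmac
import json
import stat
import tempfile
from pathlib import Path

# Paths modelled on the directories named in the article; on a real host the
# baseline would be built over these. The demo below runs on a constructed
# temporary tree instead so that it is reproducible offline.
DEFAULT_WATCH_LIST = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/opt", "/etc"]


def fingerprint(path: Path) -> dict:
    """Hash the content and record ownership/permission bits of one file.
    The hash catches edits; the metadata catches a new setuid bit or owner."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.lstat()
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(roots) -> dict:
    """Walk every monitored root and fingerprint each regular file found."""
    baseline = {}
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for p in sorted(root.rglob("*")):
            if p.is_file() and not p.is_symlink():
                baseline[str(p)] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the trusted baseline and a fresh scan."""
    report = {"added": [], "removed": [], "modified": [], "metadata": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        elif old["sha256"] != new["sha256"]:
            report["modified"].append(path)
        elif (old["mode"], old["uid"], old["gid"]) != (new["mode"], new["uid"], new["gid"]):
            report["metadata"].append(path)
    return report


def serialize_baseline(baseline: dict, key: bytes) -> str:
    """Store the baseline with an HMAC so the trusted copy is itself tamper-evident."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "hmac": tag})


def parse_baseline(blob: str, key: bytes) -> dict:
    """Refuse to trust a stored baseline whose HMAC does not verify."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("stored baseline failed integrity check")
    return json.loads(doc["baseline"])


def demo() -> dict:
    """Constructed scenario: take a baseline, make four kinds of change, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in for a binary\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        watch = [root / "bin", root / "etc"]

        key = b"constructed-demo-key"  # in practice kept off the monitored host
        stored = serialize_baseline(build_baseline(watch), key)

        # Changes an analyst would want flagged: a config edit, a deleted file,
        # a new file in a system directory, and a permission change on a binary.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "update.sh").write_text("#!/bin/sh\necho constructed\n")
        (root / "bin" / "ls").chmod(0o4755)

        report = compare(parse_baseline(stored, key), build_baseline(watch))
        # Report paths relative to the temporary root for readability.
        return {k: [Path(p).relative_to(root).as_posix() for p in v]
                for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice. First, the comparison keys on ownership and permission bits as well as the content hash, because a changed mode on an unchanged binary is exactly the kind of event a hash-only check misses. Second, the baseline itself is a high-value target: if an attacker can rewrite it to match their modified files, the monitor reports nothing, so the stored copy is authenticated and the key is kept off the monitored host.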