File integrity monitoring

File integrity monitoring (FIM) is the process of using technology to centrally track every change made to critical files and folders to ensure the integrity of their contents.

What is file integrity monitoring?

Put simply: FIM is used to keep track of and validate changes made to files and folders. A FIM solution ensures the accuracy of data by preempting unauthorized changes. The changes could be the creation, deletion, access, modification, or renaming of files and folders, including failed attempts at performing any of these actions. 

The files of concern are typically data, system, and log files; in other words, files that are critical to any business. Unauthorized changes to these types of files can lead to adverse consequences.

  • Unauthorized changes made to personal data of customers or employees can lead to non-compliance and legal repercussions for the business.
  • Changes made to system files can cause servers or applications to malfunction. 
  • Malicious actors might try to tamper with log archive files to cover their tracks while carrying out an attack. 

The above cases illustrate the importance of monitoring file and folder activities, as well as staying on top of changes. Monitoring files for integrity is vital for ensuring security, so much so that FIM is mandated by various compliance regulations and forms a fundamental part of an organization's IT security strategy. 

The FIM process: Auditing, reporting, and alerting

The basic objective of FIM is to track file and folder changes and alert upon suspicious activity. FIM tools continuously audit files and folders, maintaining a record of all changes that have been performed. The details of the changes must include the four vital W's of auditing:

  • Who made the change
  • Which file was changed
  • When the change was made
  • What the new value is and what the old value was
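
The baseline-and-rescan approach behind these change records, as an added example that is not part of the original page and not Log360's code: a snapshot of each monitored file is taken, the tree is rescanned later, and one record is emitted per file whose state differs, carrying the old and new hash. The monitored directory, file names and contents are constructed in a temporary directory so the script runs offline; a filesystem scan alone answers "which", "when" and "what", while "who" must come from OS audit logs, since the owner uid recorded here is the file's owner and not the account that made the change.

```python
"""Baseline-and-rescan file integrity check (added example, not Log360 code).

A FIM tool records the state of each monitored file, rescans later and
emits one change record per file whose state differs, with old and new
values.  Standard library only; the monitored tree is constructed in a
temporary directory.  The owner uid is the file's owner, not the actor
that changed it: the "who" of a change comes from OS audit logs.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Record hash, size, mtime and owner uid for every regular file under root."""
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        rel = path.relative_to(root).as_posix()
        state[rel] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mtime": st.st_mtime,
            "owner_uid": st.st_uid,
        }
    return state


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Compare two snapshots: which file, what kind of change, old and new hash."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            changes.append({"file": rel, "change": "created", "old": None, "new": new["sha256"]})
        elif new is None:
            changes.append({"file": rel, "change": "deleted", "old": old["sha256"], "new": None})
        elif old["sha256"] != new["sha256"]:
            changes.append({"file": rel, "change": "modified", "old": old["sha256"], "new": new["sha256"]})
    return changes


def demo() -> list:
    """Constructed scenario: baseline three files, then tamper, remove and add."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "audit.log").write_text("service started\n")
        baseline = snapshot(root)

        (root / "etc" / "app.conf").write_text("debug=true\n")   # modified config
        (root / "audit.log").unlink()                            # deleted log
        (root / "etc" / "cron.d").write_text("# constructed\n")  # created file
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for change in demo():
        print(f"{change['change']:<9} {change['file']:<14} old={change['old']} new={change['new']}")
```

Running the script prints three records: the deleted log, the modified config with both hashes, and the newly created file. A real deployment would persist the baseline (signed, on a separate host) and feed the records into the reports and alerts described below rather than printing them.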

The most efficient way to track these changes is to generate graphical reports that help visualize what's going on. Reports empower security teams to review and validate all the changes that have been made to files and folders. To make the process efficient, security teams can schedule reports so that the list of changes is reviewed periodically.

Once reports are scheduled, alerts can be configured for detecting unauthorized changes. Because FIM is closely related to security information and event management (SIEM), most SIEM solutions come with built-in FIM capabilities, providing a one-stop solution for security teams. Furthermore, machine learning can be applied to the data collected by the FIM solution to discover anomalies with greater precision.

This is where user behavior analytics (UBA) comes into the picture. UBA augments FIM functionality by applying machine learning techniques to FIM data in order to spot anomalous activities. This goes a long way in curbing insider threats and data exfiltration attempts at an early stage. It's a good idea to look for a SIEM solution that not only offers basic FIM, but also has a UBA component. 

Log360's FIM capabilities

Log360, a comprehensive SIEM solution from ManageEngine, comes with a powerful FIM module that helps organizations meet their security and compliance objectives. The solution thoroughly audits file and folder activities to provide actionable insights. Log360 provides out-of-the-box FIM support for:

  • Windows file servers
  • Failover clusters
  • Linux file servers
  • EMC servers
  • NetApp filers

Log360 employs both agent-based and agentless mechanisms for FIM, giving security teams the flexibility to choose their implementation as per their requirements. Log360 generates reports to track every access, creation, deletion, modification, and permission change made to files and folders. The solution triggers alerts via SMS or email for unauthorized actions.

Log360's FIM module is augmented by its built-in UBA module that can raise alarms for anomalies based on count, time, and pattern of events. UBA helps security teams spot anomalies in user behavior to detect threats that might have been missed otherwise. 

FIM for meeting compliance regulations

To demonstrate compliance, security teams must maintain an audit trail of file and folder changes, and be able to produce reports for any particular period of time. Some of the widely known compliance regulations that require FIM include:

  • PCI DSS: Requirement 11.5 requires organizations to deploy a FIM tool to track changes and alert upon unauthorized modifications of files. Log360's built-in FIM module helps meet this requirement.
  • SOX: Log360's FIM plays a part in implementing internal IT controls as mandated by Section 404.
  • FISMA: Log360's audit reports play a crucial role in meeting the Audit and Accountability (AU) requirements of FISMA.
  • HIPAA: HIPAA's objective is to protect health information, and Log360's FIM capability helps monitor and ensure the integrity of patient health records.

Log360 provides prebuilt reports for meeting the requirements of the above regulations and other standards.

Use cases for Log360's FIM

  • Audit report generation: Log360's change reports are granular; they can be generated based on servers, users, and processes. The reports can then be scheduled for reviewing the changes periodically.
  • Alerting for multiple failed access events: Log360 tracks failed attempts to make changes, and can alert security teams when the number of failed access or change attempts crosses a threshold.
  • Alerting for multiple events occurring within a short time frame: Log360 can detect and alert when a suspicious chain of events occurs, such as a brute force pattern followed by modifications of files.
  • Detecting permission changes that can expose sensitive data: File permission changes can expose sensitive data and result in compliance violations. Log360 instantly notifies security teams about changes made to the permissions of crucial files, folders, and shares.
  • Detecting unusual file activities: Log360's UBA module profiles user behaviors and builds a security baseline of user activities. If a user does something unusual, the anomaly is instantly detected and an alarm is raised. For example, when a user who normally works from 10am to 6pm deletes a file at 11pm, the solution flags the activity as an anomaly.
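
The alert patterns in these use cases, written out as plain detection rules over audit events, as an added example that is not part of the original page and is not Log360's alerting engine: a failed-attempt threshold inside a sliding window, an immediate alert on permission changes under a sensitive path, a correlation of a failure burst with a later successful modification by the same user, and a per-user working-hours baseline for the time anomaly. The events, sensitive paths and working-hours baseline are all constructed inline; the field names and thresholds are assumptions for illustration.

```python
"""Alert rules over file audit events (added example, not Log360's engine).

Each event is one audited file action with the four W's (who, which file,
when, what happened) plus its outcome.  The rules implement the use-case
patterns: failed-attempt threshold, permission change on a sensitive path,
failure burst followed by a modification, and off-hours activity against a
per-user baseline.  All input is constructed inline.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed audit events: (when, who, action, which file, outcome)
EVENTS = [
    ("2024-03-04 11:02:10", "alice", "read", "/srv/hr/payroll.xlsx", "failure"),
    ("2024-03-04 11:02:12", "alice", "read", "/srv/hr/payroll.xlsx", "failure"),
    ("2024-03-04 11:02:15", "alice", "read", "/srv/hr/payroll.xlsx", "failure"),
    ("2024-03-04 11:02:17", "alice", "read", "/srv/hr/payroll.xlsx", "failure"),
    ("2024-03-04 11:02:20", "alice", "read", "/srv/hr/payroll.xlsx", "failure"),
    ("2024-03-04 11:03:00", "alice", "modify", "/srv/hr/payroll.xlsx", "success"),
    ("2024-03-04 14:30:00", "bob", "permission_change", "/srv/hr", "success"),
    ("2024-03-04 15:00:00", "bob", "read", "/srv/docs/readme.txt", "success"),
    ("2024-03-04 23:05:00", "carol", "delete", "/srv/finance/q1.csv", "success"),
]

SENSITIVE_PATHS = ("/srv/hr", "/srv/finance")  # constructed monitored roots
# Constructed per-user baseline of normal working hours, as [start, end) on a 24h clock
WORK_HOURS = {"alice": (9, 18), "bob": (9, 18), "carol": (10, 18)}


def parse(raw):
    """Turn the tuples into dicts with a real datetime, sorted by time."""
    events = [
        {"when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "who": who,
         "action": action, "file": path, "outcome": outcome}
        for ts, who, action, path, outcome in raw
    ]
    return sorted(events, key=lambda e: e["when"])


def failed_attempt_threshold(events, threshold=5, window=timedelta(seconds=60)):
    """One alert per burst when a user's failures inside `window` reach `threshold`."""
    alerts, recent = [], {}
    for ev in events:
        if ev["outcome"] != "failure":
            continue
        q = recent.setdefault(ev["who"], deque())
        q.append(ev["when"])
        while ev["when"] - q[0] > window:  # drop failures that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            alerts.append(f"{ev['who']}: {len(q)} failed attempts within {window.seconds}s, last at {ev['when']:%H:%M:%S}")
            q.clear()
    return alerts


def permission_change_on_sensitive(events, roots=SENSITIVE_PATHS):
    """Any permission change on or under a monitored sensitive root is alerted immediately."""
    return [f"{ev['who']} changed permissions on {ev['file']} at {ev['when']:%H:%M}"
            for ev in events
            if ev["action"] == "permission_change" and ev["file"].startswith(roots)]


def failures_then_modification(events, threshold=5, within=timedelta(minutes=5)):
    """Correlate a burst of failures with a later successful modify by the same user."""
    alerts = []
    for ev in events:
        if ev["action"] != "modify" or ev["outcome"] != "success":
            continue
        prior = [e for e in events
                 if e["who"] == ev["who"] and e["outcome"] == "failure"
                 and timedelta(0) <= ev["when"] - e["when"] <= within]
        if len(prior) >= threshold:
            alerts.append(f"{ev['who']}: {len(prior)} failures then modified {ev['file']} at {ev['when']:%H:%M:%S}")
    return alerts


def off_hours_activity(events, hours=WORK_HOURS):
    """Flag activity outside the user's baseline working hours (UBA-style time anomaly)."""
    alerts = []
    for ev in events:
        start, end = hours.get(ev["who"], (0, 24))  # no baseline for unknown users: never flagged
        if not start <= ev["when"].hour < end:
            alerts.append(f"{ev['who']} performed {ev['action']} on {ev['file']} at {ev['when']:%H:%M}, outside {start:02d}:00-{end:02d}:00")
    return alerts


def run_rules(raw=EVENTS):
    """Run every rule over the event list and return alerts grouped by rule."""
    events = parse(raw)
    return {
        "failed_threshold": failed_attempt_threshold(events),
        "permission_change": permission_change_on_sensitive(events),
        "failures_then_modify": failures_then_modification(events),
        "off_hours": off_hours_activity(events),
    }


if __name__ == "__main__":
    for rule, alerts in run_rules().items():
        for alert in alerts:
            print(f"[{rule}] {alert}")
```

On the constructed events each rule fires exactly once: the five failures by alice trip the threshold, the same burst correlates with her successful modification a minute later, bob's permission change lands under a sensitive root, and carol's 23:05 deletion falls outside her baseline hours. Windows, thresholds and baselines are the tuning knobs; too tight and legitimate batch jobs alert, too loose and a slow attempt slips under the window.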


Highlights of Log360's features

  • Log management, search, and archival: Log360 aggregates logs from various sources, provides an intuitive mechanism to search through the data, and securely archives the logs for as long as needed. 
  • Real-time Active Directory change auditing: The solution can track Active Directory changes in real time and alert about critical changes, such as those made to top-level groups. 
  • Out-of-the-box auditing: The solution supports a wide range of log sources, including domain controllers, databases, web servers, and firewalls. It comes with over 1,000 prebuilt audit reports that can be associated with alerts. 
  • Security alerting: The solution can trigger granular alerts for events of interest to help organizations detect security incidents at an early stage.  
  • Event correlation: The event correlation engine can associate events from various systems, and discover complex attack patterns at an early stage.  
  • Incident management: The solution can be integrated with an IT help desk to ensure that every alert that's triggered is raised as a ticket to the designated administrator, leading to more accountable resolutions.  
  • Threat intelligence: Log360's threat intelligence platform can process STIX/TAXII feeds and detect malicious traffic in a network, including outbound connections to malicious domains and callback servers. 

Interested in exploring the product?

Get started by downloading a 30-day free trial.
