File integrity monitoring (FIM) is the process of using technology to centrally track every change made to critical files and folders to ensure the integrity of their contents.
Put simply: FIM is used to keep track of and validate changes made to files and folders. A FIM solution ensures the accuracy of data by preempting unauthorized changes. The changes could be the creation, deletion, access, modification, or renaming of files and folders, including failed attempts at performing any of these actions.
The files in concern are typically data, system, and log files; in other words, files that are critical for any business. Unauthorized changes to these types of files can lead to adverse consequences.
The above cases illustrate the importance of monitoring file and folder activities, as well as staying on top of changes. Monitoring files for integrity is vital for ensuring security, so much so that FIM is mandated by various compliance regulations and forms a fundamental part of an organization's IT security strategy.
The basic objective of FIM is to track file and folder changes and alert upon suspicious activity. FIM tools continuously audit files and folders, maintaining a record of all changes that have been performed. The details of the changes must include the four vital W’s of auditing:
Who made the change
Which file was changed
When the change was made
What the new value is and what the old value was
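As an added illustration (not code from the page or from any vendor), a minimal Python baseline-and-compare check that records the which, when and what of each change, including the old and new content hash. The sample directory and its files are constructed here; the "who" is deliberately absent because a hash scan cannot recover it, and real FIM tools take it from the operating system's audit log.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Baseline: {relative path: sha256} for every regular file under root."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(base.rglob("*")) if p.is_file()}


def diff_snapshots(old, new, when):
    """Turn two baselines into FIM records: which file, when, old and new value.
    'Who' is not recoverable from hashes; it must come from the OS audit log."""
    created = {p: h for p, h in new.items() if p not in old}
    deleted = {p: h for p, h in old.items() if p not in new}
    events = []
    # A deleted and a created entry with the same content hash is a rename.
    by_hash = {h: p for p, h in deleted.items()}
    for path, h in list(created.items()):
        if h in by_hash:
            events.append({"action": "renamed", "file": by_hash[h], "new_name": path,
                           "old": h, "new": h, "when": when})
            del deleted[by_hash.pop(h)]
            del created[path]
    events += [{"action": "created", "file": p, "old": None, "new": h, "when": when}
               for p, h in created.items()]
    events += [{"action": "deleted", "file": p, "old": h, "new": None, "when": when}
               for p, h in deleted.items()]
    events += [{"action": "modified", "file": p, "old": h, "new": new[p], "when": when}
               for p, h in old.items() if p in new and new[p] != h]
    return sorted(events, key=lambda e: (e["action"], e["file"]))


def demo():
    """Constructed scenario (sample data, not a real system): baseline three
    files, then modify one, delete one, rename one and create one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.log").write_text("started\n")
        before = snapshot(root)
        (root / "etc" / "passwd").write_text("root:x:0:0\nbackup:x:1001:1001\n")
        (root / "app.log").unlink()
        (root / "etc" / "hosts").rename(root / "etc" / "hosts.bak")
        (root / "etc" / "shadow").write_text("root:!:0\n")
        return diff_snapshots(before, snapshot(root), when="2024-01-01T00:00:00Z")
```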
The most efficient way to track these changes is to generate graphical reports that help visualize what's going on. Reports empower security teams to periodically review and validate all the changes that have been made to files and folders. To make the process efficient, security teams can schedule reports to periodically review the list of changes that have occurred.
Once reports are scheduled, alerts can be configured for detecting unauthorized changes. Because FIM is closely related to security information and event management (SIEM), most SIEM solutions come with built-in FIM capabilities, providing a one-stop solution for security teams. Furthermore, machine learning can be applied on the data collected by the FIM solution to discover anomalies with greater precision.
This is where user behavior analytics (UBA) comes into the picture. UBA augments FIM functionality by applying machine learning techniques to FIM data in order to spot anomalous activities. This goes a long way in curbing insider threats and data exfiltration attempts at an early stage. It's a good idea to look for a SIEM solution that not only offers basic FIM, but also has a UBA component.
Log360, a comprehensive SIEM solution from ManageEngine, comes with a powerful FIM module that helps organizations meet their security and compliance objectives. The solution thoroughly audits file and folder activities to provide actionable insights. Log360 provides out-of-the-box FIM support for:
Log360 employs both agent-based and agentless mechanisms for FIM, giving security teams the flexibility to choose their implementation as per their requirements. Log360 generates reports to track every access, creation, deletion, modification, and permission change made to files and folders. The solution triggers alerts via SMS or email for unauthorized actions.
Log360's FIM module is augmented by its built-in UBA module that can raise alarms for anomalies based on count, time, and pattern of events. UBA helps security teams spot anomalies in user behavior to detect threats that might have been missed otherwise.
To demonstrate compliance, security teams must maintain the audit trail of the file and folder changes, and be able to produce reports for any particular period of time. Some of the widely known compliance regulations that require FIM include:
PCI DSS: Requirement 11.5 requires organizations to deploy a FIM tool to track changes and alert upon unauthorized modifications of files. Log360's built-in FIM module helps meet this requirement.
SOX: Log360's FIM plays a part in implementing internal IT controls as mandated by Section 404.
FISMA: Log360's audit reports play a crucial role in meeting the Audit and Accountability (AU) requirements of FISMA.
HIPAA: HIPAA's objective is to protect health information, and Log360's FIM capability helps monitor and ensure the integrity of patient health records.
Log360 provides prebuilt reports for meeting the requirements of the above regulations and other standards.
Audit report generation: Log360’s change reports are granular; they can be generated based on servers, users, and processes. The reports can then be scheduled for reviewing the changes periodically.
Alerting for multiple failed access events: Log360 tracks failed attempts to make changes, and can alert security teams when the number of failed access or change attempts crosses a threshold.
Alerting for multiple events occurring within a short time frame: Log360 can detect and alert when a suspicious chain of events occurs, such as a brute force pattern followed by modifications of files.
Detecting permission changes that can expose sensitive data: File permission changes can expose sensitive data and result in compliance violations. Log360 instantly notifies security teams about changes made to the permissions of crucial files, folders, and shares.
Detecting unusual file activities: Log360's UBA module profiles user behaviors and builds a security baseline of user activities. If a user does something unusual, the anomaly is instantly detected and an alarm is raised. For example, when a user who normally works from 10am to 6pm deletes a file at 11pm, the solution flags the activity as an anomaly.
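An added example, not part of the page or of Log360, showing the three detection rules described above as plain Python over constructed audit records: a burst of denied attempts, a successful change shortly after such a burst, and successful activity outside a user's learned working hours. The record format, the thresholds and the per-user hours baseline are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs). outcome: "ok" or "denied".
SAMPLE = [
    ("2024-03-04T14:00:01", "bob", "access", "/hr/salaries.csv", "denied"),
    ("2024-03-04T14:00:04", "bob", "access", "/hr/salaries.csv", "denied"),
    ("2024-03-04T14:00:07", "bob", "access", "/hr/salaries.csv", "denied"),
    ("2024-03-04T14:00:40", "bob", "modify", "/hr/salaries.csv", "ok"),
    ("2024-03-04T23:05:00", "alice", "delete", "/finance/q1.xlsx", "ok"),
]
# Constructed per-user working-hours baseline (start, end), as a UBA profile might learn it.
BASELINE_HOURS = {"alice": (10, 18), "bob": (9, 17)}

def parse(rows):
    return [{"ts": datetime.fromisoformat(t), "user": u, "action": a, "file": f, "outcome": o}
            for t, u, a, f, o in rows]

def failed_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Rule 1: a user with >= threshold denied attempts inside a sliding window."""
    alerts = []
    denied = defaultdict(list)
    for e in events:
        if e["outcome"] == "denied":
            denied[e["user"]].append(e["ts"])
    for user, times in denied.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((user, times[i + threshold - 1]))  # report once per user
                break
    return alerts

def burst_then_change(events, bursts, window=timedelta(minutes=5)):
    """Rule 2: a successful change by a user shortly after that user's failure burst."""
    return [(e["user"], e["action"], e["file"]) for user, t in bursts for e in events
            if e["user"] == user and e["outcome"] == "ok" and e["action"] in ("modify", "delete")
            and t < e["ts"] <= t + window]

def off_hours(events, baseline):
    """Rule 3: successful activity outside the user's learned working hours."""
    return [(e["user"], e["action"], e["ts"].isoformat()) for e in events
            if e["user"] in baseline and e["outcome"] == "ok"
            and not baseline[e["user"]][0] <= e["ts"].hour < baseline[e["user"]][1]]

def run(rows=SAMPLE, baseline=BASELINE_HOURS):
    events = sorted(parse(rows), key=lambda e: e["ts"])
    bursts = failed_bursts(events)
    return {"bursts": bursts, "chains": burst_then_change(events, bursts),
            "off_hours": off_hours(events, baseline)}
```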
Get started by downloading a 30-day free trial.