+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

What is file integrity monitoring?

File Integrity Monitoring systems generate alerts when intruders make unexpected changes to the files on your servers – either by changing existing files or creating new ones.

Robust cybersecurity can be most effectively achieved by adopting a ‘defence in depth’ approach.  This means deploying several layers of protection, using different technologies so that the overlapping coverage means if any one layer of defence is defeated there remains at least one more level of protection.

Different technologies should be used so that the best possible chance of defeating an attack is provided. By using different approaches effectiveness is increased because if one system should fail to stop an attack, another technology may detect it because it works in a different way.  And this diversity of tools applies not just to the technical methods deployed but also the very design purpose of the tools. In particular, some security tools are designed to provide protection in order to prevent a breach whereas others are designed to provide detection of a breach should it occur.  Protection and detection are the two fundamental types of security control and technology – the first tries to prevent a breach, and the second identifies when a breach has happened as quickly as possible.

When a network intrusion is detected quickly, it minimises the opportunity for the attackers to survey the network and deploy malware and tools which would otherwise facilitate a persistent presence in your systems.

What is File Integrity Monitoring?

File Integrity Monitoring is class of technical control that detects changes made to files on your network that could indicate the presence of intruders.  With a typical network containing many thousands of critical files, it is not possible to manually check those files for unexpected changes – only an automated tool can provide the scale and speed of coverage needed.

File Integrity Monitoring (FIM) tools require careful configuration to ensure they are watching for changes to files that are not expected to change regularly – and where the existence of a change could be an indicator of compromise.  FIM tools typically come with template configurations which have the key files and folders for popular operating systems and applications already defined.

Why is File Integrity Monitoring helpful?

The presence of intruders in your network can be inferred by the changes they make on systems in order to either try to hide their presence or to facilitate lateral movement across the network or deploy a persistent backdoor into the network.

An intruder may attempt to alter or delete log files in order to remove evidence of their activity on your systems.  An FIM system would alert that a log file has been amended or deleted allowing security operations staff to investigate further.

Configuration files for applications, middleware and even security tools could be edited by an intruder in order to facilitate continued access to your network or to help exfiltrate data.  An FIM system would detect the changes to the usually static configuration files and raise an alert prompting an investigation by your security team.

The FIM system works by comparing an image of what each server’s filesystem ‘should’ look like and raises alerts when anything changes.

PCI-DSS mandates the use of File Integrity Monitoring in order to demonstrate compliance with clauses 10.5.5 (Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed) and 11.5 (Deploy a change-detection mechanism… to alert personnel to unauthorized modification … of critical system files, configuration files, or content files).  An FIM system can also aid the operational security controls required for ISO 27001 compliance.

How does a File Integrity Monitoring system work?

An FIM system works by comparing the current status of a file system with a known ‘good’ state – which means you need to start with a trusted system that is correctly configured. Then some form of snapshot is taken by the FIM software which is then used as a basis for future comparisons.  Modern FIM systems look beyond simple file attributes (such as file size and modification timestamps) and create a known cryptographic checksum which is compared against the calculated checksum of the current file in future integrity checks.

Integration with your Change Management system can simplify and expedite the clearing of alerts that are generated as a result of planned changes to files – such as a planned change to a configuration file for a web server.  The alert in the FIM system can be linked to the relevant record in the Change Management system and closed down accordingly.

The FIM system may be able to capture before and after images of the files it is monitoring, allowing changes to be reviewed and rolled forward and back in chronological order – a great help during forensic investigations and may allow the lateral movement of attackers through the network to be tracked.

Using a File Integrity Monitoring system can help reduce the amount of ‘dwell’ time enjoyed by intruders who gain access to your network before they are discovered. By detecting file creations (as intruders install the tools they will use in later stages of the attack) or changes made to configuration settings – the presence of intruders and the systems they are interacting with can be identified.

An FIM system can help you detect when servers on your network deviate from your known good security baseline – indicating either a mistake by your operations team or the actions of an intruder.

Before deploying an FIM system, servers should be hardened so you have confidence that the underlying system and configuration that is being protected is as secure as possible.

SecureTeam can help you define the security baseline for your servers through our secure configuration review services and conduct penetration tests to validate your server hardening and network security.

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.