The five stages of file integrity monitoring
When a file integrity monitoring (FIM) solution is deployed well, the benefits are substantial:
When you see an unexpected or unexplained file change, you can start investigating immediately; if the investigation shows the system has been compromised, the problem can be dealt with quickly.
Changes can be reconciled against the list of approved changes recorded in a change log or workbook.
You can determine whether a change has drifted the configuration out of policy (for example, away from the hardening standard the system was built to).
Response actions can be automated for specific kinds of change, for example flagging the appearance of a new DLL (high risk) while automatically promoting simple modifications to existing DLL files into the baseline (low risk).
Nor should the importance of FIM be underestimated. Recall what the Center for Internet Security says in Critical Security Control 3.5:
Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configuration files) have not been altered.
The reporting system should:
be able to account for routine and expected changes;
highlight and alert on unusual or unexpected alterations;
show the history of configuration changes over time and identify who made each change (including the original logged-in account when a user ID switch occurred, for example via the "su" or "sudo" command).
These integrity checks should identify suspicious system alterations such as:
changes to the owner or permissions of files or directories;
the use of alternate data streams, which could be used to hide malicious activity;
the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers, or files inappropriately added during batch distribution processes).
FIM can, however, become a nuisance if it is not well controlled, consuming a great deal of time and effort. Only by choosing the solution carefully, maintaining it diligently, feeding it appropriately, and re-tuning it as the environment changes can you keep the five stages of FIM from overwhelming your security team.
Put simply, the five stages of FIM are:
There was a change in the monitored environment.
There was a change, and it was unexpected.
There was a change, it was unexpected, and it was bad.
There was a change, it was unexpected, it was bad, and there is a way to restore the system to a known-trusted state.
There was a change, it was unexpected, it was bad, there is a way to fix it, and the solution has been tuned to minimize future noise.
If no solution has been deployed, or the existing solution cannot move through these stages quickly, FIM acquires a reputation for being "useless".
The best way to improve the effectiveness of FIM is to narrow its monitoring scope to use cases that address compliance, security, and operational problems, ideally prioritized in that order. The five stages above likewise grow in complexity in sequence.
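The CSC 3.5 checks above (owner and permission changes, new files in key locations, routine changes accounted for) and the five stages describe one workflow: baseline, detect, reconcile against approved changes, rate, restore, tune. The following is an added example, not code from the original article or from any FIM product; it walks one monitoring cycle over a constructed scratch directory. The directory layout, the file names (core.dll, dropper.dll, sshd_config, motd, audit.log), the approved-change list, the noise filter and the severity policy are all hypothetical, chosen to mirror the article's DLL example.

```python
"""Walk-through of the five FIM stages on a scratch directory tree (added example,
not from the original article). Layout, names, approved list and policy are hypothetical."""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Stage 5 tuning: files expected to churn (logs, temp files) never raise events.
NOISE_SUFFIXES = (".log", ".tmp")
# Article's example policy: editing an existing DLL is low risk (auto-promote); a new DLL is high.
AUTO_PROMOTE_SUFFIXES = (".dll",)

def fingerprint(path: Path) -> dict:
    """Record what CSC 3.5 asks for: content hash plus owner, group and mode."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def snapshot(root: Path) -> dict:
    """Baseline: relative path -> fingerprint for every regular file under root."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.name.endswith(NOISE_SUFFIXES)}

def detect(old: dict, new: dict) -> dict:
    """Stage 1: relative path -> list of change kinds between two snapshots."""
    changes = {}
    for rel in sorted(set(old) | set(new)):
        if rel not in old or rel not in new:
            changes[rel] = ["added" if rel not in old else "removed"]
            continue
        o, n = old[rel], new[rel]
        kinds = []
        if (o["uid"], o["gid"], o["mode"]) != (n["uid"], n["gid"], n["mode"]):
            kinds.append("owner_or_mode")
        if o["sha256"] != n["sha256"]:
            kinds.append("modified")
        if kinds:
            changes[rel] = kinds
    return changes

def classify(rel: str, kinds: list, approved: set) -> str:
    """Stages 2 and 3: reconcile against approved changes, then rate what is left."""
    if rel in approved:
        return "expected"
    if kinds == ["modified"] and rel.endswith(AUTO_PROMOTE_SUFFIXES):
        return "low"
    return "high"  # new/missing file in a key area, owner/permission change, unapproved edit

def reconcile(root: Path, golden: Path, quarantine: Path,
              baseline: dict, approved: set) -> dict:
    """One monitoring cycle; promoted changes are written into baseline in place."""
    current = snapshot(root)
    report = {"expected": [], "low": [], "high": []}
    for rel, kinds in detect(baseline, current).items():
        severity = classify(rel, kinds, approved)
        report[severity].append((rel, kinds))
        if severity in ("expected", "low"):     # promote: the new state is now trusted
            if rel in current:
                baseline[rel] = current[rel]
            else:
                baseline.pop(rel, None)
        elif "added" in kinds:                  # unknown file: move aside for analysis
            quarantine.mkdir(parents=True, exist_ok=True)
            shutil.move(str(root / rel), str(quarantine / Path(rel).name))
        else:                                   # Stage 4: restore the known-trusted copy
            shutil.copyfile(golden / rel, root / rel)
            os.chmod(root / rel, baseline[rel]["mode"])
    return report

def run_demo() -> dict:
    """Build a constructed tree, apply a mix of changes and run one cycle."""
    work = Path(tempfile.mkdtemp())
    root, golden, quarantine = work / "etc", work / "golden", work / "quarantine"
    (root / "app").mkdir(parents=True)
    (root / "app" / "core.dll").write_bytes(b"MZ\x90\x00 v1")
    (root / "sshd_config").write_text("PermitRootLogin no\n")
    os.chmod(root / "sshd_config", 0o600)
    (root / "audit.log").write_text("boot\n")
    shutil.copytree(root, golden)               # the known-trusted copy
    baseline = snapshot(root)

    (root / "app" / "core.dll").write_bytes(b"MZ\x90\x00 v2")   # simple DLL edit: low
    (root / "app" / "dropper.dll").write_bytes(b"MZ evil")       # new DLL: high
    (root / "sshd_config").write_text("PermitRootLogin yes\n")  # unapproved edit: high
    os.chmod(root / "sshd_config", 0o666)                       # permission change: high
    (root / "audit.log").write_text("boot\nlogin\n")            # noise, filtered out
    (root / "motd").write_text("maintenance tonight\n")         # on the approved list

    report = reconcile(root, golden, quarantine, baseline, {"motd"})
    report["sshd_config_content"] = (root / "sshd_config").read_text()
    report["sshd_config_mode"] = stat.S_IMODE((root / "sshd_config").stat().st_mode)
    report["dropper_quarantined"] = (quarantine / "dropper.dll").exists()
    report["core_promoted"] = (baseline["app/core.dll"]["sha256"]
                               == hashlib.sha256(b"MZ\x90\x00 v2").hexdigest())
    shutil.rmtree(work)
    return report
```

Calling run_demo() returns the report for one cycle: motd is expected (on the approved list) and promoted; the edited core.dll is low and promoted; the new dropper.dll is quarantined; sshd_config, which had both an unapproved content change and a permission change, is restored from the golden copy with its content and 0o600 mode put back; audit.log never appears because the Stage 5 noise filter drops it. Two caveats a practitioner would add: the golden copy and the baseline must be kept somewhere the monitored host cannot write, or an attacker simply updates both, and alternate data streams (the remaining CSC 3.5 item) are NTFS-specific and are not covered by a hash of the main stream.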
SOX (Sarbanes-Oxley Act) compliance is a good use case for enterprise FIM. When an enterprise produces SOX-relevant data, it must know where that data lives: which files, directories, applications, or even database fields. That is not every file, directory, or application.
A more mature enterprise's FIM program might say: "Our SOX data is tied to 135 locations that serve as audit points. We need to know what has changed at those locations, including changes to the baseline, so that nothing goes wrong when financial reports are generated from these key points."
Enterprises buy FIM for many reasons. Some want an inexpensive "checkbox" solution to show that due diligence has been performed as the law requires; others are more concerned with how changes in the environment affect normal operations.
Once you recognize the value of FIM, turn mandatory due diligence into proactive security and compliance, and narrow the line of defense to the critical points, the benefits of doing more with FIM are no empty talk.