Five phases of file integrity monitoring, file integrity monitoring

Source: Internet
Author: User

Five phases of file integrity monitoring, file integrity monitoring

If the file integrity monitoring (FIM) solution is deployed well, the benefits are great:

If you see unexpected or uninterpretable file modifications, you can immediately start the investigation: if the investigation finds that the system is intruded, the problem can be quickly solved.

These changes can be coordinated based on approved changes listed in the text or workbook.

Determines whether these modifications have moved to the policy configuration (which affects the curing standard ).

Response actions that can be automated for specific types of modifications-for example, marking the appearance of DLL files (high risk), but automatically promoting simple modifications to DLL files (low risk ).

However, we cannot underestimate the importance of FIM. Don't forget what the Internet Security Center says in key security control 3.5:

Use a file integrity check tool to ensure that critical system files (including sensitive systems and applications, binary files, and configuration files) are not tampered.

The report system should be up:

Ability to identify regular and expected changes;

Abnormal tag and alarm or unexpected modification;

Display the configuration change history and change persons (including the original Logon account during user ID switching, for example, when executing the "su" or "sudo" command ).

These integrity checks should identify suspicious system modifications, such:

Modification of the owner and permissions of files or directories;

Use Backup Data streams that can hide malicious activities;

Add files in critical locations of the system (which may be malicious attack loads left by attackers or files improperly introduced during batch processing ).

However, FIM may be "annoying" if it is not well controlled, and it will consume a lot of time and effort. Only by carefully selecting solutions, carefully maintaining, appropriately feeding, and fine-tuning based on environment changes can you avoid the five phases of FIM from overwhelming your security team.

To put it simply, the five phases of FIM are:

Changes found in the monitored environment;

Changed and unexpected;

Changes, unexpected, and bad changes;

There are changes, unexpected, and adverse consequences, but there is a way to restore to the known credibility status;

Changes, unexpected, can cause adverse consequences. There is a way to fix them and adjust the solution to minimize future noise.

If a solution has not been deployed, or the existing solution cannot quickly deal with such changes, FIM's "useless" perception may occur.

The best way to improve the effectiveness of FIM is to narrow the scope of its monitoring to use cases that can solve compliance, security, and operational problems, and it is best to determine the priority in this order. The complexity of the above five stages is also sequential.

SOX (Sarbanes-Oxley Act) compliance is a good case for enterprise FIM. When an enterprise produces SOX-related content, it must have "location" information, such as files, directories, and applications, or even database fields. But not all files, directories, or applications.

FIM applications for more mature enterprises may say: "Our SOX data is associated with 135 locations that can be used as audit points. We need to know what changes have taken place, including baseline changes, to ensure that no errors occur when generating financial reports for these key points ."

Enterprises can purchase FIM for a variety of reasons. Some of them want a cheap "checked" solution to show that due diligence has been performed in accordance with the law, while others are more concerned about the impact of changes in the environment on normal operations.

As long as you realize the value of FIM, you can turn the necessary due diligence into proactive security compliance, and narrow the line of defense to critical nodes, the benefits and advantages brought by more FIM are not empty talk.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.