File Integrity Monitoring

File Integrity Monitoring (FIM) alerts you to changes in critical system files, configuration files, and content files. 

AlienVault Unified Security Management™ (USM) combines FIM with all the essential security controls—Vulnerability Scanning, Asset Discovery, IDS, SIEM, and more—so you can accelerate and simplify threat detection and compliance management.

In general, change can be good. But not for the security professional.

Changes on critical servers often signal a breach. That's why it's essential to use File Integrity Monitoring (FIM) for your critical servers so you're alerted as soon as changes happen. In fact, if those servers are in-scope, PCI DSS requirements 10.5.5 and 11.5 state you must install file integrity monitoring software in order to pass your audit.

FIM tracks who has accessed sensitive data on in-scope systems as well as what they did to that data. This provides a necessary audit trail, as well as allows you to validate that the changes were authorized, expected, and did not jeopardize the integrity and security of the data.

Where to Implement FIM

Typically, you'll want to be selective about where you install the FIM software, since many system and application files will change often in a dynamic network environment. You’ll want to focus on monitoring the integrity of critical files on in-scope assets to detect unauthorized modification of critical system files, configuration files, or content files, all of which could indicate compromised devices or applications. In other words, install file integrity monitoring software wherever you need to monitor WHO has done WHAT to in-scope servers WHEN.

The PCI DSS standard is explicit on this. If you need to demonstrate PCI DSS compliance, then you must install FIM software to track changes to:

  • Critical system files
    • System executables
    • Application executables
  • Configuration files / content files (including cardholder data)
  • Centrally stored, historical or archived, log and audit files

How FIM Works

Generally, FIM relies on agent-based technology that is installed on the host or server where sensitive files are stored. In AlienVault USM, we rely on lightweight agents that are provisioned, managed, and monitored centrally via our web-based console. As soon there is a change to a monitored file, the USM platform triggers an Alarm. Even though these changes might not require a response, it’s important to monitor all activity to first determine a baseline and then detect any abnormalities like policy violations or potential system compromise.

Implement File Integrity Monitoring with Integrated Host-based IDS (HIDS) Simplify the implementation of file integrity monitoring by using a single, multi-functional agent, rather than installing multiple single-purpose agents. With AlienVault USM, you can deploy a single agent to perform file integrity monitoring, as well as host-based intrusion detection. Deploying agents is easy, simply navigate to the HIDS view by clicking "Enable HIDS" in the Asset Properties window, and choose "Add Agent" as you can see in the screenshot to the right.

Monitor Privileged User Activity

Monitoring privileged user activity on your critical systems and files is an essential security best practice. In fact, many regulatory standards, including PCI DSS, explicitly require it. AlienVault's implementation of host-based IDS and file integrity monitoring enables you to track all activity on your critical systems. These events are forensically captured, processed, and correlated with other data to provide the necessary context you need for effective incident response. The screenshot to the right shows some examples of these privileged user activities, as captured and reported by AlienVault's agent.

Evaluate Threat Trends on Critical Systems

In addition to monitoring individual events on your critical systems, you'll also want to evaluate performance and threat trends over time. AlienVault USM provides graphical trending reports and dashboards so you can easily spot anomalies and issues that might require additional investigation. You'll be able to quickly identify deviations from operational baselines, which often signal a potential system compromise.