Today, organizations simply use file integrity monitoring (FIM) to meet one of the many regulations, like PCI, that require it. But for most, the term “FIM” has become synonymous with “noise” due to the volume of change data it indiscriminately produces. Learn what true FIM is, and why it’s still critical for security and compliance.
Whitepaper here: http://www.tripwire.com/register/meeting-the-true-intent-of-file-integrity-monitoring/
2 | WHITE PAPER | Meeting the True Intent of File Integrity Monitoring

Introduction

The term "file integrity monitoring," or FIM, popped up back in 2001 when Visa started working on a security specification that would eventually become the Payment Card Industry Data Security Standard (PCI DSS, or just PCI). FIM was referenced in two requirements of the PCI specification, but requirement 10.5.5 specifically instructed organizations that processed, transmitted or stored cardholder data to "Use file integrity monitoring/change detection software (such as Tripwire) on logs to ensure that existing log data cannot be changed without generating alerts."

In reality, FIM had been around before its reference in the evolving PCI standard. Previously, though, it used a different name: "change audit." So here we are ten years later. Where is FIM now? Is it still relevant or important? Does it really protect data and improve security? The answers, in order, are:

1. FIM is still called file integrity monitoring (FIM), and is now part of almost every IT compliance regulation and standard and every IT security standard. Some refer to FIM as "change audit."

2. Yes, FIM is still relevant and important, although many organizations that must use FIM solutions complain that the term "FIM" is now synonymous with "noise" due to the huge volume of changes these solutions detect.

3. Yes, FIM does protect data and improve security, but only when FIM has specific capabilities.

In this paper, we give an overview of FIM, an explanation of how FIM provides data protection and improves security, and what capabilities FIM must offer to effectively provide that data protection and security.

AN OVERVIEW OF FIM

FIM is technology that monitors files of all types and detects changes in these files that can lead to increased risk of data compromise. Unfortunately, many merchants subject to FIM under PCI have lost sight of its intent and spirit. For these merchants, FIM means noise: too many changes, no context around these changes, and very little insight into whether or not a given detected change poses a risk or is just business-as-usual. It's hard to argue with them given that this has been their experience with the FIM tools they've used.

FIM actually is a critical tool in the fight against cardholder data compromise, and really, against compromise of any type of sensitive data; however, a true FIM tool must provide additional information. That information, or intelligence, would allow it to alert security teams only to changes that pose an increased threat to cardholder data, and not to the hundreds of thousands or even millions of changes that occur daily on large, enterprise-level IT infrastructure. It's also important to understand that while FIM is valuable to PCI, it can be and is used to reduce the risk of compromise to any IT asset, not just cardholder data.

Making FIM an Effective Security Tool

To return FIM to its rightful place at the security table, we must change how we use FIM and ensure our FIM solution has specific capabilities. We must decide what in the infrastructure needs to be monitored and how to manage the changes to those IT assets that our FIM solution detects. We also need a solution that gives us more information than a basic "something changed." Finally, we need to analyze each change to identify when changes introduce risk.

DETERMINING WHAT TO MONITOR AND MANAGING DETECTED CHANGES

Monitoring every file on every device or application all the time is impractical and unnecessary, so the first step for effective FIM is controlling what is monitored. Ideally, a FIM solution would provide a way to control what files are monitored for change and the level of monitoring these files require. In other words, the solution would let you determine how much information about these files—the file properties—you want to capture. You would make those determinations based on the type of file being monitored and how much risk changes to a file might introduce. For example, a permissions file for a financial application represents a high-risk file. You would likely want to harvest enough properties about changes to this file to help you determine if a change is "expected" or if it is "suspect."

Although you will limit the scope of the files you monitor, as well as the properties you capture for each monitored file, even a medium-sized organization will generate a large amount of change data. Managing the large volume of change data captured by a FIM solution requires a
version-based architecture that is compact and fast, and that stores data permanently. One approach that has proven highly successful is to capture the initial state, or baseline, of every monitored file or element and store it in a database. From that point on, the solution detects any changes to an element, including the properties you determined need to be monitored, and stores that change data in the database as the original baseline version plus these typically minor changes. These "delta" versions, where delta means incremental change to the element's properties, must be stored indefinitely in the database. But to truly add value, the solution must allow this captured history of each element to be accessed, analyzed and acted upon at any point in time.

DETERMINING WHAT CHANGED AND WHO MADE THE CHANGE

Knowing only that a file has changed is of little use unless you know what about the file or what within the file has changed. Each file has dozens of attributes that, if changed, could spell trouble. Capturing these attributes can provide information essential in determining if the change is harmful or harmless—it tells you exactly what within a file changed so you can quickly determine if the change was high-risk and provides the information required to fix the issue. A true FIM solution will be able to harvest this level of information, including changes to configuration files and even character-for-character differences in human-readable file types like Word documents or PDF files.

In addition, knowing who made a change is often key to determining if a change is suspect or low-risk. But capturing the "who" data is not easy, and most FIM solutions are unable to provide this important information. Most FIM solutions available today need OS auditing enabled on the monitored device to get this "who" information, yet most IT professionals will not allow this due to concerns about security. The use of real-time detection agents installed on each monitored device can overcome this issue. Whichever approach is used, the audit trail or the agent must itself be protected from tampering by the same privileged users whose changes it records; otherwise the "who" data can be erased along with the evidence of the change.

DETERMINING IF EXPECTED, ACCEPTABLE CHANGES WERE MADE

Many changes are intended to make improvements or to correct problems. However, just because a change is proposed and scheduled does not mean that it was actually made or made correctly. Being able to confirm that a change has successfully been made is critical; otherwise improvements that you think were made are not always realized and problems remain when you think they have been resolved. A true FIM solution needs to detect a change, and must also be able to compare that change against what was expected to change. Such capability provides independent confirmation of change processes and policies.

While most changes are intentional, or at least not harmful, some changes simply shouldn't be made because they pose increased risk to the environment. Critical configuration files are one example. Each of these files contains one or more configuration settings whose values must be in predefined states or ranges to meet and maintain security policy. If any of these configuration files are changed, the settings values must immediately be re-evaluated to determine if they still conform to the security policy. Application executable (.exe) files of mission-critical applications are another example of file types that should probably generate an alert if they change for any reason. A true FIM solution must know what has changed, what specific files are supposed to change, and if a given change is within policy. This ability to analyze changes converts volumes of change data from "noise" into actionable intelligence.

ADDRESSING THE ISSUE OF UNAUTHORIZED VS. UNDESIRED/SUSPECT CHANGE

PCI DSS 11.5 requires merchants to "…alert on unauthorized modification of critical system, content or configuration files…," but the term "unauthorized" is fairly misleading. Many interpret the term to mean that they must measure how well the organization adheres to change process policy. In fact, the intent of the term in the requirement is for organizations to be alerted to changes that are undesirable and could put cardholder data at risk of compromise. The 11.5.b Testing Procedure that was added in version 2.0 of the security standard clarifies that it is an audit requirement to "Verify the tools are configured to alert personnel to unauthorized modification of critical files…".

Auditors have typically required proof that appropriate change data has been captured, but there has been inconsistency in verifying whether the FIM solution was also configured to determine if any of the detected changes were not authorized. Too often, the change data has just been stored "in bulk" in an effort to meet compliance requirements. However, if the data is not continually analyzed for "high-risk" change, the FIM solution provides limited—or no—protection against cardholder data compromise. Even in cases where the FIM solution is being used to help determine which changes don't follow the approved change process, unauthorized change differs a great deal from suspect or undesired change. Unfortunately, many presume that unauthorized change is always "bad," which is not necessarily true. While an unauthorized change may not have followed the defined change process policy, it may actually resolve a critical problem. On the other hand, defining a change as authorized presumes it is a "good" change, which may be equally untrue. Many authorized changes cause problems and have to be rolled back or modified—sometimes using an unauthorized process.

Whether a detected change can be reconciled to some form of authorization or not fails to address the issue of a "bad" change; that is, a change that exposes a device or application to increased risk of compromise. Finding bad change is the issue that must be addressed by FIM—and that is the true intent of the PCI DSS 11.5 requirement. And not only should FIM detect bad change, it should detect it immediately so the damage can be minimized. A true FIM solution helps merchants automatically determine if a detected change is authorized (or even most likely authorized). More importantly, a true FIM helps automatically determine if a change is suspect and needs immediate investigation, or is expected and can be considered low- or no-risk.

THE CAPABILITIES OF TRUE FIM

Detects changes
Determines which changes introduce risk
Determines which changes result in non-compliance
Distinguishes between high- and low-risk changes
Integrates with other security point solutions

Conclusion: True FIM Makes FIM Relevant

So again, we ask, "Is FIM still relevant and important?" The answer is a resounding yes. FIM is a critical capability IT security and compliance need to protect the IT infrastructure and its sensitive data. But for FIM to be relevant, it must do a lot more than just detect changes. "True FIM" must use change detection to help determine whether the changes are good or bad. It must also provide multiple ways to distinguish low-risk change from high-risk change. And it must do this at the speed of change.

In addition, true FIM should also work with other security point solutions, like those for log and security event management. Correlating change data with log and event data allows security professionals to better protect their environment, including cardholder data environments. Doing so allows security professionals to quickly see, trace and relate problem-causing activities to each other. Such visibility and intelligence provides the key to quickly remediating issues before they cause real damage.
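The baseline-plus-delta store described under "Determining what to monitor and managing detected changes", and the attribute-level and content-level diffing described under "Determining what changed and who made the change", as an added Python example that is not Tripwire's code or the paper's: it harvests a baseline of each monitored file's properties, records only the properties that differ as successive delta versions, reconstructs any historical version on demand, and diffs two stored versions of a text file. The property set (size, mode, owner, mtime, SHA-256), the in-memory store standing in for a database, and the sample configuration file are assumptions constructed for the demonstration.

```python
"""Baseline-and-delta change store with queryable history (added example,
not Tripwire code). Property set, in-memory store and sample file are
assumptions made for the demonstration."""
import difflib
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, field


def harvest(path, keep_text=False):
    """Collect the monitored properties of one file. keep_text retains the
    body so later versions can be diffed; assumed sensible only for small,
    human-readable files such as configuration files."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        data = f.read()
    props = {
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime_ns": st.st_mtime_ns,
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if keep_text:
        props["text"] = data.decode("utf-8", errors="replace")
    return props


@dataclass
class Element:
    """One monitored element: its baseline plus an append-only list of deltas.
    A delta maps property -> (old, new); version n is the baseline with the
    first n deltas applied, so every historical state stays reconstructible."""
    path: str
    baseline: dict
    deltas: list = field(default_factory=list)

    def version(self, n=None):
        props = dict(self.baseline)
        for delta in self.deltas[:n]:
            for prop, (_old, new) in delta.items():
                props[prop] = new
        return props


class ChangeStore:
    """Stands in for the database the paper describes (assumption)."""

    def __init__(self):
        self.elements = {}

    def baseline(self, path, **opts):
        self.elements[path] = Element(path, harvest(path, **opts))

    def check(self, path, **opts):
        """Re-harvest the file and append a delta holding only the properties
        that differ from the latest stored version. Returns that delta; an
        empty dict means nothing changed and nothing was stored."""
        el = self.elements[path]
        latest, current = el.version(), harvest(path, **opts)
        delta = {p: (latest.get(p), current.get(p))
                 for p in set(latest) | set(current)
                 if latest.get(p) != current.get(p)}
        if delta:
            el.deltas.append(delta)
        return delta

    def content_diff(self, path, old=None, new=None):
        """Line-level diff between two stored versions of a text element."""
        el = self.elements[path]
        a = el.version(old).get("text", "").splitlines()
        b = el.version(new).get("text", "").splitlines()
        return list(difflib.unified_diff(a, b, lineterm="", n=0))


def demo():
    """Constructed scenario: a configuration file is edited, then its
    permissions are loosened. Returns what the store recorded."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.conf")
        with open(cfg, "w") as f:
            f.write("debug=false\nmax_login_attempts=5\n")
        store = ChangeStore()
        store.baseline(cfg, keep_text=True)

        with open(cfg, "w") as f:          # content change
            f.write("debug=true\nmax_login_attempts=5\n")
        first = store.check(cfg, keep_text=True)

        os.chmod(cfg, 0o666)                # permission change only
        second = store.check(cfg, keep_text=True)

        return {
            "versions": len(store.elements[cfg].deltas) + 1,
            "first_changed": sorted(first),
            "second_changed": sorted(second),
            "diff_0_to_1": store.content_diff(cfg, 0, 1),
            "latest_mode": store.elements[cfg].version()["mode"],
            "recheck": store.check(cfg, keep_text=True),
        }
```

Storing `(old, new)` pairs per property rather than a full copy of the file on every change is what keeps the history compact; the cost is that reconstructing version n walks the deltas, which is cheap for the typically short change histories of individual files.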
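The reconciliation and policy checks described under "Determining if expected, acceptable changes were made" and "Addressing the issue of unauthorized vs. undesired/suspect change", together with the "who" question raised under "Determining what changed and who made the change" and the conclusion's point about correlating change data with log data, as one added Python example that is not Tripwire's code or the paper's. Each detected change is reconciled against an approved change ticket (host, file, window, expected hash); configuration values are re-evaluated against policy whether or not the change was authorized, so an authorized change can still be high-risk; a critical executable replaced outside a reconciled change always alerts; and a "who" is attributed by correlating with the most recent login on the same host. The change events, tickets, policy rules and sshd log lines are constructed, and the verdict names and ticket format are assumptions.

```python
"""Change triage for "true FIM" (added example, not Tripwire code): reconcile
each change against an approved ticket, evaluate policy regardless of
authorization, always alert on unreconciled executable changes, and attribute
a "who" from login events. Every input below is constructed."""
import re
from datetime import datetime, timedelta

# Constructed change events (assumed shape: ISO time, changed properties as
# (old, new), and parsed settings when the file is a configuration file).
CHANGES = [
    {"host": "pos-01", "path": "/opt/pay/app.conf", "time": "2011-06-14T02:10:00",
     "props": {"sha256": ("aa11", "bb22")}, "settings": {"tls_min_version": "1.0", "max_login_attempts": "5"}},
    {"host": "pos-01", "path": "/opt/pay/pay.exe", "time": "2011-06-14T02:11:30",
     "props": {"sha256": ("cc33", "dd44")}, "settings": {}},
    {"host": "pos-02", "path": "/opt/pay/app.conf", "time": "2011-06-14T09:00:00",
     "props": {"sha256": ("aa11", "ee55")}, "settings": {"tls_min_version": "1.2", "max_login_attempts": "5"}},
    {"host": "pos-03", "path": "/opt/pay/app.conf", "time": "2011-06-14T09:30:00",
     "props": {"sha256": ("aa11", "ff66")}, "settings": {"tls_min_version": "1.2", "max_login_attempts": "0"}},
]
# Constructed tickets (assumed format): host, file, window, expected hash afterwards.
TICKETS = [
    {"id": "CHG-1042", "host": "pos-02", "path": "/opt/pay/app.conf",
     "window": ("2011-06-14T08:00:00", "2011-06-14T10:00:00"), "sha256": "ee55"},
    {"id": "CHG-1043", "host": "pos-03", "path": "/opt/pay/app.conf",
     "window": ("2011-06-14T08:00:00", "2011-06-14T10:00:00"), "sha256": "ff66"},
]
# Policy: each setting must satisfy its predicate to remain compliant.
POLICY = {
    "tls_min_version": lambda v: float(v) >= 1.2,
    "max_login_attempts": lambda v: 1 <= int(v) <= 6,
}
ALWAYS_ALERT = re.compile(r"\.(exe|dll|so)$")
# Constructed sshd lines used to attribute a change to a login session.
AUTH_LOG = [
    "Jun 14 02:05:12 pos-01 sshd[4411]: Accepted password for svc_backup from 10.0.9.77 port 51022 ssh2",
    "Jun 14 08:55:40 pos-02 sshd[5120]: Accepted publickey for deploy from 10.0.1.5 port 40110 ssh2",
]
LOGIN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")


def find_ticket(change):
    """Ticket for the same host and file whose window covers the change time."""
    t = datetime.fromisoformat(change["time"])
    for tk in TICKETS:
        start, end = (datetime.fromisoformat(x) for x in tk["window"])
        if (tk["host"], tk["path"]) == (change["host"], change["path"]) and start <= t <= end:
            return tk
    return None


def policy_violations(settings):
    return sorted(k for k, v in settings.items() if k in POLICY and not POLICY[k](v))


def who(change, log=AUTH_LOG, year=2011, lookback=timedelta(hours=1)):
    """Most recent login on the change's host within lookback before it, or None."""
    t = datetime.fromisoformat(change["time"])
    best = None
    for line in log:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if m.group(2) == change["host"] and t - lookback <= when <= t:
            if best is None or when > best[0]:
                best = (when, f"{m.group(3)}@{m.group(4)}")
    return best[1] if best else None


def triage(change):
    ticket = find_ticket(change)
    new_hash = change["props"].get("sha256", (None, None))[1]
    reconciled = ticket is not None and ticket["sha256"] == new_hash
    reasons = []
    if reconciled:
        reasons.append(f"reconciled to {ticket['id']}")
    elif ticket:
        reasons.append(f"inside window of {ticket['id']} but content differs from the expected version")
    else:
        reasons.append("no matching change ticket")
    # Authorization does not make a change good: policy is evaluated regardless.
    violations = policy_violations(change["settings"])
    if violations:
        verdict = "high-risk"
        reasons.append("policy violation: " + ", ".join(violations))
    elif ALWAYS_ALERT.search(change["path"]) and not reconciled:
        verdict = "high-risk"
        reasons.append("critical executable replaced outside a reconciled change")
    else:
        verdict = "expected" if reconciled else "suspect"
    return {"host": change["host"], "path": change["path"], "verdict": verdict,
            "reasons": reasons, "who": who(change)}


def run(changes=CHANGES):
    return [triage(c) for c in changes]
```

Running `run()` on the constructed input yields two high-risk changes on pos-01 (a TLS setting lowered out of policy, and the payment executable replaced with no ticket, both attributable to the svc_backup session), one expected change on pos-02 that reconciles to CHG-1042, and a high-risk change on pos-03 that does reconcile to CHG-1043 yet sets max_login_attempts to 0, which is exactly the "authorized but bad" case the paper warns about. The one-hour login lookback is a simplification; a production correlation would use audit records or agent-captured process and user context rather than the nearest login.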