File Integrity Monitoring Buyer's Guide

There is still no such thing as 100% secure. Nobody can offer a guarantee to stop every cyber attack. Breaches keep coming, even for the world’s largest and best resourced organisations.

File integrity monitoring (FIM), done properly, monitors and reports any change to the integrity of system and configuration files. Maintaining integrity is key because changes to files could represent a malware infection.

A complete FIM solution will cover platforms, system files, configuration and confidential data offering context-based file integrity monitoring and file whitelisting to assure all change activity is automatically analysed and validated.

What is FIM and why is it important?

File integrity monitoring (FIM) is an essential security control operated to expose any change to the integrity of system and configuration files. Maintaining integrity is key for two key reasons:

• Changes to files could represent a malware infection and FIM provides a forensic-level breach detection mechanism to combat this.
• With prevention better than cure, security defences can only be maintained via a secure, ‘hardened’ configuration, so monitoring for any decay or drift of configuration states is vital.

Integrity monitoring directly relates to the concept of change control. Any organisation’s ‘attack surface’ is affected by changes made, chiefly to installed software and configuration settings. And from a security standpoint, change control is the only way to distinguish between legitimate IT activity and a stealthy cyber attack.

In fact, the term ‘file integrity monitoring’, while accurate, may be a little misleading. Do we really only want to protect the integrity of our program files? What about, for example, firewall rules – one of the most critical configuration items in any network? And what about the Windows registry? This holds the entire security policy for all business-critical servers? Then we come to the applications themselves, which really do need protection – what about web applications and databases?

What should you look for in an effective FIM solution?

Below are eight essential considerations when selecting the right FIM solution.

1. Surveillance must be real-time and context-rich;
2. Monitoring must be cross-platform/application/device for any heterogeneous enterprise estate;
3. The ‘I’ in FIM is the most important element;
4. Must provide forensic detail while muting change noise. Files change, they are meant to change. Ensure your FIM solution can separate normal change from abnormal or unexpected;
5. Must integrate with SIEMs and SOCs to provide critical assistance during any route cause analysis;
6. Must support the complete GRC spectrum from DISA STIG through NIST 800, NERC, PCI and not stop until SOX;
7. Must be able to scale in a linear manner from 10 devices to 1 million+; and
8. Change control must leverage ITSM planned change/RFC data proprietary.

This Buyer’s Guide will allow you to develop a complete criteria checklist and discover key capabilities that will impact your decision when selecting the right FIM solution for your organisation.

Download a full copy of the FIM Buyer's Guide -https://www.netwrix.com/fim_buyers_guide.html