/* ---- Google Analytics Code Below */

Monday, March 15, 2021

File Integrity Monitoring

Certainly an element of security and a means of detecting anomalous behavior that pints to a threat.

How FIM Is More Than Just About Maintaining Compliance

Tripwire Guest Authors

The purpose of every security team is to provide confidentiality, integrity and availability of the systems in the organization. We call it “CIA Triad” for short. Of those three elements, integrity is a key element for most compliance and regulations.

Some organizations have realized this and decided to implement File Integrity Monitoring (FIM). But many of them are doing so only to meet compliance requirements such as PCI DSS and ISO 27001. However, file integrity monitoring is more than just about complying with regulations; it is also an important key to staying secure and safe. I will try to touch on these ideas below.

Change as a Source of Potential Insecurity

Changes are inevitable on IT systems. IT admins can change systems’ configurations or files, delete them or add new ones. These changes are normal if they are performed by authorized people.

However, not just authorized people make changes on systems, and not all authorized changes mean these changes are approved. When a penetration occurs, a threat actor also makes changes on an organization’s systems. They reflect his efforts to establish a lasting network and then to move laterally, try to find sensitive and more important data and ultimately exfiltrate it. All these operations require changes on the systems.

Fortunately, organizations can use a FIM tool to spot those malicious activities. That’s because a file integrity monitoring tool detects changes on the systems such as those made to files, services, registry, etc. The tool helps to identify changes, thereby helping to provide perspective on whether they are authorized or not.

As I mentioned above, most organizations that are using file integrity monitoring are doing so just to comply with regulations. For example, if they need to be compliant with ISO 27001 for one of their applications or departments, they’ll only deploy FIM to that department’s applications or servers. Of course, it is important to comply with regulations, but organizations need to think more widely about FIM. ... ' 

No comments: