We recently added File Integrity Monitoring (FIM) to the Guardicore Centra Security Platform and wanted to share how it can help your organization detect breaches and achieve compliance with regulations such as PCI DSS and HIPAA. These regulations require integrity monitoring as an internal control that must be deployed to ensure protection of an organization’s critical assets and data. Overall, organizations that apply FIM gain increased confidence that their critical data is protected against unauthorized changes.
What is FIM?
FIM is a change-detection mechanism that is designed to alert on any unauthorized modification of files. The way to do this is to compare the current file state with a known, good baseline. By ‘baseline’ we’re referring to an agreed description of the attributes of the file, at a point in time, which serves as a basis for defining change. This comparison method involves calculating a cryptographic checksum of the file in its baseline state and comparing it with the checksum calculated over the current state of the file; if the two differ, the file has changed. Guardicore uses the SHA-256 hashing algorithm.
FIM helps detect malicious activity and configuration errors
While constant file and configuration changes are completely normal, sudden changes to the contents of critical system files can be indicative of a breach. Attackers may want to change, add or delete file contents to avoid detection after gaining entry into a network. Monitoring the organization’s critical system and application files for modifications can trigger an alert for malicious activity before it escalates into a breach.
Many security frameworks include FIM
FIM also plays an essential role in breach investigation. Using FIM data, security teams can determine which critical files were modified, which assets were involved and the communication flows at the time of the breach. That’s why compliance frameworks such as PCI DSS and HIPAA, the March 2017 Gartner Market Guide for Cloud Workload Protection Platforms and the Forrester report “Vendor Landscape: Cloud Workload Security Solutions, Q3 2017” include a control for file integrity monitoring.
- Section 10.5.5 of PCI DSS v3.2 requires FIM and other change detection tools to make sure alerts are generated for every change in log data: “10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).”
- Section 11.5 of PCI DSS v3.2 requires FIM for alerting on unauthorized modifications of critical data files and requires file comparisons at least once a week: “11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”
- Gartner includes FIM within System Integrity Monitoring/Management, which is one of five core components of a server protection platform according to the Gartner Market Guide for Cloud Workload Protection Platforms.
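To make the baseline comparison from the “What is FIM?” section and the two PCI DSS requirements above concrete, here is an added example in Python. It is not Guardicore’s code and does not show how Centra works internally; it only illustrates the method the text describes: record a SHA-256 checksum (and size) per file as the baseline, re-hash later, and report changes, additions and deletions (PCI DSS 11.5). For files declared append-only, such as logs, it hashes the first baseline-size bytes of the current file: if that prefix still matches the baseline hash and the file grew, the change is a pure append and is reported separately instead of alerting, which is the distinction PCI DSS 10.5.5 draws for log data. The `demo()` function builds its own constructed sample files in a temporary directory, so everything runs offline; the file names and contents are assumptions for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def sha256_file(path, limit=None):
    """SHA-256 of a file, or of its first `limit` bytes when limit is given.
    The limited form is used for the append-only (log) check."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Baseline: path -> (sha256 hex digest, size in bytes) at a point in time."""
    return {p: (sha256_file(p), os.path.getsize(p)) for p in paths}


def compare(baseline, paths, append_only=frozenset()):
    """Compare the current state of `paths` with `baseline`.

    Returns a dict with four sorted lists:
      changed  - content differs from baseline (alert)
      added    - file not in baseline (alert)
      deleted  - baseline file no longer present (alert)
      appended - append-only file whose original bytes are intact and
                 which only grew (no alert, per PCI DSS 10.5.5 for logs)
    """
    current, known = set(paths), set(baseline)
    result = {
        "changed": [],
        "added": sorted(current - known),
        "deleted": sorted(known - current),
        "appended": [],
    }
    for p in sorted(current & known):
        base_hash, base_size = baseline[p]
        if sha256_file(p) == base_hash:
            continue  # unchanged
        grew = os.path.getsize(p) > base_size
        if p in append_only and grew and sha256_file(p, base_size) == base_hash:
            result["appended"].append(p)  # original log data untouched, only new lines
        else:
            result["changed"].append(p)   # modified, truncated or rewritten
    return result


def demo():
    """Constructed scenario: baseline four files, then mutate them and compare.
    Returns the comparison keyed by base name so the outcome is easy to check."""
    d = tempfile.mkdtemp()
    f = lambda name: os.path.join(d, name)
    initial = {
        "app.conf": b"debug=false\n",   # config file that will be modified
        "app.log": b"line1\n",          # log that will only be appended to
        "audit.log": b"ok\n",           # log that will be rewritten (tampered)
        "gone.txt": b"g\n",             # file that will be deleted
    }
    for name, content in initial.items():
        with open(f(name), "wb") as fh:
            fh.write(content)
    baseline = build_baseline([f(n) for n in initial])

    # Simulated activity after the baseline was taken.
    with open(f("app.conf"), "wb") as fh:
        fh.write(b"debug=true\n")            # legitimate-looking but unauthorized edit
    with open(f("app.log"), "ab") as fh:
        fh.write(b"line2\n")                 # normal log append: should not alert
    with open(f("audit.log"), "wb") as fh:
        fh.write(b"xx\nline2\n")             # grew, but original bytes replaced: alert
    os.remove(f("gone.txt"))
    with open(f("new.so"), "wb") as fh:
        fh.write(b"\x7fELF")                 # unexpected new binary: alert

    paths = [f(n) for n in os.listdir(d)]
    report = compare(baseline, paths, append_only={f("app.log"), f("audit.log")})
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:9s}: {files}")
```

Hashing the full file on every check is what keeps the comparison honest: a size-only or timestamp-only check would miss an in-place edit that preserves length. The prefix-hash trick for append-only files is deliberately strict as well, since a log that was truncated and then refilled past its old size still fails the prefix comparison and is reported as changed.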
FIM capabilities in the Guardicore Centra Security Platform
Using its lightweight agent module, Centra performs routine integrity checks to identify file alterations across cloud and data center environments. FIM is low on CPU consumption and has no impact on performance.
Need to meet integrity monitoring requirements? Looking for a comprehensive Cloud Workload Protection solution? Give us a call or Request a Demo