The integrity of system and configuration files of various services and applications is critical for building and maintaining secure IT environments. Hence, multiple compliance objectives (HIPAA, PCI DSS, SOX, FISMA and more) require implementing file integrity monitoring to ensure that these critical files are changed as part of authorized, documented and controlled processes only.
Many companies invest in file integrity monitoring solutions to ensure business continuity, uptime, and security. However, file integrity monitoring is a process in which software solutions play a major role but do not get the job done on their own. By far the most common way of delivering change detection is scan based: create a baseline of whatever it is you are monitoring, then compare every snapshot produced by subsequent scans against that baseline. If anything is different – report it. In spite of excellent marketing messaging, this might not give you real visibility into the changes:
You only know about changes when the scan process is over – in most real cyber attacks, that is too late. Once attackers gain access to important configuration files, it is a matter of minutes, if not seconds, until they can damage your organization;
You only know about the last change: if a file has changed three times between two scans, the report will say it changed once. An attacker may alter an important file, perform the malicious activity, and then change it back to what it was. You will never know what happened;
You know what changed and how much, but you do not get the context: who performed the change, when it was performed, and which process or application was involved. Hence, you cannot investigate a change (as required by the compliance process);
Many important files change very often as part of normal operations, so change reports are usually very large. In most cases, it is up to you to determine which changes represent a threat and matter from a security perspective. This task can be very time-consuming, and the results are usually subjective and unreliable;
Scans read large amounts of data from disk, calculate checksums, and process that data to detect changes. The bigger the scope of the scan, the longer it takes to complete, and the impact on system performance is usually noticeable.
Further reading on these limitations is available in this whitepaper by SANS.
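To make the second limitation above concrete, here is an added example (not code from the original article or from any TEMASOFT product): a minimal scan-based checker that hashes files into a baseline and diffs later scans against it. The sample config file, its tampered content and the modify-then-revert sequence are constructed for the demonstration; the point is that a change reverted before the next scan leaves no trace in the report, and even a detected change carries no who/when/which-process context.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """Return the SHA-256 hex digest of a file's contents (read in chunks)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(paths):
    """Take a snapshot: {path: sha256} for every monitored file."""
    return {str(p): hash_file(p) for p in paths}


def diff_snapshots(baseline, snapshot):
    """Report paths whose hash differs from the baseline.
    This is all a scan-based checker can say: what differs now,
    not when it changed, how many times, or by which process."""
    return sorted(p for p in baseline if baseline[p] != snapshot.get(p))


TAMPERED = b"[auth]\nrequire_mfa = false\n"   # constructed tampered content
ORIGINAL = b"[auth]\nrequire_mfa = true\n"    # constructed sample config


def modify_and_revert(path):
    """Between two scans: alter the file, then restore it (constructed scenario)."""
    path.write_bytes(TAMPERED)
    path.write_bytes(ORIGINAL)


def demo():
    """Return (report after a reverted change, report after a persistent change)."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "app.conf"
        cfg.write_bytes(ORIGINAL)
        baseline = scan([cfg])
        modify_and_revert(cfg)                 # happens entirely between scans
        after_revert = diff_snapshots(baseline, scan([cfg]))   # -> [] : blind spot
        cfg.write_bytes(TAMPERED)              # change that persists until the scan
        after_change = diff_snapshots(baseline, scan([cfg]))   # -> [path]
        return after_revert, after_change


if __name__ == "__main__":
    print(demo())
```

Only the second report lists the file; the first, reverted change is invisible to the scan, which is exactly the gap an event-driven (real-time) detector is meant to close.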
Newer solutions overcome most of these limitations by implementing real-time file change detection, at the cost of having an agent installed on the machines you want to monitor.
Real-time file change detection does not use snapshots or baselines but instead detects when a file changes as it happens. Hence, it can alert you in real time and also delivers a context around the change, allowing further investigation and superior visibility into what happened. At the same time, such an approach guarantees that changes are never lost, no matter when they occur. Usually, the agent implementations have a small footprint without any noticeable performance impact on the target machine. However, these agents need to be deployed and maintained.
The one issue that remains even with this approach, in most cases, is identifying the dangerous changes among the vast number of changes that usually take place on a computer.
TEMASOFT is one of the few companies that delivers real-time file integrity monitoring functionality and continuously invests in addressing this remaining limitation, to help IT admins identify threatening changes and equip them with actionable information about them. In this respect, TEMASOFT FileMonitor, our file monitoring software, has a particular set of features that also make it a very efficient file integrity monitoring application. Furthermore, along with the benefits of real-time file integrity functionality, our technology can narrow down the list of changes by correlating each detected change with:
TEMASOFT offers this functionality for FREE for up to two workstation PCs, for personal use.
This post was last modified on August 21, 2023 7:27 am