File monitoring is an internal audit process of automatically observing and recording important aspects regarding how files are being accessed and how they change over time. Many controls defined by security standards require the implementation of such processes for compliance.
In essence, file monitoring is performed for two important reasons:
– To ensure the integrity and validity of critical system files (file integrity monitoring);
– To determine and record who accesses files, in what way and for which purpose (file access auditing).
File integrity monitoring
The operating system, as well as critical applications such as database servers, web servers, security sub-systems, etc., use various files to perform their specific tasks. Those files are also a target of malicious attackers who want to compromise computers, critical applications or services. Accessing and modifying security-sensitive files is one of the most important steps during a cyber attack.
A typical example of such an attack:
Web defacing attack – this attack requires the hacker to gain access to the source files of a website and replace its valid contents with other contents. Attackers gain access in various ways, but to successfully deface a website they need to replace files or file contents, or modify the source code of the website.
A relatively recent example involving a governmental website in Ohio, US can be found here.
Website source files should not change outside an authorized and controlled process, hence monitoring their integrity is crucial for ensuring the site is running as expected.
Another example is a security requirement that is part of PCI DSS, Requirement 10.5.5: “Requirement 11.5 deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) to critical system files, configuration files, or content files.”
By implementing file integrity monitoring, businesses and institutions ensure that critical systems, applications, and services are running properly and that any attempt to modify important files results in an alert that can be further investigated and addressed as per security best practices. For this purpose, most organizations use file integrity monitoring solutions that alert when critical files are changed and record the following about each incident:
– The target file name;
– The type of change (content change, attributes change, security attributes change);
– The timestamp.
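As an added illustration (not TEMASOFT's code or the product's logic), the following Python example shows the core of such a check: it baselines a directory with content hashes plus permission and owner attributes, then classifies each difference as a content change, an attribute change, an addition or a deletion. The file names and the tampering scenario in `demo()` are constructed for the example.

```python
import hashlib
import pathlib
import stat
import tempfile

def snapshot(root):
    """Baseline: relative path -> (sha256 of content, permission bits, (uid, gid))."""
    base = {}
    for path in pathlib.Path(root).rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # directories, symlinks, sockets and devices are not baselined
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        base[str(path.relative_to(root))] = (digest, stat.S_IMODE(st.st_mode), (st.st_uid, st.st_gid))
    return base

# Change types, in the same order as the snapshot tuple fields they are compared against
LABELS = ("content changed", "permissions changed", "owner changed")

def compare(baseline, current):
    """Diff two snapshots into (path, change type) events, sorted by path."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            events.append((path, "deleted"))
        elif path not in baseline:
            events.append((path, "added"))
        else:
            for old, new, label in zip(baseline[path], current[path], LABELS):
                if old != new:
                    events.append((path, label))
    return events

def demo():
    """Constructed scenario: baseline a small web root, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        p = lambda name: pathlib.Path(root, name)
        p("index.html").write_bytes(b"<h1>Welcome</h1>")
        p("app.conf").write_bytes(b"debug=0\n")
        p("app.conf").chmod(0o640)
        p("old.log").write_bytes(b"")
        baseline = snapshot(root)
        p("index.html").write_bytes(b"<h1>Defaced</h1>")  # content replaced
        p("app.conf").chmod(0o666)                          # permissions loosened
        p("unknown.bin").write_bytes(b"\x00")                # unexpected addition
        p("old.log").unlink()                                # deletion
        return compare(baseline, snapshot(root))
```

An owner change is detected the same way but is not exercised in `demo()`, since changing ownership needs root.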
File monitoring for access auditing
Most security standards and data protection regulations require that access to systems and files holding security-sensitive information is monitored and recorded. This requirement is just one piece of a wider set of controls aimed at identifying data leakage incidents, reporting such incidents as per the legal requirements in place, and investigating these incidents to understand:
– The volume of data being affected;
– The type of information involved;
– The premises leading to the incident and how to respond to avoid such events in the future;
– Who the culprits are (if any).
An important part of complying with this requirement is implementing a process through which all access to valuable data and files is monitored and recorded in real time. In the context of this process, most organizations use dedicated file auditing solutions that can identify at least the following aspects of each file access attempt:
– The user who initiated the action;
– The process being used;
– The target file being used;
– The type of access (read, write, attributes changed);
– The timestamp.
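As an added example (not part of the original article or the product), this Python snippet reconstructs exactly those five attributes from Linux auditd records: it joins the SYSCALL and PATH records of one event by serial number and derives the access type from the syscall and the open flags. The log lines are constructed, and the syscall numbers assume x86_64.

```python
import re
from datetime import datetime, timezone

# Assumption: x86_64 syscall numbers; the arch field would differ on other platforms.
SYSCALLS = {2: "open", 257: "openat", 87: "unlink", 263: "unlinkat", 90: "chmod", 268: "fchmodat"}
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into (type, unix time, serial, {field: value})."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return rtype, float(ts), int(serial), {k: v.strip('"') for k, v in FIELD.findall(rest)}

def access_type(sc):
    """Classify a SYSCALL record as read, write, delete or attributes changed."""
    name = SYSCALLS.get(int(sc.get("syscall", -1)), "other")
    if name in ("open", "openat"):  # open flags are argument a1 for open, a2 for openat
        flags = int(sc["a1" if name == "open" else "a2"], 16)
        return "read" if flags & 0b11 == 0 else "write"  # low two bits: O_RDONLY == 0
    return {"unlink": "delete", "unlinkat": "delete",
            "chmod": "attributes changed", "fchmodat": "attributes changed"}.get(name, "other")

def file_access_events(lines):
    """Join SYSCALL and PATH records by serial into one event per file access."""
    events = {}
    for rtype, ts, serial, f in filter(None, map(parse_record, lines)):
        ev = events.setdefault(serial, {"timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat()})
        if rtype == "SYSCALL":
            # auid is the login user and survives su/sudo; uid is the effective user at the time
            ev.update(user=f.get("auid"), uid=f.get("uid"), process=f.get("exe", f.get("comm")),
                      access=access_type(f), success=f.get("success") == "yes")
        elif rtype == "PATH" and f.get("nametype") != "PARENT":  # skip the directory entry
            ev["file"] = f.get("name")
    return [e for e in events.values() if "access" in e and "file" in e]

# Constructed sample audit.log records: a read, a write as root via sudo, and a deletion of one file
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5581a0 a2=80000 a3=0 items=1 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="cardholder"
type=PATH msg=audit(1700000000.100:101): item=0 name="/srv/data/cards.csv" inode=42 dev=08:01 mode=0100640 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000005.200:102): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5581a0 a2=241 a3=1b6 items=2 ppid=2000 pid=2002 auid=1001 uid=0 gid=0 euid=0 comm="python3" exe="/usr/bin/python3.11" key="cardholder"
type=PATH msg=audit(1700000005.200:102): item=0 name="/srv/data/" inode=40 dev=08:01 mode=040750 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000005.200:102): item=1 name="/srv/data/cards.csv" inode=42 dev=08:01 mode=0100640 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000009.300:103): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5581a0 a2=0 a3=0 items=2 ppid=2000 pid=2003 auid=1001 uid=1001 gid=1001 euid=1001 comm="rm" exe="/usr/bin/rm" key="cardholder"
type=PATH msg=audit(1700000009.300:103): item=0 name="/srv/data/" inode=40 dev=08:01 mode=040750 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000009.300:103): item=1 name="/srv/data/cards.csv" inode=42 dev=08:01 mode=0100640 ouid=0 ogid=0 nametype=DELETE
"""
```

Calling `file_access_events(SAMPLE_LOG.splitlines())` yields three events for `/srv/data/cards.csv` (read, write, delete); the second one shows why the login user (auid 1001) matters when the effective uid is 0.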
Companies and institutions gain visibility into how data is being manipulated and enforce access control policies by using dedicated file access auditing solutions.
A typical usage example of file access auditing is PCI DSS Requirement 10.2.1: “Implement automated audit trails for all system components to reconstruct the following events: All individual access to cardholder information.”
Such information, collected by a file monitoring solution, helps companies identify data exfiltration attempts as well as unauthorized access to files. At the same time, in the case of data breaches, the audit record allows an investigation as per the legal requirements in place.
How we can help
TEMASOFT develops advanced file and folder monitoring functionality to cover all related use cases by delivering a unique set of features in an agent-based solution managed from a web-based interface. TEMASOFT FileMonitor is a helpful file access monitoring software that detects data incidents, is capable of analyzing complex file operations in real time, and automatically raises alerts when suspicious activities are detected. At the same time, it provides file integrity monitoring in real time, unlike most similar solutions, and can point out threatening changes to critical files for both Windows and Linux machines.
For more information, follow us on social media and subscribe to our newsletter.