When attackers target businesses, they are typically after sensitive files, either to steal the data for fraud or resale, or to encrypt or alter it and hold operations hostage until a ransom is paid. One way to catch such activity early is to monitor the integrity of files across every location where they are stored: if a critical file's contents, permissions, or ownership change outside an approved process, someone should know promptly. File integrity monitoring (FIM) is a cybersecurity domain that includes various controls, some of which may be required for your business. Let's take a closer look.
What is File Integrity Monitoring?
File integrity monitoring is a set of approaches and practices for detecting unauthorized changes to files, wherever they are stored. A known-good baseline of each file's content (normally a cryptographic hash) and attributes (size, permissions, ownership, timestamps) is recorded, and the current state is compared against it on a schedule or in real time; any difference that does not correspond to an approved change is an alert. There are many tools and techniques to achieve this end, along with challenges impeding it.
This blog will break down all that you need to know about FIM across two primary sections:
- A detailed 101 on FIM, including the approaches companies may take, the primary goals, most significant challenges, and top implementation tools
- A look at how and why FIM interacts with compliance obligations, then three detailed subsections accounting for FIM requirements across three regulatory frameworks
By the time we’re done, you’ll be prepared to optimize and integrate the perfect FIM solution for your business, either on your own or with professional help. But first — do you even need FIM?
Do You Need File Integrity Monitoring?
While all companies can benefit from implementing a robust FIM program, it’s not required for all businesses. It’s most impactful and necessary for companies that process or host a large amount of sensitive information, such as biographical, payment, or other data on personnel or clientele. Companies with large, varied IT infrastructure should also consider FIM, along with those that utilize or provide other companies with remote or cloud services (SaaS).
If your company falls into one of these categories, there’s a good chance you may “need” FIM. Not because of any legal requirement, but because your stakeholders’ security depends on it.
There are also companies for which a form of FIM is a formal legal requirement because of regulatory compliance guidelines. We’ll detail three specific use cases for this below. For now, consider companies that store medical or payment data or companies responsible for the critical infrastructure that individuals and businesses rely on across the country — these companies need FIM.
File Integrity Monitoring (FIM) 101
FIM is less a discrete practice or control than an umbrella term that refers to all measures a company may take to monitor the integrity of its files. Companies may take different approaches, depending on the nature and number of files they need to monitor. But two critical distinctions categorize the vast majority of FIM approaches available:
- Standalone or integrated – A standalone FIM tool runs independently of other security measures: it reports file changes and nothing else, with no correlation against risk or threat data. An integrated FIM feeds its change events into other systems (a SIEM, a vulnerability management platform, an incident response workflow) so that a change can be triaged in context.
- Agent-based or agentless – Agent-based FIM installs a small agent on every host that stores or processes the files, giving real-time, filesystem-level visibility into what changed, which process changed it, and under which account. Agentless FIM inspects resources remotely (over SSH, WinRM, storage APIs, or a shared filesystem) on a schedule; it is more straightforward to implement and maintain but yields less detail and cannot catch a change the moment it happens.
At RSI Security, we believe that integrating security practices is critical to optimization and seamless implementation. Below, when detailing file integrity monitoring tools companies should consider, we’ll focus almost exclusively on integrated ones.
First, let’s take a closer look at the primary goals of FIM, regardless of approach, along with the most significant challenges.
Top File Integrity Monitoring Aims
File integrity monitoring's goals are exactly what its name implies: detecting when a file's integrity has been compromised. Files legitimately change over time in name, location, contents, and properties, so the task is to separate approved changes from unauthorized ones. In particular, FIM should focus on changes to the following security-critical files and attributes:
- Files that define user accounts and credentials, such as /etc/passwd, /etc/shadow, and the sudoers configuration on Unix-like systems, the equivalent stores on Windows, and the resources used for multi-factor authentication (MFA). A new account or a changed password hash in these files is a classic sign of a backdoor.
- Files that define access privileges, settings, and configurations: access control lists, application and web server configuration, scheduled tasks, startup scripts, and the configuration of security tooling, especially on systems that hold the most sensitive data.
- The attributes of critical files themselves: a cryptographic hash of the contents (SHA-256 rather than MD5, which is collision-prone), size, permission bits, ownership, and timestamps. A changed hash means the contents changed; a changed mode or owner with the same hash (a file made world-writable or setuid, for instance) is just as much an integrity event, and a file that appears or disappears where none should is another.
A FIM program therefore needs both a trusted baseline of files at rest and a way to keep that baseline current when approved changes occur (patching, deployments, configuration changes made through change control), so that authorized updates do not drown out the alerts that matter. The goal of FIM is never to minimize change but to ensure that every change to a protected file is either authorized or detected.
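The baseline-and-compare approach described above, as an added example in Python (this is not RSI Security's code or any product's implementation). It hashes each regular file with SHA-256, records size, permission bits, and ownership, and classifies differences as added, removed, changed in content, or changed only in metadata. The exclude patterns and the files that demo() creates in a temporary directory are assumptions for illustration:

```python
"""Minimal file integrity monitor: build a baseline, re-scan, classify changes.

Added example, not RSI Security's code. Records a SHA-256 of each file's
contents plus size, permission bits and ownership, then reports files that
were added, removed, changed in content, or changed only in metadata.
The exclude patterns and the files created in demo() are assumptions.
"""
import fnmatch
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# High-churn files that would only produce noise (assumed patterns).
DEFAULT_EXCLUDES = ("*.log", "*.tmp", "*.swp")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, excludes=DEFAULT_EXCLUDES) -> dict:
    """Walk root and record integrity attributes for every regular file."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if any(fnmatch.fnmatch(rel, pat) for pat in excludes):
                continue
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            baseline[rel] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # permission bits only
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify every difference between a stored baseline and a fresh scan."""
    report = {"added": [], "removed": [], "content": [], "metadata": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel]["sha256"] != new[rel]["sha256"]:
            report["content"].append(rel)
        elif old[rel] != new[rel]:
            # Same bytes, different mode or owner (e.g. made world-writable):
            # still an integrity event, so report which attributes moved.
            changed = [k for k in old[rel] if old[rel][k] != new[rel][k]]
            report["metadata"].append((rel, changed))
    return report


def demo() -> dict:
    """Run the monitor against a constructed directory tree (assumed content)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        passwd = root / "etc" / "passwd"
        conf = root / "etc" / "app.conf"
        passwd.write_text("root:x:0:0::/root:/bin/sh\n")
        conf.write_text("debug=false\n")
        conf.chmod(0o640)
        (root / "app.log").write_text("noise\n")  # matches *.log, excluded
        before = build_baseline(root)
        # Simulated intrusion: backdoor account, config opened up, dropped script.
        with passwd.open("a") as f:
            f.write("evil:x:0:0::/:/bin/sh\n")
        conf.chmod(0o666)
        (root / "bin").mkdir()
        (root / "bin" / "shell.sh").write_text("#!/bin/sh\n")
        (root / "app.log").write_text("more noise\n")  # excluded, no alert
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

In real use the baseline produced by build_baseline() is serialized and stored off-host or signed, because an attacker who can rewrite the baseline can hide any change; the scan then runs on a schedule (PCI DSS, discussed below, expects at least weekly) or from an agent that reacts to filesystem events. The demo deliberately shows the three classes of event a practitioner cares about: a content change to a credential file, a permission-only change to a configuration file, and a new executable in a monitored tree, while the excluded log file generates nothing.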
File Integrity Monitoring Challenges
One major challenge to implementing FIM is the sheer volume of files that need monitoring. A company with a large file estate, or one that grows suddenly and rapidly, faces a harder scoping problem than a company with relatively few files: hashing every file on every host on every cycle is expensive, so the monitored set has to be chosen deliberately (system binaries, configuration, credential stores, application code, and the regulated data discussed below) rather than defaulting to everything.
Another significant challenge is that files differ in how often they legitimately change, which matters more than their type (.pdf, .txt, .docx, etc.). Logs, caches, databases, and temporary files change constantly and will bury real alerts if they are hashed like static configuration; they need to be excluded or monitored differently (by ownership and permissions, or by size growth, rather than by content). Some hosts and storage systems can run an agent, while others (appliances, some cloud storage, third-party SaaS) can only be inspected agentlessly. An integrated, flexible solution that supports both modes is best suited for most cases.
Best File Integrity Monitoring Tools
Many individual FIM approaches, such as open-source file integrity monitoring tools (AIDE, Tripwire, and the FIM module in OSSEC and Wazuh are well-known examples), come as single-use or standalone programs. To address the challenges detailed just above and increase the efficacy of your overall cyberdefense, we recommend integrated FIM approaches, including:
- PII / PAN Scanners – Scanners configured to look for specific data content across all files and other network locations. In particular, this FIM approach can focus on finding personally identifiable information (PII) or primary account numbers (PAN) in places they should not be, so that those files can be removed, encrypted, or added to the monitored set.
- Cloud Security Suites – FIM can (and should) also be integrated into and across all cloud computing infrastructure, paying particular attention to files in cloud object storage, virtual machine images, and infrastructure-as-code templates rather than only on specific physical endpoints (computers, IoT devices).
- Vulnerability Management – Another approach to FIM integration involves a risk-focused threat and vulnerability management and mitigation program. A critical part of scanning for risks and amassing threat intelligence is understanding which files are threatened and which changes (a patched binary, an updated configuration) are expected.
- Managed Detection/Response – Finally, companies may seek to integrate FIM into a cybersecurity program focused on real-time, attack-based detection and recovery. An unauthorized file change can be the trigger that starts incident response and restoration from known-good copies.
These and other FIM approaches that work together with other cybersecurity practices offer optimal visibility and communication between systems and resources. This can be especially critical for companies who need to implement (and document) FIM for legal, regulatory reasons.
Compliance Requirements for FIM
Depending on the nature of your business and the industries you operate within or adjacent to, you may be legally required to implement FIM. As noted above, FIM is critical for companies that regularly process and store a large amount of sensitive information. In some instances, classes of information are protected by regulatory frameworks that specify controls and practices you need to implement (and document) to ensure their compliance with given standards.
Three of the most widely applicable regulatory frameworks that require FIM, directly or indirectly, are those for businesses that process payment card data, those operating in or around the healthcare industry, and those that own or operate part of the bulk power system. To be effective, compliance advisory, patch management, or other managed services for businesses in these categories must include a robust, integrated FIM approach, documented well enough to show an assessor what is monitored, how often, and what happens when an alert fires.
FIM and the PCI-DSS Framework
If your company stores, processes, or transmits cardholder data, whether for in-person card payments or online payment platforms, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is published by the PCI Security Standards Council (PCI SSC), founded in 2006 by the major card brands (Visa, Mastercard, American Express, JCB International, and Discover).
The PCI DSS comprises 12 requirements grouped under six goals to safeguard cardholder data, nearly all of which are indirectly related to or facilitated by FIM.
Requirement 11 (regularly test security systems and processes) covers vulnerability scanning, penetration testing, intrusion detection, and change detection. Sub-requirement 11.5 (numbered 11.5.2 in PCI DSS v4.0) explicitly calls for a change-detection mechanism, naming file integrity monitoring tools as the example, to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files, and to perform critical file comparisons at least weekly. Sub-requirement 11.5.1 requires a process to respond to the alerts the mechanism generates, and Requirement 10 (10.5.5 in v3.2.1, 10.3.4 in v4.0) separately requires FIM or change detection on audit logs so that existing log data cannot be altered without generating an alert. The testing procedures for 11.5 spell out what an assessor will check: that the tool is deployed, that it covers the critical files, that comparisons run at least weekly, and that alerts are generated and acted on.
FIM in the HIPAA Framework
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), health plans, health care clearinghouses, and health care providers that transmit health information electronically are covered entities, and the business associates that handle protected health information (PHI) on their behalf are bound by the same safeguards. They must follow the HIPAA Rules:
- Privacy Rule – Covered entities may use or disclose PHI only as the individual permits or as the Rule itself permits (treatment, payment, and health care operations, plus specified public-interest purposes), and must give individuals access to their own records.
- Security Rule – Covered entities must also implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).
- Breach Notification Rule – Covered entities must notify affected individuals, the Department of Health and Human Services, and, for large breaches, the media when unsecured PHI is acquired, accessed, used, or disclosed in a way the Privacy Rule does not permit.
HIPAA does not name file integrity monitoring explicitly. The Security Rule, however, includes an integrity standard (45 CFR 164.312(c): policies and procedures to protect ePHI from improper alteration or destruction, with a mechanism to authenticate that ePHI has not been altered) and an audit controls standard (164.312(b)) for recording activity in systems that hold ePHI; FIM on the files and databases that hold ePHI is the most direct way to satisfy both. FIM also supports the Privacy Rule indirectly, since an unexpected change to access controls or to a record is evidence of improper use, and it is often the first indicator that a breach has occurred, which starts the clock under the Breach Notification Rule. HIPAA compliance may be technically possible without FIM, but it is significantly harder to achieve and to demonstrate.
FIM Within the NERC CIP Framework
Finally, if your company owns, operates, or uses part of the bulk power system (BPS), the interconnected generation and high-voltage transmission system that powers North America, you likely must follow the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards.
The CIP standards exist to ensure that the cyber and physical assets necessary for reliable generation and transmission of power across North America maintain their integrity and continuity. They form a numbered family (CIP-002 through CIP-014) covering asset categorization, security management controls, personnel and training, electronic and physical security perimeters, system security management, incident reporting, recovery plans, configuration change management, information protection, supply chain risk, and physical security; as with PCI DSS and HIPAA, nearly all of them are related to or facilitated by FIM. One standard in particular requires FIM or an equivalent practice: CIP-010, titled “Configuration Change Management and Vulnerability Assessments” (version CIP-010-2 at the time of writing; later versions have since been approved).
CIP-010-2 has four requirements. R1, Configuration Change Management, requires a documented baseline configuration for each applicable BES Cyber System (operating system or firmware, installed commercial and custom software, logical network-accessible ports, and applied security patches) and authorization and documentation of every deviation from that baseline. R2, Configuration Monitoring, requires monitoring for unauthorized changes to the baseline at least once every 35 calendar days for high impact systems. R3 covers Vulnerability Assessments and R4 covers Transient Cyber Assets and Removable Media. Each requirement breaks into parts whose applicability depends on the system's impact rating on the BPS. Altogether, the family demands reliable detection and documentation of changes to the software and configuration of systems critical to the BPS, which is exactly what FIM provides, making it central to NERC CIP compliance.
Professional FIM and Cybersecurity
To recap from above, FIM is a critical element of cybersecurity architecture and infrastructure. If your company wants to keep its files safe from attack and secure even if an attack happens, it will require a robust, systematic approach to integrity monitoring. Plus, if you fall into one of the compliance categories detailed above, you’ll need to implement FIM to avoid non-compliance.
Integrating an effective FIM program can be challenging. This is especially true for smaller or newer companies with more modest IT and cybersecurity resources. Working with a quality managed security services provider (MSSP) like RSI Security can be one of the best ways to get a robust file integrity monitoring program up and running for companies of all sizes. To get yours started, contact RSI Security today!