Phase II: Implementing File Integrity Management (FIM)

Wednesday, March 23, 2011

Ron Lepofsky


Phase II: Why Have I Not Yet Implemented File Integrity Management (FIM)?

In my last blog I ran out of time and space. This blog covers how FIM works and where to search for vendors that provide related tools.

Here's how File Integrity Monitoring works. The files of interest are scanned initially to create a baseline.

Then, each time the file is scanned again, according to any period of time you wish to specify, the current configuration is compared against the original. Any changes detected to the file are logged and included in reports.

The results of a file scan are stored as a hash value, produced by a one-way function. The same technique is used to verify other data that is too sensitive to be stored in the clear, such as user credentials.

The hash value of a rescanned file is compared with the hash value of the initial scan and if a difference appears, then a change was made.

Various vendors of FIM tools can define the granularity of their reporting by how granularly they decide to store subsets of data within a file.

For instance, some vendors will test and report on changes to a file's access permissions, including details of what has changed within a specific permission.
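The baseline-then-rescan cycle described above, with permissions tracked separately from content, as an added example written for this post (not any vendor's code). The file names and contents are constructed for the demonstration; a real deployment would keep the baseline off the monitored host and cover many more attributes.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot_file(path: Path) -> dict:
    """Record a SHA-256 of the content plus the permission bits of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.filemode(path.lstat().st_mode)}

def build_baseline(root: Path) -> dict:
    """Walk root and snapshot every regular file, keyed by its relative path."""
    return {p.relative_to(root).as_posix(): snapshot_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(baseline: dict, current: dict) -> dict:
    """Rescan result: added and removed files, and for changed files which attribute differs."""
    report = {"added": [], "removed": [], "changed": {}}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            diffs = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
            if diffs:
                report["changed"][name] = diffs
    return report

def run_demo() -> dict:
    """Constructed scenario in a temp dir: baseline, then a content edit, a chmod and a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "hosts.allow").write_text("ALL: LOCAL\n")
        os.chmod(root / "etc" / "hosts.allow", 0o644)
        baseline = build_baseline(root)                           # in practice, store this off-host
        (root / "etc" / "app.conf").write_text("debug=true\n")    # content changed, mode unchanged
        os.chmod(root / "etc" / "hosts.allow", 0o666)             # mode changed, content unchanged
        (root / "etc" / "extra.conf").write_text("x=1\n")         # file added since the baseline
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(run_demo())
```

Because content and permissions are hashed and compared separately, the report distinguishes a permission-only change from an edit, which is the granularity difference the paragraph above refers to.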

Vendors of FIM tools also differ in how their tool is deployed and in what it delivers. So some of the key variables to consider when evaluating FIM tools are:

  • Granularity of reporting.
  • Whether agents are required on each endpoint, and the total lifecycle cost of managing those agents.
  • Whether the tool provides more than FIM, such as the ability to communicate with a policy compliance software tool.
  • Triage of vulnerabilities by risk, and whether risk levels can be assigned by the user.
  • Auto-discovery of files in order to identify forgotten files or servers.
  • Flexibility in scheduling and the period for re-scanning.
  • Ability to manage the tool remotely.

FIM Vendors

Vendors can be easily found by using keyword phrases such as: file integrity monitoring, file integrity checking, file integrity monitoring comparison, file integrity managing, file integrity monitoring, Windows file integrity monitoring, and open source file integrity monitoring.

You will find many vendors including:

  • Cimtrak, File and Server Monitoring 
  • Tripwire, maintaining a desired state
  • Bit9, file integrity monitoring and registry protection
  • Symantec data loss prevention (DLP)
  • Websense Data Security Solutions (DSS)
  • Ncircle Agentless File Configuration Auditing
  • LogRhythm FIM
  • Windows file integrity checkers

Hope this is helpful. Have a secure week.

Ron Lepofsky CISSP, CISM, www.ere-security.ca/
