Phase II: Why Have I Not Yet Implemented File Integrity Management (FIM)?
In my last blog I ran out of time and space. This blog covers how FIM works and where to search for vendors that provide related tools.
Here's how File Integrity Monitoring works. The files of interest are scanned initially to create a baseline.
Then, each time the file is scanned again, according to any period of time you wish to specify, the current configuration is compared against the original. Any changes detected to the file are logged and included in reports.
The results of a file scan are stored as a hashed value, a one way encryption technique that is used for verifying other data that is too important to be stored in the clear, such as user credentials.
The hash value of a rescanned file is compared with the hash value of the initial scan and if a difference appears, then a change was made.
Various vendors of FIM tools can define the granularity of their reporting by how granularly they decide to store subsets of data within a file.
For instance some vendors will test and report upon changes to access permissions to a file and details about what has been changed within a specific permission.
Vendors of FIM tools also differ in how their tool is deployed and the deliverables. So some of the key variables to consider when evaluating FIM tools are:
- Granularity of reporting.
- Are agents required on each endpoint and what is the total lifecycle cost of managing the agents.
- Can the tool provide more than FIM, such as the ability to communicate with a policy compliance software tool.
- Triage of vulnerabilities by risk and can risk levels be ascribed by the user.
- Auto discovery of files in order to identify forgotten files / servers.
- Flexibility in scheduling and period for re-scanning.
- Ability to remotely manage the tool.
Vendors can be easily found by using keyword phrases such as: file integrity monitoring, file integrity checking, file integrity monitoring comparison, file integrity managing, file integrity monitoring, Windows file integrity monitoring, and open source file integrity monitoring.
You will find many vendors including:
- Cimtrak, File and Server Monitoring
- Tripwire, maintaining a desired state
- Bit9, file integrity monitoring and registry protection
- Symantec data loss prevention (DLP),
- Websense Data Security Solutions (DSS) Ncircle Agentless File Configuration Auditing
- LogRhythm FIM
- Windows file integrity checkers
Hope this is helpful. Have a secure week.
Ron Lepofsky CISSP, CISM, www.ere-security.ca/