File Integrity Monitoring (FIM)

File Integrity Monitoring (FIM) is the capability to monitor files and directories on a server for change. The changes can be made to content, permissions or both. Note that only certain changes are relevant in a given situation. For example, PCI DSS compliance specifies that changes to existing data in log files must be detected, whereas the addition of new data can be ignored. For other files, such as critical configuration files, any change may be important. When a change of interest occurs, the FIM solution needs to provide an alert.
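The two policies described above (append-only for log files, any-change for configuration files) can be expressed as a small baseline-and-compare check. The following is an added example written for this page, not Solidcore's code; it uses only the Python standard library, and the file names, contents and the `POLICIES` table are constructed for the demonstration. The append-only test works by hashing only the first `baseline size` bytes of the current file: if that prefix still matches the baseline digest and the file has grown, the old data is intact and only new data was added.

```python
"""Added example (not Solidcore's code): a minimal periodic integrity check
that applies two policies: append-only for logs, any-change for config files."""
import hashlib
import os
import stat
import tempfile

BLOCK = 1 << 16


def fingerprint(path):
    """Baseline record: size, permission bits and SHA-256 of the full content."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK), b""):
            h.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": h.hexdigest()}


def prefix_sha256(path, length):
    """SHA-256 of the first `length` bytes. It equals the baseline digest exactly
    when the old content is untouched and anything new was only appended."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(BLOCK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def classify(base, path):
    """Return the set of change kinds seen: 'permissions', 'appended', 'modified'."""
    kinds = set()
    now = fingerprint(path)
    if now["mode"] != base["mode"]:
        kinds.add("permissions")
    if now["sha256"] != base["sha256"]:
        if now["size"] > base["size"] and prefix_sha256(path, base["size"]) == base["sha256"]:
            kinds.add("appended")          # existing data intact, new data added
        else:
            kinds.add("modified")          # existing data rewritten or truncated
    return kinds


# Which change kinds each policy treats as a violation (constructed table).
POLICIES = {
    "append-only": {"permissions", "modified"},            # PCI-style log rule
    "any-change": {"permissions", "modified", "appended"},  # critical config rule
}


def check(baseline, policies):
    """Compare the current state with the baseline; return {path: [violations]}."""
    alerts = {}
    for path, base in baseline.items():
        bad = classify(base, path) & POLICIES[policies[path]]
        if bad:
            alerts[path] = sorted(bad)
    return alerts


def demo():
    """Constructed scenario: one log (append-only) and one config (any-change).
    Returns (kinds seen after a legitimate append, alerts then, alerts after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        cfg = os.path.join(d, "app.conf")
        with open(log, "w") as fh:
            fh.write("login ok alice\nlogin ok bob\n")
        with open(cfg, "w") as fh:
            fh.write("debug = false\n")
        os.chmod(cfg, 0o640)                     # fixed starting mode, independent of umask
        policies = {log: "append-only", cfg: "any-change"}
        baseline = {p: fingerprint(p) for p in policies}

        with open(log, "a") as fh:               # legitimate growth of the log
            fh.write("login ok carol\n")
        kinds_after_append = classify(baseline[log], log)
        first = check(baseline, policies)        # nothing to report

        with open(log, "w") as fh:               # an existing entry is rewritten
            fh.write("login ok alice\nlogin ok carol\n")
        os.chmod(cfg, 0o666)                     # config permissions loosened
        second = check(baseline, policies)
        return kinds_after_append, first, second


if __name__ == "__main__":
    print(demo())
```

A real deployment would persist the baseline somewhere the monitored host cannot silently rewrite it, and would refresh the log entries' baseline after each scan so the prefix check keeps up with growth.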
Approaches to File Integrity Monitoring

There are two approaches to file integrity monitoring: Periodic File Integrity Monitoring (PFIM) and Continuous File Integrity Monitoring (CFIM).

- Periodic File Integrity Monitoring (PFIM). Traditional monitoring solutions can be characterized as PFIM solutions. They detect changes to files by scheduling periodic system scans. They compare changes made between scanning periods and report any differences. Changes that are made during the actual scanning process will not be detected.
- Continuous File Integrity Monitoring (CFIM). The latest technology monitoring solutions are referred to as CFIM solutions. CFIM solutions monitor files constantly. Changes are detected as they happen and any violations are immediately reported.
Comparing the Approaches

Continuous FIM is a newer technology that compares favorably to Periodic FIM in every respect. The following table compares CFIM and PFIM against key selection criteria:

As outlined from the table above, there are four main benefits of using CFIM technology instead of PFIM:

1. Detects all changes: Continuous FIM captures every single change to the file. Periodic FIM will miss changes if more than one change happens between scans. Detecting all changes is important for sustaining compliance because it allows you to see where your compliance policies are being challenged, and addresses inappropriate change at the source.
2. Identifies transient violations: Related to the point above, if a file is changed inappropriately and then changed back, it creates a transient compliance violation. Periodic FIM solutions are unable to detect this violation. Because Continuous FIM captures every change, it provides an alert to the change that created the transient violation, even if that change is subsequently reversed.
3. Captures rich forensic data: Continuous FIM is able to capture details about every change, including the exact time of the change; who was logged into the machine at that time; what processes (like editors) were running; whether the change was manual or made by an authorized program; and, if manual, which user made it. This information is critical for distinguishing between a safe change made to a trusted site and a violation. It also enables rapid investigation of change-related problems. Periodic FIM does not capture this information.
4. Operational trade-offs: Scanning the entire system can be expensive, so Periodic FIM solutions optimize the scan by looking for changes to specific files only. This approach can miss changes which are unknown -- for example, if a patch introduced a new file or directory that has not been added to the scanlist. CFIM solutions operate with very low overhead, so the entire infrastructure can be monitored without impact.
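The transient-violation point in items 1 and 2 is easy to reproduce. The following added example (written for this page, not Solidcore's or any vendor's code) baselines a constructed configuration file, changes it and reverts it before the next scan, and shows that a hash comparison between the two scans reports nothing, while an event-driven watch on the same file has already recorded both writes. The continuous side is implemented with Linux inotify called through `ctypes`, so this assumes a Linux host; the file name and contents are constructed.

```python
"""Added example: a periodic hash scan misses a change that is reverted before
the next scan; an event-driven watch (Linux inotify via ctypes) records it."""
import ctypes
import hashlib
import os
import struct
import tempfile

IN_MODIFY, IN_ATTRIB, IN_CLOSE_WRITE = 0x2, 0x4, 0x8
IN_NONBLOCK = 0o4000                      # equals O_NONBLOCK on x86/arm Linux

_libc = ctypes.CDLL(None, use_errno=True)  # libc symbols visible in the interpreter
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def periodic_diff(before, after):
    """PFIM: compare two snapshots {path: digest}. Only end states are visible,
    so anything that happened and was undone between scans leaves no trace."""
    return sorted(p for p in before if before[p] != after.get(p))


class ContinuousWatch:
    """CFIM in miniature: the kernel queues an event for every modification as
    it happens, so a later revert cannot erase the record of the first write."""

    def __init__(self, path):
        self.fd = _libc.inotify_init1(IN_NONBLOCK)
        if self.fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")
        mask = IN_MODIFY | IN_ATTRIB | IN_CLOSE_WRITE
        self.wd = _libc.inotify_add_watch(self.fd, os.fsencode(path), mask)
        if self.wd < 0:
            raise OSError(ctypes.get_errno(), "inotify_add_watch failed")

    def events(self):
        """Drain queued events without blocking; return their mask values."""
        masks = []
        while True:
            try:
                buf = os.read(self.fd, 65536)
            except BlockingIOError:
                break
            off = 0
            while off + 16 <= len(buf):
                # struct inotify_event: int wd; uint32 mask, cookie, len; char name[len]
                _wd, mask, _cookie, name_len = struct.unpack_from("iIII", buf, off)
                masks.append(mask)
                off += 16 + name_len
        return masks

    def close(self):
        os.close(self.fd)


def transient_change_demo():
    """Baseline a config file, edit it and put it back before the next scan.
    Returns (paths the periodic diff flags, number of write sessions the watch saw)."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "sshd_config")           # constructed sample file
        with open(cfg, "w") as fh:
            fh.write("PermitRootLogin no\n")
        baseline = {cfg: sha256_file(cfg)}
        watch = ContinuousWatch(cfg)

        with open(cfg, "w") as fh:                     # the transient violation
            fh.write("PermitRootLogin yes\n")
        with open(cfg, "w") as fh:                     # reverted before the next scan
            fh.write("PermitRootLogin no\n")

        rescan = {cfg: sha256_file(cfg)}
        events = watch.events()
        watch.close()

    # one IN_CLOSE_WRITE per write session; IN_MODIFY events may be coalesced
    sessions = sum(1 for m in events if m & IN_CLOSE_WRITE)
    return periodic_diff(baseline, rescan), sessions


if __name__ == "__main__":
    print(transient_change_demo())   # expected: ([], 2)
```

Two caveats worth knowing when evaluating either approach. A periodic scanner that also records the inode change time (`st_ctime`) would notice that the file was touched between scans, since userland cannot set ctime back, but it still could not say what was written or by whom, which is the forensic gap item 3 describes. And the watch above only reports that a write happened; attributing it to a process or user requires a kernel-level audit source rather than inotify.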
Solidcore and Continuous File Integrity Monitoring

Solidcore introduced its breakthrough CFIM technology in 2005 and it has been rapidly adopted by customers worldwide. It is deployed in over 100 countries, across 5 continents and in organizations ranging from the Fortune 10 to small stores near you. Leading Qualified Security Assessors (QSAs), auditors, and other experts have endorsed CFIM as a preferred solution for meeting PCI and operational control requirements. Solidcore's solution is available for most major platforms (32 and 64 bit) including Windows (NT, 2000, 2003, XP), AS400, Solaris, AIX, HPUX, and Linux.

About Solidcore Systems

Solidcore is a leading provider of change control for critical systems. Solidcore's S3 Control software is the industry's first and only solution to automate the enforcement of change management policies. Solidcore automatically reconciles infrastructure changes against change tickets, and provides real-time change auditing so enterprises can measure the effectiveness of change management processes and policies.