What Is File Integrity Monitoring? And Do You Need It?

An organization’s IT environment is an ever-changing place. Software programs and hardware assets both change. So do configuration files and other important assets. Most of these are authorized changes – they’ll occur when files are being patched, for example. But unexpected changes are cause for concern. That’s where file integrity monitoring comes in.

File integrity monitoring, or FIM, is about more than knowing what’s going on with your system. It’s about keeping personal data safe and avoiding an attack while also complying with regulations. Let’s discuss what FIM is, why you need it and how it works.

What Is File Integrity Monitoring?

File integrity monitoring gives you file-level visibility into what’s important for your organization. That includes:

• Configuration files
• Customer data
• Health information
• Key and credential files
• System app files

Then, FIM lets you know who is editing, deleting or moving the files, and who has unauthorized access to those files.

There are regulatory standards that require companies to know who has access to critical files and which changes occurred. FIM is mandated for companies that have to abide by compliance regulations like NERC CIP, NIST CSF and PCI DSS, among others. While FIM isn’t specifically required for GDPR and HIPAA, it can be helpful during audits. That type of visibility into assets is important for those two regulations – so in those cases, FIM definitely won’t hurt.

What Threats Does It Protect You From?

When an unauthorized or harmful user has access to your network, they can change anything they want. They can also delete the event logs to avoid detection. Here’s the worst-case scenario: A FIM alert goes off because someone has gained internal access to your network and is tampering with your files. The attacker can scan your network to find other assets and compromise them, pose as an employee, steal credentials, etc. If someone gains access to your system, they can do whatever they want – until they’re caught, at least.

How Does FIM Work?

Regardless of the software you choose, FIM essentially works like this:

• You set which system files and registries to monitor. Ideally, you’ll narrow the scope so you’re not infiltrated with unnecessary alerts.
• You establish a baseline so that the FIM tool has a reference point to check files against.
• The FIM tool monitors the predetermined files and registries around the clock.
• When a critical event occurs (a file that’s edited or deleted, for example), the FIM tool captures data. That data includes what event took place, the affected asset, the user who made the change and a timestamp.
• Analysis of the event data along with other data gives a fuller picture of what happened and if it’s out of the norm.
• If the event is malicious or suspicious, an alert will go out. (Good changes, like patches and security updates, go on a whitelist so that you won’t get an alert.)
• The FIM tool will (hopefully) provide other data surrounding the event so that your IT team can figure out exactly what happened.

How To Implement File Integrity Monitoring With WordPress

Implementing FIM with WordPress goes beyond finding a tool that will alert you when there’s a file change. FIM is best used along with other security measures, like audit logging and user monitoring. Your security tool should have layered detection, including compliance regulations and proactive detection. You need to detect other actions earlier in the attack so that you can stop them ASAP.

Rapid7 is a cloud-based file event tracking system. You choose which assets to monitor, and then the software watches for file modifications and who made them. You’ll get an alert if a critical file or folder is deleted, edited or moved. You can also view real-time metrics if you want to keep an eye on activity in-the-moment. On top of the FIM alert, you’ll be able to see all of the other movement that happened around it so that you can investigate and respond to the attack, and you can export modification activity as a dashboard chart. Learn more about the Rapid7 WordPress extension here.

Qualys is another FIM tool that you can use for WordPress. While you’re figuring out the scope of what to monitor, Qualys’ out-of-the-box profiles mean you can get up and running right away, then tweak the scope as you learn more about your needs. The cloud platform also has real-time change detection. When a file changes, the data collected includes the user, the file name, asset details and a timestamp. Plus, you can scale up without having to buy more software or storage.

Other highly rated FIM tools include OSSEC and Tripwire. We also have a list of the best WordPress security plugins you can install right now in case you want to pair one of them with your FIM solution.

Final Thoughts About File Integrity Monitoring

If your company has to comply with regulations like FISMA, SOX, or a host of others that require FIM, then you definitely need a file integrity monitoring tool. Not only will it keep your customers, data, files and system safe, but it will also keep your company in good standing during an audit.

The main thing to avoid is a trap that many companies fall into: too much noise. If there are too many files under watch, that will result in an overabundance of FIM alerts. And if alerts come in without any context, it’s impossible to determine what is and is not a threat. An efficient FIM solution will monitor only necessary files and folders, then provide alerts with helpful insight.

Lastly, remember these two FIM best practices. Be precise about what files are going to be monitored. If monitoring is too broad, you can get overwhelmed with alerts and activity when anything is modified. Then, take action by investigating a FIM alert. It’s important to know if other users or assets were affected. Some stand-alone tools don’t offer this much context. You need a log management tool or investigation platform that can help in your investigation.

Do you use a FIM solution that you suggest? Tell us about it!