How does file integrity monitoring work?
FIM software keeps track of both operating system and application software files. It monitors user credentials, privileges and security settings, file attributes and sizes, and configuration values. FIM works by comparing the current state of a file with a known baseline. If there’s a discrepancy, the software will issue an alert.
In its most basic implementations, FIM software checks simple file properties like time, date, and size against the baseline. However, these properties can be easily spoofed by hackers. That’s why most FIM tools opt to use a more advanced checksum method instead. The software calculates a cryptographic checksum from the file’s original baseline (often using the MD5 or SHA-2 hashing algorithms). The checksum is then compared with that of the current file, flagging any mismatches that may indicate a problem.
For key system files, FIM may use real-time change notification rather than baseline comparison. This method sends an alert any time the file is accessed or modified. Real-time change notification is usually implemented as part of an operating system’s kernel or as an extension to it.
FIM is necessary in both Windows and Linux/Unix environments, with different priorities in each. In Windows, the registry is used for most configuration changes, resulting in a more secure environment. Nevertheless, Windows file integrity monitoring needs to keep an eye on bootup and startup, password, Active Directory, Exchange, and operating system files. In Linux/Unix, core configuration files are more exposed. Without robust file monitoring, they are vulnerable to hackers. Linux/Unix FIM should track user profiles, kernel parameters, boot loaders, daemons and service, and run commands.
FIM through SolarWinds
By staying aware of changes in their environments, managed services providers (MSPs) can better protect their customers. File integrity monitoring is an integral part of SolarWinds Security Event Manager (SEM). SEM tracks file and directory access, movement, and sharing to detect zero-day malware and advanced persistent threats, and includes integrated compliance reporting tools..
With automated incident responses, SEM can block IP addresses, change privileges, disable accounts, block USB devices, and kill applications to help swiftly neutralize security threats. If an incident does take place, SEM’s advanced search and forensic analysis can be used to help prove the limited impact of a breach, potentially saving your business from negative outcomes.
For more advice on protecting your files, read through our Security Resource Center.