File Integrity Monitoring (FIM)

Introduction: File Integrity Monitoring (FIM) is the process of examining systems to identify file modifications made in an unauthorised manner that could indicate a malicious compromise. FIM technologies monitor file changes on databases, servers, network devices, applications, directory servers, and cloud environments. They help identify how, when, and by whom files have been modified, and some tools can also restore a modified file to a known-good version.

It works by establishing a baseline of the known-good state of the monitored files (a cryptographic hash of each file's content together with attributes such as size, permissions, owner and timestamps) and then detecting deviations from it. Any change to a file's content after the baseline was taken produces a different hash value; a change to permissions or ownership alone leaves the hash unchanged, which is why FIM tools compare attributes and privileges as well as content. Each deviation is then attributed to an authorised change (a patch, a configuration push) or flagged as suspicious. Two practical caveats follow from this design: the baseline itself must be stored where an attacker who has compromised the host cannot rewrite it (signed, read-only, or off-host), and it must be refreshed through change management after every legitimate update, otherwise the tool drowns in alerts about changes nobody is looking for. FIM is a common feature of Host Based Intrusion Detection Systems (HIDS), and most Endpoint Detection and Response (EDR) platforms include a FIM module. FIM provides an essential layer of file, data and application security by helping to identify unauthorised activity, diagnose unwanted changes, verify patch status, support incident response and detect tampering with critical system files early, before it causes damage and disruption. FIM helps organisations reduce the risk of data theft or compromise, which would cost time and money in lost productivity, lost revenue, reputation damage, and legal and compliance penalties.
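The baseline-and-compare loop described above, as an added example written for this post rather than code taken from any FIM product. It snapshots SHA-256 hashes plus size, mode, owner and group for every regular file under a directory, then classifies differences as added, removed, content-changed or metadata-only. The directory layout and file contents in demo() are constructed in a temporary directory so the script runs offline; the file names (etc/passwd, etc/sshd_config, etc/ld.so.preload) are only illustrative.

```python
"""Minimal file-integrity monitor: take a baseline, then diff against it.

Added example, not from the original post or any vendor's product.
"""
import hashlib
import stat
import tempfile
from pathlib import Path

# Attributes tracked per file. A content edit changes the hash; a chmod or
# chown changes mode/uid/gid but leaves the hash alone, which is why a
# hash-only baseline silently misses permission and ownership changes.
TRACKED = ("sha256", "size", "mode", "uid", "gid")


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record hash and metadata for every regular file under root.

    In a real deployment the returned dict is the baseline and must be kept
    where the monitored host cannot rewrite it (signed, read-only or off-host).
    """
    records = {}
    for p in sorted(root.rglob("*")):
        st = p.lstat()  # lstat: do not follow symlinks into unexpected places
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories, symlinks, sockets, devices
        records[p.relative_to(root).as_posix()] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
        }
    return records


def diff(baseline: dict, current: dict) -> dict:
    """Classify every path present in either snapshot."""
    out = {"added": [], "removed": [], "content": [], "metadata": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            out["added"].append(rel)
        elif new is None:
            out["removed"].append(rel)
        elif old["sha256"] != new["sha256"]:
            out["content"].append(rel)
        else:
            changed = [k for k in TRACKED if old[k] != new[k]]
            if changed:  # same bytes, different attributes (e.g. chmod)
                out["metadata"].append((rel, changed))
    return out


def demo() -> dict:
    """Constructed scenario: baseline three files, then simulate four changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "sshd_config").chmod(0o644)  # pin the mode so the baseline is known
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Simulated unauthorised activity after the baseline was taken.
        (etc / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nevil:x:0:0::/:/bin/bash\n"
        )  # content change: a second uid-0 account appended
        (etc / "sshd_config").chmod(0o666)  # permission change only, hash unchanged
        (etc / "hosts").unlink()  # file removed
        (etc / "ld.so.preload").write_text("/tmp/x.so\n")  # new file appeared
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Running it reports etc/ld.so.preload as added, etc/hosts as removed, etc/passwd as a content change and etc/sshd_config as a metadata-only change of mode. A production tool does the same comparison continuously or on a schedule, persists the baseline somewhere tamper-resistant, and enriches each hit with who made the change from the host's audit log.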

The File Integrity Monitoring (FIM) market has been forecast to grow at a compound annual growth rate (CAGR) of 16% over the period 2020 – 2028. The worldwide FIM market was valued at USD 792.9 million in 2022 and is expected to reach USD 1,817.2 million by 2028. Market analysis also predicts that agent-less deployments will dominate in the coming years. Note that agent-less FIM normally works by periodic remote scans, whereas real-time change detection generally needs an agent on the host that hooks the operating system's file-change notifications. The Asia-Pacific market is predicted to grow much faster because of the increased need for security in industry.

Compliance drivers for FIM: FIM is required or recommended by many regulatory standards and frameworks, which include the following:

  • HIPAA's Security Rule requires audit controls and integrity protection for electronic health information (45 CFR 164.312(b) and 164.312(c)(1)); continuous monitoring of changes to those systems is a common way of meeting it.
  • NIST SP 800-53 (control SI-7, Software, Firmware and Information Integrity) calls for integrity verification tools that detect unauthorised changes, with real-time detection and alerting as an enhancement.
  • PCI DSS requires a change-detection mechanism such as FIM on critical system and content files, with comparisons performed at least weekly (Requirement 11.5 in v3.2.1, 11.5.2 in v4.0).
  • ISO 27001 does not name FIM explicitly, but integrity monitoring of systems and their configuration is a standard way of evidencing its Annex A controls on logging, monitoring and change management.

The benefits of File Integrity Monitoring include the following –

  1. FIM is a continuously running process on every endpoint or host that automatically compares monitored system files against the baseline.
  2. FIM produces a change report for each monitored file, and when integrated with the host's audit log it records which user or process made the change, the permissions involved and the access pattern.
  3. FIM produces high-fidelity host telemetry (a changed binary or configuration file is a concrete, reproducible fact), which is why it is a core feature of HIDS and EDR.
  4. The real-time alerting mechanism of FIM lets the system or network administrator know about suspicious activity on critical files as it happens.
  5. FIM detects the on-disk footprints of attacks: unauthorised system access, data theft, malware or ransomware dropped onto the host, web shells, tampered configuration files, and insider changes. It does not see network-level events such as DDoS or phishing, except where they leave a trace in monitored files.
  6. Some FIM products can roll back an unauthorised change to system files, configurations, security settings or credential stores to the baselined version; at minimum FIM tells you exactly which files need restoring.

Key Players in FIM Market: Key players in the FIM market, along with some of their competitive features, include the following –

  1. SolarWinds –  Database monitoring, network traffic analysis.
  2. Tripwire – Noise reduction, real-time intelligence, user activity tracking.
  3. Trustwave – FIM event management, log collection, unauthorised device monitor.
  4. Cimcor – Quick threat identification, anomaly detection.
  5. Rapid7 (InsightIDR) – Intruder traps/honeypots, alert severity prioritisation.
  6. Qualys –  Source and file reputation context, noise control, event prioritisation.
  7. OSSEC (open source, historically sponsored by Trend Micro) – Detects unauthorised changes via its syscheck module, automated alerting.
  8. ManageEngine – Data loss prevention, incident management, threat intelligence.
  9. McAfee (now Trellix) – Verify changes against the source, block unauthorised applications and URLs.
  10. Netwrix – Prioritise monitoring by data sensitivity, regular monitoring, and log management.
  11. AlienVault (now AT&T Cybersecurity) – HIDS with periodic scans that store checksums of watched files.
  12. LogRhythm – Timeline of activity, user behaviour analytics, endpoint threat detection.

While evaluating FIM solutions for endpoint and perimeter protection, one should look for the following features in the solution.

  1. Support for Multiple Platforms – The solution should protect systems running various platforms like Windows, Linux, macOS, Solaris, etc.
  2. Efficient Change Detection – The solution should report any change to system binaries, configuration files and database files in near real time, and any change to access permissions, ownership or credential stores as well. Log files need different handling: they change constantly by design, so they should be excluded from content hashing and monitored only for truncation, deletion or permission changes, otherwise they generate nothing but noise.
  3. Integration with Other Security Tools – The solution should be easily integrable with other security solutions like anti-virus, anti-malware technologies, host-based IDSes and SIEM or security visibility platforms, so as to support holistic security policy enforcement and give each file-change alert the context (user, process, ticket) needed to triage it.
  4. Real-Time Monitoring – The FIM solution should detect file changes as they happen, using the operating system's file-change notifications rather than relying only on periodic rescans, so that tampering with critical files can be traced and contained before further damage is done to the system and the network.
  5. Easily Configurable to Support Perimeter Protection – The FIM solution and its rules should work for all networked devices, not just desktops, laptops and servers. It should extend to switches, firewalls, routers and other security appliances, typically by periodically pulling their running and startup configurations and comparing them with the baselined copy, so that any change to the configuration of any of these devices is also alerted on.
