{"id":360,"date":"2023-07-21T19:22:28","date_gmt":"2023-07-21T13:52:28","guid":{"rendered":"https:\/\/pxldev.in\/dev\/inside-traffic\/?p=360"},"modified":"2023-09-26T18:20:41","modified_gmt":"2023-09-26T12:50:41","slug":"file-integrity-monitoring-fim","status":"publish","type":"post","link":"https:\/\/pxldev.in\/dev\/inside-traffic\/file-integrity-monitoring-fim\/","title":{"rendered":"File Integrity Monitoring (FIM)"},"content":{"rendered":"<p><b>Introduction:<\/b> <span style=\"font-weight: 400;\">File Integrity Monitoring (FIM) is the process of examining systems to identify file modifications made in an unauthorised manner that could indicate a malicious compromise. FIM technologies monitor file changes on databases, servers, network devices, applications, directory servers, and cloud environments. They help identify how, why, and by whom the files have been modified. FIM may also help in restoring them to a previous version.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It works by establishing a baseline of typical user behaviour and then identifying deviations from it. <\/span><span style=\"font-weight: 400;\">Any change made to a file after the baseline was taken produces a different hash value, which may correspond to either an authorised or an unauthorised change.<\/span><span style=\"font-weight: 400;\"> FIM tools monitor and analyse file attributes, content and privileges. These are compared to the baseline to identify and alert on suspicious changes. FIM is a common feature of Host-Based Intrusion Detection Systems (HIDS) and an essential module of any Endpoint Detection and Response (EDR) system. 
FIM provides an essential layer of file, data and application security by helping to <\/span><b>identify unauthorised activity<\/b><span style=\"font-weight: 400;\">, <\/span><b>diagnose unwanted changes, verify update status, assist in incident response <\/b><span style=\"font-weight: 400;\">and <\/span><b>shut down attacks<\/b><span style=\"font-weight: 400;\"> across critical system files before they have a chance to cause damage and disruption.<\/span><span style=\"font-weight: 400;\"> FIM helps organisations reduce the risk of data theft or data being compromised, which would cost time and money in lost productivity, lost revenue, reputation damage, and legal and compliance penalties.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The File Integrity Monitoring (FIM) market has been forecast to grow at a compound annual growth rate (CAGR) of 16% over the period 2020 \u2013 2028. The worldwide FIM market size in 2022 was valued at USD 792.9 million and is expected to reach <\/span><span style=\"font-weight: 400;\">USD 1,817.2 million by 2028. Market analysis also suggests that agent-less installation will dominate the market in the coming years, as it improves real-time risk detection. 
The Asia-Pacific market has been predicted to grow much faster because of the increased need for security across industries.<\/span><\/p>\n<p><b>Benefits of FIM:<\/b> <span style=\"font-weight: 400;\">FIM is mandated by many regulatory standards, which include the following:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>HIPAA <\/b><span style=\"font-weight: 400;\">recommends continuously auditing data security and access controls.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>NIST <\/b><span style=\"font-weight: 400;\">encourages incorporating real-time FIM as part of a baseline data security policy.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>PCI DSS<\/b><span style=\"font-weight: 400;\"> requires FIM for awareness of suspicious changes to critical data and system files, along with file comparisons at least weekly.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>ISO 27001<\/b><span style=\"font-weight: 400;\"> (International Organization for Standardization) requires real-time FIM as the basis of data security policy.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The benefits of File Integrity Monitoring include the following \u2013<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">FIM is a continuously running process on every endpoint or host that automatically checks system files for any change against the baseline.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">FIM produces a file access report that enables the system administrator to know the access details of each file, including the user, access permissions, access patterns, etc.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">FIM helps in improving threat intelligence and hence is an essential feature of HIDS and EDR.<\/span><\/li>\n<li 
style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The real-time alerting mechanism of FIM helps the system or network administrator know about any suspicious activity taking place on any critical file.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">FIM software is capable of detecting <\/span><a href=\"https:\/\/sectigostore.com\/blog\/what-is-ddos-breaking-down-a-distributed-denial-of-service-attack\/\"><span style=\"font-weight: 400;\">DDoS attacks<\/span><\/a><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/sectigostore.com\/blog\/phishing-statistics-phishing-stats-to-help-avoid-getting-reeled-in\/\"><span style=\"font-weight: 400;\">phishing attacks<\/span><\/a><span style=\"font-weight: 400;\">, unauthorised system access, data theft, malware or ransomware injections, and insider threats.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">FIM is capable of reverting any unauthorised change made to system files, system configurations, security settings, user credentials, etc.<\/span><\/li>\n<\/ol>\n<p><b>Key Players in the FIM Market:<\/b> <span style=\"font-weight: 400;\">Key players in the FIM market, along with some of their competitive features, include the following \u2013<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SolarWinds<\/b><span style=\"font-weight: 400;\"> \u2013 Database monitoring, network traffic analysis.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Tripwire<\/b><span style=\"font-weight: 400;\"> \u2013 Noise reduction, real-time intelligence, user activity tracking.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Trustwave<\/b><span style=\"font-weight: 400;\"> \u2013 FIM event management, log collection, unauthorised device monitoring.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Cimcor<\/b><span 
style=\"font-weight: 400;\"> \u2013 Quick threat identification, anomaly detection.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>InsightIDR<\/b><span style=\"font-weight: 400;\"> \u2013 Intruder traps\/honeypots, severity prioritisation.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Qualys<\/b><span style=\"font-weight: 400;\"> \u2013 Source and file reputation context, noise control, event prioritisation.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Trend Micro (OSSEC)<\/b><span style=\"font-weight: 400;\"> \u2013 Detection of unauthorised changes, automated alerting.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>ManageEngine<\/b><span style=\"font-weight: 400;\"> \u2013 Data loss prevention, incident management, threat intelligence.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>McAfee<\/b><span style=\"font-weight: 400;\"> \u2013 Verify changes against the source, and block unauthorised applications and URLs.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Netwrix<\/b><span style=\"font-weight: 400;\"> \u2013 Prioritised sensitivity monitoring, regular monitoring, and log management.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>AlienVault<\/b><span style=\"font-weight: 400;\"> \u2013 HIDS, periodic scans, and stored checksums of watched files.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>LogRhythm<\/b><span style=\"font-weight: 400;\"> \u2013 Timeline of activity, user behaviour analytics, endpoint threat detection.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">While evaluating FIM solutions for endpoint and perimeter protection, one should look for the following features.<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Support for Multiple Platforms<\/b><span style=\"font-weight: 400;\"> \u2013 The solution should protect different systems 
running various platforms such as Windows, Linux, macOS, Solaris, etc.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Efficient Change Detection<\/b><span style=\"font-weight: 400;\"> \u2013 The solution should be able to report any change in system files, configuration files, databases or system log files in near real time. It should also report any change in access permissions or user credentials.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Integration with Other Security Tools<\/b><span style=\"font-weight: 400;\"> \u2013 The solution should integrate easily with other security solutions such as anti-virus, anti-malware technologies, host-based IDSes, and security visibility solutions, so as to support holistic and complete security policy enforcement.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Real-Time Monitoring<\/b><span style=\"font-weight: 400;\"> \u2013 The FIM solution should work in real time so that suspicious network activities or communications can be detected and traced immediately, in order to prevent further damage to the system and the network.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Easily Configurable to Support Perimeter Protection<\/b><span style=\"font-weight: 400;\"> \u2013 The FIM solution and its rules should work seamlessly for all networked devices \u2013 not just desktops or laptops. It should extend to switches, firewalls, routers and any other security tools. This means the solution should also alert on any change to system files or configurations on any of these networked devices.<\/span><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Introduction: File Integrity Monitoring (FIM) is the process of examining systems to identify file modifications made in an unauthorised manner that could indicate a malicious compromise. 
FIM technologies monitor file changes on databases, servers, network devices, applications, directory servers, and cloud environments. They help identify how, why, and by whom the files have been modified. &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/pxldev.in\/dev\/inside-traffic\/file-integrity-monitoring-fim\/\"> <span class=\"screen-reader-text\">File Integrity Monitoring (FIM)<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":568,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","footnotes":""},"categories":[1],"tags":[12,14],"class_list":["post-360","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-digital-life","tag-inside-traffic"],"acf":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/posts\/360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/comments?post=360"}],"version-history":[{"count":2,"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/posts\/360\/revisions"}],"predecessor-version":[{"id":571,"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/posts\/360\/revisions\/571"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/media\/568"}],"wp:attachment":[{"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/media?parent=360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/categories?post=360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pxldev.in\/dev\/inside-traffic\/wp-json\/wp\/v2\/tags?post=360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}