The importance of data integrity

(By Alessandro Rugolo)
12/02/24

What is File Integrity Monitoring? What tools are used today?

These two questions deserve attention in every company or organization whose data, and more generally its information assets, underpin the business or its vital internal processes, which means practically all of them.

Once upon a time, the custody of one's documents was entrusted to a figure who has now disappeared: the archivist. Then (wild) digitization meant that this figure was replaced or, more often, eliminated, giving everyone the possibility of "storing" their data on more or less regulated and structured file servers, and creating the illusion that the archive that was once paper-based could be recreated in this way.

Yet many did not realize that the archivist was also a custodian: the custodian of the integrity of the documents and therefore of the organization's data. He was responsible for checking that the folders were in their place and that mold was not attacking the older documents, and he was able to find, like a librarian, the documents needed at the higher levels to make decisions.

But who does these things in his place now?

Some might argue that there is no longer any need for all this, and I partly agree with them, but there are equivalent activities that no one takes care of.

Databases and file servers, the equivalent of paper archives, are subject to changes, updates, deletions and additions in their data, in their structure and above all in their software, often without anyone realizing the damage that can be caused, even simply through error or distraction. And all this without considering the malicious actions of competitors, hackers, disgruntled employees and so on.

This is where File Integrity Monitoring (FIM) comes in. Now we can see what it is.

FIM refers to security control mechanisms used in IT organizations. An FIM examines the integrity of the most sensitive and important files and of the data contained in the registries and folders of operating systems (and beyond), verifying whether they have been altered or compromised by tracking all the activity carried out on them (logs). Periodically, the stored data is checked to see what has changed, how it has changed, who changed it and whether the change was authorised. Naturally, automatic tools are used to do this.

If you are interested in learning more about any of these FIMs, you can use TrustRadius (https://solutions.trustradius.com/), which provides comparisons of technology products, or another site of your choice; there are several. In the list of File Monitoring products on the TrustRadius website, the first is AT&T's AlienVault® Unified Security Management® (USM), followed by CrowdStrike's Falcon Endpoint Protection and SolarWinds Security Event Manager (which is in fact a SIEM, something more than an FIM).

In general, these products rely on modern cryptographic techniques applied to the security management of files and to their analysis.

The last objection that someone could make is the following: but what is the point of all this? These FIMs are an additional complication.

I cannot deny that this objection makes sense, but that does not mean FIMs are not useful. Imagine what could happen if the blood groups of hospital patients were deleted or, even worse, arbitrarily changed!

As always, thanks to our friends at SICYNT for their input and ongoing discussion.

To learn more:

- https://www.trustradius.com/file-integrity-monitoring

- https://www.solarwinds.com/resources/it-glossary/file-integrity

- https://www.crowdstrike.com/cybersecurity-101/file-integrity-monitoring/

- https://kinsta.com/blog/file-integrity-monitoring/

- https://www.tripwire.com/state-of-security/file-integrity-monitoring

- https://www.comparitech.com/net-admin/file-integrity-monitoring-tools/ 

- https://sicynt.org/