In this week’s Whiteboard Wednesday, Eric Sun, senior solutions manager for incident detection and response, explains what file integrity monitoring (FIM) is and its importance in a modern security strategy. He also breaks down some obstacles you may encounter when dealing with FIM, and what to look for in a FIM solution.
Are you looking to solve compliance regulations with file integrity monitoring? If so, this video is for you. Welcome to this week's Whiteboard Wednesday.Show more Show less
Today's topic is file integrity monitoring or FIM in 2019. We'll talk a little bit about what it is, why it's important for compliance, some cautions you should be aware of and how we recommend at Rapid7, this fold into your broader detection strategy.
I'm Eric Sun, part of the Threat Detection and Response team at Rapid7.
So first a refresher on the definition of FIM. File integrity monitoring gives you file level visibility into whatever's important in your organization. So the classic use case is sensitive data, protected health information, customer data, but those use cases have extended to include things like system app files, configuration files and key and credential files.
And basically it gives you the visibility to see if anybody is deleting, editing, moving or basically has unauthorized access to this sensitive files.
For these compliance frameworks, the five here, there is explicit recommendations to deploy FIM and report on the status of FIM in your organization. For HIPAA and GDPR they don't explicitly demand FIM but it certainly helps during compliance audits and there is language around having that type of visibility into your assets.
So FIM isn't a particularly new technology, so if you're looking at deploying in 2019 here are a couple of cautions to be aware of.
The first is that classic noise challenge. It's really important to be very prescriptive and precise on exactly what you're going to put under monitoring. If you're a little bit too broad and perhaps do something like C Windows System 32, that could easily create a deluge of alerts and activity when everything in those parent or subdirectories get edited or modified.
The second piece is taking action, and so that's investigating a FIM alert. And so if you get the stand alone tool you might not have the context to see what other users were affected, what other assets do I need to take containment or remediation actions on. So our recommendation is to certainly have an investigation platform or a log management tool that can aid in the investigation if you get any alerts around FIM.
The last piece is that detection strategy, so at worse case if a FIM alert fires that could be an advisory with internal access to your network tampering with your files. And so if we look at, for example, the MITRE Att&ck framework that means that the advisory likely compromised another asset, they went ahead and they performed a network scan to find other assets on the network, stole credentials, impersonated as employees, and so certainly although it's good to have the FIM alert, you certainly want to have detection for those other malicious behaviors earlier in the attack framework.
At Rapid7 FIM comes included with our cloud SIM InsightIDR and you can also meet a number of compliance regulations and also have layered detections across the attack chain.
So in summary if you're looking for file level monitoring, visibility and access, certainly looks towards FIM, but be aware of those cautions and certainly in 2019 look for a tool that can solve multiple use cases such as compliance regulations and proactive detection within a single tool. That's it for this week's Whiteboard Wednesday, catch you at the next one.