File Integrity Monitoring (FIM) is a security practice which consists of verifying the integrity of operating systems and application software files to determine if tampering or fraud has occurred by comparing them to a trusted "baseline."
Remember that pesky sibling or cousin who was always messing with your belongings, whether it was drawing on your wall, cutting up your homework, or stealing your toys? Whether just to annoy you or because they truly wanted to wreak havoc, they would go after anything they could get their hands on, meaning you constantly had to be on the lookout. Today, malicious actors or insiders can cause the same mayhem inside your networks, changing configuration files, critical system or application files, or data, and then deleting event logs to hide their tracks.
Knowing who’s accessing critical files and when changes occur to them is required by regulatory standards and laws, like PCI DSS, HIPAA, and GDPR, and is necessary to protect your organization's critical assets and data and detect a breach. Fortunately, meeting these regulatory requirements with a SIEM solution is easy. File integrity monitoring (FIM) automatically identifies anomalous file changes across your environment and notifies you when suspicious activity takes place on critical files, so you can take action and prove compliance.
Changes to configurations, files, and file attributes across your IT infrastructure can be common, but hidden within this deluge of daily changes can be the few that impact file or configuration integrity. These changes can put your compliance status and security posture at risk, as they can indicate an attacker tampering with critical files to gain persistence or access confidential data.
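The baseline comparison described above can be shown in a few lines of Python. This is an added example, not Rapid7's code and not a description of how the Insight Agent works: it records a SHA-256 digest and the permission bits of each file as the trusted baseline, then classifies later differences as added, removed, content changes, or attribute-only changes. The function names and sample files are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Return {relative_path: (sha256_hex, permission_bits)} for regular files under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            state[os.path.relpath(path, root)] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return state

def compare(baseline, current):
    """Classify every difference between the trusted baseline and the current state."""
    report = {"added": [], "removed": [], "content_changed": [], "mode_changed": []}
    for path in sorted(baseline.keys() | current.keys()):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:  # present in both: check digest (index 0) and mode (index 1) separately
            for i, kind in enumerate(("content_changed", "mode_changed")):
                if baseline[path][i] != current[path][i]:
                    report[kind].append(path)
    return report

def demo():  # constructed sample directory: baseline it, tamper with it, compare
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(data)
        write("app.conf", "debug=false\n")
        write("run.sh", "#!/bin/sh\nexit 0\n")
        write("old.log", "started\n")
        baseline = snapshot(root)
        write("app.conf", "debug=true\n")               # content edit
        os.chmod(os.path.join(root, "run.sh"), 0o755)   # attribute-only change
        os.remove(os.path.join(root, "old.log"))        # deletion
        write("dropped.bin", "x")                       # file not in the baseline
        return compare(baseline, snapshot(root))
```

The comparison is only as trustworthy as the baseline, so the baseline has to be stored where the monitored host cannot rewrite it. A hash comparison also says nothing about who made a change, which is why it is paired with user attribution and event logs.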
File integrity monitoring from Rapid7 is a modern file event tracking system delivered by our cloud SIEM, InsightIDR. Our Insight Agent watches for file modification events on assets of your choosing (e.g. PII, PHI) and directly attributes users to this activity through our industry-leading User Behavior Analytics (UBA). InsightIDR alerts you when users edit, move, or delete a critical file or folder, and shows you real-time metrics so you can catch issues before they escalate. Whether you have a large or small environment and an audit policy or not, Rapid7’s FIM capabilities can help centralize monitoring and alerting for you and your team.
While InsightIDR will help you meet multiple compliance requirements, including audit logging and log management, user monitoring, and FIM, its primary value comes from helping your team reliably detect and respond to attacks. You won't just see when an attacker modifies critical files; you'll also be able to see the lateral movement, privilege escalations, and other key behaviors behind the breach across your users, assets, and cloud services.
Because InsightIDR fully integrates with your existing network and security tools, you can detect malicious activity starting with initial compromise, whether it stems from phishing, malware, or the use of stolen credentials. With File Integrity Monitoring, file modification events can be looped into an investigation to understand how the actions relate to normal user activity across your environment. You can visualize file modification activity as fully customizable, exportable dashboard charts for easy visibility and to proactively meet audit requirements.
File integrity monitoring is an important security defense layer for any organization monitoring sensitive assets. With the Rapid7 cross-product Insight Agent, you get the benefit of FIM along with proactive threat detection and containment capabilities. Other use cases you can solve with the endpoint detection and response (EDR) capabilities in InsightIDR include: