What Is File Integrity Monitoring?

By Natasha Roberts | Published on 03.28.2022 | Data Security


If you want to keep your valuable digital assets beyond the reach of adversaries, you will need timely insights into how your data is being accessed and used.

What is File Integrity Monitoring?

File Integrity Monitoring (FIM) is a technology used to keep track of changes made to privileged accounts and sensitive data. Using a File Integrity Monitoring solution will give you visibility into what changes are made, when they are made, who made them, and how. Modern File Integrity Monitoring solutions can aggregate event data from multiple platforms, including your on-premises environment and any cloud-based services you use.

They will also deliver real-time alerts to your inbox or mobile device, anytime critical changes are made.

Why File Integrity Monitoring is Important

These days, many data privacy laws mandate that covered entities maintain a detailed log of all changes made to sensitive personal data. Most proprietary File Integrity Monitoring solutions will offer a wide range of options that can help organizations comply with the most notable data protection regulations, such as GDPR, CCPA, PCI-DSS, HIPAA, FISMA, SOX, and many more.

A typical File Integrity Monitoring solution will allow you to generate pre-defined compliance reports at the click of a button, which can be sent to the supervisory authorities to demonstrate your compliance efforts.

While File Integrity Monitoring solutions are typically designed to help you detect and respond to changes made by your own employees, they can also help you identify potential malware attacks.

For example, many sophisticated solutions use a technique called “threshold alerting” to detect and respond to events that match a pre-defined threshold condition: if X events of type Y occur within a period of time Z, a custom script can be executed to prevent the attack from spreading.

In the case of a ransomware attack, when a certain number of files have been encrypted within a given time frame, a script can be executed which might disable a user account, stop a specific process, change the firewall settings or shut down the affected server.

Threshold alerting can also be used to detect and respond to multiple failed login attempts, or when an unusually large number of files are created, moved, modified, or removed.
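The threshold rule described above, as an added example that is not part of the original post or of any vendor's product: a sliding-window count of “modified” events per user over a constructed sample event log, raising one alert when X events occur within Z seconds. Event field names, usernames and paths are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample event log (not real data). "modified" stands in for
# the encrypt-in-place behaviour the post mentions; a FIM product would
# feed its own change events here.
SAMPLE_EVENTS = [
    {"ts": "2022-03-28T09:00:00", "user": "alice", "type": "modified", "path": "/finance/q1.xlsx"},
    {"ts": "2022-03-28T09:04:00", "user": "alice", "type": "modified", "path": "/finance/q2.xlsx"},
    {"ts": "2022-03-28T09:09:00", "user": "alice", "type": "modified", "path": "/finance/notes.docx"},
    {"ts": "2022-03-28T09:10:00", "user": "bob", "type": "modified", "path": "/hr/a.docx"},
    {"ts": "2022-03-28T09:10:05", "user": "bob", "type": "modified", "path": "/hr/b.docx"},
    {"ts": "2022-03-28T09:10:11", "user": "bob", "type": "modified", "path": "/hr/c.docx"},
    {"ts": "2022-03-28T09:10:14", "user": "bob", "type": "modified", "path": "/hr/d.docx"},
    {"ts": "2022-03-28T09:10:20", "user": "bob", "type": "modified", "path": "/hr/e.docx"},
    {"ts": "2022-03-28T09:10:22", "user": "bob", "type": "modified", "path": "/hr/f.docx"},
    {"ts": "2022-03-28T09:10:30", "user": "bob", "type": "created", "path": "/hr/README.txt"},
]


def threshold_alerts(events, event_type, threshold, window_seconds):
    """Sliding-window threshold rule: `threshold` events of `event_type` by
    the same user within `window_seconds` raise one alert.
    Returns a list of (user, timestamp of triggering event, count)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != event_type:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["user"]]
        q.append(ts)
        while ts - q[0] > window:  # expire timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["user"], ev["ts"], len(q)))
            q.clear()  # one burst yields one alert, not one per further event
    return alerts


def detect_ransomware_burst(events=SAMPLE_EVENTS):
    """Example policy: 5 modifications by one user inside 60 seconds."""
    return threshold_alerts(events, "modified", threshold=5, window_seconds=60)


if __name__ == "__main__":
    for user, ts, count in detect_ransomware_burst():
        print(f"ALERT {ts}: {user} modified {count} files within 60s")
```

Alice's three edits spread over ten minutes never exceed the threshold, while Bob's six edits in 22 seconds produce exactly one alert; the response script would be wired in where the alert is appended.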

How Does File Integrity Monitoring Work?

The File Integrity Monitoring process generally involves the following key steps:

1. Discover and classify your critical assets

Knowing what data you store and where it is located will make it significantly easier to monitor changes to your data. While not officially a part of the FIM process, many File Integrity Monitoring solutions provide data discovery and classification tools out of the box.

2. Determine which assets you want to monitor

Now that you know where your sensitive data resides, you will need to specify which data you want to monitor. All relevant changes will be recorded in the event logs; however, to minimize the number of false positives generated by the software, it is better to focus on your most critical assets. This will require carrying out some form of risk assessment beforehand.

3. Establish typical usage patterns

In order for File Integrity Monitoring solutions to automatically identify anomalous activity, you must first establish a baseline to work from. Most advanced File Integrity Monitoring solutions use machine learning techniques to establish typical usage patterns, which can be tested against in order to identify anomalous behavior.

4. Keep track of changes to your sensitive data

You will need to continuously monitor your accounts, files, and folders for suspicious activity, including email accounts, configuration files, and so on. Anytime user activity deviates too far from the typical usage patterns established in the previous step, an alert can be raised, or a script can be executed in response. You will also want to receive alerts anytime sensitive data is accessed, moved, modified, or removed. Alerts are typically sent to the administrator or security team, who will launch an investigation ASAP.

5. Generate predefined reports

As mentioned previously, most File Integrity Monitoring solutions come with a wide range of “oven ready” reports which can be generated at the click of a button. These reports can either be archived for later scrutiny or used to meet the relevant compliance requirements.

If you’d like to see how the Lepide Data Security Platform can help audit and secure your data on the file server and Microsoft 365, schedule a demo with one of our engineers or start your free trial today.