
Reducing File Integrity Monitoring Change Noise

Posted: 3 June 2018

For some organisations, a FIM (File Integrity Monitoring) solution is a compliance necessity; for others, it is a core component of their change management process. In either case, file integrity monitoring provides a mechanism for alerting when applications, system files or configurations change unexpectedly.

ITIL (Information Technology Infrastructure Library) defines an unauthorised change as “change made to the IT infrastructure that violates defined and agreed change policies”. That could be anything from a system or software update, to a configuration change, to a malware infection.

Typically, a file integrity monitoring solution will monitor devices for instances of change. Notifications or alerts can then be configured to inform an interested party of the event.


Change Noise and Alert Overload

This becomes a burden on IT teams, system analysts and SOCs (Security Operations Centres) when the number of change alerts and notifications to be investigated is overwhelming. Referred to as change noise or alert overload, the result is that a solution originally intended to give greater control becomes troublesome to maintain and understand.

Based on research conducted by New Net Technologies, change noise and alert overload is a problem that haunts Tripwire and its customers: the number of alerts generated by the Tripwire Enterprise solution is far too high, difficult to manage and virtually impossible to investigate reliably.

This leads to alerts being ignored or missed and, worse still, to an administrator simply accepting a deluge of changes in the FIM solution just to clear the list.

FIM Change Alert Overload

What IT teams, system analysts and SOCs really want to know is when a change is suspicious or represents a potential threat. This highlights the need for flexible and contextual change notifications, and for a FIM solution which can understand the nature of a change rather than merely report that a change occurred.


File Approved-Safe Technology

To reduce change noise, a file integrity monitoring solution asks a further question of every detected new or changed file: is this file known to be safe?

Comparing these change events against a database of whitelisted changes, such as Microsoft Windows Updates, which typically represent the lion's share of change alerts, means that known-good changes do not need flagging. Only changes not found in the whitelist are flagged, resulting in a dramatic reduction in change noise and better overall change control visibility.

FIM solutions such as NNT Change Tracker have a vast database containing billions of known-safe file hashes. Each time a change is detected on a monitored device or server, the hash of the new file contents is compared to the database. Known hashes are accepted as benign and everything else is reported as unknown. Two points are worth keeping in mind when relying on this: a hash match confirms that the content matches a known-good build, not that the file was expected on that host at that time, and a deletion has no content to hash, so deletions always land in the list that still needs a human decision.
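The mechanism described above, as an added illustration (not code from NNT Change Tracker or from the original post): a scan is diffed against the previous baseline, every added or modified file is hashed, and the digest is looked up in an allowlist of known-good hashes. Only unknown digests, and all deletions, reach the alert list. The paths, file contents and the "vendor update" allowlist entry are constructed for the demo; a real deployment would load the baseline from the previous scan and the allowlist from a vendor-maintained feed.

```python
"""Toy file-integrity monitor with a known-good hash allowlist.

Added example, not Change Tracker's code.  All paths, file contents and
allowlist entries below are constructed for the demonstration.
"""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# (path, "added" | "modified" | "deleted", sha256 hex of new contents or None)
Event = Tuple[str, str, Optional[str]]


def sha256_hex(data: bytes) -> str:
    """Digest of the file contents; the allowlist is keyed on this value."""
    return hashlib.sha256(data).hexdigest()


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[Event]:
    """Compare a stored baseline (path -> digest) with a fresh scan (path -> bytes)."""
    events: List[Event] = []
    for path, data in current.items():
        digest = sha256_hex(data)
        if path not in baseline:
            events.append((path, "added", digest))
        elif baseline[path] != digest:
            events.append((path, "modified", digest))
    for path in baseline:
        if path not in current:
            events.append((path, "deleted", None))
    return events


def triage(events: List[Event], known_good: Set[str]) -> Tuple[List[Event], List[Event]]:
    """Split events into known-good (digest in the allowlist) and unknown.

    A deletion carries no content to hash, so it is never auto-accepted.
    """
    benign: List[Event] = []
    unknown: List[Event] = []
    for event in events:
        digest = event[2]
        if digest is not None and digest in known_good:
            benign.append(event)
        else:
            unknown.append(event)
    return benign, unknown


# --- Constructed sample data (not real binaries or real vendor hashes) -------
OLD_NOTEPAD = b"MZ...notepad build 1 (constructed)"
NEW_NOTEPAD = b"MZ...notepad build 2 (constructed)"
HOSTS_CLEAN = b"127.0.0.1 localhost\n"
HOSTS_TAMPERED = b"127.0.0.1 localhost\n127.0.0.1 updates.example.invalid\n"

# Baseline recorded by the previous scan.
BASELINE: Dict[str, str] = {
    "C:/Windows/System32/notepad.exe": sha256_hex(OLD_NOTEPAD),
    "C:/Windows/System32/drivers/etc/hosts": sha256_hex(HOSTS_CLEAN),
    "C:/Windows/Temp/installer.log": sha256_hex(b"old log (constructed)"),
}

# Current scan: a vendor update replaced notepad.exe, the hosts file was
# edited, a new binary appeared in Temp, and the old log was removed.
CURRENT_SCAN: Dict[str, bytes] = {
    "C:/Windows/System32/notepad.exe": NEW_NOTEPAD,
    "C:/Windows/System32/drivers/etc/hosts": HOSTS_TAMPERED,
    "C:/Windows/Temp/svchost.exe": b"MZ...unsigned dropper (constructed)",
}

# Allowlist feed: digests of files shipped in known vendor updates
# (here just the constructed "new notepad" build).
KNOWN_GOOD: Set[str] = {sha256_hex(NEW_NOTEPAD)}


def run_demo() -> Tuple[List[Event], List[Event]]:
    """Diff the constructed scan against the baseline and triage the result."""
    events = diff_snapshots(BASELINE, CURRENT_SCAN)
    return triage(events, KNOWN_GOOD)


if __name__ == "__main__":
    benign_events, unknown_events = run_demo()
    for path, kind, _ in benign_events:
        print(f"SUPPRESSED  {kind:<8} {path}  (known-good hash)")
    for path, kind, _ in unknown_events:
        print(f"ALERT       {kind:<8} {path}")
```

Running the demo suppresses the notepad.exe update (its digest is in the allowlist) and raises three alerts: the edited hosts file, the new executable in Temp, and the deleted log. Because the allowlist is keyed on the digest alone, a match says only that the content is from a known-good build; a stricter policy would key the allowlist on (path, digest) so that a legitimate binary dropped into an unexpected location still surfaces as unknown.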

If you own a file integrity monitoring solution or are investigating the use of one, ensure that deploying it does not introduce additional headaches. Any implemented solution should help to solve a problem and improve your overall cybersecurity posture, not create another.



Topics: Data Security, Change Control, PCI-DSS, NNT, File Integrity Management


Written by Chris Payne

Managing Director - Advanced Cyber Solutions