
WHITE PAPER: BEST PRACTICES IN FILE INTEGRITY MONITORING

WHITE PAPER

Best Practices
In File Integrity Monitoring

In any security monitoring strategy, file integrity monitoring (also commonly referred to by its acronym, FIM) is one of
the most powerful host-based intrusion detection techniques available for detecting compromised IT assets and data,
against both known and unknown threats. File integrity monitoring is also explicitly required by PCI DSS and is commonly
used to satisfy the integrity and change-control requirements of regulations such as NERC CIP, FISMA, Sarbanes-Oxley,
HIPAA, and GLBA.

The high success rate of phishing attacks, the ongoing adaptation of malware, and an ever-growing list of software
vulnerabilities mean that compromise is not a question of "if", but rather "when". A quick news search will
produce countless articles on successful attacks, from the infamous Target Corporation breach in late 2013
to the recent re-emergence of the Dridex malware.

The fact is, as soon as a bad actor (malware, a malicious hacker, or an unscrupulous employee or contractor)
gets onto a system in your IT environment, they will usually try to alter files and access your data. Being alerted the
moment that critical system, configuration, or data files and directories change goes a long way toward
protecting your organization. This is the realm of file integrity monitoring, a critical tool in the security defense of any
organization that wants to protect its assets.

In this paper, you’ll read about the fundamentals of file integrity monitoring, best practices in file integrity monitoring,
and then how the AlienVault® Unified Security Management™ (USM™) approach can help you quickly and easily
enable FIM capabilities across your IT assets.

What Is File Integrity Monitoring?


The premise is simple: If malware, hackers, or trusted insiders abuse
their privileges and cause a security breach, that breach won’t exist in
a vacuum. Instead, it will generate change activity in the infrastructure,
leaving a trail that can be detected and used to reveal the breach. The
faster and more accurately you can detect and pinpoint such changes,
the more secure your organization’s services and data will be.

If we look at the vast majority of IT systems that store and process information today, they are all file-based in their
architecture. Whether Windows, Unix, or Linux, the core operating system, applications, and related configuration and
log data are stored in files that are loaded at boot time and updated during the operation of the system. These files
ultimately:

›› Determine how the operating system, its subsystems, and applications will operate

›› Track (in log files) the actions and activities that take place across the operating system and applications

›› Store business data

© 2017 AlienVault. All rights reserved. AlienVault, Open Threat Exchange, OTX, Unified Security Management, USM, AlienApp, AlienApps, USM Appliance,
and USM Anywhere are trademarks of AlienVault and/or its affiliates. Other names may be trademarks of their respective owners.

An attack can manifest itself in any of these three areas: it can cause the operating system or an application to
stop operating as intended, capture or change mission-critical information, or manipulate log files to hide the
attacker's activity. Even authorized changes may result in misconfigurations that expose the organization to
increased risk and compromise. A good example was highlighted in an SC Magazine article [1] covering a data breach
at Scottrade Bank, where a trusted vendor uploaded a file to a Scottrade Bank server without enabling the proper
security protocols. The result was the personal information of 20,000 customers being exposed to the internet in an
unencrypted state.

File integrity monitoring is a proven and well-regarded security countermeasure to these types of risk. It monitors
critical files across your infrastructure and notifies you when they are added, deleted, or changed. To detect such
activity, one of the following monitoring approaches is typically used:

1. Baseline comparison, where one or more attributes of a file are captured or calculated and stored as a baseline
that can be compared against at some future time. This can be as simple as the file's modification time. Timestamps,
however, are trivially reset by an attacker (touch on Unix, SetFileTime on Windows), so a more trustworthy approach is
to periodically compute a cryptographic hash of each monitored file and compare it with the previously stored value.
Use a collision-resistant algorithm such as SHA-256 (from the SHA-2 family): MD5 is still found in older tools, but
MD5 collisions are cheap to produce, so two different files with the same MD5 digest can be prepared in advance.
Recording ownership, permissions, and size alongside the hash lets a permission-only change be told apart from a
content change.

2. Real-time change notification, which relies on the operating system kernel (or a kernel extension such as a
file system filter driver) to emit an event the moment a file is accessed or modified. Linux exposes this through
inotify and fanotify, and through file watches in the audit subsystem; Windows through ReadDirectoryChangesW, the
NTFS change journal, and file system minifilter drivers.

Of the two approaches, baseline comparison was the first technique used for file integrity monitoring and remains
the more widely practiced; it can be implemented on any system with nothing more than read access to the files.
Real-time notification depends on facilities that differ from one operating system to the next and, where kernel
drivers are involved, must be written and maintained per platform, which makes such solutions more complex and
costly to build and, in turn, more expensive for the end user. The two are complementary: a notification tells you
that something changed, and hashing against the baseline tells you what. Some solutions combine the approaches, or
monitor file permissions and file access as well. Regardless of the approach used, the result is the same: a security
alert is generated if a monitored file or directory is added, deleted, or modified.
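The baseline-comparison approach described above, worked through in Python as an added example (this is not code from the paper or from any AlienVault product). It builds a constructed directory tree in a temporary folder, baselines it, tampers with it in the ways the text warns about, and diffs a rescan. The attribute set (SHA-256, size, permission bits, uid, gid, mtime) and the exclude-glob handling for files in constant flux are this example's own choices, not a standard.

```python
"""Baseline comparison: snapshot a directory tree, tamper with it, diff the rescan."""
import hashlib
import os
import shutil
import stat
import tempfile
from fnmatch import fnmatch


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of the file content, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, exclude_globs=()):
    """Map each regular file under root (path relative to root, '/'-separated)
    to the attributes compared later. Paths matching exclude_globs (files in
    constant flux such as logs or swap) are skipped. Symlinks are ignored here,
    a simplification; real tools record the link target too."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch(rel, pattern) for pattern in exclude_globs):
                continue
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            baseline[rel] = {
                "sha256": file_digest(full),       # content identity
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # permission bits only
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": st.st_mtime_ns,           # informative, but spoofable
            }
    return baseline


def compare(old, new):
    """Diff two baselines: added and deleted paths, and for each modified
    file the list of attributes whose value moved."""
    report = {"added": [], "deleted": [], "modified": {}}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["deleted"].append(rel)
        else:
            changed = [k for k in old[rel] if old[rel][k] != new[rel][k]]
            if changed:
                report["modified"][rel] = changed
    return report


def demo():
    """Constructed scenario: a fake root in a temp dir, baselined, then tampered
    with in the ways the text describes, and rescanned. Returns the report."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, 0o644)  # fixed mode so the demo does not depend on umask
        return full

    try:
        ls_path = write("bin/ls", b"original binary")
        write("bin/sudo", b"setuid helper")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        write("etc/ssh/sshd_config", b"Port 22\n")
        write("var/log/syslog", b"boot ok\n")
        before = build_baseline(root, exclude_globs=["var/log/*"])

        # Trojan a binary with same-size content and put its timestamps back:
        # size and mtime now agree with the baseline; only the digest differs.
        kept = os.stat(ls_path)
        write("bin/ls", b"trojaned binary")
        os.utime(ls_path, ns=(kept.st_atime_ns, kept.st_mtime_ns))
        # Permission-only change: hosts file made world-writable.
        os.chmod(os.path.join(root, "etc", "hosts"), 0o666)
        # Same-size configuration edit.
        write("etc/ssh/sshd_config", b"Port 23\n")
        # A dropped file, a removed file, and normal growth of an excluded log.
        write("opt/dropper.sh", b"#!/bin/sh\n")
        os.remove(os.path.join(root, "bin", "sudo"))
        with open(os.path.join(root, "var", "log", "syslog"), "ab") as fh:
            fh.write(b"login ok\n")

        after = build_baseline(root, exclude_globs=["var/log/*"])
        return compare(before, after)
    finally:
        shutil.rmtree(root)
```

The report for the scenario lists opt/dropper.sh as added, bin/sudo as deleted, etc/hosts as modified in mode only, and bin/ls as modified in sha256 only: the timestamp was restored, so the digest is the one attribute that still betrays the swap. Two things the example leaves to the deployment: the baseline must be stored off-host or signed, since anyone who can replace /bin/ls can also edit a file next to it, and the excluded log directory needs its own treatment rather than being forgotten.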

In addition, modern operating systems provide built-in audit facilities that can be leveraged. On Windows Server,
object access auditing, with the files and directories to watch selected through system access control lists (SACLs)
and advanced audit policy pushed by Group Policy, writes events such as 4663 (an attempt was made to access an object)
to the Security log. On Linux, auditd file watches (for example auditctl -w /etc/shadow -p wa -k shadow_changes)
record which user and which program touched a path. In the past, IT professionals shunned such functionality because
of its potential impact on the system. Newer versions of the operating systems perform better, and targeting only the
files and directories that matter keeps the event volume manageable. The audit data can be collected centrally,
analyzed, and turned into alarms when suspicious or malicious activity is discovered.

Who Should Use File Integrity Monitoring?


No matter the size of your company, the increasing sophistication and diversity of modern threats make file integrity
monitoring a compelling and essential security requirement. Being able to identify when changes are made, and
potentially who made them, is a core part of understanding the nature and extent of any security incident.

In fact, file integrity monitoring solutions have broad appeal to almost every organization, from SMBs to the
enterprise, non-profits, and government agencies. Certain businesses will find file integrity monitoring both essential
and required, including:

›› Businesses that are subject to regulatory compliance. Several regulations (e.g. PCI DSS, NERC CIP-007), or
frameworks commonly used to demonstrate compliance with them (e.g. ISO 17799, since renumbered ISO/IEC 27002), call
out file integrity monitoring as an internal control that should be deployed to assure protection of an organization's
assets and data.

[1] https://www.scmagazine.com/scottrade-bank-data-breach-exposes-20000-customers-personal-information/article/649030/


›› Businesses with highly sensitive data. Most IT professionals, and hopefully business professionals too, consider
data the lifeblood of the business. It is the fundamental resource used to fulfill all transactions, execute all services,
carry out internal and external communications, and quantify the success or failure of business strategies. There is no
room for error in securing sensitive data.

›› Businesses that have a substantial server infrastructure of any kind. This doesn’t just mean “enterprise,” usually
defined as “organization with a thousand employees or more,” but can mean a small enterprise, mid-market business,
or even a small business. What matters is not the headcount, but the server count and the criticality of those servers to
the business. Certainly, any organization that owns and operates a data center would fall under this heading; the more
servers, databases, configuration files, logs, etc., must be monitored, the stronger the case for file integrity monitoring.

Which Files Should be Monitored?


When in doubt, it’s better to monitor too many files rather than too few. That
said, striking the right balance is important as file monitoring can be expensive
on system resources, particularly when there are a lot of files to monitor, when
files are in a constant state of flux (e.g. log files, virtual memory swap files,
the Windows Registry), or when the file size is so big that analyzing it will take
extra time.

File integrity monitoring solutions often come preconfigured with recommendations. In many cases, the authors of
these packages are very well-informed, and those recommendations may suffice for your needs. However, there is no
standard IT environment, so you may want to refer to guidance from other entities like the Center for Internet
Security (CIS) [2], whose security benchmarks provide recommended settings for operating systems, middleware,
software applications, and network devices.

In essence, the following file types should be monitored across your environment. Note that default installation
directories can typically be modified at installation, so administrators should document non-default locations for
later reference:

›› Operating System directories and files. It's important to assure that your base operating system is functioning
as expected, so monitoring the system binaries and libraries should be your first step. On Windows, the core OS
binaries, libraries, and key configuration files are typically located under:
• C:\Windows\System32
On Linux, the critical directories to monitor include:
• /bin
• /usr/bin
• /sbin
• /usr/sbin
• /lib and /usr/lib (plus /lib64 and /usr/lib64 where present)
On distributions with a merged /usr, /bin, /sbin, and /lib are symbolic links to their /usr counterparts; monitor
the link targets so that a single change is not reported twice.

[2] https://www.cisecurity.org/


›› Application directories and files. The operating system is the foundation on which applications sit, but it is the
applications that your employees, partners, and customers interact with, and that store and manage your data, so
you should monitor application binaries as well. On Windows systems, most applications (by default) store their
binaries and configuration files under:
• C:\Program Files
• C:\Program Files (x86)
Linux systems typically install applications into:
• /usr/bin
• /usr/sbin
• /usr/local (for locally built software)
• /opt
Depending on the type of server and applications being run, additional files and directories may also need to
be monitored. For example, if the server is a web server, the directory where the website files reside (the
DocumentRoot in Apache, the root directive in nginx) should be monitored as well. This will vary by organization
based on the web server used and how it is configured.

›› Configuration files. Modifying system and application binaries can be challenging for an attacker: on Windows an
executable image is locked while it runs, and on Linux a running binary cannot be written in place (although it can
be replaced by a new file). Configuration files, by contrast, define how the system and its applications will function,
are plain data, and are typically read only when the service or application starts, so an edit can sit unnoticed until
the next restart. Configuration settings can be stored in many ways. On Windows platforms, the Registry is typically
used for configuration purposes; its hives are files under C:\Windows\System32\config, but detecting changes at the
key level requires a registry-aware monitor. Text-based configuration files can be found across Windows, Unix/Linux
(chiefly under /etc), and OS X. Attackers may target any of these configuration locations as part of a planned attack,
or an administrator may inadvertently misconfigure a system, exposing that system, the data on it, and the rest of
your infrastructure to risk.

›› Log files. Log files contain the transaction and activity history for the core operating system, its subsystems, and
the applications on the system. They are often the first place an attacker goes to hide their tracks.
While an actively written log file changes continually, only the system or application that owns it should be writing
to it, and it should only ever grow until it is rotated. To ensure that log files are not tampered with, establish an
active log collection method that pulls (or pushes) the logs from the system to a separate log management solution
for centralized monitoring and tamper-resistant storage. Archived (rotated) log files are static, so you can also
monitor them for any changes or deletions.

›› Digital keys and credentials. Even with the availability of directory systems and hardware security modules, many
systems and applications store their keys and credentials for authentication and encryption locally.
Monitoring those credential and key stores is important to ensure your system is protected. For example, Unix
systems store their account and password files under /etc (/etc/passwd and /etc/shadow), and Windows stores the
SAM and SECURITY hives under C:\Windows\System32\config. Give the same treatment to other authentication material,
such as Secure Shell (SSH) host keys under /etc/ssh and per-user ~/.ssh/authorized_keys files, which an attacker can
edit to retain access.

›› Content files. Corporate and customer data is the lifeblood of most organizations, and data leakage remains one
of the top security concerns of many organizations. Even content as simple as your website is mission-critical: the
effect on your brand and reputation can be significant should an attacker deface your public presence. Monitoring
content files within the web server for unauthorized changes is critical to ensure the integrity of that data. (Reads
of the data, the confidentiality concern, are only visible to monitors that record file access; baseline hashing
detects modification, not reading.)
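An added example for the log-file point above (not code from the paper or from any AlienVault product): an actively written log should only grow, so instead of re-baselining it on every scan, the monitor records how many bytes it has already seen and the SHA-256 of exactly that prefix. On the next check the prefix is re-hashed: a mismatch means history was rewritten in place, a shorter file means it was truncated, and a different inode at the same path means a normal rotation. The log content and file names are constructed for the demonstration.

```python
"""Append-only check for an actively written log file (added example)."""
import hashlib
import os
import shutil
import tempfile


def snapshot(path):
    """Record the inode, how many bytes have been seen, and the digest of that prefix."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {"inode": st.st_ino, "length": len(data),
            "prefix_sha256": hashlib.sha256(data).hexdigest()}


def check_append_only(path, prev):
    """Re-verify the prefix recorded in prev and extend it over any appended bytes.
    Returns (verdict, new_state) with verdict one of:
      'ok'        - the bytes seen before are untouched; new bytes were appended
      'rotated'   - a different inode now sits at the path (logrotate); new baseline
      'truncated' - the file is shorter than the history already seen
      'rewritten' - same length or longer, but the old bytes changed in place"""
    st = os.stat(path)
    if st.st_ino != prev["inode"]:
        return "rotated", snapshot(path)
    if st.st_size < prev["length"]:
        return "truncated", snapshot(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        digest.update(fh.read(prev["length"]))
        if digest.hexdigest() != prev["prefix_sha256"]:
            return "rewritten", snapshot(path)
        tail = fh.read()  # only the appended bytes remain to be hashed
    digest.update(tail)
    return "ok", {"inode": st.st_ino, "length": prev["length"] + len(tail),
                  "prefix_sha256": digest.hexdigest()}


def demo():
    """Constructed scenario: legitimate append, in-place edit of history,
    truncation, then a normal rotation. Returns the list of verdicts."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "auth.log")
    verdicts = []
    try:
        with open(log, "wb") as fh:
            fh.write(b"session opened for user alice\n")
        state = snapshot(log)

        with open(log, "ab") as fh:  # the daemon appends a record
            fh.write(b"session opened for user bob\n")
        verdict, state = check_append_only(log, state)
        verdicts.append(verdict)

        with open(log, "rb") as fh:  # attacker edits history, same length
            data = fh.read()
        with open(log, "wb") as fh:
            fh.write(data.replace(b"bob", b"eve"))
        verdict, state = check_append_only(log, state)
        verdicts.append(verdict)

        with open(log, "wb"):  # attacker empties the log
            pass
        verdict, state = check_append_only(log, state)
        verdicts.append(verdict)

        os.rename(log, log + ".1")  # logrotate moves the file aside...
        with open(log, "wb") as fh:  # ...and the daemon starts a fresh one
            fh.write(b"session opened for user carol\n")
        verdict, state = check_append_only(log, state)
        verdicts.append(verdict)
        return verdicts
    finally:
        shutil.rmtree(workdir)
```

The four checks return ok, rewritten, truncated, and rotated in that order. One caveat for deployment: if logrotate is configured with copytruncate, the rotation itself shrinks the file to zero, so a truncation seen at the scheduled rotation time is expected and should be suppressed, while one seen at any other time is not. This check does not replace shipping the logs off-host; it adds a local signal that the copy the attacker can reach has been altered.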


Selecting a File Integrity Monitoring Solution

With so many options available on the market, identifying the right solution for your environment can be
challenging. The following are some things to look for in your final solution:

›› Agent vs. agentless. Agent-based file integrity monitoring solutions leverage software agents installed on target
systems, and typically yield the most powerful analyses and are able to detect changes at or near real-time.
Agentless file integrity monitoring tools, on the other hand, get up and running very quickly because no agent is
required, though the feature set and depth of functions is generally reduced, and the analysis isn't real-time. If you
require the depth of an agent-based system, consider a unified approach that integrates multiple security functions
into a single agent for a smaller footprint and less management effort.

›› Standalone vs. HIDS. Some file integrity monitoring solutions integrate with, or are a part of, a host-based intrusion
detection system (HIDS). HIDS capabilities are a superset of file integrity monitoring capabilities and can detect
threats in areas other than files, such as system memory (RAM) or I/O. Standalone file integrity monitoring generally
means file analysis only.

›› Performance. The more people in the organization you talk to, the more files you will find that need monitoring. With
that in mind, look for proven file integrity monitoring solutions that don’t consume too many system resources and,
when running, exhibit minimal impact on system performance.

›› Scalability. It will come as no surprise that your IT infrastructure will differ from that of other organizations. You may
be running systems that are just Linux, Windows, or OS X, or have a mix of operating systems. Maybe you have
some older Unix technologies in house. Whatever the environment, you should assess whether the file integrity
monitoring solution you select can cover all, or just some of your IT environment and whether that is sufficient for
your requirements.

›› Integration with Security Information and Event Management (SIEM) solutions. Sending alerts to a SIEM
can enhance your security defense by enabling cross-correlation of an incident with other security alerts, helping
to reduce false positives and to identify and prioritize real threats to your organization. In addition, some SIEM
solutions offer log retention, enabling alert and event information to be stored for later forensic analysis of an
incident or suspicious activity.

›› Integration with change management solutions. Since the purpose of file integrity monitoring is to detect change
and the purpose of change management is to manage change, it’s beneficial to coordinate these solution classes
carefully to minimize the false positives that might otherwise come up. In addition, such integration can also help
identify what change was made should any rollback be required.

›› Cost. With today's IT security budgets, understanding the costs associated with any solution is very important.
Unfortunately, many commercial off-the-shelf (COTS) file integrity monitoring solutions can be very expensive and
require a significant amount of time to roll out and manage. Alternatives include open source software solutions,
or all-in-one solutions where you obtain file integrity monitoring along with additional, critical security
monitoring tools within the same package.


Determining the Right Plan for Your IT Security Program


No security solution is perfect, and file integrity monitoring solutions can be circumvented. For instance, if a file
integrity monitoring solution only generates checksums at predictable intervals, a file can be changed and then
changed back between two scans, evading detection; this is the gap that real-time notification or operating system
audit logs close. Some file integrity monitoring solutions, even when flagging a change, lack detail about the timing
or specific nature of the change, or about who made it. It is also possible for malware to fool a checksum-based
monitor by substituting a file that still has the correct checksum. This is practical when the monitor relies on MD5:
two different files with the same MD5 digest can be prepared in advance, a benign one baselined and its malicious
twin swapped in later, which is one more reason to insist on SHA-256. Finally, an attacker with administrative
access can simply edit the baseline or stop the agent, so the baseline and the alerts must live somewhere the
monitored host cannot silently alter.

The lesson from this is that you should never rely on a single technology to protect your IT infrastructure. Rather, you
should deploy multiple security layers across your IT infrastructure to increase the chances that you will either
block or detect attacks in progress.

One such solution that provides a multi-layered security protection is AlienVault Unified Security Management (USM),
which incorporates five essential security capabilities – asset discovery, vulnerability assessment, intrusion detection,
behavioral monitoring, and SIEM log management – in a single, unified solution. Its intrusion detection capabilities
include comprehensive file integrity monitoring and host intrusion detection, providing assurance that applications
and application data remain protected from malicious actors – both internal and external.

AlienVault Unified Security Management (USM) – An All-In-One Approach to Threat Detection and Response

With the AlienVault Unified Security Management (USM) platform, you get a single platform for simplified, accelerated
threat detection, incident response, and policy compliance that delivers three core value propositions:

1. Unified Security Management, providing simplified security with the following five essential security capabilities
that give resource-constrained organizations all the security essentials needed within a single pane of glass:
a. Asset Discovery: Know who and what is connected to your IT environments at all times
b. Vulnerability Assessment: Know where the vulnerabilities are on your assets to avoid easy exploitation
and compromise.
c. Intrusion Detection: Monitor the traffic on physical, virtual, and cloud networks to identify suspicious or
malicious activities in your environment.
d. Behavioral Monitoring: Identify suspicious behavior and potentially compromised systems.
e. SIEM and Log Management: Correlate and analyze security event data from across your network.

2. Scaling Your Threat Detection and Response with Real-time Security Intelligence, ensuring that:
a. The AlienVault USM platform has the latest intrusion detection rules, malware signatures, and more from
the AlienVault Labs Security Research Team to identify the latest threats.
b. Security teams have the latest information on threats and available fixes and workarounds, virtually
eliminating the time and resources that those teams would typically spend in researching that information.

3. Deployment to Detection in Minutes. The AlienVault USM family of solutions provides deployment options that are
easy to deploy and start using, protecting your IT infrastructure in minutes.


File Integrity Monitoring with Host Intrusion Detection


With AlienVault USM, you can deploy a lightweight agent to perform file integrity monitoring as well as host-based
intrusion detection of your Windows, Linux, and Unix systems and the applications and data that reside on them. This
approach simplifies the implementation of file integrity monitoring by using a single, multi-functional agent, rather
than requiring you to install multiple single-purpose agents. In addition, all events and alerts are aggregated to one
location, enabling you to monitor all your servers and assets via a single web-based console.

As soon as a change to a monitored file is detected, the USM platform triggers an alarm on the AlienVault USM
console, ready for triage and response by the security team. Even though these changes might not require a
response, it’s important to monitor all activity to first determine a baseline and then detect any abnormalities like
policy violations or potential system compromise.

AlienVault USM’s implementation of host-based IDS and file integrity monitoring enables you to monitor all user
activity on your critical systems. These events are forensically captured, processed, and correlated with other data to
provide the necessary context you need for effective incident response.

Delivering a Complete Security Management Platform


As mentioned, file integrity monitoring and host intrusion detection are just a few of the capabilities that AlienVault
USM uses to protect your environment. With the ability to perform vulnerability scanning, behavioral monitoring, and
aggregate and correlate data from nearly every system and network device, it contains the critical elements to secure
your environment.

Helping you to identify, triage, and prioritize threats, AlienVault USM delivers rich graphical dashboards to quickly
identify deviations from operational baselines that require additional investigation.

Multiple Deployment Options to Meet Your Needs


Whether your IT infrastructure resides in your data center, a public cloud, a virtualized private cloud, or any
combination of those, AlienVault offers two products to meet your needs:

›› AlienVault USM Anywhere™, our cloud-based, SaaS-delivered solution designed to monitor your on-premises,
cloud, and hybrid cloud environments from the AlienVault Secure Cloud. Software-based sensors are deployed into
your infrastructure to find assets, discover vulnerabilities, detect intrusions, and collect data from your applications,
systems, and devices to perform threat detection and provide you the tools to respond to discovered incidents.

›› AlienVault USM Appliance™, our appliance-based solution designed for organizations that require dedicated on-
premises monitoring from their own data centers. A virtual or hardware-based USM Appliance server is deployed
into your data center and hardware or software-based sensors are deployed into the rest of your infrastructure to
provide the monitoring and data collection capabilities.

Include File Integrity Monitoring as part of your Comprehensive IT Security Management Program

File integrity monitoring is a powerful security monitoring capability that should be part of the IT defense portfolio
of any organization. That said, given the continually changing threat landscape, the speed of attacks, and the many
ways in which they can happen, file integrity monitoring should not be your only defense mechanism; it should be one
security control within a unified approach that gives your organization optimal protection.


With AlienVault USM Anywhere or AlienVault USM Appliance, organizations are able to gain the benefits of file
integrity monitoring in a unified platform that also delivers asset discovery, vulnerability assessment, intrusion
detection, behavioral monitoring, SIEM and Log Management – all through a single, unified solution. Only with these
five security essentials can organizations truly mitigate the IT security risk from today’s threats. With the AlienVault
USM approach, along with the integrated real-time security intelligence, the effectiveness of the final solution is
multiplied compared to deploying multiple point solutions to try to achieve the same effect – all at reasonable cost.

[Figure: AlienVault USM capability overview]
• SIEM: Log Management; OTX threat data; SIEM Event Correlation; Incident Response
• Asset Discovery: Active & Passive Network Scanning; Asset Inventory; Software Inventory
• Behavioral Monitoring: NetFlow Analysis; Service Availability Monitoring
• Vulnerability Assessment: Continuous Vulnerability Monitoring; Authenticated / Unauthenticated Active Scanning; Remediation Verification
• Intrusion Detection: Network IDS; Host IDS; File Integrity Monitoring (FIM)
• AlienVault Labs Threat Intelligence (center of the diagram)

Next Steps: Play, share, enjoy!

• Learn more about file integrity monitoring with AlienVault USM
• Explore our online demo
• Start detecting threats today with a free trial
• Join the Open Threat Exchange
