File Integrity Monitoring

File integrity monitoring (FIM) is an internal control or process that validates the integrity of operating system and application software files by comparing the current state of each file against a known good baseline. The comparison usually relies on a cryptographic checksum: the hash of each file's original, trusted baseline is recorded, and later the hash of the file's current state is recalculated and compared with it; any difference means the file has changed since the baseline was taken.

Changes to configurations, files and file attributes across the IT infrastructure are common, but hidden within the large volume of daily changes can be the few that affect file or configuration integrity. Such changes can weaken a system's security posture and in some cases are leading indicators of a breach in progress. Values monitored for unexpected changes to files or configuration items include:

  • Credentials
  • Privileges and Security Settings
  • Content
  • Core attributes and size
  • Hash values
  • Configuration values
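The baseline-and-compare method described above, applied to several of the listed attributes (content via its hash, size, and permission bits), as an added example that is not part of the original article. It is a minimal FIM written for this page, not any product's implementation: `snapshot` records a SHA-256 hash, size and mode for every regular file under a directory, `compare` reports which paths were added, removed or modified and which attributes differ, and `demo` builds a small constructed sample tree in a temporary directory so the whole thing runs offline.

```python
import hashlib
import json
import os
import stat
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large files are not loaded whole


def hash_file(path):
    """SHA-256 hex digest of a file's content."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record content hash, size and permission bits for every regular file under root.

    Keys are root-relative paths with '/' separators so a baseline taken on one host
    can be compared against another host with the same layout.
    """
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return state


def compare(baseline, current):
    """Diff two snapshots.

    Returns added and removed paths, plus, for modified paths, the list of
    attributes that differ (content via 'sha256', 'size', 'mode').
    """
    report = {"added": [], "removed": [], "modified": {}}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            changed = [k for k in ("sha256", "size", "mode")
                       if baseline[path][k] != current[path][k]]
            if changed:
                report["modified"][path] = changed
    return report


def demo():
    """Build a constructed sample tree, take a baseline, make four kinds of change
    and return the comparison report. All files and contents are made up for the demo."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {
            "app.conf": "listen=8080\n",
            "notes.txt": "scratch\n",
            "bin/run.sh": "#!/bin/sh\necho hi\n",
        }
        for rel, text in files.items():
            p = os.path.join(root, rel)
            with open(p, "w") as f:
                f.write(text)
            os.chmod(p, 0o644)
        # The baseline is serialised as it would be when stored off-host, then reloaded.
        baseline_json = json.dumps(snapshot(root), indent=2, sort_keys=True)

        # 1. Content change: appending a line alters both the hash and the size.
        with open(os.path.join(root, "app.conf"), "a") as f:
            f.write("debug=true\n")
        # 2. Permission-only change: content and size are identical, only mode bits differ.
        os.chmod(os.path.join(root, "bin", "run.sh"), 0o444)
        # 3. A file appears that was not in the baseline.
        with open(os.path.join(root, "dropped.txt"), "w") as f:
            f.write("x\n")
        # 4. A baselined file disappears.
        os.remove(os.path.join(root, "notes.txt"))

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from `demo` separates a permission-only change (`bin/run.sh`, mode) from a content change (`app.conf`, hash and size), which is why FIM records more than the hash: a file whose content is untouched but which has gained or lost permission bits is still an integrity event. The baseline itself has to live somewhere the monitored host cannot silently rewrite it (off-host, or at least signed), otherwise whoever can modify the files can also modify the record they are compared against.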

Several compliance regimes list file integrity monitoring as a requirement, for example:

  • PCI-DSS - Payment Card Industry Data Security Standard (Requirement 11.5)
  • SOX - Sarbanes-Oxley Act (Section 404)
  • NERC CIP - NERC Standard CIP (System Security R15-R19)
  • FISMA - Federal Information Security Management Act (NIST SP800-53 Rev3)
  • HIPAA - Health Insurance Portability and Accountability Act of 1996 (NIST Publication 800-66)
  • SANS Critical Security Controls (Control 3)

Benefits

FIM detects and reports malicious and unexpected changes to files and the system registry in real time.

  • Monitors critical operating system and application files, directories, registry keys and registry values to detect and report malicious and unexpected changes in real time.
  • Protects the hypervisor from exploits with innovative hypervisor integrity monitoring technology.
  • Reduces administrative overhead with trusted event tagging that automatically replicates actions for similar events across the entire data center.