IT security is a hot topic. The news is bursting with stories of security breaches, data theft or ransomware. Some will argue that all of these are simply a sign of our times but it doesn’t change the fact that when you’re tasked with maintaining any kind of IT environment, protecting against such threats is an important part of the job.
For that reason, File Integrity Monitoring (FIM) software has almost become an indispensable tool for any organization. Its primary purpose is to ensure that any unauthorized or unexpected file change is quickly identified. It can help improve overall data security, which is important for any company and shouldn’t be ignored.
Today, we’ll start off by having a brief look at File Integrity Monitoring. We’ll do our best to explain in simple terms what it is and how it works. We’ll also have a look at who should be using it. It will most likely not come as a big surprise to find out that anyone can benefit from it and we’ll see how and why. And once we’re all on the same page about File Integrity Monitoring, we’ll be ready to jump into the core of this post and briefly review some of the best tools the market has to offer.
What Is File Integrity Monitoring?
At its core, file integrity monitoring is a key element of an IT security management process. The main concept behind it is to ensure that any modification to a file system is accounted for and that any unexpected modification is quickly identified.
While some systems offer file integrity monitoring in real time, it tends to have a higher impact on performance. For that reason, a snapshot-based system is often preferred. It works by taking a snapshot of a file system at regular intervals and comparing it to the previous one or to a previously established baseline. No matter how the detection functions (real-time or not), whenever a detected change suggests some sort of unauthorized access or malicious activity (such as a sudden change in file size or access by a specific user or group of users), an alert is raised and/or some form of remediation process is launched. It could range from popping an alert window to restoring the original file from a backup or blocking access to the endangered file.
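To make the snapshot-based approach concrete, here is a small baseline-and-compare checker. This is an added example written for this post; it is not code from any of the products reviewed below. It records a content digest plus the usual metadata (size, mode, owner, group, mtime, symlink target) for every entry under a directory, stores that as the baseline, and on a later scan reports added, removed and modified entries together with which attributes changed. The directory tree, file names and "tampering" in the demo are constructed for illustration.

```python
"""Snapshot-based file integrity checking (baseline, re-scan, compare).
Added example; not taken from any product reviewed on this page."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fingerprint(path: Path) -> dict:
    """Content digest plus the metadata a FIM tool typically watches."""
    st = os.lstat(path)  # lstat: describe symlinks themselves, do not follow them
    entry = {
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        entry["sha256"] = sha256_file(path)
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def snapshot(root) -> dict:
    """Fingerprint every directory, file and symlink below root, keyed by relative path."""
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            snap[p.relative_to(root).as_posix()] = fingerprint(p)
    return snap


def save_baseline(snap: dict, baseline_file) -> None:
    """Persist the baseline. Keep it off-host or read-only in practice, otherwise
    whoever tampers with the files can simply re-baseline afterwards."""
    Path(baseline_file).write_text(json.dumps(snap, sort_keys=True, indent=1))


def load_baseline(baseline_file) -> dict:
    return json.loads(Path(baseline_file).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; 'modified' maps each path to the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    work = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    tree = work / "tree"
    (tree / "etc").mkdir(parents=True)
    passwd, hosts = tree / "etc" / "passwd", tree / "etc" / "hosts"
    passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
    hosts.write_text("127.0.0.1 localhost\n")
    os.chmod(hosts, 0o644)
    save_baseline(snapshot(tree), work / "baseline.json")

    # Simulated unauthorized activity after the baseline was taken (constructed).
    with open(passwd, "a") as fh:            # extra account appended
        fh.write("backdoor:x:0:0::/root:/bin/sh\n")
    os.chmod(hosts, 0o600)                   # permission change only
    (tree / "etc" / "evil.sh").write_text("#!/bin/sh\n")  # new file dropped

    return compare(load_baseline(work / "baseline.json"), snapshot(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it prints the new file under "added", the appended passwd file under "modified" with its size and digest (and usually mtime) flagged, and the hosts file with only "mode" flagged. The same comparison routine works against any older baseline, which is how a scheduled scan, rather than a real-time hook, detects changes after the fact.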
Who Is File Integrity Monitoring For?
The quick answer to this question is anyone. Really, any organization can benefit from using File Integrity Monitoring software. However, many will choose to use it because they are in a situation where it is mandated. For instance, File Integrity Monitoring software is either required or strongly indicated by certain regulatory frameworks such as PCI DSS, Sarbanes-Oxley, or HIPAA. Concretely, if you’re in the financial or health care sectors, or if you process payment cards, File Integrity Monitoring is more of a requirement than an option.
Likewise, although it might not be mandatory, any organization dealing with sensitive information should strongly consider File Integrity Monitoring software. Whether you are storing client data or trade secrets, there is an obvious advantage in using these types of tools. It could save you from all sorts of mishaps.
But File Integrity Monitoring is not only for large organizations. Although large enterprises and medium-sized businesses alike tend to be aware of the importance of File Integrity Monitoring software, small businesses should certainly consider it as well. This is particularly true when you take into account that there are File Integrity Monitoring tools that will fit every need and budget. In fact, several tools on our list are free and open-source.
The Best File Integrity Monitoring Software
There are countless tools that offer File Integrity Monitoring functionality. Some of them are dedicated tools that basically do nothing else. Others are broad IT security solutions that integrate File Integrity Monitoring along with other security-related functionality. We’ve tried to incorporate both kinds of tools on our list. After all, File Integrity Monitoring is often part of an IT security management effort that does include other functions. Why not go for an integrated tool, then?
1. SolarWinds Security Event Manager
Many network and system administrators are familiar with SolarWinds. After all, the company has been making some of the best tools for about twenty years. Its flagship product, called the SolarWinds Network Performance Monitor, is considered one of the best such tools on the market. And to make things even better, SolarWinds also publishes free tools that address some specific network administration tasks.
While SolarWinds does not make a dedicated file integrity monitoring tool, its Security Information and Event Management (SIEM) tool, the SolarWinds Security Event Manager, includes a very good file integrity monitoring module. This product is definitely one of the best entry-level SIEM systems on the market. The tool has almost everything one would expect from a SIEM tool. This includes excellent log management and correlation features as well as an impressive reporting engine and, of course, file integrity monitoring.
When it comes to file integrity monitoring, the SolarWinds Security Event Manager can show which users are responsible for which file changes. It can also track additional user activities, letting you create various alerts and reports. The tool’s homepage sidebar can display how many change events have occurred under the Change Management header. Whenever something looks suspicious and you want to dig deeper, you have the option of filtering events by keyword.
The tool also boasts excellent event response features which leave nothing to be desired. For instance, the detailed real-time response system will actively react to every threat. And since it’s based on behaviour rather than signature, you’re protected against unknown or future threats and zero-day attacks.
In addition to an impressive feature set, the SolarWinds Security Event Manager’s dashboard is certainly worth discussing. With its simple design, you’ll have no trouble finding your way around the tool and quickly identifying anomalies. Starting at around $4 500, the tool is more than affordable. And if you want to try it and see how it works in your environment, a free fully functional 30-day trial version is available for download.
2. OSSEC
OSSEC, which stands for Open Source Security, is one of the best-known open-source host-based intrusion detection systems. The product is owned by Trend Micro, one of the leading names in IT security and maker of one of the best virus protection suites. And if the product is on this list, rest assured that it also has very decent file integrity monitoring functionality.
When installed on Linux or Mac OS operating systems, the software primarily focuses on log and configuration files. It creates checksums of important files and periodically validates them, alerting you whenever something odd happens. It will also monitor and alert on any abnormal attempt at getting root access. On Windows hosts, the system also keeps an eye out for unauthorized registry modifications, which could be a tell-tale sign of malicious activity.
When it comes to file integrity monitoring, OSSEC has a specific functionality called Syscheck. The tool runs every six hours by default and it checks for changes to the checksums of key files. The module is designed to reduce CPU usage, making it a potentially good option for organizations requiring a file integrity management solution with a small footprint.
By virtue of being a host-based intrusion detection system, OSSEC needs to be installed on each computer (or server) you want to protect. This is the main drawback of such systems. However, a centralized console is available which does consolidate information from each protected computer for easier management. That OSSEC console only runs on Linux or Mac OS operating systems. However, an agent is available to protect Windows hosts. Any detection will trigger an alert which will be displayed on the centralized console while notifications will also be sent by email.
3. Samhain File Integrity
Samhain is a free host intrusion detection system which provides file integrity checking and log file monitoring/analysis. In addition, the product also performs rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. This tool has been designed to monitor multiple systems with various operating systems with centralized logging and maintenance. However, Samhain can also be used as a stand-alone application on a single computer. The tool can run on POSIX systems like Unix, Linux or Mac OS. It can also run on Windows under Cygwin although only the monitoring agent and not the server has been tested in that configuration.
On Linux hosts, Samhain can leverage the inotify mechanism to monitor file system events in real time. This lets you receive immediate notifications about changes and eliminates the need for frequent file system scans, which may cause a high I/O load. In addition, various checksums can be computed, such as TIGER192, SHA-256, SHA-1 or MD5. File size, mode/permission, owner, group, timestamp (creation/modification/access), inode, number of hard links and linked path of symbolic links can also be checked. The tool can even check more “exotic” properties such as SELinux attributes, POSIX ACLs (on systems supporting them), Linux ext2 file attributes (as set by chattr, such as the immutable flag), and the BSD file flags.
One of Samhain’s unique features is its stealth mode, which allows it to run without being detected by potential attackers. Too often, intruders kill detection processes they recognize, allowing them to go unnoticed. This tool uses steganography techniques to hide its processes from others. It also protects its central log files and configuration backups with a PGP key to prevent tampering. Overall, this is a very complete tool offering much more than just file integrity monitoring.
4. Tripwire File Integrity Manager
Next is a solution from Tripwire, a company that enjoys a solid reputation in IT security. When it comes to file integrity monitoring, Tripwire File Integrity Manager (FIM) has a unique capability to reduce noise by providing multiple ways of separating low-risk changes from high-risk ones while assessing, prioritizing and reconciling detected changes. By automatically promoting numerous business-as-usual changes, the tool reduces the noise so you have more time to investigate changes that may truly impact security and introduce risk. Tripwire FIM uses agents to continuously capture complete who, what, and when details in real time. This helps ensure that you detect all changes, capture details about each one, and use those details to determine the security risk or non-compliance.
Tripwire gives you the ability to integrate File Integrity Manager with many of your security controls: security configuration management (SCM), log management and SIEM tools. Tripwire FIM adds components that tag and manage the data from these controls more intuitively and in ways that better protect data. For example, the Event Integration Framework (EIF) adds valuable change data from File Integrity Manager to Tripwire Log Center or almost any other SIEM. With EIF and other foundational Tripwire security controls, you can easily and effectively manage the security of your IT infrastructure.
Tripwire File Integrity Manager uses automation to detect all changes and to remediate those that take a configuration out of policy. It can integrate with existing change ticketing systems like BMC Remedy, HP Service Center or ServiceNow, allowing for quick audit. This also ensures traceability. Furthermore, automated alerts trigger user-customized responses when one or more specific changes together reach a severity threshold that one change alone wouldn’t cause, for instance a minor content change accompanied by a permission change that was done outside of a planned change window.
5. AFICK (Another File Integrity Checker)
Next is an open-source tool from developer Eric Gerbier called AFICK (Another File Integrity Checker). Although the tool claims to offer similar functionality to Tripwire, it is a much cruder product, much in the vein of traditional open-source software. The tool can monitor any changes in the file systems it watches. It supports multiple platforms such as Linux (SUSE, Red Hat, Debian and more), Windows, HP Tru64 Unix, HP-UX, and AIX. The software is designed to be quick and portable and it can work on any computer supporting Perl and its standard modules.
As for AFICK’s functionality, here’s an overview of its main features. The tool is easy to install and doesn’t require any compilation or the installation of many dependencies. It is also a fast tool, due in part to its small size. Despite that small size, it will display new, deleted, and modified files as well as any dangling links. It uses a simple text-based configuration file which supports exceptions and wildcards and uses a syntax that is very similar to Tripwire’s or AIDE’s. Both a Tk-based graphical user interface and a Webmin-based web interface are available if you’d rather stay away from a command-line tool.
AFICK (Another File Integrity Checker) is entirely written in Perl for portability and source access. And since it is open-source (released under the GNU General Public License), you are free to add functionality to it as you see fit. The tool uses MD5 for its checksum needs, as it is quick and built into all Perl distributions, and instead of a clear-text database it uses dbm.
6. AIDE (Advanced Intrusion Detection Environment)
Despite a rather misleading name, AIDE (Advanced Intrusion Detection Environment) is actually a file and directory integrity checker. It works by creating a database from the regular expression rules that it finds in its configuration file. Once the database is initialized, it uses it to verify the integrity of files. The tool supports several message digest algorithms which can be used to check the integrity of the files. Furthermore, all of the usual file attributes can be checked for inconsistencies. It can also read databases from older or newer versions.
Feature-wise, AIDE is rather complete. It supports multiple message digest algorithms such as md5, sha1, rmd160, tiger, crc32, sha256, sha512, and whirlpool. The tool can check several file attributes including file type, permissions, inode, uid, gid, link name, size, block count, number of links, mtime, ctime and atime. It also supports POSIX ACLs, SELinux, XAttrs and extended file system attributes. For the sake of simplicity, the tool uses plain text configuration files as well as a plain text database. One of its most interesting features is its support of powerful regular expressions, allowing you to selectively include or exclude files and directories to be monitored. This feature alone makes it a very versatile and flexible tool.
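The regular-expression include/exclude rules described above are worth seeing in code, because they are also where the noise reduction comes from: a log file is expected to change content constantly, so only its permissions and ownership should be verified, while a configuration file should be checked down to its digest. The following is an added example with deliberately simplified, assumed semantics; it is not AIDE’s own parser or matching logic, and the attribute letters, group names (PERMS, LOGS, STATIC), rule syntax and sample records are all constructed for illustration.

```python
"""Rule-driven attribute selection in the style of an AIDE-like configuration.
Added example with simplified, assumed semantics; not AIDE's own parser or
matching logic. Checking only the attributes that matter for each path is what
stops a FIM baseline from alerting on every routine write to a log file."""
import re
from dataclasses import dataclass

# Attribute letters loosely modelled on AIDE's (assumed): p=permissions, u=uid,
# g=gid, s=size, m=mtime, i=inode, n=link count, sha256=content digest.
GROUPS = {
    "PERMS": {"p", "u", "g"},
    "LOGS": {"p", "u", "g", "i", "n"},                       # content is expected to change
    "STATIC": {"p", "u", "g", "s", "m", "i", "n", "sha256"},
}

# Constructed ruleset. Each regex is matched from the start of the path;
# a leading '!' excludes the path from monitoring entirely.
RULES_TEXT = r"""
!/var/log/.*\.gz$
/var/log   LOGS
/etc       STATIC
/tmp       PERMS
!/tmp/cache
"""


@dataclass
class Rule:
    exclude: bool
    pattern: re.Pattern
    attrs: frozenset


def parse_rules(text: str) -> list:
    """Turn the rule text into Rule objects; blank lines and '#' lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            rules.append(Rule(True, re.compile(line[1:].strip()), frozenset()))
        else:
            regex, group = line.split()
            rules.append(Rule(False, re.compile(regex), frozenset(GROUPS[group])))
    return rules


def select_attrs(path: str, rules: list):
    """Return None if the path is excluded, else the attribute set to verify.
    Assumed semantics: any matching '!' rule excludes; among include rules the
    last match wins, so general rules come first and specific overrides later."""
    chosen = None
    for rule in rules:
        if not rule.pattern.match(path):
            continue
        if rule.exclude:
            return None
        chosen = rule.attrs
    return chosen


def changed_attrs(path: str, baseline: dict, current: dict, rules: list):
    """Attributes that differ between two records, restricted to the selected set.
    None means the path is not monitored; an empty list means nothing to report."""
    attrs = select_attrs(path, rules)
    if attrs is None:
        return None
    return sorted(a for a in attrs if baseline.get(a) != current.get(a))


def demo() -> dict:
    """Constructed records standing in for stat()+digest output of two scans."""
    rules = parse_rules(RULES_TEXT)
    log_old = {"p": "-rw-r-----", "u": 0, "g": 4, "i": 1001, "n": 1,
               "s": 4096, "m": 1700000000, "sha256": "constructed-digest-1"}
    log_append = dict(log_old, s=8192, m=1700003600, sha256="constructed-digest-2")
    log_chmod = dict(log_old, p="-rw-rw-rw-")
    cfg_old = {"p": "-rw-r--r--", "u": 0, "g": 0, "i": 2002, "n": 1,
               "s": 3200, "m": 1690000000, "sha256": "constructed-digest-3"}
    cfg_edit = dict(cfg_old, s=3250, m=1700007200, sha256="constructed-digest-4")
    return {
        "log_write": changed_attrs("/var/log/auth.log", log_old, log_append, rules),
        "log_perms": changed_attrs("/var/log/auth.log", log_old, log_chmod, rules),
        "config_edit": changed_attrs("/etc/ssh/sshd_config", cfg_old, cfg_edit, rules),
        "rotated_log": changed_attrs("/var/log/old.log.gz", log_old, log_append, rules),
        "tmp_cache": changed_attrs("/tmp/cache/sess", cfg_old, cfg_edit, rules),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The routine append to the log produces no finding, the world-writable permission on the same log does, the configuration edit reports mtime, size and digest, and the rotated archive and cache directory are never examined at all. Exclusion rules win regardless of their position in the file, which keeps a broad include such as /tmp from accidentally pulling a noisy subtree back into scope.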
The product, which has been around since 1999, is still actively developed, and the latest version (0.16.2) is only a few months old. It is available under the GNU General Public License and it will run on most modern variants of Linux.
7. Qualys File Integrity Monitoring
Qualys File Integrity Monitoring from security giant Qualys is a “cloud solution for detecting and identifying critical changes, incidents, and risks resulting from normal and malicious events.” It comes with out-of-the-box profiles which are based on the industry’s best practices and on vendor-recommended guidelines for common compliance and audit requirements, including PCI DSS.
Qualys File Integrity Monitoring detects changes efficiently in real time, using approaches similar to those used in anti-virus technologies. Change notifications can be created for entire directory structures or at the file level. The tool uses existing OS kernel signals to identify accessed files instead of relying on compute-intensive approaches. The product can detect the creation or removal of files or directories, the renaming of files or directories, changes to file attributes, changes to file or directory security settings such as permissions, ownership, inheritance, and auditing, or changes to file data stored on the disk.
It is a multi-tiered product. The Qualys Cloud Agent continuously monitors the files and directories specified in your monitoring profile and it captures critical data to help identify what changed along with environment details such as which user and which process was involved in the change. It then sends the data to the Qualys Cloud Platform for analysis and reporting. One of the advantages of this approach is that it works the same whether the systems are on-premises, in the cloud, or remote.
File Integrity Monitoring can be easily activated on your existing Qualys Agents, and start monitoring for changes locally with minimal impact to the endpoint. The Qualys Cloud Platform allows you to easily scale to the largest environments. Performance impact on the monitored endpoints is minimized by efficiently monitoring for file changes locally and sending the data to the Qualys Cloud Platform where all the heavy work of analysis and correlation occur. As for the Qualys Cloud Agent, it is self-updating and self-healing, keeping itself up to date with no need to reboot.