Those of you in IT administration (particularly IT security) know the challenges involved with protecting corporate data stored in your network. You also know that you regularly face an onslaught of new and sophisticated hacking methods, malware, and other threats. It is an uphill task to safeguard data—especially the files stored in workstations and servers.
We are seeing a surge of data breaches across all industries that incur both financial and reputational losses for companies. Whether an intrusion is external or initiated by an internal source, the ramifications are equally detrimental. This is why we have compliance standards (PCI DSS, HIPAA, NERC, SOX, etc.) that make it mandatory to monitor, detect, and prevent threats to sensitive information such as intellectual property assets, software code and programs, financial and earnings data, and sensitive customer information including account credentials and passwords. Aside from costs of security breaches, the penalty costs for compliance violations are also colossal.
This is where File Integrity Monitoring (FIM) will help. FIM monitors your files, alerts you about file accesses and changes, and protects files and data from attacks. FIM applies to all types of system files including key content/data files, database files, Web files, audio/video files, system binaries, configuration files, and system registries.
As part of your FIM efforts, you need real-time information about:
- When files were accessed/created/modified/moved/deleted
- Changes in file sizes and versions
- User login information for file access and file modifications
- Changes to attributes such as Read-Only, Hidden, etc.
- Changes to security access permissions
- Changes to directories and registry keys
- Changes to the file’s group ownership
To obtain this information, you can listen to the operating system events generated by file activity and by user access to files. However, sifting through the hundreds or thousands of file events this produces to identify the specific violations that matter is a formidable task.
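A minimal illustration of the baseline-and-compare step behind these checks, added here as an example and not code from the post or from any SolarWinds product: it records hash, size, permission bits and owner for each file, then reports created, deleted, modified, resized, re-permissioned and re-owned files. The sample directory and the changes applied to it are constructed inside demo(); the file names and contents are assumptions for the demo only.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Hash, size, permission bits and owner of every regular file under root."""
    baseline = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # rwx bits only
                "owner": (st.st_uid, st.st_gid),
            }
    return baseline

def diff(baseline, current):
    """Return (relative path, event) pairs for every difference between snapshots."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None or new is None:
            events.append((rel, "created" if old is None else "deleted"))
            continue
        if old["sha256"] != new["sha256"]:
            events.append((rel, "content modified"))
        if old["size"] != new["size"]:
            events.append((rel, f"size {old['size']} -> {new['size']}"))
        if old["mode"] != new["mode"]:
            events.append((rel, f"permissions {old['mode']:o} -> {new['mode']:o}"))
        if old["owner"] != new["owner"]:
            events.append((rel, "ownership changed"))
    return events

def demo():
    """Constructed sample tree: snapshot, apply typical changes, snapshot again."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "app.conf").write_text("debug=false\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "old.log").write_text("rotated\n")
        os.chmod(etc / "hosts", 0o644)
        before = snapshot(root)
        (etc / "app.conf").write_text("debug=true\n")  # content and size change
        os.chmod(etc / "hosts", 0o666)                  # permission bits widened
        (etc / "old.log").unlink()                      # deletion
        (etc / "new.conf").write_text("x")              # creation
        return diff(before, snapshot(root))
```

A real FIM agent would take the "current" snapshot from OS file events rather than rescanning, and would attach the user login that caused each event, which is the correlation the next section describes.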
Real-Time File Integrity Monitoring Embedded with SIEM
Security Information and Event Management (SIEM) systems already gather log data for real-time security analytics. By integrating FIM with SIEM, you gain a view of your IT infrastructure that makes it possible to identify the root causes of file access events and to stop advanced threats that are difficult to detect without SIEM.
Some benefits of combining FIM with SIEM include:
- User-aware File Integrity Monitoring: Complete user-activity monitoring. System, Active Directory®, and file audit events are correlated to obtain information about which user login accessed and changed a file. You can also identify other user activities before and after the files were accessed and modified.
- Data loss prevention: By correlating file audit events with other log data gathered by SIEM, you gain advanced threat intelligence to help pinpoint breach attempts. With SIEM’s remediation capabilities, you can automate responsive actions (shut down systems, detach USB devices, disconnect the system from the network, log off users, delete user accounts, etc.) to prevent breaches and safeguard data.
- Zero-day malware detection: Malware is one of the primary threats against file integrity and safety. SIEM detects zero-day malware via AV and IDS/IPS logs and correlates them with file audit events. This enables you to stop the malware in its tracks before it harms your secure files. You can use SIEM’s incident-response actions to kill malicious processes or quarantine systems for complete endpoint protection.
- Continuous compliance support: FIM is a key requirement for many compliance regulations. SIEM systems offer out-of-the-box compliance templates to help you with compliance audits. Given that FIM results are included in your compliance reports, you can demonstrate to auditors that you have complete network information security and adhere to compliance regulations.
A significant benefit of combining file audit events with SIEM is that SIEM systems enable you to reduce the noise of unnecessary events. You can set up custom rules to alert you only when predefined correlation conditions are met. This eliminates the complexity of manually sifting through a barrage of file audit events.
Learn more about the new real-time file integrity monitoring feature in SolarWinds® Log & Event Manager version 6.0.