How to Improve Compliance with File Integrity Monitoring
File integrity monitoring (FIM) exists because change is inescapable for most organizations. Whether in a company’s hardware assets, software programs, configuration states, permissions, or personnel, change is the one constant within IT environments. Some of these modifications are authorized; others are cause for concern precisely because they are unexpected. This is why FIM is considered a vital requirement in security compliance frameworks: it helps identify unexpected or malicious activity across critical system files and protects business assets.
Monitoring critical system files, configuration files, and content files for unusual or unauthorized activity is one of the core requirements of PCI-DSS, the payment card industry’s security standard. As such, file integrity monitoring is a necessary activity for companies that process or store credit card data. Security teams can choose from any number of endpoint security tools to handle FIM for PCI compliance, but some solutions do more than others.
The ubiquity of payment cards for personal electronic transactions has changed the security equation in a fundamental way, especially now that COVID-19 has exponentially increased online payment transactions and shifted the workforce to remote work. Any compromise in system security is likely to have far-reaching consequences, both in terms of financial loss and the damage to an organization’s reputation. Protecting personal cardholder information is of paramount importance.
Threat actors often employ sophisticated malware to alter registry files and other critical data on enterprise servers for malicious purposes. Once they gain privileged access, they can compromise vital business data and personally identifiable information or disrupt mission-critical applications without being detected. This is the main reason security practitioners and IT teams in enterprises consider file integrity monitoring an important layer of defense against a range of malware and threat vectors.
To protect cardholder data, PCI-DSS outlines a set of 12 requirements that apply to all businesses which store, process, or transmit payment card data. While some of these requirements have to do with physical processes, two of them, requirements 10 and 11, provide specific guidelines on how to protect the data stored within computer networks:
- Requirement 10.5.5 requires businesses to “use file integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).”
- Requirement 11.5 requires businesses to “deploy a change detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”
To address these PCI requirements, security teams employ file integrity monitoring software or other security software with embedded FIM capability. FIM tools monitor all file modifications, including additions (creation of new files), changes, and deletions, and alert specified personnel when unauthorized changes to files and directories occur. Without FIM, unauthorized changes can result in other security controls becoming ineffective, leading to stolen cardholder data without any perceived impact.
FIM software is an important requirement of compliance standards like PCI DSS, GDPR, and HIPAA. This makes FIM non-negotiable for financial organizations, card payment processors, and the health care sector. Any organization working with sensitive information should consider FIM a priority; this is especially important for companies dealing with client data.
In this context, File Integrity Monitoring should be considered an essential security requirement, not just for PCI compliance, but to preserve the integrity of all NonStop systems.
Key File Integrity Monitoring Concerns:
- Detecting suspicious activity and malicious attacks
The key concern for monitoring files is to quickly discover any external threats that might cause damage to your critical systems and applications.
- Identifying inadvertent or unwanted changes
Let’s face it, human error is inevitable, accidents happen, and users can unintentionally make changes that will detrimentally affect files. This is another great reason to ensure that you are monitoring your files.
- Complying with regulations
Of course, you must also check your files to comply with regulations such as PCI DSS, SOX, and GDPR. You must also have the ability to provide any reports requested by regulators.
Advantages of Running a Successful File Integrity Monitoring Program
FIM solutions monitor file changes on servers, databases, network devices, directory servers, applications, cloud environments, and virtual images, and alert you to unauthorized changes. A strong FIM solution uses change intelligence to notify you only when needed, along with business context and remediation steps. FIM helps you meet many regulatory compliance standards like PCI-DSS, GDPR, SOX, and HIPAA, as well as best practice frameworks like the CIS security benchmarks.
Steps for Successfully Implementing File Integrity Monitoring:
- Setting a policy
FIM begins when an organization defines a relevant policy. This step involves identifying which files the company needs to monitor on which computers.
- Establishing a baseline for files
Before they can actively monitor files for changes, organizations need a reference point against which they can detect alterations. Companies should document a baseline or a known “good state” for files that will fall under their FIM policy. This standard should take into account the version, creation date, modification date, and other data that can help IT professionals assure that the file is legitimate.
- Monitoring changes
With a detailed baseline, enterprises can proceed to monitor all designated files for changes. They can augment their monitoring processes by auto-promoting expected changes, thereby minimizing false positives.
- Sending an alert
If their file integrity monitoring solution detects an unauthorized change, those responsible for the process should send out an alert to the relevant person who can fix the issue.
- Reporting results
Organizations that use FIM to ensure PCI DSS compliance need to generate reports for audits that validate the deployment of their file integrity monitoring solution.
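As an added illustration (this is example code written for this page, not code from the article or from Verify Elite), the following Python sketch walks through the steps above: a policy naming which tree to watch and which files are append-only logs, a baseline of SHA-256 digests with size and mode, a comparison pass that classifies each path as added, deleted, modified, permissions-changed, appended or unchanged, auto-promotion of expected log growth, and an alert report. It also implements the rule from requirement 10.5.5 quoted earlier: a log may grow, but any rewrite or truncation of bytes already covered by the baseline raises an alert. The directory layout, file names and contents in `demo()` are constructed for the demonstration.

```python
"""Minimal file integrity monitor: policy, baseline, compare, promote, alert.
Added example; not the article's or any product's code."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

CHUNK = 65536
QUIET = {"unchanged", "appended"}  # statuses that should not page anyone


def file_digest(path: Path, length: Optional[int] = None) -> str:
    """SHA-256 over the first `length` bytes of path (whole file when None)."""
    h = hashlib.sha256()
    remaining = path.stat().st_size if length is None else length
    with path.open("rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def scan(root: Path) -> List[str]:
    """All regular files under root as sorted, slash-separated relative paths."""
    return sorted(str(p.relative_to(root)).replace(os.sep, "/")
                  for p in root.rglob("*") if p.is_file())


def build_baseline(root: Path, append_only: Iterable[str] = ()) -> Dict[str, dict]:
    """Record the known-good state of every file under root.
    The digest is the authority; size and mode are kept for reporting and for
    permission-only changes. Timestamps are not trusted: whoever can rewrite a
    file can usually reset them as well."""
    append_only = set(append_only)
    baseline = {}
    for rel in scan(root):
        st = (root / rel).stat()
        baseline[rel] = {"size": st.st_size,
                         "mode": stat.S_IMODE(st.st_mode),
                         "sha256": file_digest(root / rel),
                         "append_only": rel in append_only}
    return baseline


def compare(root: Path, baseline: Dict[str, dict]) -> Dict[str, str]:
    """Classify every path that appears in the baseline or on disk."""
    findings = {}
    on_disk = set(scan(root))
    for rel in sorted(on_disk | set(baseline)):
        if rel not in baseline:
            findings[rel] = "added"
            continue
        if rel not in on_disk:
            findings[rel] = "deleted"
            continue
        entry, p = baseline[rel], root / rel
        size = p.stat().st_size
        if entry["append_only"]:
            # Req. 10.5.5: growth is fine as long as the bytes the baseline
            # already covered hash to the same value. Truncation or a rewrite
            # of old records therefore lands in "modified".
            if size >= entry["size"] and file_digest(p, entry["size"]) == entry["sha256"]:
                findings[rel] = "appended" if size > entry["size"] else "unchanged"
            else:
                findings[rel] = "modified"
        elif size != entry["size"] or file_digest(p) != entry["sha256"]:
            findings[rel] = "modified"
        elif stat.S_IMODE(p.stat().st_mode) != entry["mode"]:
            findings[rel] = "permissions_changed"
        else:
            findings[rel] = "unchanged"
    return findings


def promote(root: Path, baseline: Dict[str, dict], findings: Dict[str, str]) -> None:
    """Re-anchor append-only logs that only grew, so the next run stays quiet."""
    for rel, status in findings.items():
        if status == "appended":
            baseline[rel]["size"] = (root / rel).stat().st_size
            baseline[rel]["sha256"] = file_digest(root / rel)


def alerts(findings: Dict[str, str]) -> List[Tuple[str, str]]:
    """(path, status) pairs that need a human, sorted for a stable report."""
    return sorted((rel, s) for rel, s in findings.items() if s not in QUIET)


def demo() -> Dict[str, str]:
    """Constructed scenario: baseline a small tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "logs").mkdir()
        (root / "config" / "app.cfg").write_text("db_host=payments-db\ntls=required\n")
        (root / "logs" / "audit.log").write_text("t=1 login ok\n")
        (root / "logs" / "access.log").write_text("GET /pay 200\n")
        (root / "README").write_text("constructed sample tree\n")
        baseline = build_baseline(root, append_only={"logs/audit.log", "logs/access.log"})
        # Expected: the audit log grows by one record.
        with (root / "logs" / "audit.log").open("a") as f:
            f.write("t=2 login fail\n")
        # Unexpected: an old log record is rewritten in place (same length),
        # a config value is weakened, a file appears, a file disappears.
        (root / "logs" / "access.log").write_text("GET /pay 404\n")
        (root / "config" / "app.cfg").write_text("db_host=payments-db\ntls=off\n")
        (root / "config" / "extra.cfg").write_text("debug=1\n")
        (root / "README").unlink()
        return compare(root, baseline)


if __name__ == "__main__":
    for path, status in alerts(demo()):
        print(f"ALERT {status:<20} {path}")
```

In the constructed run, the grown audit log is reported as `appended` and stays out of the alert list, while the rewritten access log, the edited config, the new file and the deleted file all surface as alerts. Two operational points the sketch leaves to the deployment: the baseline must be stored and signed somewhere the monitored host cannot write to, or an intruder simply re-baselines after tampering; and `promote()` should run only after the growth has been checked against the expected writer, since the whole point of the append-only rule is that existing records never change.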
Things to Look for When Assessing File Integrity Monitoring Tools
To complement the steps described above, organizations should look for additional features in their file integrity monitoring solution. That functionality should include, for example, a lightweight agent that can toggle “on” and “off” and can accommodate additional functions when necessary. The solution should also come with total control over a FIM policy. Such visibility should incorporate:
The Complete Solution for File Integrity Monitoring & Compliance
CSP has the perfect solution to help solve these issues and any others that you may encounter with regards to monitoring the integrity of your files.
Verify Elite® is the complete NonStop compliance and file integrity monitoring solution. It ensures that your NonStop System’s security (Guardian & OSS) meets industry standards and regulations such as PCI DSS, SOX, and GDPR, and is specifically designed to monitor changes to files and generate compliance reports.
Verify Elite’s recent enhancements include a simplified user interface, which makes it easier for you to address the critical file monitoring and compliance reporting requirements for PCI/GDPR. We’ve also added helpful tips across the product and made it even more intuitive to use.
Verify Elite’s Security Compliance Monitor can ensure your compliance with regulations and internal security policies by performing regularly scheduled compliance checks.
And by executing regularly scheduled file integrity checks, Verify Elite’s File Integrity Monitor ensures that any unauthorized changes are immediately identified and reported.
Guardian Result History Screens
What’s New in Verify Elite 2.40
Some key features included in the latest release of Verify Elite are the new “Binder Timestamp” flag for Guardian File Integrity Check and the EMS logging options.
- Pre-built customizable compliance rules
- Monitors both Guardian & OSS files
- Detailed compliance reporting
- Intuitive GUI makes compliance checking & audit reporting easy
- Meets PCI-DSS regulation 11.5
- Easily integrated with enterprise security tools
- Real-time notifications with Alert-Plus
- Multi-Node Fileset Compare
The regular comparison of fileset across nodes should also be a part of the process to ensure the integrity of your files. Verify Elite’s Multi-Node Fileset Compare feature permits the comparison of filesets located either locally or across NonStop nodes. For example, files that are replicated to backup environments need to be regularly compared to production files to ensure their integrity.
Guardian Fileset Result Compare
For complimentary access to CSP-Wiki®, an extensive repository of NonStop security knowledge and best practices, please visit wiki.cspsecurity.com
We Built the Wiki for NonStop Security ®
The CSP Team