File Integrity Monitoring

File-integrity monitoring or change-detection systems check for changes to critical files, and notify when such changes are noted. For file-integrity monitoring purposes, an entity usually monitors files that don’t regularly change, but when changed indicate a possible compromise.

Critical files (which rarely changes) of a system includes

• Operating System files, which changes only when there is patch upgrade
• Application files, such as the web application folder
• Configuration files

Any unauthorized changes to the above will result in a potential security breach. FIM (File Integrity Monitoring) is the solution to detect such unauthorized changes.

Let us take a look at the requirements from the PCI DSS Standard

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

10.6.1 Review the following at least daily (Refer the guidance section of the requirement)

11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.

12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.

In summary, the FIM solution should detect and notify any unauthorized changes to critical files, it should be monitored daily and the organization should have an incident response plan to address such security incidents.

Let review some of the File Integrity Monitoring tools

Windows File Integrity Monitoring Software

• OSSEC is an agent based File integrity Monitoring software  that can be installed in both Windows and Unix platforms
• SolarWinds have an agent based solution to address the requirement of FIM
• CIMTrack is a solution from CIMCOR which can work as both Agent based and/or agentless file integrity monitoring solution.
• Tripwire is another player, which can help you with file integrity management in Windows
• NNT Change tracker enterprise is another solution you can use as a FIM in Windows servers
• Verisys from IONYX is another windows based file integrity solutions for PCI compliance
• nCircle is another commercial alternative for the File Integrity software

PCI File Integrity Monitoring – Open Sources

• OSSEC is an open source file integrity monitoring software which has clients in both Linux and windows platforms.
• SAMHAIN is another open source file integrity manager.
• Open Source Tripwire is an early fork of the original Tripwire code and is still an opensource solution
• AFICK Replaces Tripwire, when it became commercial, to offer “another file integrity checker” solution as an opensource alternative
• AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker

PCI File Integrity Monitoring Compensating Controls

There are no standard set of compensating controls that suits to all the clients. Compensating controls will always depend on the specifics of your situation, so you should work with your QSA to determine whether an approach is viable or not. However, one of the methods we have found useful when looking for a compensating controls for requirement 11.5 is the effective use of end points. Configure the endpoint security software to go beyond the intent and achieve what is expected out of 11.5.

I would like to hear more about the compensating controls of 11.5. Do you have any such experience? Please share.