File Integrity Monitoring
Overview
Implementing file integrity monitoring to detect unauthorized changes to critical system files and directories, helping to ensure data integrity and security.
Sample products
- Tripwire Enterprise
- McAfee File Integrity Monitor
- Netwrix Auditor ?
Use Case Categories
| Category | Description |
|---|---|
| Configuration Auditing | Perform regular file integrity audits and assessments to verify the integrity and security of file systems, directories, and critical files. Conduct periodic scans, integrity checks, and vulnerability assessments to identify security weaknesses and vulnerabilities. |
| Change Management | Monitor changes to software installations, application updates, and system patches to ensure compliance with change management policies and procedures. Detect unauthorized software installations, system modifications, or configuration changes that could impact system stability or security. |
| Insider Threat Detection | Identify anomalies in user behavior to prevent insider threats |
Core Use Cases
| Alert Name | Description |
|---|---|
| Unauthorized File System Changes Detection | Monitor File Integrity Monitoring (FIM) logs for unauthorized modifications to critical system files or configurations. |
| Abnormal File Access Patterns | Analyze File Integrity Monitoring (FIM) logs for abnormal access patterns to sensitive files or directories. |
| Suspicious File Permission Changes | Monitor File Integrity Monitoring (FIM) logs for suspicious changes to file permissions or access control lists (ACLs). |
| Policy Violation Detection | Monitor File Integrity Monitoring (FIM) logs for violations of security policies or compliance requirements. |
| Change Request Verification | Monitor File Integrity Monitoring (FIM) logs for changes that match approved change requests or tickets. |
| Configuration Policy Enforcement | Enforce and monitor compliance with configuration policies and standards using File Integrity Monitoring (FIM) logs. |
| Change Rollback and Remediation | Roll back unauthorized or malicious changes identified in File Integrity Monitoring (FIM) logs and restore system integrity. |
| Insider File Modification Detection | Monitor File Integrity Monitoring (FIM) logs for unauthorized or suspicious modifications to critical files by insiders. |
| Unauthorized Data Exfiltration Detection | Detect attempts by insiders to exfiltrate sensitive data through unauthorized file access or transfer. |
| External Sharing Detection | Monitors endpoint logs for indications of external data sharing. Alerts triggered for unexpected data transfers outside the organization, unauthorized sharing of sensitive information, or patterns indicative of data leakage. |
| Anomalous User File Access | Monitor File Integrity Monitoring (FIM) logs for unusual or unauthorized file access by insiders. |
MITRE ATT&CK
T1003, T1057, T1070, T1102, T1560, T1059, T1546, T1082, T1134, T1025, T1489, T1003, T1114, T1078, T1048, T1565, T1053