The Cybersecurity Industry is in Trouble
In recent years, several vendors with prominent brands have added "FIM" to their feature sets. The problem is that it's not real FIM. It's merely change monitoring, which produces little more than noise. It's painful to watch this unfold in our industry. It feels as if I am watching a train wreck about to occur in slow motion. The concept of FIM should be well-understood within the cybersecurity community, and I always thought that industry professionals would realize that these tools labeled as "FIM solutions" are not true FIM.
Unfortunately, large enterprises are adopting these half-baked FIM solutions without realizing that the "FIM" features in EDRs, XDRs, and SIEMs do not meet the intent or objective of true FIM. My hope is that this acceptance stems from a lack of awareness rather than a desire to simply adopt a 'checkbox FIM' mentality, so my goal in this post is to educate and highlight the differences.
Understanding the Concepts
File Change Monitoring:
- Monitors files for any changes, whether good or bad.
- Notifies you of every change to a file, but you don't know what the file should be; just that it has changed.
- Generates high volumes of alerts, contributing to alert fatigue and noise.
- Lacks context about whether a change is authorized or expected.
- Does not establish or use a baseline for comparison.
- Offers no differentiation between routine, authorized, and potentially malicious changes.
- Provides no mechanism to restore files to their known good state.
- Often results in alert fatigue due to excessive noise.
- Limited scope, often only monitoring file changes without a broader context.
- Incapable of identifying and addressing the root cause of changes.
File Integrity Monitoring (FIM):
- Monitors files for unexpected or unauthorized changes against an authoritative baseline.
- Defines what your system should be (the authoritative baseline).
- Allows promoting and demoting of files from this authoritative baseline.
- Reduces noise by filtering out known and authorized changes.
- Provides context for changes, distinguishing between legitimate and suspicious modifications.
- Can extend beyond files to monitor registry, services, ports, firewall and router configurations, Active Directory users, database schemas, and much more.
- Helps in restoring files to their known and trusted state.
- Enhances security posture by reducing the volume of irrelevant alerts.
- Offers comprehensive monitoring across various system components.
- Assists in root cause analysis by providing detailed context for change.
Non-repudiation of Data
Non-repudiation of data is an essential concept in cybersecurity: it provides proof of the integrity and origin of data, so that an entity cannot deny having created or modified it. True FIM plays a critical role in maintaining non-repudiation by tracking every change to files against an authoritative baseline. Without true FIM, you lack the assurance that data remains unchanged and trustworthy. Change monitoring alone does not provide this level of assurance, as it merely indicates that a change occurred without verifying whether the change was authorized or expected. This integrity is vital for compliance, forensic analysis, and maintaining trust in your IT systems.
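To make the two lists under "Understanding the Concepts" and the non-repudiation point above concrete, here is an added Python sketch (written for this post, not code from Cimcor or any product): a change monitor that reports every diff against the previous scan, beside a baseline-driven checker that alerts only on deviations from an authoritative baseline, filters changes approved through change control, promotes reviewed changes, hands back the known-good copy for restore, and can answer what the system should have looked like at an earlier snapshot. The paths and file contents are constructed sample data.

```python
import hashlib
from copy import deepcopy

# Constructed sample: a tiny in-memory "filesystem" (path -> bytes) standing in for
# real files; hashes are computed at runtime, nothing here is a real indicator.
GOLDEN = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n",
          "/usr/bin/app": b"ELF-bytes-v1.0"}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def change_monitor(previous: dict, current: dict) -> list:
    """Change monitoring: report every differing path, with no notion of 'should be'."""
    paths = set(previous) | set(current)
    return sorted(p for p in paths if previous.get(p) != current.get(p))

class IntegrityBaseline:
    """Authoritative baseline: hash plus known-good copy of every monitored object."""
    def __init__(self, fs: dict):
        self.known_good = deepcopy(fs)          # enables restore to the trusted state
        self.expected = {p: digest(d) for p, d in fs.items()}
        self.history = [dict(self.expected)]    # snapshot 0 = initial baseline

    def check(self, fs: dict, authorized: set = frozenset()) -> list:
        """Return only deviations from the baseline that are not pre-authorized.
        authorized = set of (path, sha256) pairs approved by change control."""
        findings = []
        for path in sorted(set(self.expected) | set(fs)):
            exp = self.expected.get(path)
            act = digest(fs[path]) if path in fs else None
            if exp == act or (path, act) in authorized:
                continue                          # matches baseline or approved: no alert
            kind = "added" if exp is None else "removed" if act is None else "modified"
            findings.append({"path": path, "kind": kind, "expected": exp, "actual": act})
        return findings

    def promote(self, path: str, data: bytes) -> None:
        """Accept a reviewed change into the baseline (the new 'should be')."""
        self.known_good[path] = data
        self.expected[path] = digest(data)
        self.history.append(dict(self.expected))

    def restore(self, path: str) -> bytes:
        """Hand back the trusted copy so the host can be returned to baseline."""
        return self.known_good[path]

    def as_of(self, snapshot: int) -> dict:
        """What the system should have looked like at an earlier point in time."""
        return dict(self.history[snapshot])
```

A production tool would sign and timestamp each baseline snapshot and store it off-host so the record itself cannot be repudiated; this sketch only keeps the snapshots in memory.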
Key Differences Between Change Tracking and True Integrity Monitoring
| Feature | Change Tracking | True Integrity Monitoring |
|---|---|---|
| Monitors for any changes | Yes | Yes |
| Baseline comparison | No | Yes |
| Identifies good vs. bad changes | No | Yes |
| Authoritative baseline | No | Yes |
| Monitors more than just files | No | Yes |
| Reduces noise | No | Yes |
| Provides context for changes | No | Yes |
| Helps restore a known good state | No | Yes |
| Comprehensive system monitoring | No | Yes |
| Aids in root cause analysis | No | Yes |
NIST SP 800-53: A Benchmark for Integrity Monitoring
NIST Special Publication 800-53 is one of the industry's most comprehensive and well-respected documents, providing guidelines for securing information systems. Here are some key points regarding FIM and baselines from SP 800-53:
- Establishing Baselines: Baselines are crucial for integrity monitoring. They serve as a known-good state against which current file and system states are compared to detect unauthorized changes. This helps identify potential security breaches or data integrity issues.
- Continuous Monitoring: The controls CM-3 (Configuration Change Control) and CM-5 (Access Restrictions for Change) emphasize the importance of establishing baselines and continuously monitoring them to ensure that any unauthorized modifications are detected and addressed promptly.
- Security and Privacy Controls: SP 800-53 integrates security and privacy controls, including mechanisms for maintaining and monitoring baselines. For example, the control SI-7 (Software, Firmware, and Information Integrity) discusses the use of integrity checks and verification to ensure the integrity of software and data against the established baselines.
- Control Baselines: The publication also includes guidance on tailoring and applying control baselines for different types of information systems. This involves selecting and customizing security controls based on the organization's specific risk profile and operational requirements.
Fake FIM (aka change monitoring), as seen in EDRs, XDRs, and SIEMs, does not provide the capabilities listed above.
The Truth About Vendors
Only three vendors provide genuine FIM solutions: Cimcor's CimTrak Integrity Suite, Fortra's Tripwire Enterprise, and Netwrix's Change Tracker. Other vendors claiming to offer "FIM" likely do not provide actual FIM capabilities.
Ask them:
- Can they provide a report of what a system should have looked like yesterday or a week ago?
- Do they have an authoritative baseline?
- How do they know if a change is good and filter it out?
- Can they differentiate between authorized and unauthorized changes?
- How do they handle alert fatigue from excessive noise?
- Can they provide context for each change to help in root cause analysis?
- Can they monitor more than just file changes, such as registry, services, ports, firewall and router configurations, cloud configurations, Active Directory users, database schemas, and more?
- Do they have mechanisms to restore files to their known good state?
- How comprehensive is their system monitoring?
- Can they ensure non-repudiation of data?
- There are three changes to this file. Which is the correct one?
The Awakening
I fear that there will be an awakening in the industry driven by one of two catalysts:
- Major Cybersecurity Events: Significant cybersecurity incidents will occur and go unidentified because of the reliance on fake FIM. These events will expose the inadequacies of change monitoring masquerading as FIM, highlighting the need for genuine integrity monitoring to detect and prevent unauthorized changes.
- Audits and Compliance Realizations: At present, even some auditors might be fooled by fake FIM. However, at some point, auditors will begin to realize that just because it says "FIM" from a big vendor, it isn't truly FIM. As this understanding spreads, audit findings will increase due to the lack of true integrity monitoring. This will reveal that fake FIM does not meet the intent and objectives of key standards and regulations such as PCI, HIPAA, NIST 800-53, CMMC, NERC-CIP, and many others.
The Path Forward
FIM was on a trajectory to mean much more. CimTrak, Tripwire, and Change Tracker have all evolved to monitor more than just files—they monitor registry, services, ports, firewall and router configurations, cloud configurations, Active Directory users, database schemas, and much more. The industry was on a path to truly understand and measure the integrity of its entire enterprise.
However, a few major brands have set this trajectory back 15 years by redefining FIM to mean nothing more than files and change monitoring. It is safe for them to do so because the industry is letting them.
With software supply chain attacks and the significant impact of human error, it's more important than ever to understand what's on your servers, network devices, cloud infrastructures, databases, and more. Don't settle for less. Don't allow EDR, XDR, and SIEM vendors to redefine a vital cybersecurity concept to mean less.
In July 2024, the most significant IT outage in history occurred due to human error. This incident underscored the critical need for change management and true integrity monitoring. Unauthorized or unexpected changes to systems can have catastrophic consequences. True FIM provides complete visibility into what's happening on all your IT assets, ensuring you can detect and address issues before they escalate into major incidents.
The Real Question
If you're using checkbox FIM, that likely means you're getting a ton of noise. Are you actually looking at it? Change monitoring generates an overwhelming amount of alerts, leading to alert fatigue and making it easy to miss critical incidents. True FIM, by contrast, reduces noise and provides meaningful insights, ensuring that you focus on what truly matters.
In Conclusion
In Romeo and Juliet, Shakespeare wrote, "A rose by any other name would smell as sweet." Well, FIM by another definition (i.e., change monitoring) would not be as effective. The industry needs to wake up and recognize the importance of true FIM, as defined by standards like NIST SP 800-53, to ensure we are genuinely protecting our systems and data integrity.
Don't be fooled by fake FIM. Demand true integrity monitoring and safeguard your enterprise against unauthorized changes.
CimTrak is the absolute best, most advanced, and most modern Continuous Integrity Monitoring product on the market. We would love to talk with you to help get your organization back on the right track.
August 8, 2024