File Integrity Monitoring


Time: 4 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
Hi and welcome to Module 2, Lesson 6.5. In this lesson we're going to talk about file integrity monitoring.

File integrity monitoring is simply just a mechanism that you can use to determine what's going on on a file itself. This is going to be a really quick lesson. It's not widely used in the industry outside of some regulatory concerns. I'll tell you why it's not used very widely here as we go along.

File integrity monitoring is usually agent-based, and that agent can detect things like changes in files. When did that change occur? How was the file actually changed? What about that file actually changed? Who or what made that change?

It's a really good tool when you're trying to monitor changes to highly critical files. You don't want to turn it on across all the files because it gets really noisy. You can imagine there are tens of thousands of files just on one Windows system. So if you turn on file integrity monitoring on every file on the whole system, you can imagine how much noise it would create. You really only want to use file integrity monitoring sparingly and only on those highly critical files that you need some absolute restricted granular control over how changes are made to those files.

In a PCI-DSS environment, which is the Payment Card Industry Digital Security Standard environment, FIM monitoring is required on certain file types.

The basic workflow for FIM would be: the first thing you want to do is set up a policy. You want to determine what exactly should be monitored. As I said, you don't want to monitor everything. You want to really restrict it down to only the things that need to be monitored.

You want to establish a baseline. Once you determine what needs to be monitored, you need to let the agent watch that file for a little while, because there are lots of different processes that are going to interact with that file that you may not be aware of right when you turn this on. So just let it establish a baseline. It will run for a little while to determine what normal looks like.

Then once you know what normal looks like, you can set that normal baseline and you can monitor for any changes to that baseline. If you see any changes, alerts can be sent and then you can also start collecting reports. A lot of times these reports are used periodically for compliance audits, specifically, as I said, in the PCI-DSS environment.

As I promised, this is a very quick lesson on FIM monitoring. Next up we're going to talk about data disposal.
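The policy, baseline, monitor and report workflow described in the lesson, as an added example that is not part of the original lesson or any particular FIM product. It assumes a small, explicitly scoped policy (a list of critical files), a baseline persisted as JSON, and a detection pass that compares the current SHA-256 hash, size and permission bits against that baseline. The file names and contents in `demo()` are constructed for illustration.

```python
"""Minimal file integrity monitor: policy -> baseline -> detect drift -> report.

Added example (not from the lesson). A real agent would also record who changed
the file and when; this version only answers "what changed", which is the part
that can be done with a hash comparison alone.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of the file contents, streamed so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(policy: list[Path]) -> dict[str, dict]:
    """Record hash, size and permission bits for every file the policy names.

    Only files listed in the policy are touched: FIM is meant to be scoped
    narrowly to critical files, not to the whole filesystem.
    """
    baseline: dict[str, dict] = {}
    for path in policy:
        st = path.stat()
        baseline[str(path)] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o777),
        }
    return baseline


def detect_changes(baseline: dict[str, dict]) -> dict[str, list[str]]:
    """Compare the current state of each baselined file against the stored record.

    Returns a report keyed by change type; an alerting pipeline would fire on
    any non-empty list other than "unchanged".
    """
    report: dict[str, list[str]] = {
        "modified": [], "missing": [], "mode_changed": [], "unchanged": []
    }
    for key, expected in baseline.items():
        path = Path(key)
        if not path.exists():
            report["missing"].append(key)
            continue
        st = path.stat()
        changed = False
        if oct(st.st_mode & 0o777) != expected["mode"]:
            report["mode_changed"].append(key)
            changed = True
        # Size is a cheap pre-check; the hash is what actually proves content drift.
        if st.st_size != expected["size"] or hash_file(path) != expected["sha256"]:
            report["modified"].append(key)
            changed = True
        if not changed:
            report["unchanged"].append(key)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed walkthrough: two 'critical' files, one edited after the
    baseline is taken and one deleted. Returns the report with bare file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "app.conf"          # constructed sample file
        allow = root / "allowlist.txt"   # constructed sample file
        cfg.write_text("db_host=localhost\n")
        allow.write_text("admin\n")

        policy = [cfg, allow]            # step 1: policy (what to watch)
        baseline = build_baseline(policy)  # step 2: baseline (what normal looks like)
        baseline_path = root / "baseline.json"
        baseline_path.write_text(json.dumps(baseline, indent=2))

        # Simulated drift after the baseline: one edit, one deletion.
        cfg.write_text("db_host=localhost\nadmin=true\n")
        allow.unlink()

        # step 3: monitor against the stored baseline and produce the report
        report = detect_changes(json.loads(baseline_path.read_text()))
        return {kind: sorted(Path(p).name for p in paths) for kind, paths in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline file itself belongs off the monitored host (or at least in the policy), since an attacker who can edit a critical file can usually edit a baseline stored next to it; that is one reason the lesson's agent-based design reports back to a central server rather than keeping state locally.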