File Integrity Monitoring (FIM) Solution

Learn why File Integrity Monitoring is important: address compliance auditing needs and take charge of your IT environment

What is File Integrity Monitoring?

File Integrity Monitoring (FIM) is a security practice which consists of verifying the integrity of operating systems and application software files to determine if tampering or fraud has occurred by comparing them to a trusted "baseline."

Want a quick rundown of File Integrity Monitoring? Our dedicated Whiteboard Wednesday video illustrates the basic framework of FIM in under five minutes. 

Why is File Integrity Monitoring important?

Remember that pesky sibling or cousin who was always messing with your belongings, whether it was drawing on your wall, cutting up your homework, or stealing your toys? Anything they could get their hands on—whether just to annoy you or because they truly wanted to wreak havoc, they would, meaning you constantly had to be on the lookout. Today, malicious actors or insiders can cause the same mayhem inside your networks, changing configuration files, critical system or application files, or data—and then delete event logs to hide their tracks.

Knowing who’s accessing critical files and when changes occur to them is required by regulatory standards and laws, like PCI DSS, HIPAA, and GDPR, and is necessary to protect your organization's critical assets and data and detect a breach. Fortunately, meeting these regulatory requirements with a SIEM solution is easy. File integrity monitoring (FIM) automatically identifies anomalous file changes across your environment and notifies you when suspicious activity takes place on critical files, so you can take action and prove compliance.

New to threat hunting and detection?

Learn about the defense methods available to help you detect and mitigate threats in your environment quickly.

Learn More

Meeting compliance requirements just got a whole lot easier

Changes to configurations, files, and file attributes across your IT infrastructure can be common, but hidden within this deluge of daily changes can be the few that impact file or configuration integrity. These changes can put your compliance stature and security posture at risk, as it can indicate an attacker tampering with critical files to gain persistence or access confidential data.

File integrity monitoring from Rapid7 is a modern file event tracking system delivered by our cloud SIEM, InsightIDR. Our Insight Agent watches for file modification events on assets of your choosing (e.g. PII, PHI) and directly attributes users to this activity through our industry-leading User Behavior Analytics (UBA). InsightIDR alerts you when users edit, move, or delete a critical file or folder, and shows you real-time metrics so you can catch issues before they escalate. Whether you have a large or small environment and an audit policy or not, Rapid7’s FIM capabilities can help centralize monitoring and alerting for you and your team.

Rapid7 leverages User Behavior Analytics (UBA) for superior file integrity monitoring

While InsightIDR will help you solve multiple compliance regulations, including audit logging & log management, user monitoring, and FIM, its primary value comes from helping your team reliably detect and respond to attacks. You won’t just see when an attacker modifies critical files—you’ll be able to see the lateral movement, privilege escalations, and other key behaviors behind the breach—across your users, assets, and cloud services.

Because InsightIDR fully integrates with your existing network and security tools, you can detect malicious activity starting with initial compromise, whether it stems from phishing, malware, or the use of stolen credentials. With File Integrity Monitoring, file modification events can be looped into an investigation to understand how the actions relate to normal user activity across your environment. You can visualize file modification activity as fully customizable, exportable dashboard charts for easy visibility and to proactively meet audit requirements.

File integrity monitoring is a 20-year-old technology, initially focused on guaranteeing that executables hadn’t been tampered with in an attempt to subtly backdoor a system, although the use cases have evolved to detecting modification of any critical files. The majority of organizations deploying FIM do so because of regulatory requirements, but long term, EDR solutions will offer similar functionality, which will call into question the long-term viability of FIM as a standalone offering…
Forrester Tech Tide, Zero Trust Threat Detection & Response, Q1 2019
Read the report
Let our Insight Agent watch over your critical assets 24/7/365

File integrity monitoring is an important security defense layer for any organization monitoring sensitive assets. With the Rapid7 cross-product Insight Agent, you get the benefit of FIM along with proactive threat detection and containment capabilities. Other use cases you can solve with the endpoint detection and response (EDR) capabilities in InsightIDR include:

Detect

  • Malware detection (both commodity and targeted attacks)
  • User monitoring (anomalous authentications and credential theft)
  • Threat intelligence (add, manage, and subscribe to customer-shared intel)
  • Visibility into remote workers

Investigate

  • Endpoint artifact acquisition (find anomalous persistence, tampering, or malicious activity)
  • Manage and visualize important activity logs (e.g. Powershell activity)

Respond

  • Find unique and rare processes across your endpoint fleet
  • Remotely kill processes as part of threat containment
  • Quarantine an asset to block off all external communications, except to the Insight cloud

See InsightIDR in Action