Imagine that, as you are reading this article, an unspecified threat is slowly making its way through your IT infrastructure, changing and corrupting files, bit by bit. At first, you may notice an odd read error here, a missing file there. Puzzling, but not alarming. But when you finally realize the size of the issue, it is too late: many machines won't even boot, and 30% of the data on your network is gone.

What would be your first reaction? Worry about the hardware? Of course not. You would worry about the data, stored in files on those computers: are backups available? Are they up-to-date? How soon can they be restored so that operation can be back to normal?

This thought exercise illustrates the importance of files: they contain user data, customer support records, business plans, product designs, configuration parameters, employee and financial information and so much more. They are essential and, as such, need to be monitored and protected. Changes must be tracked, and unauthorized access must be detected.

This need gave rise to File Integrity Monitoring (FIM) tools, which are a valuable asset in helping you prevent, diagnose and solve a wide variety of issues. In this article, we will present some of the many options available, and hope to help you choose the best one for your needs.

Frequently Asked Questions about File Integrity Monitoring

What are File Integrity Monitoring tools?

In general, all File Integrity Monitoring tools work by establishing a "baseline" for a file (or group of files), and sounding the alarm whenever its characteristics, like file size, contents or access time/date, among other attributes, change. Some can do "content matching" and take special action (e.g. trigger a custom alert) if the file contents match a given pattern (like the word "Error" appearing in a log file); others may include user access privilege rules and only sound the alarm if the file was accessed or changed by an unauthorized user.

Whatever their nature, FIM tools have become an essential part of every IT infrastructure, regardless of size. In some cases, they are even a requirement for obtaining compliance with security standards.

Why should you monitor the integrity of your files?

We can think of 5 reasons to invest in File Integrity Monitoring tools:

1. To detect problems that may impact business continuity before they even arise. Sudden file corruption may be a sign of hardware issues, like a failing hard disk. A monitoring tool can sound the alarm before this failure becomes critical or catastrophic.

2. To help you solve problems. System, service and application logs are a crucial tool for diagnosing issues on your IT infrastructure. A FIM tool can tell you if those logs are being overwritten or infrequently updated, giving you a chance to fix the problem and be sure to have the latest data on hand when it is needed.

3. To enhance your security. A flurry of disk activity may be a sign of malware corrupting system files and encrypting documents to extract a ransom. As before, a monitoring tool can sound the alarm and give you time to isolate or remediate the issue before it's too late.

4. To protect your intellectual property. Many file monitoring tools can tell you when a file was last accessed, and by whom, and alert you to unusual access patterns. Uncommon activity, like an authorized user accessing a huge number of files in the dead of the night, may be an indication of someone trying to exfiltrate information from your network while avoiding detection.

5. For compliance. Some standards, like the Payment Card Industry Data Security Standard (PCI DSS), for organizations that handle customers' credit card data, require the presence and use of a FIM tool.
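The baseline-and-compare model described above, as an added Python example (not code from this article or from any of the vendors listed here): it fingerprints every file under a directory with a SHA-256 digest plus the stat() attributes the text mentions (size, permissions, owner, timestamp), then re-scans and reports exactly which attribute of which file changed. The directory contents in the demo are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Attributes compared on every check: "sha256" covers the contents, the rest
# mirror the size, permission, owner and timestamp fields the article lists.
TRACKED = ("sha256", "size", "mode", "uid", "gid", "mtime")


def fingerprint(path):
    """Return the tracked attributes of one file as a dict."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode,
            "uid": st.st_uid, "gid": st.st_gid, "mtime": st.st_mtime_ns}


def build_baseline(root):
    """Fingerprint every regular file under root, descending into subfolders."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Diff two baselines: {relative_path: list of changed attributes}.
    Files present on only one side are reported as ["added"] or ["missing"]."""
    changes = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            changes[rel] = ["added"]
        elif rel not in current:
            changes[rel] = ["missing"]
        else:
            diff = [a for a in TRACKED if baseline[rel][a] != current[rel][a]]
            if diff:
                changes[rel] = diff
    return changes


def demo():
    """Constructed scenario: record a baseline, alter the tree, re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "notes.txt").write_text("hello\n")
        base = build_baseline(root)
        # Simulated unauthorized edit, deletion and new file.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "notes.txt").unlink()
        (root / "dropped.txt").write_text("unexpected\n")
        return compare(base, build_baseline(root))
```

Running demo() returns one entry per affected file; in a real deployment the baseline would be persisted (and protected) between scans rather than held in memory.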
What to look for when choosing a File Integrity Monitoring tool?

In our opinion, there are five main characteristics you need to look out for when choosing a file integrity monitoring tool. They are:

1. Granularity: the capability of monitoring a single file, a whole folder, or a folder and all of its subfolders.

2. Remote monitoring, including the ability to display data about many file sources on an integrated dashboard or display.

3. Customizable alerts and automated notifications when alerts are triggered.

4. Native (and preferably automated) reporting features.

5. A suitably long trial period, so you can see for yourself how the tool works with your infrastructure.

How to do File Integrity Monitoring?

There are many kinds of File Integrity Monitoring tools, from as many different vendors. We present a few of them below, in no particular order.

The best File Integrity Monitoring (FIM) tools

Paessler PRTG

Paessler PRTG is an all-in-one monitoring tool which can monitor everything from file integrity on your local machines to your whole cloud infrastructure. PRTG is based on basic monitoring elements called "sensors". One sensor usually monitors one measured value in your network, e.g. the traffic of a switch port, the CPU load of a server, the free space on a disk drive and so on.

There are three main sensors for File Integrity Monitoring in PRTG. The first one is the File Sensor, which can monitor a single file, report whether it exists or not, and alert if its contents or timestamp have been changed. The File Content Sensor can be used for content matching: for example, alert if the word "Error" has appeared in a log file. Last, but not least, the Folder Sensor can monitor whole folders, and descend into subfolders if desired.

[Figure: PRTG File Sensor]

The information gathered by the tool is provided on a centralized dashboard with all the relevant metrics.
You can set customizable alerts based on threshold values, and there is an automatic reporting feature, so you can keep management and co-workers informed.

Paessler PRTG runs on Windows machines (Windows 11, or Windows Server 2012 R2, 2016, 2019 or 2022), but can remotely monitor machines running other OSes like Linux or macOS. There is a 30-day free trial, with all features available during this period and no credit card needed.

OSSEC

OSSEC is a scalable, multi-platform, Open Source Host-based Intrusion Detection System (HIDS). Its many features include Log-based Intrusion Detection (LID), rootkit and malware detection, system inventory and compliance auditing tools and, of course, File Integrity Monitoring.

The FIM module can monitor both files and Windows registry settings in real time. It not only detects changes to the system, it also maintains a forensic copy of the data as it changes over time, which can be useful for diagnosing the cause of said changes.

There are three versions of OSSEC available. The "basic" one, called simply OSSEC, already includes a FIM tool and is free. Then there is OSSEC+, which is also free (with registration) and adds features like machine learning, PKI encryption, an ELK (Elasticsearch, Logstash and Kibana) stack, real-time Community Threat Sharing, "1000s" of new rules and more.

[Figure: OSSEC rule compliance]

Last, but not least, there is "Atomic OSSEC", geared towards large enterprises, which adds a huge list of features including "clustering, agent management, reporting, security, vulnerability management, and integration with third parties and compliance features". Pricing is based on the number of agents.

The OSSEC server runs on Linux (Fedora, CentOS, Red Hat Enterprise Linux, Amazon Linux, Ubuntu, Debian), but the agents can be deployed on machines running many Linux distributions, Open/Free/NetBSD, Solaris, AIX, HP-UX, macOS and Windows (XP, Vista and Server 2003, 2008 and 2012).
Trustwave Endpoint Protection

Trustwave Endpoint Protection includes a File Integrity Monitor module that "monitors a host's local system for changes to specified files, directories, and registry settings to detect illicit modifications. Any changes are reported to a server, while the signatures for the current scan are saved in a local cache for future use".

The information collected by agents running on monitored machines can be grouped and displayed on a dashboard in a number of ways. For example, changes can be grouped by agent, with filters to hide agents that have not reported any changes or to show only critical or high severity events. It is also possible to show the event volume in the last 30 days, in the form of a vertical bar graph, with a breakdown by event type or narrowed down to a specific date range.

Clicking on an event populates a "details" menu at the bottom of the page, which displays the Event ID, Type, origin IP address, OS, Time, Priority, Source, and Description. All data can be exported as an Excel sheet, PDF, CSV or HTML. Alerts are sent by email, with customizable frequency and severity.

According to Trustwave, the File Integrity Monitor module can be provided to customers running Windows or Linux operating systems. There doesn't seem to be a trial version of this tool available, but customers can request a demo on Trustwave's website.

CrowdStrike Falcon FileVantage

Falcon FileVantage is part of a platform of cybersecurity solutions offered by CrowdStrike. According to the manufacturer, it "meets PCI, CIS Controls, Sarbanes-Oxley Act and other regulatory bodies to fulfill monitoring requirements".

This tool enables your IT staff to see unauthorized modifications to all relevant system, configuration and content files, gain instant visibility on all critical folders and registry changes, and maintain the integrity of hosts with continuous, active monitoring.
Pre-defined and custom policies promise to help you reduce alert fatigue and gain efficiency.

[Figure: Falcon FileVantage]

File, folder and registry changes can be correlated to active detections, and there is integration with Falcon Intelligence, a threat intelligence system which tracks over 130 threat profiles relating to nation-state, eCrime and hacktivist adversaries. This way, your team can not only learn that an attack happened, but also who was likely behind it, and quickly take steps towards remediation.

Falcon FileVantage supports Windows, Linux and macOS operating systems. There is a 15-day free trial available on CrowdStrike's website.

SolarWinds Security Event Manager

SolarWinds Security Event Manager (SEM) is a SIEM (Security Information and Event Management) solution that includes compliance reporting, cyberthreat intelligence analysis, automated incident response, forensic analysis and File Integrity Monitoring.

The FIM module is designed to monitor for changes to files, folders, and registry settings. System, Active Directory, and file audit events can be easily correlated to obtain information on which user was responsible for accessing and changing a file, and to identify other users' activities occurring before and after the file change. File audit events can also be correlated with logs from antivirus and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) tools to easily detect Advanced Persistent Threats (APTs) and run-of-the-mill malware. It is also possible to set triggers to kill malicious processes or even quarantine entire systems to protect the rest of the network.

[Figure: File Audit Activity report on SolarWinds Security Event Manager]

SEM can also be used to generate out-of-the-box compliance reports for industry standards like PCI-DSS, SOX, HIPAA, NERC CIP, FISMA, and SANS Critical Security Controls, among others.
The SolarWinds Security Event Manager (SEM) server runs on Linux and can be executed inside a VM, a Microsoft Azure or an Amazon AWS instance. The agent runs on Windows (8, 10 or 11), Windows Server (2008 R2, 2012, 2016, 2019 or 2022), Solaris 10 or later, macOS (Mojave, Sierra and High Sierra), HP-UX (on Itanium), IBM AIX (7.1 TL3, 7.2 TL1 and later) or Linux. There is a 30-day free trial available.

ManageEngine EventLog Analyzer

ManageEngine EventLog Analyzer is a log management tool that also offers File Integrity Monitoring. It "examines logs to find unauthorized modifications to both sensitive and critical system configuration files and folders. It gives detailed reports on which file was changed, who made the change, and when it was changed".

Among its features are "total file integrity", scanning not only file contents but also attributes, permissions, ownership and size, among others, and "comprehensive file and folder monitoring", including the capability of monitoring files, folders, system configuration files, content files, zipped files and folders, and more.

It offers integrated compliance management with the PCI-DSS, SOX, HIPAA, and FISMA standards, and allows your IT staff to create their own compliance reports or modify existing templates.

[Figure: The main dashboard of ManageEngine EventLog Analyzer]

There is a User and Entity Behavior Analysis (UEBA) module that uses Machine Learning to detect suspicious behavior and stop it before damage is done. This includes "logons at an unusual hour, excessive logon failures, and file deletions from a host that is not generally used by a particular user".

ManageEngine EventLog Analyzer can run on Windows (7 and above), Windows Server (2008 and above) and Linux (Red Hat 8.0 and above, all versions of Red Hat Enterprise Linux, Mandrake/Mandriva, SUSE, Fedora, CentOS, Ubuntu and Debian). There is a 30-day free trial available.
Tripwire Enterprise

Tripwire claims that File Integrity Monitoring technology was invented in part by its co-founder, Gene Kim, in the late 90s. Tripwire Enterprise is a security configuration management (SCM) solution, which "helps reduce your attack surface and risk exposure with proper system hardening and continuous configuration monitoring". File Integrity Monitoring is part of this security approach.

This tool is able to detect changes in real time, tell exactly what was changed, and by whom, and distinguish between authorized and unauthorized changes. It can pinpoint which changes increase risk, and flag changes which will result in non-compliance with various standards.

[Figure: Tripwire invented File Monitoring technology back in the 90s]

Those features reduce noise and improve the signal-to-noise ratio, helping you concentrate on the real threats. Tripwire also automates the generation of compliance evidence, supporting "over 800 policy and platform combinations for regulations like PCI, SOX, FISMA, HIPAA, ISO and NERC".

Tripwire runs on 64-bit versions of Windows or Red Hat Enterprise Linux (RHEL). There is no trial, but interested customers can request a demo on the company's website.

Samhain File Integrity

Samhain is an Open Source host-based intrusion detection system (HIDS) which provides "file integrity monitoring and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes".

When running on Linux, Samhain can use the inotify kernel subsystem to generate immediate notifications about changes to the file system, "eliminating the need for frequent file system scans which may cause a high I/O load". The tool can monitor file checksums (using the TIGER192, SHA-256, SHA-1, or MD5 algorithms) and attributes like file size, mode/permissions, owner, group, timestamps (creation/modification/access), inode and number of hard links, among others, including SELinux attributes, POSIX ACLs and BSD file flags.
[Figure: The web interface for Samhain, called Beltane II, is a separately licensed product]

It can also use the Linux kernel audit system to determine which user modified a file. And according to the developers, Samhain is the only Open Source file integrity checker that can perform incremental checks on growing log files, as required for compliance by Sect. 10.5.5 of the PCI DSS.

It is worth noting that Samhain's management console, called Beltane, is a separate product. There are two versions: Beltane I is a "free prototype" with basic functionality, while Beltane II is "targeted at users with large Samhain client/server installations, and offers features for significantly improved scalability and usability in such environments", and is commercially licensed.

Samhain is available for POSIX platforms (Linux, *BSD, Solaris 2.x, AIX 5.x, HP-UX 11, and macOS). The monitoring agent can also run on Windows (2000/XP) using a POSIX emulation layer like Cygwin.

Qualys FIM

Qualys FIM is part of the Qualys Cloud Platform, a "cloud solution for detecting and alerting on integrity violations of critical system files and registry objects", which "enables a simple way to monitor files, directories, and registry paths for changes in real time, and helps adhere to compliance mandates such as PCI-DSS, FedRAMP, HIPAA, GDPR and others".

Besides real-time monitoring capability, this tool provides visibility into who made the changes (user and process) to a file, full file paths and registry paths, the exact time of the change, and the actual change. Features like "trust status" and "file reputation service" allow Qualys FIM to automatically whitelist approved changes, sounding the alarm only for malicious or suspicious ones, reducing the amount of noise for your security team.
[Figure: File details on Qualys FIM]

Also included are out-of-the-box profiles to monitor highly critical files, registry objects, and actions, which can help your team kick-start their monitoring efforts and achieve compliance with various security standards.

Qualys FIM is part of the Qualys Cloud Platform, which is provided on a SaaS (Software as a Service) basis, without the need to download or install any software. The agents can monitor Linux and Windows hosts. There is a 30-day free trial available.

Netwrix Change Tracker

Netwrix Change Tracker can monitor system directory and file changes across Windows servers, monitoring "the integrity of system files and configurations by comparing file hashes, registry values, permission changes, software versions and configuration file contents". It can exclude planned changes, reducing false alarms and noise, and incorporates additional context into threat and change detection, provided by a cloud security database with "over 10 billion file reputations submitted by original software vendors like Microsoft, Oracle and Adobe".

The tool includes pre-defined compliance reports (including PCI DSS, HIPAA, and FISMA), benchmarks and tracking templates, and can provide compliance scores for multiple Windows Servers at once.

[Figure: File change details on the Netwrix Change Tracker]

Current scores can be compared with previous ones to help you understand if your compliance situation is improving or worsening. All this information is presented in a dashboard, which includes compliance trends and potential problems with individual devices.

Netwrix Change Tracker supports Windows operating systems such as Windows Server 2008/R2, 2012/R2, 2016 and 2019, as well as Windows CE, XP, 7, 8.0, 8.1, 10 and 11. Non-Windows operating systems supported are Ubuntu, SUSE, CentOS, Red Hat Enterprise Linux, Oracle, Solaris, HP/UX, AIX, Tandem Non-Stop, FreeBSD and macOS. There is a free 20-day trial available.
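The "incremental check on growing log files" mentioned in the Samhain section above, as an added Python example (not Samhain's own code): a log is allowed to grow, but the bytes already recorded in the baseline are re-hashed on every check and must match, so appends pass while truncation or in-place edits of earlier lines raise an alarm. The log contents in the demo are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of the file at path."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def baseline(path):
    """Record the current size and the digest of everything up to that size."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": sha256_prefix(path, size)}


def check_growing_log(path, base):
    """Verify an append-only log against its baseline.

    Returns (status, baseline): 'unchanged'; 'grown' (recorded bytes intact,
    new data appended, baseline advanced to the new size); 'truncated' (file
    shrank); or 'modified' (recorded bytes changed). Only 'grown' advances
    the baseline, so a tampered prefix is never silently accepted."""
    size = os.path.getsize(path)
    if size < base["size"]:
        return "truncated", base
    if sha256_prefix(path, base["size"]) != base["sha256"]:
        return "modified", base
    if size == base["size"]:
        return "unchanged", base
    return "grown", baseline(path)


def demo():
    """Constructed scenario: a log that grows, is edited in place, then truncated."""
    statuses = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "app.log")
        with open(log, "wb") as fh:
            fh.write(b"line1\nline2\n")
        base = baseline(log)
        # (mode, data): a legitimate append, then an in-place edit of line 2
        # at unchanged total length, then truncation back to the first line.
        for mode, data in (("ab", b"line3\n"),
                           ("wb", b"line1\nLINE2\nline3\n"),
                           ("wb", b"line1\n")):
            with open(log, mode) as fh:
                fh.write(data)
            status, base = check_growing_log(log, base)
            statuses.append(status)
    return statuses
```

Legitimate log rotation looks like a truncation to this check, so the baseline has to be re-taken as part of the rotation procedure rather than treated as an alarm.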
Conclusion

Among all the File Integrity Monitoring solutions presented, our favorite is Paessler PRTG, for a few reasons. For starters, it "ticks all the boxes" in our list of desired characteristics. It also streamlines your workflow by enabling you to monitor all of your infrastructure with a single tool: it can monitor not only file integrity, but also your network performance, running services, server status, cloud infrastructure and much more. It really is a "Swiss army knife". That means you can do away with having to rely on a variety of individualized solutions, which can carry potential risks such as incompatibility with your current workflow and even security issues.

More importantly, it comes with built-in sensors that cover many of the main use cases, without the need to purchase extras. This allows you to "get started" quickly, reducing setup time. And last, but not least, it is extensible. If you outgrow the built-in features, you can deploy third-party sensors, or even develop your own, to cover specific needs.