Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: File Integrity Monitoring (FIM) - SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
File Integrity Monitoring (FIM) -
What do you consider critical files that should be monitored?

We are monitoring specific folders and the file structure underneath, but were told that we had to identify specific files instead. So wondering what you would identify as critical.

1 Posts
We have FIM as a service, instead of running it ourselves. It has pre-configured settings

From what I can tell of recent events I've had to confirm, the Windows Registry is part of the changes to be monitored, obviously for traces of compromise. But it is monitoring specific keys, not the file(s)

HKEY Software / System / Etc. Each of the keys have their risk score and on every MS patch day, I see a lot of changes occuring. "Autorun's" are a big one

Mind you, the changes are scored individually and it is the sequence that may raise an alarm. FIM is like an IDS/IPS, and that's why we've outsourced it. It is too complex to maintain on a part time basis, and the FIM/AV/Compliance package that we run costs less than $100 per unit per year.

14 Posts
You could have a look at the OSSEC HIDS which has a FIM feature. It's a good starting point (for UNIX & Windows hosts)…

Now, like log management, it's up to you to know your business / environment and where are your important data!

651 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!