member sign-in
Forgot password? Create new account Close

File Integrity / Activity Monitoring (FIM)

Definition:  File Integrity/Activity Monitoring is the technology that monitors files of all types and detects changes in these files that can lead to increased risk of data compromise and is a critical tool in the fight against sensitive data compromise. Intelligence of the solution would allow it to only alert security teams to changes that pose increased threat to sensitive data, and not to the hundreds of thou­sands or even millions of changes that occur daily on large, enterprise-level IT infrastructure

User Benefits:

The capabilities of true File Integrity/Activity Monitoring:

  • Detects changes and determines which changes introduce risk
  • Determines which changes cause non-compliance
  • Distinguishes between high- and low-risk changes
  • Integrates with other security point solutions

File Integrity/Activity Monitoring technology helps enterprises to gain visibility and access reports that enable them to know what they did not know before. The capability to detect changes gives IT the possibility to identify authorized changes versus unauthorized changes or possible malicious activities.

FIM provides insight about actual activities and changes being made to the critical infrastructure, and it ensures that operational integrity has not been compromised. It’s also important to understand that while FIM is valuable to PCI, it can and is used to reduce risk of compromise to any IT asset.

Business Impact:

File Integrity/Activity Monitoring is a critical capability IT security and compliance need to protect the IT infrastruc­ture and its sensitive data. To be relevant, it must do a lot more than just detect changes. A complete solution must use change detection to help determine whether the changes are good or bad. It must also provide multiple ways to distinguish low-risk change from high-risk change. And it must do this at the speed of change.

In addition, FIM should also work with other security point solutions, like those for log and security event man­agement. Correlating change data with log and event data allows security professionals to better protect their environ­ment, including cardholder data environments. Doing so, allows security professionals to quickly see, trace and relate problem-causing activities with each other. Such visibility and intelligence provides the key for quickly remediating issues before they cause real damage.

Products supporting this technology

Imperva McAfee

File Data is Business Critical

While critical business data is concentrated in databases and applications, it doesn’t only exist there. Just think of all the Excel files you’ve seen with financial details, or Word documents containing business plans. Those business documents and digital recordings – along with software source code, surveillance videos, medical images, and many other types of data stored in files – are examples of unstructured data. Unstructured data is the most common type of data in organizations and it is constantly growing and changing. To help businesses store, protect and share unstructured data, IT departments set up file servers and file server appliances (i.e., network attached storage (NAS) devices) in the data center. SharePoint and other content management systems are also used to store unstructured data, but the majority of this data exists on file servers and NAS devices today.

Customers Care about File Data
Three drivers compel organizations to care about file-based data:
(1) Insider threats. While data centers are protected from hackers by firewalls and other perimeter security, most file data is intentionally accessible by many users within the organization. That openness leaves it vulnerable to those with bad intentions.
(2) Compliance. Regulations that mandate data protections typically don’t care where the data is stored – application, database, or file – only that it must be safeguarded.
(3) Administrative complexity. System administrators, storage managers and other IT professionals have a hard time keeping pace with the volume and explosive growth of file data. The built-in operating system and file system tools they use to manage this data are missing key capabilities, and most third-party software doesn’t fill those gaps.

File Data is challenging to control
The biggest gap in managing and protecting file data is a lack of control at the source: on file servers and NAS devices in the data center. To gain control, organizations face a common set of challenges across security, compliance and IT operations.

The ultimate challenge and objective is to ensure access to data is based on a business need-to-know. File and folder access needs change regularly as users join and leave the company, begin and end projects, and change job roles. However, there is no built-in system that keeps file access rights aligned with company requirements.
a. Current approaches:  The most common is a combination of directory services, Access Control Lists (ACLs) and manual processes. Identity and Access Management (IAM) systems are a good approach in theory, but a challenge to implement in practice.
b. Why it’s a challenge: The primary tools business use to enforce business need-to-know access (i.e., users and groups from directory services and ACLs from the file systems) function as separate silos, not a holistic system.
c. Solution requirements: Must overcome the three challenges outlined below. Doing so allows you to work with data owners, provide them a view of who can access their data, and who is using it, and even correlate rights information with access activity. That correlation allows you to identify excessive access and even dormant users.

The second major challenge is trying to determine who owns the data. In most organizations, data owners are known for only a small fraction of file data. For the rest, “go-to” individuals have to be identified who understand the business relevance of the data so they can provide input on how their data should be managed and protected.
a. Current approaches: Create a list (on paper, in Excel, etc.) of the owners of key data. For other data, use clues such as who has access to the data, where it is stored, file and folder names, etc., to guide the hunt for owners. This hunt usually leads to mass emails or phone calls looking for someone to claim ownership.
b. Why it ’ s  a challenge: Many of the clues about who owns data – such as the name of the file or folder, what folder it’s in, or even details about who created the file – do not reliably indicate the owner.
c. Solution requirements: Have to be able to audit all data access (see challenge #4 below). This allows you to find the top users of any given file or folder who are either the data owners, or are able to identify an owner.

The third challenge is trying to create a baseline and audit record of user rights. A baseline snapshot shows what the de-facto access policy is today: it may not be what you want access to be, but it’s what you’ve got. From there, organizations can work to correct acute problems and even establish a regular review process. The audit trail provides a way to monitor changes and ensure continued alignment with corporate policy. These capabilities are baseline requirements for the security, compliance and IT teams working with data and data owners.
a. Current approaches: Built-in Windows tools, in-house scripts, or third-party point products.
b. Why it’s a challenge: Built-in Windows tools work a file or folder at a time, and are therefore tedious to use with a large volume of data and users. In-house scripts don’t scale well and neither do third-party point products. Point products also tend to be very narrowly focused and lack robust reporting.
c. Solution requirements: A system that that gathers rights across an entire file system (i.e., many folders and subfolders) as well as across different file servers and NAS devices. An enterprise-class solution can consolidate and store the rights information for analysis and reporting, making it easy to establish a baseline and audit changes.

The fourth challenge is to audit all user data access activity. A comprehensive audit trail is very hard to get using built-in file system auditing. Built-in auditing generates a huge, un-ending flood of details that are nearly impossible to use raw, and equally complicated to interpret. This auditing also imposes a major performance penalty on file servers, so most organizations turn on native auditing only temporarily, and as a last resort, resulting in an incomplete audit record at best.
a. Current approaches: Temporarily turn on built-in OS auditing as a last resort. Audit only certain folders.
b. Why it ’s a challenge: Built-in OS auditing impacts performance and generates new work: managing and interpreting a mountain of cryptic data (e.g., simply opening a file generates dozens of OS log entries).
c. Solution requirements: A file activity monitoring and auditing solution using network monitoring or low- impact agents can create a detailed audit log of who is accessing data and how (e.g., open, read, write, delete, rename, change permissions, etc.), without impacting performance or necessitating changes to end-user computers or applications.

In the market also exist DLP technology, that address to the data loss prevention and a lot of companies implemented or are in the process ff implementation of DLP products.  The synergy between the two technologies is this: DLP solutions try to stop the spread of data once it is already in the possession of a user and File Security solutions try to ensure that only the right users have access to begin with. In that sense, File Security can be seen as a logical first step in preventing data breaches, because File Security products work to limit access to just those who have a business need. File Security solutions also provide a powerful remediation option to organizations with DLP solutions. When a DLP solution prevents a data breach, File Security forensics can be used to trace the problem and reduce any access rights that should have been more restrictive.

Also a File Integrity/Activity Monitoring  solution complements IRM , ERM and E-DRM solutions by providing:
•    A first line of defense for sensitive business doc uments at the data sourc e – on file servers and NAS devic es
•    Protec tion for all files, whether they are protected by a file rights management solution or not
•    A way to establish and ensure business need -to-know acc ess for sensitive business data
•    An audit trail to support forensic investigations

In order to achieve a complete data security infrastructure, addressing all layer of security, companies have to add a complete File Integrity/Activity Monitoring, able to:

  • Block and alert on file access requests that violate corporate policies,
  • Identify excessive user access rights and enable a complete rights review,
  • Audit all access to files and folders by users and applications,
  • Investigate and respond to incidents and document compliance with advanced analytics and reporting,
  • Identify data owners.


  • manufacturer
  • Supported SecureSphere Products
  • Type