Skip Navigation
Scroll Up

Trustwave File Integrity Monitoring: A Technical Review

If you’ve been paying attention to recent news, all eyes will be on Marriott and what appears to be the largest data breach in history. At this point, it’s too early to tell the root cause, but it appears to be a mix of quick acquisitions and numerous security controls not being put in place. This makes me wonder, what will be the tipping point? I think the answer is some impending regulation like the California Consumer Privacy Act (CCPA).

Let me share an interesting quote from a recent Forbes article about the breach.

“Currently many companies opt for inadequate data security because it’s cheaper than the consequences of a data breach.” – John M. Simpson, Project Director for Privacy and Technology at Consumer Watchdog

I think we will be seeing a shift to executive accountability for data security and organizations should start preparing now.

The good news is Wind River is helping organizations start today with the Advanced Security Package. One of the great tools you’ll have access to is File Integrity Monitoring (FIM), which I wanted to showcase for you today. FIM is used for early detection of security intrusions, and I’ve written before why a file integrity monitoring tool is vital.

Now, at this point, I’ll assume you have the Trustwave Endpoint Protection Suite that comes with the Advanced Security Package installed and running on the system you want to protect. If you need a refresher on how to do so, we have instructions here. Once installed, go ahead and navigate to the FIM icon in the navigation from your Trustwave account.

FIM Dashboard

FIM Dashboard – The FIM dashboard is the central location to see all device activity and issues corresponding to those devices. At a glance, you can get an idea of the issues you’re seeing currently as well as historically. The good news is I have no critical or high events on my reporting systems in this example, but as you’ll in just a moment, I have a lot of medium events* that may warrant investigation.

*I should note that these events came from a lot of install and uninstall activity that was intentional on my part, so no surprises.

FIM Events

FIM Events – If you see something that warrants investigation, All Events is the area you would want to go. As you can see, there are a lot of different filtering capabilities to narrow down your investigation. Here, we’re looking at some activity of my install/uninstall where registry keys are being changed and, in some cases, deleted. This is all expecting behavior as I initiated the activity.

FIM Settings

FIM Settings – FIM lets you fine tune the settings and level of information you receive. It allows you to turn it up or down depending on your organization’s needs. Some organizations may prefer to not receive any email and instead login on a periodic basis. No matter your preferences, scroll down to the next section for my recommendations.

Recommendations – First, make sure you get FIM installed on all your critical servers and systems, especially if you currently don’t have any monitoring on them. Then, for most businesses, I suggest you enable emails on a weekly basis and set alerts for only critical and high security events. However, depending on your organizations risk tolerance and security requirements, you may need to adjust these settings to meet your specific needs.

Pretty cool, right? I hope this gives you enough information to get FIM running at your organization and providing another layer of protection. This is definitely one of the most popular tools in the Advanced Security Package and one that will help keep you from being another security breach headline.

Are you struggling with your organization’s security and compliance? If so, please let us know and we’d be happy to help you through the process.

[su_button url=”/contact” background=”#5a6e16″ size=”10″ center=”yes”]CONTACT US[/su_button]


Steve Staden

Share This Article
Share on Facebook
Share on Twitter
Share on Linked In