The insight gained through File Integrity Monitoring (FIM) is best used when it is fed into the broader event stream of log data collected from across your network (workstations, servers, domain controllers, file servers, antivirus software, IDS/IPS systems, etc.). This data can be correlated to produce situational awareness across diverse events. In the past this called for Windows Security Event Log Management and Syslog Security Event Log Management; more recently it is known as Security Information and Event Management (SIEM).
SIEM systems already collect log data from across your IT infrastructure for correlation and analytics. When you combine FIM events with SIEM, you get a more robust security system that offers defense-in-depth threat intelligence to detect advanced and sophisticated threats.
Some applications of combining FIM with SIEM include:
User-aware File Integrity Monitoring:
System, Active Directory (AD), and file audit events are correlated to obtain information on which user was responsible for accessing and changing a file. You can also identify other activities of the user before and after the file change for complete user activity monitoring.
Data Loss Prevention (DLP):
Correlating file audit events with other log data gathered by SIEM provides advanced threat intelligence, which is useful for pinpointing breach attempts. With the remediation capability of SIEM, you can automate responsive actions (shut down systems, detach USB devices, disconnect systems from the network, log off users, disable user accounts, etc.) to safeguard data and prevent breaches.
Zero-day malware detection:
Malware is one of the primary threats to file integrity and safety. By having SIEM detect zero-day malware via AV and IDS/IPS logs and correlating those alerts with file audit events, you can stop the malware in its tracks before it harms your secure files. You can use SIEM’s incident response actions to kill the malicious process or quarantine the affected systems for complete endpoint protection.
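The correlation described under "User-aware File Integrity Monitoring" and "Zero-day malware detection", as an added example that is not part of the original article or of any particular SIEM product: each FIM hash-change event is joined with the logon sessions on the same host to name the responsible user, and with AV/IDS and process events from that host within a time window. All records (hosts, users, paths, timestamps) are constructed sample data.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample records, shaped like normalised SIEM events (not real logs).
SESSIONS = [  # interactive logon sessions, e.g. from Windows Security events
    {"host": "FS01", "user": "jdoe", "logon": ts("2024-03-01 09:00:00"), "logoff": ts("2024-03-01 12:00:00")},
    {"host": "FS01", "user": "svc_backup", "logon": ts("2024-03-01 02:00:00"), "logoff": ts("2024-03-01 02:30:00")},
    {"host": "WS07", "user": "asmith", "logon": ts("2024-03-01 08:30:00"), "logoff": None},  # still logged on
]
OTHER_EVENTS = [  # AV/IDS and process events the SIEM already holds
    {"host": "WS07", "time": ts("2024-03-01 09:04:30"), "source": "AV", "msg": "Heuristic detection: dropper.exe"},
    {"host": "FS01", "time": ts("2024-03-01 10:14:00"), "source": "Process", "msg": "excel.exe started by jdoe"},
    {"host": "FS01", "time": ts("2024-03-01 15:00:00"), "source": "Process", "msg": "unrelated later event"},
]
FIM_EVENTS = [  # monitored-file hash changes reported by the FIM agent
    {"host": "FS01", "path": "C:\\Finance\\ledger.xlsx", "time": ts("2024-03-01 10:15:00")},
    {"host": "FS01", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts", "time": ts("2024-03-01 03:10:00")},
    {"host": "WS07", "path": "C:\\Windows\\Tasks\\update.job", "time": ts("2024-03-01 09:05:00")},
]

def correlate(fim_events, sessions, other_events, window=timedelta(minutes=5)):
    """Attribute each file change to the users logged on to that host at that
    time and attach other events from the same host within +/- window."""
    results = []
    for ev in fim_events:
        users = sorted({s["user"] for s in sessions
                        if s["host"] == ev["host"] and s["logon"] <= ev["time"]
                        and (s["logoff"] is None or ev["time"] <= s["logoff"])})
        related = [o for o in other_events
                   if o["host"] == ev["host"] and abs(o["time"] - ev["time"]) <= window]
        results.append({
            "path": ev["path"], "host": ev["host"], "users": users, "related": related,
            # A change with no logged-on user, or with an AV/IDS hit nearby, is the case to triage first.
            "priority": "high" if not users or any(o["source"] in ("AV", "IDS") for o in related) else "normal",
        })
    return results

if __name__ == "__main__":
    for r in correlate(FIM_EVENTS, SESSIONS, OTHER_EVENTS):
        who = ", ".join(r["users"]) or "no logged-on user"
        print(f"[{r['priority']:6}] {r['host']} {r['path']} <- {who}; {len(r['related'])} related event(s)")
```

In the sample data the hosts-file change at 03:10 has no covering session and the scheduled-task change on WS07 lands 30 seconds after an AV detection, so both are flagged high while the finance spreadsheet edit is attributed to jdoe as routine activity.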
Continuous compliance support:
While FIM is a key requirement of many compliance regulations, SIEM systems offer out-of-the-box templates that help with compliance audits. Including FIM results in your compliance reports gives auditors a complete picture of your network security posture.