Introducing Hybrid File Integrity Monitoring

Enhance your security with Wiz’s new hybrid File Integrity Monitoring (FIM) solution, combining agentless and runtime capabilities for comprehensive file monitoring.


We’re excited to introduce the addition of runtime File Integrity Monitoring (FIM) to our existing agentless solution, creating a powerful hybrid approach. This gives our customers comprehensive visibility and deep context, to enable accurate and effective monitoring of critical files across their environments.

What is FIM?  

File Integrity Monitoring is a critical security process that tracks and detects changes made to files and system configurations, ensuring they’re not altered without permission. FIM works by establishing a baseline for critical files and continuously monitoring them for any changes. This is necessary because malicious actors often tamper with key system files during an attack, compromising systems and potentially causing a breach.  
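As an added illustration (not Wiz's code), here is the baseline-and-compare loop the paragraph describes, in Python: the files matched by a watch rule are fingerprinted (SHA-256 of content plus permission bits, owner and size), re-snapshotted later, and the two snapshots are diffed into created/modified/deleted events. The sample file tree, its contents and the rule list are constructed for the demo; note that the fingerprint carries no record of which process or user made the change, which is the context the post attributes to runtime sensors.

```python
import hashlib
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Content hash plus ownership/permission metadata (no actor information)."""
    st = path.lstat()
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": st.st_mode & 0o777,
            "uid": st.st_uid, "size": st.st_size}


def build_baseline(root: Path, rules: list[str]) -> dict:
    """Snapshot every regular file matched by the glob rules, keyed by relative path."""
    baseline = {}
    for rule in rules:
        for p in root.glob(rule):
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> list[dict]:
    """Diff two snapshots into FIM events: created, modified, deleted."""
    events = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            events.append({"path": rel, "change": "deleted"})
        elif (changed := [k for k in old if old[k] != new[k]]):
            events.append({"path": rel, "change": "modified", "fields": changed})
    for rel in current.keys() - baseline.keys():
        events.append({"path": rel, "change": "created"})
    return sorted(events, key=lambda e: e["path"])


def demo() -> list[dict]:
    """Constructed sample tree: baseline it, alter it, return the detected events."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc/ssh").mkdir(parents=True)
        (root / "etc/shadow").write_text("root:*:0:0:::\n")          # stays unchanged
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\n")
        rules = ["etc/shadow", "etc/ssh/*"]           # stand-in for a custom FIM rule
        baseline = build_baseline(root, rules)
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")   # edited
        (root / "etc/ssh/authorized_keys").write_text("ssh-ed25519 PLACEHOLDER\n")
        return compare(baseline, build_baseline(root, rules))
```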

Why FIM is important  

FIM delivers several security and compliance benefits:

  • Early Breach Detection: FIM continuously monitors essential system files (like password databases) and flags unauthorized changes, helping detect breaches early.  

  • Faster Threat Response: FIM provides actionable insights by showing exactly what files were changed and when, allowing teams to quickly respond and mitigate threats.  

  • Expose Security Gaps: Beyond catching attacks, FIM identifies unauthorized or unintentional changes in system configurations, revealing vulnerabilities that need to be addressed.  

  • Simplify Compliance: Regulations like PCI-DSS and HIPAA require strict file monitoring. FIM ensures file integrity and simplifies compliance by maintaining records for audits.

Runtime FIM: Enhancing visibility with context

Traditional FIM solutions offer essential monitoring but require that agents are deployed across the environment, complicating comprehensive coverage. Over a year ago, Wiz transformed FIM by introducing agentless file integrity monitoring, providing full coverage of the entire environment and helping organizations meet PCI compliance requirements in minutes. By removing the need for agents, Wiz simplified the process, making file integrity monitoring easier and eliminating the complexity of deployment.  

However, agent-based runtime FIM offers deeper visibility into file events, providing critical context like identifying the actor responsible for modifying files. For example, monitoring log files for tampering requires knowing whether the change was made by the regular system process or by a suspicious actor. In these cases, runtime monitoring with a sensor provides insights that agentless monitoring might miss. Additionally, runtime FIM is essential for monitoring ephemeral container file systems, which are temporary and may not be adequately covered with agentless monitoring.  

At Wiz, we strive to enhance security outcomes for all our customers. Our hybrid approach enables users to create a single FIM policy that can be applied to both agentless and runtime monitoring, providing optimal coverage. When runtime agents are feasible, they offer enhanced visibility and control, while our agentless solution ensures comprehensive coverage. This dual-layered approach gives organizations the flexibility to balance efficiency with in-depth monitoring to meet their security needs.

Custom FIM rules: Tailoring monitoring for sensitive files  

Another crucial aspect of meeting compliance standards like PCI DSS is the ability to monitor organization-specific sensitive files. These files might not be included in standard FIM policies but are critical to the operation and security of the business. By enabling the creation of custom FIM rules, security teams can extend their monitoring to cover any sensitive file. Custom rules allow for a tailored approach to file integrity monitoring, ensuring that specific files and directories—whether they contain customer data, intellectual property, or other critical information—are protected from unauthorized changes. This customization is essential for organizations to monitor critical files and maintain compliance with evolving regulatory requirements.

FIM detections and response policies  

Wiz supports custom response actions for runtime FIM: users can create tailored response policies to take immediate action on detected threats. For example, with Runtime FIM Threat Detection Rules (TDR), you can configure a policy to automatically terminate unauthorized processes that modify critical files. Additionally, automation rules that send notifications via email, Slack, or ticketing systems can be applied to both agentless and runtime FIM detections. This proactive approach enables organizations to minimize risk by responding swiftly to FIM detections, enhancing overall security without manual intervention.

Conclusion  

FIM has become a foundational component of modern security and compliance strategies. Wiz’s hybrid approach gives organizations confidence in comprehensive coverage with the context needed to understand who is making the changes, unified under a single policy. Additionally, custom monitoring rules give teams the flexibility they need to monitor any critical files they deem important across their cloud environments. 
