What is File Integrity Monitoring?
File Integrity Monitoring (FIM) is an internal control or process that validates the integrity of system files, application software, configuration parameters and log files by comparing current file contents to a known, desired baseline. This technique provides information about the interval and scope of an attack that is unavailable by other means. It can also be used for audit purposes in order to comply with standards such as PCI, HIPAA, FISMA, GDPR etc. FIM+ is the only product to fully implement this technique on mainframes.
What is FIM+?
MainTegrity’s FIM+ software product is a file integrity monitoring system for z/OS mainframes. It monitors system, configuration, application, and log files on your systems. FIM+ also alerts you to changes that may have occurred as part of a breach or other unwanted event. The “+” comes from some of the features unique to MainTegrity, including:
- Auto Discovery – The biggest challenge for change detection on a mainframe is knowing what to monitor and understanding the impact of a detected change. FIM+ will automatically discover and monitor key system and configuration files. By discovering these key files, FIM+ can minimize setup time and eliminate ongoing admin as your environment changes.
- System Synchronization – FIM+ lets you verify common files across multiple Z/OS systems. If you run multiple production systems, FIM+ can ensure files that should be identical on each system remain that way, alerting you to any deviation.
- Application Awareness – Other tools can tell you that a file has changed; FIM+ also tells you which application release that file is part of. Hash keys can be calculated for your application release after it has passed QA and is ready for deployment. After deployment to your production systems, FIM+ can immediately verify a successful deployment and begin regular scanning of the application release. This gives you the ability to provide an ongoing audit of the current state of all your applications.
Why do I need File Integrity Monitoring?
Anything residing on any computer system is at risk of both accidental and malicious changes. While general perception is that mainframes are secure, breaches still happen with dire consequences.
Reports of data theft are more common and cyber criminals are more sophisticated in their attacks. Despite strict security policies and formal change control processes, stolen credentials and emergency changes are just two examples of how data can be modified while circumventing these procedures.
What happens when FIM+ detects a change?
When a change is detected, FIM+ identifies not only the file, but the system component or application it is part of. Different policy-driven actions can be triggered, based on severity and sensitivity, reflecting the potential impact of the change to your business. FIM+ can then validate the change by querying your change management system and, if the change is found to be malicious, open an incident report in tools like ServiceNow and Remedy. If appropriate, FIM+ can take further action including log updates, issuing an alert to your SIEM tool, sending emails or texts to admin staff, and even taking other customer-specific actions.
Wait, aren't some files "supposed" to be different on individual LPARs?
Yes, sometimes a file’s metadata and hash code are required to be unique to each system for a variety of reasons. However, once put on the system, many of these files should never change. FIM+ can ensure that certain system specific files are not included in LPAR synchronization but will continue to monitor them for modifications.
Can FIM+ go beyond change detection and help me with incident response?
Yes, FIM+ provides answers about who, what, when, where and even why changes took place. You will need those answers before you can start to respond to an incident. Displayed in a single view within the FIM+ GUI or transmitted to your SIEM such as Splunk or QRadar, these answers are crucial when an incident occurs. In addition, the scope of components affected and the interval of attack are also provided.
What changed? FIM+ provides the scope of the changed components – one component or thousands. FIM+ knows which files were modified, added or deleted and can invoke an automated content comparison using its stored baseline to reveal the specific changes.
Why did it change? By querying change management products like Remedy and ServiceNow, FIM+ can determine whether the change was authorized. This avoids many false alarms and ensures that only validated alerts become incidents.
When did it change? FIM+ records the last time each component was correct. It can, therefore, automatically determine the attack interval.
Who changed it? FIM+ searches access data in SMF to see which userid changed the files during the attack interval. It then displays the information in the FIM+ 3270 or FIM+ GUI interface so you can get all the information required in one place in seconds. Since FIM+ also sends FIM data to your SIEM, you could also look there and get all of the information required to start your recovery.
What content was changed? FIM+ can be instructed to use a baseline copy of files and members. For config members, source and text files that can be read by humans, FIM+ can then automatically invoke a file comparison tool to show you a side-by-side picture highlighting the actual lines that are different.
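The "when" and "who" answers above rest on one idea: the attack interval runs from the last scan that found a component correct to the scan that found it changed, and only access records inside that interval are relevant. The following is an added illustration of that logic, not FIM+ code; the component names, the last-good times and the access records are all constructed sample data standing in for a FIM+ baseline and SMF dataset-access records.

```python
from datetime import datetime
from typing import NamedTuple

class AccessRecord(NamedTuple):
    when: str      # ISO-8601 timestamp
    userid: str
    dataset: str   # dataset or member name
    action: str    # UPDATE, DELETE, READ, ...

# Constructed sample: when each monitored component was last verified correct.
LAST_GOOD = {
    "SYS1.PARMLIB(IEASYS00)": "2024-03-01T22:00",
    "PROD.APP.LOADLIB(PAYROLL)": "2024-03-02T02:30",
}

# Constructed sample access records (stand-in for SMF data).
ACCESS_LOG = [
    AccessRecord("2024-02-28T09:00", "OPSADM", "SYS1.PARMLIB(IEASYS00)", "UPDATE"),
    AccessRecord("2024-03-02T03:15", "TEMP01", "PROD.APP.LOADLIB(PAYROLL)", "UPDATE"),
    AccessRecord("2024-03-02T03:40", "TEMP01", "SYS1.PARMLIB(IEASYS00)", "UPDATE"),
    AccessRecord("2024-03-02T04:05", "BATCH1", "PROD.APP.LOADLIB(PAYROLL)", "READ"),
]

def attack_interval(component, detected_at):
    """Window in which the change must have happened: after the last scan
    that found the component correct, up to the scan that detected the change."""
    return datetime.fromisoformat(LAST_GOOD[component]), datetime.fromisoformat(detected_at)

def who_changed(component, detected_at, log=ACCESS_LOG):
    """Modifying accesses to the component inside its attack interval,
    as (timestamp, userid, action) tuples in time order."""
    start, end = attack_interval(component, detected_at)
    hits = [(r.when, r.userid, r.action) for r in log
            if r.dataset == component
            and start < datetime.fromisoformat(r.when) <= end
            and r.action != "READ"]
    return sorted(hits)

def incident_summary(changed_components, detected_at, log=ACCESS_LOG):
    """One place to look: every changed component with its interval and suspects."""
    return {c: {"interval": tuple(t.isoformat() for t in attack_interval(c, detected_at)),
                "changes": who_changed(c, detected_at, log)}
            for c in changed_components}
```

The 28 February OPSADM update is outside the PARMLIB interval and is correctly excluded; the read by BATCH1 is inside the interval but did not modify anything.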
What kinds of files are monitored by FIM+?
FIM+ will monitor most types of mainframe files including PDS, PDSE and sequential datasets as well as USS files such as zFS and HFS. Highly active files like databases are not good candidates as they are continuously being updated. FIM+ primarily targets system files, configuration files, application files, and log files. FIM+ can monitor executable programs, source programs, JCL, config members, scripts, CLISTs and other files for changes that bypass simple access control.
Can FIM+ monitor encrypted files?
Yes, FIM+ can detect changes to encrypted files without any need to decrypt their contents.
What changes does FIM+ detect?
FIM+ detects additions, modifications and deletions to files, even across multiple LPARs. This allows administrative staff to quickly determine whether a change was correct and whether all systems are kept in sync with one another.
Can FIM+ do a comparison of different versions?
When FIM+ reports a change to any text-based file (not binaries or load modules), you can invoke a compare utility to view the differences if the original version is available to FIM+. This includes files that FIM+ monitors and that should remain identical across multiple systems, i.e., application release files. FIM+ does not retain its own version of files but will make use of original versions of files that it is aware of. Don’t worry, you can still detect that binaries and load modules have changed.
I already have RACF, ACF/2 or TopSecret - Isn't that enough?
Mainframe security products like RACF, ACF2, and Top Secret can report access to files. Unfortunately, processing this data into useful information about whether a change to critical system or application files was approved or expected is difficult to say the least. Additionally, SAF products do not detect whether a scheduled change was implemented correctly. This, together with the use of stolen credentials, makes it easy for potentially harmful changes to go undetected.
I already have an Intrusion Detection/Prevention System and monitor my logs.
Great! However, these systems are not foolproof. If a change was made accidentally or using stolen credentials, it will look like normal business use and therefore will not be picked up by the IDS or IPS. Going through log data will only tell you who changed what, not whether it was meant to be changed.
Isn't this just more software to manage?
Features such as Automatic Discovery and Application Awareness enable FIM+ to be a “set it and forget it” product that works in the background and alerts you to any changes that may harm your environment.
After the initial installation, zero-admin becomes possible.
My z/OS workforce is aging and finding young mainframers is difficult, how can FIM+ help with that?
Bringing tools and concepts in from open systems didn’t just stop at file integrity monitoring. FIM+ also has two features which enable even non-mainframers to do an integrity check-up on your mainframe.
First, a web-based graphical user interface has been provided which allows anyone to control FIM+ in a way they are already familiar with.
Second, using MainTegrity’s custom action definitions and REST API, it is easy to offload control and reporting to an existing SIEM product that security staff from the distributed world already use.
How long does it take to install and get results from FIM+?
FIM+ is designed to install in one hour and produce useful results in the second hour of use. Using the auto-discovery facility, you can quickly begin monitoring key system and configuration files. The system synchronization facility can immediately point out differences between multiple production systems.
Is there a performance impact by installing this software?
All software products create workload. FIM+ uses two techniques to significantly reduce the overhead on your systems.
- FIM+ uses the hardware HASH instruction to create its hash keys. This offloads the bulk of the CPU time needed to create the hash codes to an ancillary processor. Using this technique, quick scan resource usage is negligible while full scans use a little more; most sites will be pleasantly surprised by how small the product's resource usage footprint is.
- You can use a combination of quick and full scans. A full scan creates a hash key from all the data in the file. The quick scan uses just the metadata for the file. Files that are changed through normal update functions like editors, utilities, and linkers will cause the metadata to change.
Quick scans can be used to detect normal changes. Full scans are required to detect some types of malicious changes such as zapping a module. By running a combination of quick scans during peak periods and full scans in low utilization periods, you can minimize any impact to your system performance.
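The distinction between the two scan types is easiest to see on a file. Below is an added illustration, not FIM+ code: a baseline stores both file metadata and a content hash, a quick scan compares only the metadata, and a full scan rehashes the content. The demo shows why a normal relink (size and timestamp change) is caught by the quick scan while a simulated in-place zap (same size, timestamps put back) is caught only by the full scan. SHA-256 is assumed here as the hash; the file and its contents are constructed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    size: int        # metadata captured at baseline time
    mtime_ns: int
    sha256: str      # content hash captured at baseline time

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(path):
    st = os.stat(path)
    return Baseline(st.st_size, st.st_mtime_ns, sha256_of(path))

def quick_scan(path, base):
    """Metadata only: cheap, catches changes made through normal tools."""
    st = os.stat(path)
    return st.st_size == base.size and st.st_mtime_ns == base.mtime_ns

def full_scan(path, base):
    """Rehash the whole content: needed for changes that leave metadata intact."""
    return sha256_of(path) == base.sha256

def demo():
    """Returns (quick_scan_ok, full_scan_ok) for a normal edit and for a zap."""
    original = b"LOAD MODULE v1" + bytes(16)
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "MODULE")
        with open(p, "wb") as f:
            f.write(original)
        base = take_baseline(p)
        # Normal relink: content, size and timestamp all change.
        with open(p, "wb") as f:
            f.write(b"LOAD MODULE v2 rebuilt" + bytes(16))
        normal_edit = (quick_scan(p, base), full_scan(p, base))
        # Simulated zap: restore v1, patch one byte in place, put timestamps back.
        with open(p, "wb") as f:
            f.write(original)
        with open(p, "r+b") as f:
            f.seek(20)
            f.write(b"\x90")
        os.utime(p, ns=(base.mtime_ns, base.mtime_ns))
        zapped = (quick_scan(p, base), full_scan(p, base))
    return {"normal_edit": normal_edit, "zapped": zapped}
```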
Security and compliance
Can FIM+ be used to help me improve my next PCI-DSS (or other standard) audit score?
Yes, in addition to directly addressing sections 10.5 and 11.5 in the PCI-DSS v3.2, FIM+ can also be used to show your auditor that enterprise software and configurations haven’t been tampered with. This can be done on demand, while the auditor is on site, giving them an immediate, accurate answer to the question “How do you know you haven’t been compromised?”
Does FIM+ work with my existing security products?
Yes! As always, the best security is built in layers and FIM+ was built with this in mind. Perimeter defenses like firewalls and external security managers can help prevent the wrong people from getting in, but some still do.
Event monitoring can determine who did what and when but lacks a time frame and other vital contextual information. FIM+ data, in addition to determining exactly what went wrong can also provide a timeframe and other context, vastly reducing the amount of data an analyst must sift through.
Are there any exposures only detectable by File Integrity Monitoring?
Unfortunately, yes. Things like SMP/E injection and other types of man-in-the-middle or supply chain attacks are very difficult to detect using current practices. This is largely because the payload is put onto the system by what appears to be a trusted source. In the case of SMP/E injection, some PTFs or other software is put on the mainframe and resides there for months or even years before it is received. This leaves a very long window during which the package may have been modified, and an analyst would then need to determine when that change was made. A simple FIM scan when the files are downloaded and a separate validation scan prior to installing the package ensures that no modifications were made during this period.
What about false positives?
Many change detection products have an issue with reporting changes to files that are part of the normal change process. By using a combination of auto-detection for system and configuration files, and the application awareness, FIM+ can minimize false positives.
FIM+ is also working to use the information in change management products like ServiceNow to know when a change is planned and approved. By tying that into the change detection policy, the appropriate level of action for detected changes can be taken.
Will FIM+ integrate with my DevOps toolchain?
FIM+ includes a generic web client (REST) interface that is used to communicate with other web-based management tools such as ServiceNow and Remedy. You only configure what data you want to send and where you want to send it. This allows you to access scan results, initiate scans, and update the FIM+ configuration from your existing management and automation tools.
FIM+ is designed to integrate into your Application Development, QA, and Deploy processes. Using FIM+ batch utilities, you can allow FIM+ to automatically generate hash keys for each application release while it is being deployed. Additionally, after an application release has been deployed, a post-deploy verification scan can also be kicked off in order to prove that the most up-to-date code is running in production.