File Integrity Monitoring Guide

.trustwave.
com Updated October 9, 2007
File Integrity Monitoring

User Guide
File Integrity Monitoring User Guide - August 2013
Legal Notice
Copyright 2013 Trustwave Holdings, Inc.
All rights reserved. This document is protected by copyright and any distribution, reproduction, copying,
or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this
document may be reproduced in any form or by any means without the prior written authorization of
Trustwave. While every precaution has been taken in the preparation of this document, Trustwave
assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.
While the authors have used their best efforts in preparing this document, they make no representation
or warranties with respect to the accuracy or completeness of the contents of this document and
specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No
warranty may be created or extended by sales representatives or written sales materials. The advice and
strategies contained herein may not be suitable for your situation. You should consult with a professional
where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any
commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or
other damages.
The most current version of this document may be obtained by contacting:
Trustwave FIM Support:

Phone: +1.800.363.1621 Option 2 and Option 2
Email: FIM@trustwave.com
Trademarks
Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used,
copied, or disseminated in any manner without the prior written permission of Trustwave.
Revision History
Table 1: Revision History
Version Date Changes
1.0 June 2012 Initial release
2.0 July 2013 FIM Dashboard Update
Copyright 2012 Trustwave Holdings, Inc. All rights reserved. i

About This Document

The FIM User Guide describes how to use the Trustwave FIM application.
Copyright 2012 Trustwave Holdings, Inc. All rights reserved. ii

Table of Contents
Legal Notice i
Trademarks ................................................................................................................................i
Revision History ..........................................................................................................................i
About This Document ii
List of Tables iv
1 Overview 5
2 Logging on to the Portal 6
3 Dashboard 7
3.1 Changes by Agent ................................................................................................................7
3.2 Filters ................................................................................................................................ 11
3.2.1 Critical or High Events ............................................................................................ 11
3.2.2 No FIM Report ....................................................................................................... 12
3.2.3 Reset .................................................................................................................... 13
3.2.4 Refresh ................................................................................................................. 13
3.3 Event Volume .................................................................................................................... 13
Table 4: Event Priority Breakdown ............................................................................... 14
4 Email Preferences 15
5 All Events Page 18
6 Exporting Data 19
7 Recommendations 20
7.1 Monitoring with Care .......................................................................................................... 20
7.2 Reacting to Findings ........................................................................................................... 20
8 Other Agent Services 22

8.1 PCI Bundle ........................................................................................................................ 22
8.2 Managed Security Services ................................................................................................. 23
Appendix A: Glossary 24
About Trustwave 30
Copyright 2013 Trustwave Holdings, Inc. All rights reserved. iii

List of Tables
Table 1: Revision History...................................................................................................................i
Table 2: Color Key for Event Groupings .............................................................................................8
Table 3: Data in Changes by Agent ................................................................................................. 10
Table 4: Event Priority Breakdown .................................................................................................. 14
Table 5: FIM Email Settings ............................................................................................................ 15
Table 6: All Events Table ................................................................................................................ 18
Table 7: Glossary ........................................................................................................................... 24
iv Copyright 2013 Trustwave Holdings, Inc. All rights reserved.

1 Overview
File Integrity Monitoring (FIM) is an essential part of any data security program. It detects changes to
your critical system files and directories. Early detection of malicious events limits (or prevents) the
damage that results from costly data incidents; ensures that your sensitive information is not altered
without permission; and ensures that no files are deleted from secure systems without your knowledge.
The Trustwave FIM service is delivered through the TrustKeeper Agent and helps users comply with PCI
requirements by monitoring critical system files, directories, and registry objects. FIM generates alerts
when these objects are modified in any way, and also delivers alerts through the TrustKeeper Portal.
Trustwaves FIM product also features:
Email digests delivered daily and/or weekly to inform users of changes to their files
Granular change descriptions that are easy to understand
Event priorities that help you focus on the most risky events
A simple heatmap data visualization which helps users quickly assess the state of their network
By leveraging our ample security and payment industry experience to craft our FIM solution while
focusing on a simple user experience, Trustwaves FIM will be a key component of your data security
program and ease management of your data management.
Overview
5 Copyright 2012 Trustwave Holdings, Inc. All rights reserved.
2 Logging on to the Portal

To log on to the TrustKeeper portal, go to https://login.trustwave.com. Login credentials will be provided
to you by Trustwaves support team. After logging on to FIM, the FIM Dashboard is displayed.
Logging on to the Portal

3 Dashboard
The FIM Dashboard
The FIM Dashboard provides a high-level overview of FIM activity captured by the TrustKeeper Agent.
Given the number of changes that any FIM tool will track, it is difficult to focus on the most important
events throughout an environment, but with Trustwaves new, highly interactive, heatmap visualization
driving the data presented in the Dashboard, Trustwave delivers an intuitive and holistic representation of
critical file changes in your network. By doing this, the user spends less time sifting through data and
more time investigating suspicious or unauthorized changes.
The Dashboard is comprised of the following components:
Changes by Agent
Filters
Event Volume
3.1 Changes by Agent

The Changes by Agent section of the dashboard represents several pieces of data in one, color-coded
heatmap. The heatmap will display a shade of white or blue that corresponds to the number of total
events reported for each Agent on each day, allowing you to determine which Agents reported more or
fewer changes relative to your Agent population. For example, your Agents may, on average, detect 25
changes per day, which would result in a light blue shade on the Changes by Agent heatmap for the
majority of your Agents. But if one Agent detected 200 changes, the relevant cell in the heatmap for that
Copyright 2013 Trustwave Holdings, Inc. All rights reserved. 7

Agent and day would be our darkest blue, a stark contrast to the other cells to highlight how radically
different the counts are.
Seeing these relative differences is important to identify outliers on your network. A higher number of
changes could indicate a gap in your change control procedures, ineffective firewalling, non-compliant
users or malware infection whereas noticeably fewer changes could indicate a systems failure to receive
crucial updates. Using Trustwaves heatmap visualization, outliers are easily detected.
Scales for Changes by Agent
By default, the event scale will have a maximum threshold of 100 events but the maximum threshold can
be increased to 1000 events if necessary. If no changes are reported, the appropriate cell will be white,
but if changes are reported there are five distinct shades of blue that are possible. See the below scale
for how events are grouped and shaded for the 100 and 1000 scales.
Table 2: Color Key for Event Groupings
100 1000
0 0
1-25 1-250
26-50 251-500
51-75 501-750
76-100 751-1000
101+ 1001+
Both thresholds can be used in the application at any time by selecting the desired threshold from the
dropdown menu to the right of the event scale. When a new threshold is chosen, the heatmap will
update with the new scale and new shadings.
Max Threshold Selection
Dashboard
Interacting with Changes by Agent Heatmap
There are several possible interactions with the Changes by Agent heatmap that help you stay on top of
changes detected by Trustwave.
In the Changes by Agent heatmap, the left-most column lists each Agent that is registered to your
account. The names of the Agent are set during installation of the Agent, and, unless changed during
installation, Trustwave will use the name of the computer as the Agent name. By clicking on an Agent
name in the heatmap, the row will be selected, highlighting the changes detected by the Agent over the
most recent 30 days.
Selecting a Row in the Heatmap
In addition, you will see all changes sorted by priority in the Event Volume histogram and the ten most
important Critical or High changes will be listed in the Critical or High Events table on the bottom-right of
the Dashboard. (More information about the Event Volume histogram and Critical or High events table is
presented below.)
If, however, you would like to compare all Agents in your environment for a given day, you can click on
the columns header cell. As with selected a row, this will highlight the appropriate column and update
the data presented in the Dashboard to reflect your selection.
Selecting a Column in the Heatmap

The Changes by Agent heatmap also allows you to see data for an Agent on a specific day by hovering
over, or selecting, a cell. The callout presented when hovering over a cell will display the date, Agent
name, number of Critical or High events (if applicable) and the number of total events for that day. If the
cell is selected, the data on the right-side of the dashboard will update in accordance with your selection.
Selecting a Cell in the Heatmap
Table 3: Data in Changes by Agent
Data Representation Location Notes
Agent Agent name Left-most column If the Agent name exceeds the width of
of the Changes by the column, a tooltip will display the full
Agent heatmap name.
The total number of Agents installed with

FIM as well as the number of Agents
visible on the heatmap is displayed in a
label next to Changes by Agent.
Changes Blue shading In each cell of the If no changes are reported, the cell will be
heatmap white.
To see how shades are determined, hover

over each color in the scale above the
heatmap.
Critical or Red circle Superimposed over For more information, select a cell to see
High Events heatmap cells details in the Critical or High Events table
where present on the Dashboard.
No FIM Black X Superimposed over No FIM report could indicate the machine
Report for heatmap cells is offline, the Agent has been stopped,
24 Hours where present etc.
Dashboard
3.2 Filters
Events on the heatmap can be filtered by Critical or High Events or no FIM reports to help you focus on
the most important events in your environment.
Filters
3.2.1 Critical or High Events

Whenever a critical or high event is received, the cell corresponding to the Agent that reported the
Critical or High event and the day on which the Critical or High event was received will have a red circle
placed over the cell. If you choose to filter by Critical or High events, the Event Volume histogram will
show the distribution of events by priority for only those Agents that have reported a Critical or High
event in the past 30 days.
The Critical or High Events table located on right-hand side of the dashboard will also update to reflect
the filtered data shown on the updated heatmap.
The Critical or High Events Table

This table has five different columns with data to help you investigate these changes, and is sorted by
priority (Critical events are displayed on top of High events) and then date:
Priority: The risk rating assigned by Trustwave to the change. Critical events are represented by
four red rectangles while High events are represented by three orange triangles.
Date: The date on which Trustwave recorded the event.
IP Address: The internal IP address reported by the Agent.
Agent Name: The name of the Agent.
Affected Object: The path to the file, directory, registry key or registry value affected by the Critical
or High event. For paths that are exceptionally longs, a tooltip will display the full path on hover.
If it is the case that this is not enough information to diagnose whether the change was expected, each
row in the table can be double-clicked to take you to a Details page where the event can be selected to

get all information for the event. You may also reach this page by clicking on the hyperlinked count of
Critical or High events presented above the Critical or High Events table. This page operates in the same
manner as the All Events page, which is described in more detail below.
Double-Clicking an Event Displays Event Details
3.2.2 No FIM Report

If an Agent does not send in a FIM report for an entire day, the corresponding cell will have a black x
displayed. Note that this does not mean that no changes were reported but that the Agent did not send
any FIM report, indicating that the machine is offline, the Agent has been disabled or something else is
interfering with normal FIM functionality. If this happens, ensure the machine is online, that the machine
can communicate with Trustwave and that the Agent is running. If the above checks do not indicate a
problem, then debug logs from the Agent should be collected and shared with Trustwave for analysis.
As with the Critical or High Events filter, when the No FIM Report filter is selected only rows where at
least one cell displays a black x will be displayed in the heatmap, and the right-hand side of the
dashboard will update accordingly.
Note: Both filters can be selected simultaneously. In that case, we will show only rows in the
heatmap where Agents reported a Critical or High event in the last month OR did not send in
a FIM report for at least one day in the last month.
Dashboard
3.2.3 Reset
When a selection is made of a column or row, the data will be filtered down to meet the criteria of that
selection. By clicking the Reset button, all heatmap and filter selections will be cleared.
3.2.4 Refresh
The TrustKeeper Agent sends FIM data back to Trustwave four times a day, and as soon as the data is
processed it is available to be viewed in the heatmap. To update the data in the heatmap, the refresh
button can be clicked. If new data is available, the heatmap will be re-generated to show the latest
changes detected by Trustwave.
3.3 Event Volume

Trustwave applies a priority to every change in an effort to direct your attention to the most suspicious
changes throughout your network. It is expected that nearly all changes will be Medium or Low in priority
while Critical or High values should be especially rare. The Event Volume histogram shows the breakdown
of events by severity for the Agent selection visible in the Changes by Agent heatmap. For further
analysis of any group of event priorities, the appropriate bar or hyperlinked sum can be clicked to display
all collected details. (Note: If the sum is 0 then the bar and sum will not be linked.) If even more analysis
is needed, all event details can be exported and imported into data analysis tools such as Excel to discern
patterns.
Event Volume Histogram
While Trustwave maintains and updates the priority calculations, knowledge of your particular
environment is crucial for making sense of the data. The Changes by Agent heatmap will allow you to
identify trends, outliers and frequencies for your Agent population, which will help you determine what
behavior is normal for your network. This understanding is critical for using the raw data to identify
trends within the raw change data made available to you in the Trustwave FIM application.

Table 4: Event Priority Breakdown
Priority Icon Description
Critical Critical events warrant immediate attention. They represent activity

associated with known attack vectors or severe breakdowns in
change controls.
Examples:
Adding registry values to

HKLM\Software\Microsoft\Windows\Current\Version\Run
Unexpected FIM cache modifications
High High events may not be associated with known attack vectors but
are still suspicious and should be investigated with urgency.
Examples:
Log files decreasing in size
No privilege restrictions for registry entries
Medium Medium changes may be standard but could also violate change
control policies. Changes that grant extra privileges to critical files
or ownership changes
Examples:
Group change on a file
Removal of privileges from a file
Low Low changes appear to be normal behavior and, while they must
be monitored, present are almost certainly innocuous.
Examples:
Log files increasing in size
Directory creation
Dashboard
4 Email Preferences
Within the Trustwave FIM application, you can choose between three options for receiving email. By
default, all users will receive a daily email summary of FIM activity which can be used to review the
previous days events. You may also choose to receive a weekly digest that presents data collected from
the previous week, or you may choose to receive email notifications only when a Critical or High event is
recorded.
FIM Email Preferences
These settings apply only to emails sent as part of the Trustwave FIM application. The following table
describes how to set your FIM application email preferences.
Table 5: FIM Email Settings
Preference Setting Notes
I dont want any FIM Ensure Receiving Email No FIM email will be sent. Do note that
email. box is un-checked events must be reviewed at least weekly
to satisfy PCI 11.5.
I only want a daily or Check Receiving Email An email will be sent at the beginning of
weekly email. each day or week.
Check Daily or Weekly
I only want daily or Check Receiving Email An email will be sent at the beginning of
weekly email IF a Critical each day or week only if a Critical or
Check Daily or Weekly
or High event is detected. High event is detected.
Check Only Receiving
Critical and High Severity
Events
I want every email. Check all boxes except An email will be sent at the beginning of
the Only Receiving each day and at the beginning of each
Critical and High Severity week.
Events

FIM email reports have several key elements, including:
Events Severity (Daily/Weekly) a breakdown of all events by priority. Each sum is linked so
that clicking the link in the email will direct you to TrustKeeper for further investigation. If you need
your username, it is included in the email next to the Username label.
Agent Activity (Daily/Weekly) Statistics regarding the number of Agents installed that have
FIM, the number of Agents that contributed to the report and the number of Agents gone quiet,
meaning Agents that did not send in a FIM report for the day in question.
Notable Hosts (Daily) Any host on which we detect a Critical or High event is a notable host, and
to start your investigation we present the internal IP address, Agent name, object (e.g., file) for
which we detected the Critical or High event(s) and the number of Critical or High events on that
object. A host may have multiple objects that report a Critical or High change so all objects reporting
Critical or High events on a given host will be presented in the same table.
Events by Day (Weekly) Available only in the weekly email, the Events by Day table shows how
many of each priority we detected for each of the past seven days to allow you to identify trends.
Agents Gone Quiet (Daily/Weekly) If an Agent did not send in a FIM report for the date of the
email digest, we will list the Agent name and IP address in this section.
Sample Daily Email
Email Preferences
Sample Weekly Email
Note: All emails are sent from Trustwave FIM Service at noreply@trustwave.com. If you
receive an email purporting to be a Trustwave FIM email, do not open the email and please
forward to FIM@trustwave.com.

5 All Events Page

The All Events page displays all events from the current day, but the date range and priority can be
modified. On this page, raw data and event details can be viewed and exported for further investigation.
All Events for the Current Day
Table 6: All Events Table
Column Heading Description
Event Object The file, directory, registry key or registry value that was modified.
Event Type The type of change detected on a given object. Sample event types include
file removal, file change, new directory.
Time A timestamp of the modification of the event object.
Priority A color-coded icon that represents the relatively risk associated with the
change according to Trustwaves recommendations.
Source The name of the TrustKeeper Agent that reported the event.
IP The internal IP address of the computer on which the TrustKeeper Agent is

installed.
Event Description A simple description of the change that was detected.
All Events Page

6 Exporting Data
You can export any of the data in All Events to perform advanced data analysis using a tool such as
Microsoft Excel.
1. To export data from any of the tables in the Trustwave FIM application, click the gear icon above the
table and click Export.
You are then prompted to select the columns to include in your exported report, as well as the
format of the report. Report format options include:
Excel
CSV
PDF
HTML
XML
2. After you have made your selections, click Export and your report will be downloaded automatically.
To help you organize your reports, TrustKeeper will name all exported reports in the following
fashion:
FIM-[Table Name]_[Start Date of Data Pull]-[End Date of Data Pull]
As an example, if you export all data from the Event Summary table from 2012-05-06 to 2012-06-05
to an Excel file, then the file is named FIM-Event-Summary_20120506-2012-0605.xlsx.
Note: PCI requirement 11.5 requires a formal review of FIM reports on at least a weekly
basis. You should also review FIM activity in the TrustKeeper Portal on a daily basis. If you
have a QSA performing a PCI assessment, they may require these reports to demonstrate
your compliance with requirement 11.5.

7 Recommendations
Trustwave has several recommendations for getting the most out of your FIM service.
It is very important that the FIM-enabled TrustKeeper Agent system is installed on a

system that is clean and is running full anti-virus and malware scans. FIM will detect
changes to a system, which is critical, but if the system is already compromised then
the data is of marginal value.
7.1 Monitoring with Care

Trustwave recommends monitoring the following objects with extra care:
1. All objects in and under the Sys32 directory. Sys32 contains the core operating system files. Hackers
very commonly modify these contents after successfully compromising a device.
2. The following registry objects:
a. HKEY_LOCAL_MACHINE (A.K.A. HKLM)
i. SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ii. SOFTWARE\Wow6432Node\Microsoft\WindowsCurrentVersion\Run
iii. SYSTEM\CurrentControlSet\services
b. HKEY_CURRENT_USER (A.K.A. HKCU)
iv. SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run
The above registry objects are modified to allow programs to run at system startup. It is common
for malware to modify these objects in order to run at startup and begin the collection of data or
system compromise.
c. Values under HKEY_CLASSES_ROOT

Some malware will change program associations so that known extensions will open with bogus
programs. Unusual changes to values under this key can signal compromise.
7.2 Reacting to Findings

Some events are benign while others are malicious. Trustwave has ranked the risk of all events with
general rules based on our extensive security experience. However, it is ultimately up to you to
determine if an action is important or malicious and if you want to take action.
If you do suspect a suspicious change or system compromise, Trustwave recommends running the object
through anti-virus. One helpful tool called VirusTotal (https://www.virustotal.com/) will run the object
through several different anti-virus scanning engines to see if the file is infected. Another helpful, free
tool is MalwareBytes (http://www.malwarebytes.org/). MalwareBytes will scan your computer and search
for, and remove, identified malware.
Recommendations
Additionally, suspicious activity should motivate you to check your other computer security settings. The
TrustKeeper Agents PCI bundle (see Other Agent Services on page 22) offers several checks that will
help you ensure that Windows automatic update and Windows Firewall are turned on, which is crucial to
protecting your computer. Security policy checks run by the Agent will inform you if password lockouts
and minimum password lengths are set securely. The TrustKeeper Agent will also scan your file system
for storage of credit card data. Storing credit card data is a risky practice, and identifying where this data
is on your system is a crucial first step in reducing your overall risk of a data compromise.
You should also check your file systems access control lists if you suspect malicious activity. Each object
has an access control list that dictates who has access to the object. Without access, a user account
cannot use the object in question. Windows Sysinternals provides tools that help you audit your access
control lists. One helpful, free tool that helps you manage permissions is AccessEnum, and is available at
http://technet.microsoft.com/en-us/sysinternals/bb897332.
Lastly, if there are changes that do not agree with corporate policy, you may decide to restore your
system to a previous backup. This, of course, relies upon having consistent system backups.

8 Other Agent Services

The TrustKeeper Agent offers a variety of other useful compliance and security services. To purchase any
of these services, please contact your Trustwave representative or Trustwave Sales at (888)878-7817 or
infosales@trustwave.com.
8.1 PCI Bundle

The following modules are part of the PCI bundle of Agent services that Trustwave offers. Data reported
from these modules is collected in the My Agents page of PCI Manager in the TrustKeeper Portal.
Each of these services is meant to provide valuable help in achieving PCI compliance.
IP Address Beacon Module: The primary purpose of this module is to install the Agent for our PCI
Compliance based customers. It will detect the current external IP address for the network that the
local machine is connected to at that time and report it to TrustKeeper every 5-10
minutes. Merchants can then set up their external scanning services to reference the IP from the
Agent.
System Security Detection Module: This module is responsible for detecting the following on the
local machine where the Agent is installed: if Windows Firewall is currently on; if an anti-virus
software is installed; and if Windows Update is turned on. Some older versions of Windows may not
allow the Agent to correctly determine some of these values.
POS Compliance Detection Module: This module is responsible for checking what version of POS
software is installed on the local machine. It will check the version against the PA-DSS list of
compliant payment applications. If the application is not found, the merchant has the ability to report
that their POS is missing on our list. This will cause the agent to go into recon mode for the next
inspection and send us more information about their POS software. In turn, this will allow us to
update the Agent with signatures to detect that piece of software in the future. If a POS is
successfully detected by this module, it will automatically be added to the merchants Products and
Services screen with Agent listed under the Added by column for that entry.
Track Data Scanner Module: This module is responsible for scanning the local machine's hard disk
drive for track data (magnetic stripe) being stored electronically. It is very useful for double checking
that the merchant does not store credit card track data, or if third-party applications may be storing
information without the merchants knowledge. The module has been written to also ignore certain
file types where many false positives could be found, such as picture files.
Security Configuration Detection Module: This module is responsible for checking security settings
within Windows that correspond to questions asked on the SAQ (any of the full 12 requirements,
even if they did not take SAQ D). For example, it will check the password requirements when a user
logs in incorrectly. PCI requires that the user be locked out of the system after not more than six
failed attempts to enter their password for a minimum of 30 minutes. If either condition is not met,
the agent will flag the instance and report it. It is designed to double check your answers on the SAQ
for questions relating to system settings.
Network Inventory Scan Module: This module is responsible for inventorying any device that is
currently on the same network segment as the local machine (that the agent is installed on) and
Other Agent Services

reporting that devices unique MAC address. Merchants can whitelist (ignore) machines they trust and
provide a comment as to what the device is. Over time this will build up a list of trusted computers
and devices. Once the list is complete, any other rogue devices found by the network inventory
module would be newly flagged systems. These systems could either be placed by the organization,
or placed on the network by a user with malicious intent. It is designed to flag any and all devices
that are not trusted by the organization.
8.2 Managed Security Services

The following module is provided as a managed service. Data is collected and presented in the Managed
Security Services Console, and support is provided by the Trustwave Secure Operations Center (SOC).
Windows Log Monitoring (WLM): Works in conjunction with Windows Logging to report Windows logs
to Trustwave for monitoring purposes.

Appendix A: Glossary
Following is a glossary of FIM related terms.
Table 7: Glossary
Term Definition
ACLs Access Control List. Each object has an ACL that determines who
has permission to interact with the object. Trustwave's FIM service
will monitor changes to ACLs to inform you of permission changes
to your files.
Alert Alerts are generated by events and reported in the FIM Application
available in the TrustKeeper Portal.
All Events The All Events screen lists each individual event as opposed to
aggregating events as is done in the Event Summary table. The All
Events data provides more information about each event and is
meant to further more in-depth analysis of object modifications.
Cache An inventory of monitored system objects and their properties used

by the TrustKeeper Agent FIM service to detect changes.
Change Any modification to an object. Changes include:
Additions
Deletions
Content Changes
Permissions Changes
Ownership Changes
Directory Also commonly known as a folder, a directory is a container for

files.
Event A change of any kind to an object.
Event Description A simple description of the change that was detected.
Event Object The file, directory, registry key or registry value that was modified.
The user can find a path to the object in both the Event Summary
and All Events tables.
Event Type The type of change detected on a given object. Event types
include:
Directory Changed
New Directory

Term Definition
Directory Removed
File Changed
New File
File Removed
Registry Key Changed
New Registry Key
Registry Key Removed
Registry Value Changed
New Registry Value
Registry Value Removed
Registry Changed
New Registry
Registry Removed
Unknown
File The basic object on a computer where information is stored. Files

can store information for an application (e.g., a Microsoft Word
document) or critical system/application information (e.g., software
DLLs or executables).
FIM Abbreviation for File Integrity Monitoring.
FIM Application The online application where a user can see all FIM data reported
by their TrustKeeper Agents.
FIM Module Each TrustKeeper Agent function is offered in a module. The FIM
Module is what allows and executes the Trustwave File Integrity
Monitoring service.
In order to see results from the FIM module, you must have access
to the FIM Application available in the TrustKeeper Portal. Access to
the FIM Application and deployment of the FIM Module is controlled
by the Trustwave Provisioning team.
Group Groups are logical collections of users, and, like file owners, can
govern access to a given object.
Hash The result of running a complex mathematical calculation on an

object to derive a fixed-length string. Hashes are commonly used to
verify the integrity of data, and, thus are essential for FIM tools.
Here are two examples:
1. Checksums for software: If you are going to download a

Term Definition
piece of software from a trusted website, how can you

verify that the contents of the software files are
legitimate?
One common way that software providers answer this question
is by providing checksums for known legitimate software
packages. Essentially, the software provider will run a
command that generates a hash value for the software
package--the result of which is often called a checksum--and
then publish the checksum on their site. The software provider
will also inform the user of how to calculate their own
checksum, which would then be done after the user downloads
the software package. If the checksums match, then the user
can be sure that the contents of the software package they
downloaded match the known, legitimate software package the
software provider listed on their website.
2. Hashes in FIM products: Given their ability to represent

the state of an object in a fixed-length string, hashes are
commonly used in FIM products. During the initial check,
FIM services will generate hashes for each monitored
object. On subsequent runs of the service, a new hash is
generated and compared with the existing hash. A
change in hash indicates that the file content has
changed in some way. A change in file permissions or
ownership will not change the file hash.
A change in file name will change the hash of a file but that
will not be reported as a hash change in the FIM Application.
Given that a change in file name will look like an entirely new
file has been created, the TrustKeeper Agent will report this as
a file addition. If the original file is deleted, then a file deletion
will also be reported. For example, if I have a file named
test.txt and then I save the document as test-1.txt, I will then
have two files on my computer: test.txt and test-1.txt. The
TrustKeeper Agent will not have test-1.txt in its cache. Thus,
we would see test-1.txt listed as a file addition in the FIM
Application.
IP The internal IP address of the computer on which the TrustKeeper

Agent is installed.
Last Change A timestamp of the modification of the event object. In the Event
Summary table, this will be the latest modification time as changes
are aggregated by Event Type and Event Object in this table.
Object Any of the Windows entities monitored by the Trustwave File

Integrity Monitoring service. Objects include:
Files

Term Definition
Directories
Registry Keys
Registry Values
Owner The user account that owns an object, which mainly stipulates who
has access to a given object and can edit it.
Path The location or address for an object on a computer. For example,

the path to file test.txt on John Does' computer might look like this:
C:\Users\JohnDoe\Desktop\test.txt. By placing the file path in
Windows Explorer, the user can view the object.
Priority A severity ranking for an event. There are four different priority
levels:
Low
Medium
High
Critical
Registry A database that holds configuration settings for the Windows

operating system and is used by applications to interact with
Windows. Software programs can store and access a variety of data
in the registry. Data is written and accessed using standard
Windows APIs. Changes to the registry are uncommon.
Registry Key A registry key is similar to a folder and can contain registry subkeys
as well as registry values.
Registry Value Registry values store data used by applications.
Source The name of TrustKeeper Agent that reported the event.
Sys32 The Sys32 folder and its subfolders contain the core operating
system files for the Windows operating system.
Time A timestamp of the modification of the event object.
Total Events The number of events since the FIM module last ran. By selecting
the event entry in the Event Summary table and clicking View
Details, the user can see each individual change.
TrustKeeper Agent Also referred to as the Agent. The TrustKeeper Agent is the
software used to deliver the Trustwave FIM service. Other services
available from Trustwave run via the TrustKeeper Agent include:
PAN and track data detection: discovers credit card numbers

and other sensitive data that should not be stored on your

Term Definition
computers.
Network inventory: compiles a list of all devices on a

computer's network segment, including rogue devices.
Security policy checks: confirms that Windows policies are

configured according to PCI standards as well as whether anti-
virus, Windows automatic update and firewall are enabled.
Windows Log Monitoring: monitors event logs generated by

Windows to help meet PCI logging requirements.
TrustKeeper Portal This is Trustwave's cloud-based portal through which all Trustwave
data is presented and accessed. The Trustwave FIM Application is
available within the TrustKeeper Portal, meaning FIM data can be
managed anywhere that a client can access the Internet. The
TrustKeeper Portal and all customer applications can be accessed at
https://login.trustwave.com.
Windows Explorer The GUI used to navigate the Windows file system. While most
navigation is done by clicking on icons that represent locations on
the computer, paths can be pasted into the Windows Explorer
address bar for quick access. The Trustwave FIM Application
provides the full path to each object in the All Events screen when
an individual event is clicked.

About Trustwave
Trustwave is a leading provider of information security and compliance management solutions to large
and small businesses thought the world. Trustwave analyzes, protects and validates an organizations
data management infrastructure from the network to the application layer to ensure the protection of
information and compliance with industry standards and regulations such as the PCI DSS and ISO 27002,
among others. Financial institutions, large and small retailers, global electric exchanges, educational
institutions, business service firms and government agencies rely on Trustwave. The companys solutions
include on-demand compliance management, managed security services, digital certificates and 24x7
multilingual support. Trustwave is headquartered in Chicago with offices throughout North America,
South America, Europe, the Middle East, Africa, Asia, and Australia.


File Integrity Monitoring Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

File Integrity Monitoring Guide

Uploaded by

Copyright:

Available Formats

.trustwave.

com Updated October 9, 2007

File Integrity Monitoring

The most current version of this document may be obtained by contacting:

Trustwave FIM Support:

Version Date Changes

1.0 June 2012 Initial release

2.0 July 2013 FIM Dashboard Update

Copyright 2012 Trustwave Holdings, Inc. All rights reserved. i

About This Document

Copyright 2012 Trustwave Holdings, Inc. All rights reserved. ii

About This Document ii

2 Logging on to the Portal 6

5 All Events Page 18

8 Other Agent Services 22

Copyright 2013 Trustwave Holdings, Inc. All rights reserved. iii

iv Copyright 2013 Trustwave Holdings, Inc. All rights reserved.

Granular change descriptions that are easy to understand

2 Logging on to the Portal

Logging on to the Portal

The FIM Dashboard

The Dashboard is comprised of the following components:

3.1 Changes by Agent

Copyright 2013 Trustwave Holdings, Inc. All rights reserved. 7

Scales for Changes by Agent

Max Threshold Selection

Selecting a Row in the Heatmap

Selecting a Column in the Heatmap

Copyright 2013 Trustwave Holdings, Inc. All rights reserved. 9

Selecting a Cell in the Heatmap

Table 3: Data in Changes by Agent

Data Representation Location Notes

The total number of Agents installed with

To see how shades are determined, hover

3.2.1 Critical or High Events

The Critical or High Events Table

Date: The date on which Trustwave recorded the event.

IP Address: The internal IP address reported by the Agent.

Agent Name: The name of the Agent.

Copyright 2013 Trustwave Holdings, Inc. All rights reserved. 11

Double-Clicking an Event Displays Event Details

3.2.2 No FIM Report

3.3 Event Volume

Event Volume Histogram

Copyright 2013 Trustwave Holdings, Inc. All rights reserved. 13

Table 4: Event Priority Breakdown

Priority Icon Description

Critical Critical events warrant immediate attention. They represent activity

Adding registry values to

Unexpected FIM cache modifications

Log files decreasing in size

No privilege restrictions for registry entries

Group change on a file

Removal of privileges from a file

Log files increasing in size

FIM Email Preferences

Preference Setting Notes

Copyright 2013 Trustwave Holdings, Inc. All rights reserved. 15

FIM email reports have several key elements, including:

Sample Daily Email

Copyright 2013 Trustwave Holdings, Inc. All rights reserved. 17

5 All Events Page

All Events for the Current Day

Table 6: All Events Table