Configure FIM Profile

FIM detects integrity violations across global IT systems in real time. File, directory, and Windows registry changes are monitored by creating rules as part of a FIM monitoring profile.

Before creating a profile, analyze your environment. Identify the areas of information that would be most valuable to an attacker, so that you know where to concentrate your monitoring.

A well-thought-out plan is vital to the success of your file monitoring practices. Key factors to consider when making these decisions are:

- Critical areas for the organization that must be put under continuous monitoring.

- Type of actions or activities that should be monitored for specific file paths.

- Highly probable attack surface areas in the environment.

How to create a FIM profile?

You can create a FIM profile in any of the following three ways:

- Import Profile from Library: FIM ships with its own library of out-of-the-box monitoring profiles. You can import the required profile from the Library and use it as is or customize it to your requirements.

- Create a Profile: You can also create a customized profile from scratch and add the required rules, assets, and tags.

- Clone a Profile: Using this option, you can copy an existing profile along with its rules. You can then customize it to your requirements.

Best practices

The following are best practices for creating rules in a profile:

- Avoid monitoring everything inside a folder and the folders under it. Inclusion or Exclusion filters reduce false positives considerably.

- Avoid selecting All event actions for monitoring. Instead, select only the actions you require, in order to curb noise.

- Log files serve as digital footprints and are critical. But if such files are monitored for content changes, the platform will be overwhelmed with events, because log files are written to continuously. Hence, log files should be monitored for Security modifications and deletions only.

- Keep monitoring rules simple. An unnecessarily complex rule leads to ambiguity. For example, it is better to exclude the whole directory than to write 50 file-type exclusions.

- The depth of the folder to be monitored should be kept to a maximum of 3 unless otherwise required. This not only optimizes scan time but also reduces CPU load and agent processing.
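To show what these best practices buy you, here is an added example (not part of this page or the product's own rule engine) that models a monitoring rule with a hypothetical `Rule` class: selected event actions, include/exclude globs, and a depth cap. It runs a constructed set of file events through a "monitor everything" rule set and a tuned one, so you can see how much noise the filters, the action selection, and the depth limit remove.

```python
import fnmatch
import posixpath
from dataclasses import dataclass

ALL_ACTIONS = frozenset({"create", "delete", "rename", "content", "security"})

@dataclass(frozen=True)
class Rule:
    """Hypothetical rule model (not the product's schema): base directory, actions to
    report, include/exclude globs relative to base_dir ('*' also spans '/'), and a
    depth cap counted in path segments below base_dir, the file itself included."""
    base_dir: str
    actions: frozenset = ALL_ACTIONS
    include: tuple = ()
    exclude: tuple = ()
    max_depth: int = 3

def rule_matches(rule, path, action):
    """True if the event (path, action) would be reported under rule."""
    rel = posixpath.relpath(path, rule.base_dir)
    if rel.startswith(".."):  # path lies outside the monitored tree
        return False
    if rel.count("/") + 1 > rule.max_depth:  # deeper than the rule allows
        return False
    if action not in rule.actions:  # action not selected for this rule
        return False
    if any(fnmatch.fnmatch(rel, p) for p in rule.exclude):
        return False
    if rule.include and not any(fnmatch.fnmatch(rel, p) for p in rule.include):
        return False
    return True

def reported_events(rules, events):
    """Events (path, action) that at least one rule would report."""
    return [e for e in events if any(rule_matches(r, *e) for r in rules)]

# Constructed sample events: log writes/rotation, config edits, a deep temp file.
EVENTS = [
    ("/var/log/auth.log", "content"), ("/var/log/auth.log", "content"),
    ("/var/log/nginx/access.log", "content"), ("/var/log/auth.log", "security"),
    ("/var/log/auth.log", "delete"), ("/etc/ssh/sshd_config", "content"),
    ("/etc/passwd", "content"), ("/etc/a/b/c/d/cache.tmp", "content"),
    ("/etc/ld.so.cache", "content"),
]
# "Monitor everything": all actions, deep trees, no filters (9 of 9 reported).
NOISY = [Rule("/var/log", max_depth=10), Rule("/etc", max_depth=10)]
# Tuned per the best practices above (4 of 9 reported).
TUNED = [
    Rule("/var/log", actions=frozenset({"delete", "security"})),
    Rule("/etc", actions=frozenset({"create", "delete", "content", "security"}),
         exclude=("ld.so.cache", "*.tmp")),
]
```

The tuned set still reports the log deletion and security change, the sshd_config edit and the passwd edit, while the continuous log writes, the cache file and the over-deep temp file never reach the platform.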