Real-time File Access Monitoring (FAM) with Qualys FIM

Lavish Jhamb

Last updated on: April 29, 2024

What is File Access Monitoring (FAM)?

FAM is a security practice that involves tracking and logging access to sensitive files. FAM should be included with any File Integrity Monitoring (FIM) solution to trigger alerts when critical host files not intended for regular use are accessed.

Importance of FAM in regulatory compliance

Data compliance regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Sarbanes-Oxley Act (SOX), and Health Insurance Portability and Accountability Act (HIPAA) require that organizations monitor how sensitive data is accessed.

In addition, CIS Critical Security Controls v8 specifically requires FAM under Control 3.14 (Data Protection): Log Sensitive Data Access.

FAM helps organizations comply with these regulations by providing comprehensive details of data access and changes, which are essential for demonstrating compliance during audits. The lack of a FAM solution capable of identifying unauthorized access could result in non-compliance and, potentially, financial and reputational penalties.

What details should a FAM solution capture?

FAM solutions are designed to capture comprehensive information about access to sensitive information, which includes:

  • User information: Users that attempt to access specific files. This information is crucial for accountability and to identify authorized or unauthorized users.
  • Timestamps: An exact timestamp of when a file access occurs.
  • Accessed File Details: Information about the specific file being accessed, including the name and location. This allows for more granular information on file interaction.
  • Processes: Details about processes or methods used to access a file.
  • Host details: Information on the host where the file access takes place.

Challenges with FAM

While FAM is essential, it comes with its set of challenges:

  1. Managing large volumes of data – FAM often generates large volumes of access alerts, which can be resource-intensive and complex to handle.
  2. Gaining immediate visibility on access details and attempts related to critical files.
  3. Logged events, which should be easily accessible for review, filtering, or searching.
  4. Automated incident generation for suspicious files or any access attempts to specific and highly sensitive information.
  5. The ability to generate automated compliance reports that show detailed audit trails for file access events.
  6. Alert fatigue, as monitoring file access generates a significant amount of data, and a FAM solution should be able to distinguish between routine events and actual security incidents to suppress noise.
  7. Keeping up with Regulatory Changes as regulatory requirements can change, requiring organizations to continually adapt to new guidelines.

The solution – Qualys FAM

Qualys File Integrity Monitoring (FIM) now includes advanced FAM capabilities to allow users to capture file access attempts in real time. Should there be an attempt to access a highly critical file, even without modifications, Qualys FIM will generate a detailed alert, which includes comprehensive ‘who,’ ‘what,’ ‘when,’ and ‘where’ details for access attempts.

Let’s take a deep dive!

Let’s examine a few examples of the activities performed and what Qualys FAM can capture.

Examples:

A user named ‘jerry’ tries to read a sensitive file ‘/etc/sudoers’ on the Linux host

Figure 1 – Access activity performed with ‘sudo’

If you look at the command, jerry prefixed it with sudo, so the effective user is captured as ‘root’. Qualys FAM still records the user that initiated the session: see the field ‘Audit User Name’, which holds the original user along with its user id.

Also, the exact command performed by the user can be seen under the field ‘Command executed.’

Figure 2 – Event for access activity performed with ‘sudo’
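The sudo case above, and the who/what/when/where fields listed earlier, can be reproduced from the Linux audit subsystem, whose ‘auid’ (login uid) is set at login and survives sudo in the same way the ‘Audit User Name’ field does. The following is an added example, not Qualys code; the audit records, the uid-to-name table and the hostname are constructed samples.

```python
"""Build FAM-style 'who/what/when/where' events from Linux audit records."""
import re
from datetime import datetime, timezone

# Constructed sample: the three records auditd emits for one open() of /etc/sudoers
# run as 'sudo cat /etc/sudoers' by jerry (auid=1001); the effective uid is 0.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1714400000.123:456): arch=c000003e syscall=257 success=yes '
    'exit=3 ppid=2100 pid=2101 auid=1001 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" '
    'key="sensitive_access"',
    'type=PATH msg=audit(1714400000.123:456): item=0 name="/etc/sudoers" nametype=NORMAL',
    'type=PROCTITLE msg=audit(1714400000.123:456): proctitle=636174002F6574632F7375646F657273',
]
UID_TO_NAME = {0: "root", 1001: "jerry"}  # constructed stand-in for /etc/passwd
HOSTNAME = "linux-host-01"                 # constructed stand-in for the audited host
AUID_UNSET = 4294967295                    # kernel value for "no login uid" (-1)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')


def parse_record(line):
    """Split one audit line into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def build_event(records):
    """Join SYSCALL/PATH/PROCTITLE records of one audit serial into a FAM event."""
    by_type = {}
    for line in records:
        rec = parse_record(line)
        by_type[rec["type"]] = rec
    sc, path, title = by_type["SYSCALL"], by_type["PATH"], by_type.get("PROCTITLE", {})
    secs, _millis, _serial = HEADER_RE.search(records[0]).groups()
    uid, auid = int(sc["uid"]), int(sc["auid"])
    # proctitle is hex with NUL separating argv entries; decode it to the typed command.
    cmd = bytes.fromhex(title.get("proctitle", "")).replace(b"\x00", b" ").decode()
    return {
        "when": datetime.fromtimestamp(int(secs), tz=timezone.utc).isoformat(),
        "host": HOSTNAME,
        "file": path["name"],
        "user": UID_TO_NAME.get(uid, str(uid)),          # effective user (root under sudo)
        "audit_user": UID_TO_NAME.get(auid, str(auid)),  # user who started the session
        "audit_uid": auid,
        "process": sc["exe"],
        "command": cmd,
        # flag reads of the file where the session owner is not the effective user
        "privilege_escalated": uid == 0 and auid not in (0, AUID_UNSET),
    }
```

On a real host the same records are produced by a watch rule such as `-w /etc/sudoers -p r -k sensitive_access`; the event shows ‘root’ as the user but ‘jerry’ as the audit user, exactly the distinction the post draws.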

Administrator user opens a sensitive file using notepad on the Windows host

Figure 3 – Event for sensitive file accessed via notepad

Administrator user tries to access a sensitive file via PowerShell command

Qualys FAM captures the access activity along with comprehensive event details.

Figure 5 – Event for sensitive file accessed via PowerShell

Risk reduction with Qualys FIM

By detecting unauthorized access to, and changes to, system files, FIM reduces the risks of:

  • Data breaches, particularly stemming from the misuse of privileged access.
  • Server downtime, caused by unplanned or unauthorized alterations to sensitive files.
  • Compliance failures, resulting from an inability to demonstrate oversight of access and modifications to sensitive data.

FAQ

How do I configure FAM?
All you need to do is check one more field in your Qualys FIM app under ‘rule,’ and FAM will be enabled for you.

Figure 6 – Configuring File Access in a FIM rule

Does Qualys support real-time File Access Monitoring (FAM)?
Yes, Qualys FAM is real-time for both Windows and Linux OS.

Do I need to install a separate agent for FAM?
No, the same agent being used for File Integrity Monitoring (FIM) will be used for FAM, which is included with FIM.

Can I create rules to monitor unauthorized access to custom files?
Yes, users can define custom rules that specify which files need to be monitored based on their sensitivity and the applicable regulatory requirements.

Is there an extra cost for FAM?
No, it’s included at no additional cost with Qualys FIM.

Can I generate automated incident and compliance reports for FAM events?
Yes, Qualys FAM supports automated incident management and compliance reporting. FIM is fully equipped for all your compliance needs.
