File Integrity Management for Today's Data Center ... - Trend Micro

File Integrity Management for 

Today’s Data Center: Change Control 

Optimized for Physical, Virtual, and 

Cloud Environments 

An ENTERPRISE MANAGEMENT ASSOCIATES ® (EMA) White Paper 

Prepared for Trend Micro 

September 2011 

IT & DATA MANAGEMENT RESEARCH, 

INDUSTRY ANALYSIS & CONSULTING

File Integrity Management for Today’s Data Center: Change Control 

Optimized for Physical, Virtual, and Cloud Environments 

Table of Contents 

Executive Summary..............................................................................................................................................1 

File Integrity Monitoring: What It Is, Why It’s Important............................................................................2 

The Challenges of Traditional FIM Solutions.................................................................................................3 

Overcoming FIM Challenges: Trend Micro Deep Security..........................................................................4 

An Integrated Approach................................................................................................................................4 

Designed for Virtualization...........................................................................................................................5 

Responding to Compliance Requirements.................................................................................................6 

EMA Perspective...................................................................................................................................................6 

About Trend Micro...............................................................................................................................................7 

©2011 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com



Executive Summary 

One of the most important disciplines for managing a wide range of 

IT risk is the control of change. ENTERPRISE MANAGEMENT 

ASSOCIATES ® (EMA) survey results point to the value of 

change management in improving the stability and reliability of IT, 

which enables IT to better serve the business. Change control directly 

benefits security as well, mitigating threats to valuable information 

assets posed by unexpected or unauthorized IT change, such as that 

brought about by malware or malicious actions. 

One of the most important 

disciplines for managing a 

wide range of IT risk is the 

control of change. For many 

organizations, file integrity 

monitoring (FIM) has become a 

centerpiece of change control. 

For many organizations, File Integrity Monitoring (FIM) has 

become a centerpiece of change control, monitoring and alerting 

organizations to changes in sensitive IT resources, and informing a more effective response with 

granular detail regarding what, when, and where change occurred. This, in turn, has led to a general 

consensus on the need for FIM adoption, from recommended security standards and practices to 

regulatory mandates that require its use to protect sensitive information. 

Standalone file integrity monitoring tools, however, may require organizations to embrace an 

additional management platform with its own requirements for expertise in deployment, operations 

and maintenance. This may pose a particular concern for the virtualized data center if the solution 

is not virtualization aware and requires a separate agent for each virtual machine. Not only would 

this pose a drain on physical host resources that limit the productivity expected from virtualization, 

it could also create problems of its own—such as resource-consumption “storms.” This happens 

when a FIM solution is not designed for a virtual environment and strangles availability when each 

autonomous in-guest VM agent on a shared physical host performs the same scan, or the same update, 

all at the same time. When agents must be deployed across all virtual machines there is also additional 

administrative complexity required to configure and update these agents. However, some use cases 

require an agent, necessitating flexible deployment options to protect across the data center. 

Trend Micro answers these concerns with the integration of essential file integrity monitoring with 

its Deep Security solution for physical, virtual, and Cloud servers. This integration combines the 

FIM capability many organizations need—and which many regulatory requirements demand—with 

extensive server security technology that recognizes the unique requirements of virtualization and 

the Cloud. It aligns with Deep Security’s “agentless” approach to security for virtualized servers and 

provides agent-based protection when needed. Deep Security consolidates the management of a wide 

range of server security in all Deep Security agentless and agent-based deployments—in physical, 

virtual, and Cloud servers—all managed through one console. 

In this paper, EMA explores the values of Trend Micro Deep Security for delivering essential FIM 

capability with server security that answers these requirements without the need for standalone tools, 

extending thought leadership that continues to set Trend Micro apart in technologies for securing the 

modern, virtualized data center. 

Page 1 

©2011 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com 

Page 1



File Integrity Monitoring: What It Is, Why It’s Important 

Few aspects of IT management are more vital than the management of change. Unless handled well, 

changes made to IT systems can lead to significant performance and availability problems. Outages 

and service disruptions due to IT change events can directly impact the business. Unauthorized or 

unexpected IT change can also signal an attack in progress, which could directly threaten the security 

of sensitive information systems—and the confidential data they handle. 

These are the reasons why those who excel in managing both IT security and IT performance to 

serve the business place high emphasis on change monitoring, as evidenced in an EMA survey of 

over 200 organizations worldwide. 1 In this study, EMA asked both large enterprises and small to 

medium-sized businesses about their level of maturity in multiple aspects of both systems and security 

management. Respondents were asked about the lengths to which they had gone in achieving four 

successive milestones: 

• Defining their management objectives (with a written definition of security policy, for example); 

• Actually implementing those objectives in practice; 

• Monitoring their environment for adherence to those objectives and to detect deviations when 

they occur; and 

• Responding to monitored events as they arise. 

Respondents were also asked about their percentage of security-related IT incidents that they regarded 

as “disruptive” (such as those requiring an unplanned response to remediate). When comparing 

percentages of disruptive security incidents to survey responses in other areas, an interesting pattern 

emerged: 

• Those who achieved all four milestones above had roughly half the median incidence of disruptive 

security events compared to others in the study. 

• This group also had lower rates of unplanned IT work, generally higher server-to-systemadministrator 

ratios, and more IT projects completed on time, within budget, and with expected 

features. In other words, not only did this group tend to do better in terms of security outcomes, 

they did better in serving the business overall. 

These high performers placed significant emphasis on technologies such as FIM, a detective control 

that monitors critical operating system and application files, directories, registry keys and values, and 

other objects. 

• FIM offers alerting and reporting capabilities to notify IT operations and security teams when 

changes to sensitive information resources have occurred. 

• FIM provides evidence of authorized changes, confirming that proper controls such as security 

patches were deployed across all targets as expected. 

• FIM helps correlate performance problems or service outages with specific changes made to IT, 

which can significantly improve root cause analysis and IT’s performance in maintaining uptime 

and availability. 

1 

IT Risk Management: Five Aspects of High Performers that Set Them Apart, EMA Advisory Note, July 2011 

Page 2 


Page 2



• FIM also alerts IT security and operations management teams when unexpected, unauthorized, or 

malicious changes have occurred, providing detailed indication not only of a security event, but the 

specifics of what was affected—system components as well as sensitive information—improving the 

accuracy of response and providing highly granular detail on threats to sensitive confidential data. 

For these reasons FIM is required by some data privacy mandates for its role in helping to assure that 

sensitive data is kept secure. 

• The use of FIM is either required or recommended by a variety of regulatory mandates and 

other widely accepted guidance. This includes the Payment Card Industry (PCI) Data Security 

Standard (Requirement 11.5), NIST Special Publication 800-53 (Control SI-4), and the SANS 

Consensus Audit Guidelines (CAG 3.7). Recommended or mandated FIM controls include alerting 

when changes are made to critical system files, configuration files, or content files. Some require 

performance of critical file comparisons at least weekly. 

• The PCI DSS further requires FIM or change-detection software to assure that log data cannot be 

modified without generating an alert 2 (Requirement 10.5.5). 

• NIST SP 800-53 also requires the detection of unauthorized changes to software and information 

(Control SI-7) and protection for the confidentiality and integrity of backup information (Control 

CP-9). 

FIM is also deployed to support compliance with other regulatory requirements, such as the Sarbanes- 

Oxley Act and related corporate governance initiatives, both in the U.S. and abroad. FIM provides 

this support by assuring that controls on separations of duties in IT are not altered and remain in 

force as required. The relevance of FIM to these objectives is reflected in guidance often adopted 

in pursuit of corporate governance in IT such as COBIT (Control Objectives for Information and 

Related Technology) FIM is particularly relevant to COBIT domains of Acquire and Implement (AI) 

and Deliver and Support (DS). FIM is also used to help assure confidentiality for sensitive data required 

under mandates and standards such as: 

• HIPAA (Health Insurance Portability and Accountability Act) provisions for protecting healthcare 

patient data in the U.S., 

• The ISO 27000-series family of information security management systems standards, 

• Financial industry requirements such as the Gramm-Leach-Bliley Act (GLBA), and 

• Other initiatives to assure confidentiality and privacy for sensitive data. 

There are many other global regulations and guidelines that are supported by FIM solutions as part of 

security best practices and comprehensive risk management. 

The Challenges of Traditional FIM Solutions 

In order to embrace the potential of file integrity monitoring, however, organizations must often 

consider adding another management tool to their environment—which runs the risk of increasing 

IT complexity. A FIM-specific tool may have its own deployment and configuration requirements in 

addition to those of existing IT management platforms. Successful deployment may demand expertise 

specific to the tool. It may also require its own agents on managed systems, which can add to resource 

demands on endpoints and servers where FIM is deployed. 

2 

The requirement allows log data to be added to log files without generating an alert. 

Page 3 


Page 3



This complexity multiplies in virtualized environments, which is a concern with virtualization increasing 

across business data centers. Virtualization does indeed optimize under-utilized IT resources—yet 

virtualization itself adds significant complexity to the data center, combining multiple systems and 

adding layers of software abstraction to the physical environment. This, however, only heightens the 

need for resources to monitor and verify the integrity of these complex systems and the expanded 

attack surface they expose—but without further complicating the 

virtualized environment. FIM tools that meet this need must be 

In weighing the need for FIM, 

many organizations may want to 

ask themselves a few questions 

about their FIM requirements. 

aware of the potential changes unique to virtualized environments, 

such as hypervisor issues, activity both within and between Virtual 

Machines (VMs) on a shared host, and VM sprawl. 

In weighing the need for FIM against these concerns, many 

organizations may want to ask themselves a few questions about 

their FIM requirements: 

• Will adding another management tool to address file integrity monitoring also add to IT complexity 

Organizations concerned about this issue may want to consider solutions in which FIM capabilities 

are consolidated with tools that serve additional functions, such as those that monitor and defend 

against unauthorized or malicious IT change as part of systems management or security defense. 

• How much functionality does a FIM solution need to support the company’s security, compliance, 

and business objectives Some FIM tools offer elaborate feature sets for defining and assessing file 

integrity, managing and remediating change issues, or multiple templates for compliance reporting 

and analysis which may be more than the enterprise needs. Many organizations that define their 

change management objectives may find that their requirements may be addressable by more 

focused offerings that meet their needs while limiting complexity. 

Overcoming FIM Challenges: Trend Micro Deep Security 

Trend Micro addresses these concerns with its Deep Security solution, a server security platform 

designed to support physical, virtual, and Cloud servers. By offering file integrity monitoring in the 

context of a broader solution—including antivirus, firewall, intrusion prevention Web application 

protection, and log inspection—Deep Security provides an integrated approach to FIM that overcomes 

the issues of traditional tools. 

An Integrated Approach 

Trend Micro Deep Security FIM provides file integrity monitoring 

as part of a single integrated server security platform. With FIM 

included, no added deployment or operational complexity is 

required in order to leverage needed FIM capability with Deep 

Security. With a simple license key switch, FIM can be enabled 

across all Deep Security servers, and managed by the same Deep 

Security console that is already managing antivirus, firewall, and 

other Deep Security technologies. 

Trend Micro Deep Security FIM 

provides file integrity monitoring 

as part of a single integrated 

server security platform. 

Deep Security FIM monitors critical operating system and application files, directories, registry keys 

and values, and other system components to detect and report malicious and unexpected changes in 

real time. It reduces administrative overhead with trusted event tagging that automatically replicates 

Page 4 


Page 4



actions for similar events across the entire data center. Deep Security simplifies FIM administration 

through automatic Cloud-based whitelisting enabled by Trend Micro’s presence on millions of systems 

worldwide. This capability gives Deep Security the ability to distinguish legitimate, unmodified software 

by recognizing its acceptance across Trend Micro’s large installed base. For Deep Security FIM, this 

translates into greatly reducing the number of questionable changes in the event log. 

Designed for Virtualization 

Trend Micro Deep Security is designed with the virtualized environment explicitly in mind. Competing 

solutions that fail to recognize the distinctive differences between virtualized and non-virtualized 

environments may require a separate instance of an agent to run within each virtual machine, even if 

several VMs run on a shared physical host. This redundancy can lead to needless resource exhaustion, 

limitations on the numbers of VMs a virtualized physical host can support (which reduces the ability 

of virtualization to optimize the physical environment), and issues such as resource overloads (or 

“storms”) caused when similar agents on multiple VMs all execute the same process at the same time, 

such as system scanning or updates. 

Trend Micro Deep Security FIM overcomes these issues with a single dedicated security VM (or 

“virtual appliance”) on each physical host that coordinates or staggers scans and updates across all 

guest VMs. To provide this virtual appliance, Deep Security integrates with VMware vShield APIs and 

leverages the VMTool driver to communicate with each guest VM. This approach uses only the small 

footprint VMTool driver instead of separate, individual FIM agents on each guest VM. This eliminates 

the need to deploy, configure, and update redundant FIM agents for each VM—often required for 

management solutions that are not virtualization aware—substantially improving the performance 

of virtualization while reducing administrative complexity. This approach to FIM is an extension of 

Deep Security’s agentless approach to virtualized server security with agentless anti-malware, firewall, 

intrusion prevention, and Web application protection. For FIM, this approach enables Deep Security 

to coordinate FIM activities across each VM, eliminating the risk of resource storms, maximizing 

virtualization resources, and reducing management complexity. Trend Micro also recognizes that 

virtual machines may be added or taken offline much more fluidly than physical systems. With the 

dedicated virtual appliance, Deep Security FIM automatically covers new VMs when brought online, 

as well as inactive guests when reactivated. 

Some FIM deployments require agent-based protection, such as non-virtualized physical servers, virtual 

environments not using vShield, or virtual machines in public Clouds in which the user does not have 

hypervisor control that would allow the security virtual appliance to monitor guest VMs. In these cases, 

Deep Security FIM can be deployed as an agent-based solution using a single agent that integrates 

anti-malware, firewall, intrusion prevention, and all other selected Deep Security technologies. Also, 

in virtual data centers or private Clouds, select VMs can be custom-protected with in-guest agents, 

allowing for flexible protection. (For example, at this time, registry changes can only be detected with 

agent-based deployments.) 

The Deep Security virtual appliance coordinates with the guest VMs in both agentless and agent-based 

deployments. The virtual appliance coordinates scans to prevent activity storms and ensures that VMs 

are monitored even if an agent were to disappear when a VM is reconfigured. Agent-based FIM can 

also protect VMs as they move back and forth between the data center and a public Cloud, providing 

data center flexibility and supporting hybrid Cloud deployments. 

Page 5 


Page 5



With a combination of deployment options, enterprises can deploy agentless FIM on virtual machines 

and in private Clouds, using a dedicated virtual appliance to optimize resources and reduce administrative 

complexity, and deploy agent-based FIM on physical servers, select virtual and private Cloud VMs, and 

in the public Cloud, for flexible protection. Regardless of how Deep Security FIM is implemented, 

Deep Security provides one management console that consolidates visibility across both agentless and 

agent-based FIM deployments on physical, virtual, and Cloud servers. 

For further support of virtual and private Cloud environments, Trend Micro Deep Security FIM also 

delivers strong integrity monitoring for the hypervisor. Deep Security leverages capabilities such as 

the Trusted Computing Group’s Trusted Platform Module (TPM) specification or Intel’s Trusted 

Execution Technology (TXT) to enable strong validation of the hypervisor and hypervisor integrity 

monitoring for VMware vSphere environments. This capability is vital to protecting enterprises against 

hypervisor tampering, which could potentially lead to compromise of guest VMs. 

Responding to Compliance Requirements 

Trend Micro Deep Security delivers FIM capabilities to support the compliance regulations, data 

privacy mandates, and internal governance standards mentioned earlier, including the need to detect 

change and alert IT operations and security teams when action is needed. Some examples of key 

regulatory requirements or standards and guidelines that mandate or recommend the use of FIM and 

are addressed by Deep Security FIM include: 

• PCI DSS Requirements 10.5.5 and 11.5, 

• NIST SP 800-53 and associated FISMA requirements, 

• The SANS Consensus Audit Guidelines, and 

• Many other mandates, standards, and recommendations, such as NERC CIP requirements to 

detect and respond to the introduction of malicious code, limit the propagation of malicious code, 

and implement processes to test and update malicious code protections. 

Deep Security FIM integrates defense with essential visibility into IT change, delivering more complete 

awareness of the state of security and compliance, and alerting IT operations and security teams 

when a response is required. As part of an integrated server security platform, Deep Security FIM 

also coordinates with other security technologies to provide more comprehensive compliance support 

while simplifying administration. 

EMA Perspective 

The highest performers in EMA survey results in both security and 

IT operational efficiency have demonstrated a strong commitment 

to the value of change discipline in IT. File integrity monitoring has 

become a vital aspect of this discipline for many organizations. It has 

been embraced by regulators for increasing awareness of changes 

that could threaten highly sensitive information, and has become a 

centerpiece of both operations and security management in many 

enterprises as a result. 

At the same time, however, the benefits of FIM should be weighed 

against the cost of increasing operational burdens or risk. Standalone 

Trend Micro Deep Security 

offers a particularly salient 

example of an integrated 

solution. Deep Security delivers 

FIM in a solution designed for 

physical, virtual, and Cloud 

servers with virtualizationaware 

server security 

Page 6 


Page 6



solutions may add complexity to the IT environment, or may offer more features than the enterprise 

requires to meet its FIM objectives, unnecessarily burdening administration. Organization should 

therefore weigh their requirements for FIM in light of today’s wide spectrum of offerings, including 

those that deliver needed FIM capability integrated with broader solutions. For those requiring 

essential capabilities of monitoring critical operating system and application files, an integrated 

solution that unifies and streamlines multiple aspects of server security, compliance, and operational 

risk management may be preferred. 

Trend Micro Deep Security offers a particularly salient example of such an integrated solution. Deep 

Security delivers FIM in a solution designed for physical, virtual, and Cloud servers with virtualizationaware 

server security and is deployed with a simple license activation. By delivering essential FIM 

capability that protects critical operating system and application files and components, Deep Security 

answers many requirements for file integrity monitoring, offering a unified approach that combines 

FIM with widely accepted security technologies. 

As such, Deep Security FIM represents an extension of Trend Micro thought leadership. One of the 

first major security vendors to embrace significant investment in securing the virtualized data center 

and Cloud environments, Trend Micro continues to expand that lead by becoming one of the first 

vendors to integrate file integrity monitoring with host firewall, intrusion detection and prevention, 

antivirus/anti-malware and other widely accepted technologies to defend today’s mixed server 

environments—physical, virtual, and Cloud. By doing so, the Trend Micro solution helps organizations 

simplify and optimize the management of a wide spectrum of risk that benefits not only the security 

and compliance posture, but also provides more granular protection for sensitive information while 

helping the modern data center to deliver on its promise to better serve the business. 

About Trend Micro 

Trend Micro Incorporated, an innovator in Cloud security worldwide, aims to create a world safe for 

exchanging digital information with its Internet content security and threat management solutions 

for businesses and consumers. A pioneer in server security with over 20 years’ experience, Trend 

Micro delivers client, server, and Cloud-based security that fits its customers’ and partners’ needs, 

quickly stops new threats, and protects data in physical, virtualized, and Cloud environments. 

Powered by the industry-leading Trend Micro Smart Protection Network Cloud-based security 

infrastructure and supported by over 1,000 threat intelligence experts around the globe, Trend 

Micro products and services stop threats where they emerge – from the Internet. For additional 

information, visit www.trendmicro.com. 

Page 7 


Page 7

About Enterprise Management Associates, Inc. 

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum 

of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, 

and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, 

analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or 

blogs.enterprisemanagement.com. You can also follow EMA on Twitter or Facebook. 

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission 

of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change 

without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and 

“Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries. 

©2011 Enterprise Management Associates, Inc. All Rights Reserved. EMA, ENTERPRISE MANAGEMENT ASSOCIATES ® , and the 

mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc. 

Corporate Headquarters: 

5777 Central Avenue, Suite 105 

Boulder, CO 80301 

Phone: +1 303.543.9500 

Fax: +1 303.543.7687 

www.enterprisemanagement.com 

2327.090811

File Integrity Management for Today's Data Center ... - Trend Micro

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?