We have FIM as a service, instead of running it ourselves. It has pre-configured settings.
From what I can tell of recent events I've had to confirm, the Windows Registry is part of the changes to be monitored, obviously for traces of compromise. But it is monitoring specific keys, not the file(s).
HKEY Software / System / Etc. Each of the keys has its own risk score, and on every MS patch day I see a lot of changes occurring. "Autoruns" are a big one.
Mind you, the changes are scored individually, and it is the sequence that may raise an alarm. FIM is like an IDS/IPS, and that's why we've outsourced it. It is too complex to maintain on a part-time basis, and the FIM/AV/Compliance package that we run costs less than $100 per unit per year.
Mar 27th 2016
1 year ago
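As an added illustration of what the comment above describes (registry FIM on specific autorun keys, each change scored individually, an alarm when the scores accumulate), the following PowerShell script is example code written for this page, not part of the thread or of any FIM product. The key list, the per-key scores, the baseline path and the alert threshold are assumptions chosen for illustration.

```powershell
# Assumed: autorun keys under watch and a per-key risk score for any change to them.
$AutorunKeys = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'     = 8
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' = 9
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'     = 6
}
$BaselinePath   = "$env:ProgramData\fim-autorun-baseline.json"  # assumed location
$AlertThreshold = 12                                            # assumed: summed score that raises an alert
function Get-AutorunSnapshot {
    # Map "key|valueName" -> SHA-256 of the value data; hashing keeps the baseline small.
    $snap = @{}
    foreach ($key in $AutorunKeys.Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data  = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $bytes = [Text.Encoding]::UTF8.GetBytes($data)
            $hash  = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($bytes)) -replace '-', ''
            $snap["$key|$name"] = $hash
        }
    }
    return $snap
}
function Compare-AutorunSnapshot($Baseline, $Current) {
    # One record per added, removed or modified value, scored by the key it lives under.
    $changes = @()
    foreach ($id in (@($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique)) {
        $kind = $null
        if (-not $Baseline.ContainsKey($id))       { $kind = 'added' }
        elseif (-not $Current.ContainsKey($id))    { $kind = 'removed' }
        elseif ($Baseline[$id] -ne $Current[$id])  { $kind = 'modified' }
        if (-not $kind) { continue }
        $key, $name = $id -split '\|', 2
        $changes += [pscustomobject]@{ Key = $key; Value = $name; Change = $kind; Score = $AutorunKeys[$key] }
    }
    return $changes
}
$current = Get-AutorunSnapshot
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content $BaselinePath   # first run: record the baseline
    Write-Output "Baseline written to $BaselinePath"
} else {
    $baseline = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $baseline[$_.Name] = $_.Value }
    $changes = Compare-AutorunSnapshot $baseline $current
    $total = 0; foreach ($c in $changes) { $total += $c.Score }
    $changes | Format-Table -AutoSize
    if ($total -ge $AlertThreshold) { Write-Warning "Autorun changes scored $total (threshold $AlertThreshold)" }
}
```

Run it once to write the baseline, then on a schedule; after a patch day, re-baseline only once the listed changes have been reviewed.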
You could have a look at the OSSEC HIDS, which has a FIM feature. It's a good starting point (for UNIX & Windows hosts).
Now, like log management, it's up to you to know your business / environment and where your important data are!
Mar 28th 2016
1 year ago