File Access Monitoring (FAM) is a security practice that involves tracking and logging access to sensitive files. FAM should be included with any File Integrity Monitoring (FIM) solution to trigger alerts when critical host files not intended for regular use are accessed.
Data compliance regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Sarbanes-Oxley Act (SOX), and Health Insurance Portability and Accountability Act (HIPAA) require that organizations monitor how sensitive data is accessed.
In addition, CIS Critical Security Controls v8 specifically requires FAM: Data Protection 3.14: Log Sensitive Data Access.
FAM helps organizations comply with these regulations by providing comprehensive details of data access and changes, which are essential for demonstrating compliance during audits. The lack of a FAM solution capable of identifying unauthorized access could result in non-compliance, potentially resulting in financial and reputational penalties.
FAM solutions are designed to capture comprehensive information about access to sensitive information, which includes:
While FAM is essential, it comes with its set of challenges:
Qualys File Integrity Monitoring (FIM) now includes advanced FAM capabilities to allow users to capture file access attempts in real time. Should there be an attempt to access a highly critical file, even without modifications, Qualys FIM will generate a detailed alert, which includes comprehensive 'who,' 'what,' 'when,' and 'where' details for access attempts.
Let’s examine a few examples of the activities performed and what Qualys FAM can capture.
Examples:
Figure 1 - Access activity performed with ‘sudo’
In the command, jerry used sudo as a prefix, so the event records the user as ‘root’. Qualys FAM also captures the original user who initiated the session: the field ‘Audit User Name’ shows that user along with their user ID.
The exact command the user ran appears under the field ‘Command executed.’
Figure 2 - Event for access activity performed with ‘sudo’
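The same split between the effective user and the user who started the session exists in the Linux audit subsystem, where each record carries `uid` alongside `auid` (the login UID, which sudo does not change). The following is an added example, not Qualys code or output: it parses constructed auditd-style SYSCALL records, and the uid-to-name map, the `fam_sensitive` key and the `backupd` daemon are assumptions made for illustration.

```python
import re

# Constructed sample records in Linux auditd SYSCALL format (not Qualys output).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 ppid=2210 pid=2211 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="fam_sensitive"
type=SYSCALL msg=audit(1700000050.202:202): arch=c000003e syscall=257 success=yes exit=3 ppid=3100 pid=3101 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=6 comm="less" exe="/usr/bin/less" key="fam_sensitive"
type=SYSCALL msg=audit(1700000099.303:203): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=880 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="backupd" exe="/usr/sbin/backupd" key="fam_sensitive"
"""

UNSET_AUID = 4294967295  # auid of processes with no login session (e.g. daemons)
USERS = {0: "root", 1001: "jerry", 1002: "tom"}  # constructed uid-to-name map
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r"audit\(([\d.]+):(\d+)\)")


def attribute_access(log_text, users=USERS):
    """Split each file-access record into effective user and session (audit) user."""
    events = []
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        uid, auid = int(f["uid"]), int(f["auid"])
        has_session = auid != UNSET_AUID
        events.append({
            "event_id": EVENT.search(line).group(2),
            "user": users.get(uid, str(uid)),
            # auid survives sudo/su, so it names who actually logged in
            "audit_user": users.get(auid, str(auid)) if has_session else None,
            "elevated": has_session and auid != uid,
            "exe": f["exe"],
        })
    return events


if __name__ == "__main__":
    for e in attribute_access(SAMPLE_LOG):
        print(e)
```

A record with no login session (the third sample line) has no audit user to report, so it is returned with `audit_user` set to `None` rather than being attributed to a person.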
Figure 3 - Event for Sensitive file accessed via notepad
Qualys FAM captures the access activity along with comprehensive event details.
Figure 5 - Event for Sensitive file accessed via PowerShell
By detecting unauthorized access and change to system files, FIM reduces the risks of:
How do I configure FAM?
All you need to do is check one more field in your Qualys FIM app under ‘rule,’ and FAM will be enabled for you.
Figure 6 - Configuring File Access in FIM rule
Does Qualys support real-time File Access Monitoring (FAM)?
Yes, Qualys FAM is real-time for both Windows and Linux OS.
Do I need to install a separate agent for FAM?
No, the same agent being used for File Integrity Monitoring (FIM) will be used for FAM, which is included with FIM.
Can I create rules to monitor unauthorized access to custom files?
Yes, users can define custom rules that specify which files need to be monitored based on their sensitivity and the applicable regulatory requirements.
Is there an extra cost for FAM?
No, it's included at no additional cost with Qualys FIM.
Can I generate automated incident and compliance reports for FAM events?
Yes, Qualys FAM supports automated incident management and compliance reporting. FIM is fully equipped for all your compliance needs.