TL;DR: Security teams still miss small, unauthorised configuration changes because they rely on delayed logs and periodic scans instead of real-time file integrity monitoring, according to Netwrix. The editorial lesson is simple: detection only works when it is tied to the I/O layer and a trusted baseline, not when it waits for the attacker to finish.
NHIMG editorial — based on content published by Netwrix: Resource center Blog One config changed. Nobody noticed
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should security teams implement file integrity monitoring without drowning in alerts?
A: Security teams should anchor file integrity monitoring to a trusted baseline, then reconcile each change against approved tickets, maintenance windows, and accountable owners.
Q: Why do delayed logs and scheduled scans miss dangerous configuration drift?
A: Delayed logs and scheduled scans create a detection gap between the moment a change occurs and the moment a tool sees it.
Q: What breaks when configuration baselines are stale or incomplete?
A: When baselines are stale or incomplete, every deviation becomes ambiguous and teams lose the ability to distinguish approved drift from unauthorised change.
Practitioner guidance
- Deploy point-of-change integrity monitoring Instrument critical systems so file, registry, and configuration edits are captured as they happen, not only after log aggregation or scan cycles.
- Maintain system baselines as living references Promote approved drift into the baseline, retire stale references, and review exceptions against a hardened source image for every key server class.
- Reconcile change events to approved work Link detected modifications to tickets, maintenance windows, and accountable owners so analysts can suppress known-good activity and investigate the rest.
What's in the full article
Netwrix's full article covers the operational detail this post intentionally leaves for the source:
- How the Gen 7 Agent hooks into the Windows I/O path and what that means for file integrity telemetry.
- How Change Tracker reconciles detected events against ServiceNow, BMC Remedy, and other change systems.
- How baseline promotion and exception handling work across Windows, Linux, network devices, and virtualisation targets.
- How the article maps the control model to CIS, PCI DSS, and NERC CIP reporting needs.
👉 Read Netwrix's analysis of point-of-change detection and file integrity monitoring →
File integrity change detection: is your control late or live?
Explore further
Real-time change detection is a governance control, not a logging feature. When a registry value, SSH configuration, or firewall rule changes without being seen at the moment of modification, the programme has already lost the first decision point. Logs and scanners can confirm a change later, but they cannot preserve the evidence window that makes containment possible. Practitioners should treat point-of-change visibility as a governance requirement, not an operational convenience.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who should be accountable when an unplanned system change has no matching change record?
A: The accountable owner should be the person or team responsible for the configuration item, with the change routed back through the governance process for review and remediation. If no owner can be identified, that is itself a control failure. Change governance must make ownership visible before the incident matures.
👉 Read our full editorial: Change detection at the point of change, not after the breach