Within the FIM technology market there are choices to be made. Agent-based or agentless is the most common choice, but even then there are both SIEM and ‘pure-play’ FIM solutions to choose between.
FIM – Agents or Agentless
There is no clear-cut advantage for either agent-based or agentless FIM as a host intrusion detection and configuration management technology. The balance to be struck is between agentless FIM and the arguably superior operation of agent-based FIM, which offers:
- Real-time detection of changes – agentless FIM scanners can only be effective on a scheduled basis, typically once every day
- Locally stored baseline data, meaning a one-off full scan is all that is needed, while an agentless vulnerability scanner must re-baseline and hash every single file on the system each time it scans
- Greater security by being self-contained, whereas an agentless FIM solution requires a logon and network access to the host under test
Conversely, proponents of the agentless vulnerability scanner will cite the advantages of their technology over an agent-based FIM system, including:
- Up and running in minutes: with no agents to deploy and maintain on endpoints, an agentless system is easier to operate
- No need to load any third-party software onto endpoints; an agentless scanner is 100% self-contained
- Foreign or new devices added to a network will always be discovered by an agentless scanner, while an agent-based system is only effective where agents have been deployed onto known hosts
For these reasons there is no outright winner of this argument, and typically most organizations run both types of technology in order to benefit from all the advantages offered.
Using SIEM for FIM
The SIEM question is much easier to settle. Similar to the agentless argument, a SIEM system may be operated without requiring any agent software on the endpoints, using WMI or the native syslog capabilities of the host. However, this is typically seen as an inferior solution to the agent-based SIEM package: an agent allows for advanced security functions such as hashing and real-time log monitoring.
For FIM, all SIEM vendors rely on a combination of host object access auditing and a scheduled baseline of the filesystem. Auditing filesystem activity can give real-time FIM capabilities, but it demands substantially more host resources than a well-behaved agent. The native auditing of the OS does not provide hash values for files, so the forensic detection of a Trojan cannot be achieved to the extent that an enterprise FIM agent achieves it. Similarly, monitoring the Windows registry using Object Access Auditing is even more cumbersome and usually forces big compromises in the breadth of monitoring, leaving a weak host intrusion detection system (HIDS) capability.
The SIEM vendors have moved to address this problem by providing a scheduled baseline and hash function using an agent. The result is a solution that is the worst of all options – an agent must be installed and maintained, but without the benefits of a real-time agent!
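To make the locally stored baseline and hash comparison described above concrete, here is an added example (not code from the original article or from any FIM product) of the core agent-side logic: one full pass builds a baseline of SHA-256 hashes, and later passes compare against it. The sample directory, file names and contents are constructed for the demonstration; it deliberately includes a same-length content change with the original timestamps restored, which a size- or mtime-based check misses but a hash comparison catches.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """One full pass over the tree: relative path -> SHA-256. This is the stored baseline."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return baseline

def compare_to_baseline(root, baseline):
    """Re-hash the tree and report added, removed and content-modified files."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }

def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    return full

def demo():
    """Constructed sample tree; every file name and content here is invented for the example."""
    with tempfile.TemporaryDirectory() as root:
        binary = _write(root, "bin/service", b"original service binary")
        _write(root, "etc/app.conf", b"debug=false\n")
        baseline = build_baseline(root)
        stat_before = os.stat(binary)
        # Same-length edit with mtime restored: invisible to size/timestamp checks, caught by hash.
        _write(root, "bin/service", b"original servlce binary")
        os.utime(binary, (stat_before.st_atime, stat_before.st_mtime))
        os.remove(os.path.join(root, "etc", "app.conf"))
        _write(root, "etc/cron.d/job", b"* * * * * /bin/service\n")
        return compare_to_baseline(root, baseline)
```

In a real agent the baseline would be persisted and protected on the host, and `compare_to_baseline` would be driven by a filesystem change notification rather than a full re-walk.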
In summary, SIEM is best used for event log analysis, and FIM is best used for File Integrity Monitoring and HIDS. Whether you then decide to use an agent-based FIM solution or an agentless system is a tougher call. In all likelihood, the conclusion will be that a combination of the two is the only complete solution.