Introduction
Within the FIM technology marketplace there are choices to be made. Agent-based or agentless is the most common choice, but beyond that there are both SIEM and ‘pure-play’ FIM alternatives to choose between.
FIM – Agents or Agentless
There is rarely a clear-cut advantage for either agent-based or agentless FIM. There is a balance to be struck between agentless FIM and the arguably superior approach of agent-based FIM, which offers:
- Real-time detection of changes; agentless FIM scanners can only operate on a scheduled basis, typically once per day
- Locally stored baseline data, meaning a one-off full scan is all that is needed, whereas a vulnerability scanner will typically need to re-baseline and hash every single file on the system each time it scans
- Greater security by being self-contained, whereas an agentless FIM solution requires a logon and network access to the host under examination
Conversely, proponents of the agentless vulnerability scanner will cite the advantages of their technology over an agent-based FIM approach, including:
- Up and running in minutes, with no need to deploy and maintain agents on endpoints, which makes an agentless approach easier to operate
- No need to load any third-party software onto endpoints; an agentless scanner is 100% self-contained
- Foreign or new devices added to a network will always be discovered by an agentless scanner, whereas an agent-based approach is only effective where agents have been deployed onto known hosts
For these reasons there is no outright winner of this argument and, typically, most organisations run both types of technology in order to benefit from all the advantages on offer.
Applying SIEM for FIM
Using SIEM technology is easier to manage. Similar to the agentless argument, a SIEM system may be operated without requiring any agent software on the endpoints, using WMI or the native syslog capabilities of the host. However, this is usually seen as inferior to the agent-based SIEM package. An agent will allow for advanced security features such as hashing and real-time log monitoring.
For FIM, all SIEM vendors will rely on a combination of host object access auditing, combined with a scheduled baseline of the filesystem. The auditing of filesystem activity can give real-time FIM capabilities, but will require substantially greater resources from the host to operate than a benign agent. The native auditing of the OS will not provide hash values for files, so the forensic detection of a Trojan cannot be achieved to the extent that an enterprise FIM agent will do so.
The SIEM vendors have moved to address this problem by providing a scheduled baseline and hash function using an agent. The result is a solution that is the worst of all options: an agent must be installed and maintained, but without the benefits of a real-time agent!
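The baseline-and-hash comparison that the text contrasts with native object access auditing, as an added Python example (not code from the article or from any vendor mentioned): it hashes a constructed file tree, stores the baseline locally the way an agent would, and reports what a rescan detects, including a same-length content change that a size check alone would miss.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baselines(old: dict, new: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Baseline a constructed file tree, tamper with it, and report what a rescan detects."""
    work = Path(tempfile.mkdtemp())          # constructed scratch host, not a real system
    root = work / "host"
    (root / "bin").mkdir(parents=True)
    (root / "etc").mkdir()
    (root / "bin" / "login").write_bytes(b"original binary")
    (root / "etc" / "passwd").write_text("root:x:0:0\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    # Persist the baseline locally, as an agent does, so later scans only compare digests.
    baseline_file = work / "baseline.json"
    baseline_file.write_text(json.dumps(build_baseline(root)))
    # Constructed tampering: same-length content change, a new file, and a deletion.
    (root / "bin" / "login").write_bytes(b"replaced binary")
    (root / "bin" / "extra").write_bytes(b"new file")
    (root / "etc" / "hosts").unlink()
    stored = json.loads(baseline_file.read_text())
    return compare_baselines(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```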
Summary
In summary, SIEM is best used for event log analysis and FIM is best used for File Integrity Monitoring. Whether you then decide to use an agent-based FIM solution or an agentless approach is harder. In all likelihood, the conclusion will be that a combination of the two is going to be the only complete answer.
