Which file integrity monitoring (FIM) technology is best?


The FIM technology market offers several options. The most common decision is agent-based versus agentless, but beyond that there is a further choice between SIEM-based FIM and “pure play” FIM products.

FIM agent or no agent

Neither agent-based nor agentless FIM has a clear, across-the-board advantage. Proponents of agent-based FIM point to the areas where it can be said to be superior:

  • Real-time change detection: an agentless FIM scanner can only detect changes on its schedule, typically once a day

  • A locally stored baseline means only one full scan is ever required, whereas an agentless scanner must re-baseline and re-hash every file on the system on every scan

  • Better security through self-containment: an agentless FIM solution has to log in to the monitored host over the network, so a privileged remote credential and a reachable management service must exist for it

Conversely, proponents of agentless scanners cite the advantages of their technology over agent-based FIM, including:

  • Up and running in minutes, with no agents to deploy and maintain on endpoints, which makes agentless systems easier to operate

  • No third-party software has to be loaded on the endpoint; the agentless scanner is fully independent of the monitored host

  • An agentless scanner will discover foreign or newly added devices on the network, whereas an agent-based system only covers hosts on which an agent has already been deployed

For these reasons neither side wins the argument outright. Most organizations end up using both technologies in order to get the full set of advantages.

Using SIEM for FIM

The SIEM question is more straightforward. As with the agentless argument, a SIEM can collect from a host through WMI or native syslog forwarding without any agent software on the endpoint. However, this is generally regarded as a poor substitute for the vendor's agent-based SIEM collector, because the agent enables advanced features such as file hashing and real-time log monitoring.

For FIM, SIEM vendors rely on a combination of the host's own object access auditing and scheduled file system baselines. File system activity auditing can deliver real-time FIM, but it costs the host considerably more resources than a well-behaved agent. Native operating system auditing also records no hash of the file, so it cannot provide the forensic-grade detection an enterprise FIM agent can: the audit log tells you that a file was written to, not what it now contains.

SIEM vendors have addressed this by adding agents that perform scheduled baselining and hashing. The result is the worst of both worlds: agents must be installed and maintained, yet without the real-time detection a true FIM agent provides.
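To make the baseline-and-hash model concrete (the stored baseline from the agent argument above, and the hashing that native OS auditing lacks in the SIEM discussion), here is an added Python example. It is not code from the original article or from any vendor's product. It walks a directory tree once to build a baseline of SHA-256 hashes, sizes and permission bits, then re-scans and classifies every path as added, removed or modified. The directory layout, file contents and the tampering steps in `demo()` (including the `ld.so.preload` drop) are constructed for illustration only.

```python
import hashlib
import json
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"
CHUNK_SIZE = 64 * 1024


def hash_file(path: Path) -> str:
    """Stream the file through the hash so large binaries never load into memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """One full walk of the tree: hash, size and permission bits per regular file.

    This is the baseline an agent stores locally; an agentless scanner has to
    rebuild it from scratch on every scheduled run.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Check for symlinks first: is_file() follows links, and a swapped link
        # must not be hashed as if it were the target it points at.
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def compare(baseline: dict, root: Path) -> dict:
    """Re-scan the tree and report what changed relative to the stored baseline."""
    current = build_baseline(root)
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario (not real data): baseline a tiny tree, tamper, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"\x00" * 60)

        baseline = build_baseline(root)

        # Tampering: an edit that keeps the exact byte count (a size check or a
        # bare "file written" audit event cannot say what changed; the hash can),
        # a deleted binary, and a newly dropped file (hypothetical preload entry).
        (root / "etc" / "hosts").write_text("127.0.0.1 evilhost1\n")
        (root / "bin" / "ls").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")

        result = compare(baseline, root)
        result["hosts_size_unchanged"] = (
            baseline["etc/hosts"]["size"] == (root / "etc" / "hosts").stat().st_size
        )
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, `build_baseline` followed by `compare` is exactly the agentless model the article describes: every file is re-read and re-hashed on each pass. An agent keeps the baseline from `build_baseline` on the host and re-hashes only the paths that file system change notifications point at, which is where its real-time detection comes from; that event hook is OS-specific and is deliberately left out of this example.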

To sum up

In short, SIEM is best suited to event log analysis and a dedicated FIM product is best suited to file integrity monitoring. The choice between an agent-based FIM solution and an agentless one is harder; the likely conclusion is that only a combination of the two gives complete coverage.


Source by Mark Kedgley