Within the FIM technology marketplace there are choices to be made. Agent-based or agentless is the most common one, but there are also SIEM and 'pure-play' FIM options to choose between.
FIM - Agents or Agentless
There is never a clear winner between agent-based and agentless FIM. A balance has to be found between the convenience of agentless FIM and the potentially superior operation of agent-based FIM, which offers:
Real-time detection of changes: agentless FIM scanners can only operate on a scheduled basis, typically once a day
Locally stored baseline data, meaning a one-off full scan is all that is required, whereas a vulnerability scanner will generally need to re-baseline and hash every file on the system every time it scans
Greater security by being self-contained, whereas an agentless FIM solution requires a logon and network access to the server under assessment
Conversely, proponents of the agentless vulnerability scanner will cite the advantages of that technology over an agent-based FIM system, such as:
Ready to go in minutes, with no need to deploy and maintain agents on endpoints, which makes an agentless system much easier to run
No need to load any third-party software on endpoints; an agentless scanner is 100% self-contained
Rogue or new devices added to the network will always be detected by an agentless scanner, whereas an agent-based system is only effective where agents have been deployed to known hosts
For all these reasons there is no outright winner of the debate, and typically many organizations operate both kinds of technology so as to gain all of the benefits on offer.
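The difference between a locally stored baseline and a scanner that must re-hash every file on each run, as an added example (not code from the original article or any FIM product): an agent-style baseline records a hash, size and mtime per file, and a later scan re-hashes only files whose size or mtime changed; `full=True` shows the "hash everything every time" cost, and the constructed scenario in `demo()` includes a same-size edit with its timestamp restored, which the shortcut misses and the full re-hash catches. All paths and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def build_baseline(root: Path) -> dict:
    """One-off full scan: hash every regular file and record size and mtime."""
    return {p.relative_to(root).as_posix(): {"sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "size": p.stat().st_size, "mtime_ns": p.stat().st_mtime_ns}
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(root: Path, baseline: dict, full: bool = False) -> dict:
    """Re-scan against the stored baseline. full=False re-hashes only files whose size or
    mtime changed; full=True re-hashes every file, as a scanner with no local baseline must."""
    out = {"added": [], "modified": [], "deleted": [], "hashed": 0}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        old = baseline.get(rel)
        if old is None:                      # new file that was never baselined
            out["added"].append(rel)
            continue
        st = p.stat()
        if full or st.st_size != old["size"] or st.st_mtime_ns != old["mtime_ns"]:
            out["hashed"] += 1
            if hashlib.sha256(p.read_bytes()).hexdigest() != old["sha256"]:
                out["modified"].append(rel)
    out["deleted"] = sorted(set(baseline) - seen)
    return out

def demo() -> dict:
    """Constructed scenario: baseline a temporary tree, then tamper with it."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "app").write_bytes(b"original binary")
    (root / "etc.conf").write_text("port=443\n")
    base = build_baseline(root)
    (root / "bin" / "app").write_bytes(b"replaced binary, longer")  # size changes
    (root / "dropper.sh").write_text("echo new\n")                    # never baselined
    # Same-size edit with the original timestamp put back: the size/mtime
    # shortcut misses it, a full re-hash does not.
    st = (root / "etc.conf").stat()
    (root / "etc.conf").write_text("port=444\n")
    os.utime(root / "etc.conf", ns=(st.st_atime_ns, st.st_mtime_ns))
    return {"fast": compare(root, base), "full": compare(root, base, full=True)}
```

In the fast scan only one file is hashed and the timestamp-restored edit goes unnoticed; the full scan hashes every baselined file and reports both modifications, which is the trade-off between the two approaches described above.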
Utilizing SIEM for FIM
Utilizing SIEM technology is far less difficult to manage. As in the agentless debate, a SIEM system can be operated without any agent software on the endpoints, using WMI or the native syslog capabilities of the server. However, this is typically regarded as a poor alternative to the agent-based SIEM package. An agent allows for advanced security functions such as hashing and real-time log tracking.
For FIM, all SIEM vendors rely on a mix of host object access auditing together with a scheduled baseline of the filesystem. Auditing of filesystem activity can provide real-time FIM capabilities, but it demands considerably more resources from the server than a lightweight agent does. The native auditing of the OS does not provide hash values for files, so forensic detection of a Trojan cannot be achieved to the extent that an enterprise FIM agent achieves it.
SIEM vendors have moved to address this problem by providing a scheduled baseline and hash function using an agent. The result is a solution that is the worst of all options: an agent has to be installed and maintained, yet without the advantages a real agent brings!
In short, SIEM is used for event log analysis and FIM is used for File Integrity Monitoring. Whether to use an agent-based FIM solution or an agentless one is the harder question. In all likelihood, the conclusion will be that a combination of both is the only complete solution.