Malware attacks are escalating. For example, there were 57 million IoT malware attacks in the first half of 2022, a staggering 77% increase year to date.
Unfortunately, traditional signature-based antivirus and sandboxing technologies are insufficient against today's sophisticated attacks. In particular, advanced persistent threat (APT) tooling, Trojans and zero-day malware are built to evade these defenses. For one thing, it takes about 72 hours for a signature for a new variant to be written, tested and fully distributed, and during that window the variant is effectively invisible to signature-based tools.
As a result, file integrity monitoring (FIM) is more important than ever in defending against malware. But which file integrity monitoring approach is better: agent-based or agentless? Keep reading for a complete comparison of the two approaches to determine which one better suits your organization’s needs.
Background: How does FIM differ from file activity monitoring?
Before we get into agentless vs. agent-based FIM, we need to say a few words about the difference between file activity monitoring and file integrity monitoring. File activity monitoring gives you a useful picture of which files were changed, when and by whom. It can be implemented using native auditing functions, such as Windows Object Access Auditing or auditd watch rules on Linux.
However, this approach falls short of what FIM delivers. Genuine file integrity monitoring does not simply record file changes and attribute changes; it analyzes that data to determine whether anything unwanted or dangerous has happened. In particular, security-grade FIM solutions deliver on the "I" in "FIM": they keep a cryptographic hash of every monitored file in a baseline and compare the current hash against it to assess integrity. A SHA-2 family hash such as SHA-256 or SHA-512 is collision-resistant for practical purposes, so any change to a file's contents, even a single byte, produces a different digest; the hash is a fingerprint of the file's contents. Two caveats matter in practice: the hash covers contents only, so the baseline must also record permissions, ownership and (for symlinks) the target, and the baseline itself must be stored where an attacker with host-level access cannot rewrite it, or the comparison proves nothing.
What are the agentless and agent-based FIM models?
In an agentless FIM model, a central collector is responsible for extracting, collecting and analyzing data from the monitored devices. The collector interrogates each device across the network by logging in with a privileged account (for example over SSH, WinRM or WMI), enumerates the file inventory and hash values, and compares them against the stored baseline to determine whether changes have been made.
In an agent-based FIM model, a resident agent on each host extracts the data and computes the hash values locally, then pushes the results to the central system for analysis.
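As an added illustration (this is not Netwrix code or part of the original article), the following Python script implements the baseline-and-compare step that both models rely on: in the agentless model the collector would run this kind of inventory on each host over a remote shell, while in the agent-based model the agent runs it locally and pushes the result. The directory tree, file names and tampering steps in demo() are constructed for the example; the trojanised binary keeps its original size and mtime to show why content hashing, not timestamps, is what provides integrity.

```python
"""Added example, not Netwrix code: the baseline-and-compare step that both
FIM models rely on.  An agentless collector runs this kind of inventory on each
host through a remote shell; an agent runs it locally and ships the result.
The directory tree in demo() is constructed here so the script runs offline."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def inventory_file(path: Path) -> dict:
    """Record the content hash plus integrity-relevant metadata for one path.
    mtime is kept for context only: an attacker can reset it with utimes()."""
    st = path.lstat()
    entry = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        entry["sha256"] = digest.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)  # a retargeted symlink is a change too
    return entry


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its inventory entry."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = inventory_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed, modified (content) or attr_only
    (permissions/ownership changed while the content stayed identical)."""
    report = {"added": [], "removed": [], "modified": [], "attr_only": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        elif (old.get("sha256"), old.get("target")) != (new.get("sha256"), new.get("target")):
            report["modified"].append(rel)
        elif any(old[k] != new[k] for k in ("mode", "uid", "gid")):
            report["attr_only"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, compare.
    The paths only mimic real system files; nothing outside the temp dir is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "shadow").write_text("root:*:19000::::::\n")
        (root / "etc" / "shadow").chmod(0o600)
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)

        # Tampering: same-size trojanised binary with its mtime put back, a new
        # cron persistence file, shadow made world-readable, motd deleted.
        (root / "bin" / "sshd").write_bytes(b"backdoor binary")
        os.utime(root / "bin" / "sshd", (baseline["bin/sshd"]["mtime"],) * 2)
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")
        (root / "etc" / "shadow").chmod(0o644)
        (root / "etc" / "motd").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Activity monitoring keyed on mtime would miss the binary swap in demo(), because the attacker restored the timestamp; the content hash catches it regardless. Where the baseline is stored is the design decision that separates the two models: an agentless collector keeps it off-host by construction, whereas an agent must ship it to the management server (or sign it) so a local root compromise cannot quietly re-baseline.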
What are the pros and cons of each approach?
Agentless FIM Tools
In general, agentless FIM tools offer quick deployment, lower ownership cost and reduced management overhead. If you need only basic inventory collection, performance metrics or monitoring of legacy systems on which nothing can be installed, an agentless tool may be all you need. Very large estates (tens of thousands of machines) can benefit from having no per-host agents to deploy and patch, though the per-scan load described under the cons below grows with the number of hosts polled.
However, agentless FIM tools are highly dependent on network connectivity and on inbound privileged access, so they do not work for roaming users, for machines in a DMZ (demilitarized zone) that the collector is not permitted to reach, or for machines that are powered off or otherwise unreachable at scan time.
Pros
- Easy and quick deployment because there is no need to install any programs or deploy any files to the endpoints
- Less maintenance since there are no agents to update
- Simple host configuration, with no risk of interference from an agent
Cons
- Resource-intensive for both host and network: every scan must re-hash the whole monitored file set, either by pulling file contents across the network or by running the hashing on the host through a remote shell, so each poll cycle produces a load peak
- Cannot identify risks in real time: scans run on a schedule (often daily), and a file that is modified and then restored between two scans is never seen
- May not be available on all device types
- Arguably less secure, since every host must accept remote access at the root or system level, and the collector's credential store becomes a single point of compromise for the entire estate
- Visibility is limited to what the remote management protocol exposes, so custom application state that is not written to files may go unassessed
- May require firewall rules and network routing so the collector can reach every host
Agent-based FIM Tools
Agent-based FIM tools are usually best for distributed, heterogeneous networks with remote locations and limited bandwidth, since they are less dependent on network connectivity. Built for continuous monitoring, they provide a real-time picture of changes to the integrity of platforms and applications, which is vital for early breach detection, application and configuration control, and change verification.
In addition, since FIM agents run continuously and independently of any central management server, integrity changes will be recorded even if contact with the management server is lost and then communicated back when communication is restored. Therefore, agent-based FIM works for endpoints that disconnect from the corporate network, such as laptops and phones.
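As an added example (not code from Netwrix or the original article), the following Python shows one way an agent can provide that guarantee: a durable local spool where every integrity event is written before any delivery attempt, and a flush routine that replays unacknowledged events in order once the server answers again. The EventSpool class, the send() callable and the simulated server in demo() are assumptions made for the illustration.

```python
"""Added example, not Netwrix code: a store-and-forward spool so an agent keeps
recording integrity events while the management server is unreachable.  Every
event is appended (and fsync'd) to a local log before any delivery attempt;
flush() sends unacknowledged events in order and advances the cursor only on
success.  The send callable and the server in demo() are stand-ins for the
real transport, constructed here so the script runs offline."""
import json
import os
import tempfile
import time
from pathlib import Path


class EventSpool:
    def __init__(self, spool_dir: Path):
        spool_dir.mkdir(parents=True, exist_ok=True)
        self.log = spool_dir / "events.jsonl"
        self.cursor = spool_dir / "acked.seq"
        self.log.touch()
        # Sequence numbers survive an agent restart: continue after the last line.
        with self.log.open() as fh:
            self.next_seq = sum(1 for _ in fh) + 1

    def record(self, event: dict) -> int:
        """Persist an event locally first; return its sequence number."""
        seq = self.next_seq
        line = json.dumps({"seq": seq, "ts": time.time(), **event}, sort_keys=True)
        with self.log.open("a") as fh:
            fh.write(line + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # survive a crash or power loss right after the change
        self.next_seq = seq + 1
        return seq

    def acked(self) -> int:
        return int(self.cursor.read_text()) if self.cursor.exists() else 0

    def pending(self) -> list:
        """Events not yet acknowledged by the server, oldest first."""
        acked = self.acked()
        events = (json.loads(line) for line in self.log.read_text().splitlines())
        return [ev for ev in events if ev["seq"] > acked]

    def flush(self, send) -> int:
        """Deliver pending events in order; stop at the first failure.  Delivery is
        at-least-once (a crash between send and cursor write replays one event),
        so the server must de-duplicate on (host, seq)."""
        delivered = 0
        for ev in self.pending():
            if not send(ev):
                break
            self.cursor.write_text(str(ev["seq"]))
            delivered += 1
        return delivered


def demo() -> dict:
    """Constructed scenario: three changes recorded while the link is down, then a
    link that comes back but drops again after two sends, then a healthy link."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = EventSpool(Path(tmp))
        server_seqs = []
        link = {"sends_left": 0}  # how many sends succeed before the link drops

        def send(ev):
            if link["sends_left"] <= 0:
                return False
            link["sends_left"] -= 1
            server_seqs.append(ev["seq"])
            return True

        for path in ("/etc/sudoers", "/etc/ssh/sshd_config", "/usr/bin/sshd"):
            spool.record({"path": path, "change": "modified"})

        result = {"while_down": spool.flush(send)}
        link["sends_left"] = 2
        result["flaky_link"] = spool.flush(send)
        link["sends_left"] = 10
        result["after_reconnect"] = spool.flush(send)
        result["server_seqs"] = server_seqs
        result["pending_after"] = len(spool.pending())
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering matters for investigation: the server receives the sudoers change before the sshd binary change, in the order they happened on the host, even though all three arrived in a burst after reconnection. A real agent would also cap the spool size and sign or encrypt the spool file, since an attacker with local root could otherwise truncate it before the link returns.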
Keep in mind that agents are no longer something to be feared. It is rare to find an application host that does not already run a third-party antivirus agent, a backup and restore agent or a DLP agent, and many Linux patch-management and configuration-management tools rely on an agent as well.
However, agent-based FIM solutions involve greater deployment and maintenance overhead.
Pros
- Continuous, real-time recording of all system and file integrity changes
- Efficiency: after the one-time baseline, the agent typically only needs to re-hash files that the operating system reports as changed (for example via inotify or fanotify on Linux, or the USN journal and ETW on Windows), so it is less resource-intensive than re-scanning everything on each agentless poll
- Creates audit trails for compliance
- Increased security — the agent runs locally with root/system access without any need to open the host up to high privilege remote access
- Detailed local reporting for further investigation, without the host having to expose a remote management interface
- Still records change activity on laptops and mobile devices while network connectivity is disrupted, and transmits the backlog once connectivity is restored
- Supplements file change data with kernel-level context, such as the process and user that made the change
- Provides a full assessment of OS, processes, files, hardware, and connected devices
- Helps admins perform immediate risk mitigation activities
- Finer-grained monitoring policies can be applied per host
- Helps implement application control on each target machine since the agent can monitor the machine in real time, react to file and configuration changes, detect new processes and services and implement site-specific rules for detecting suspicious activity
Cons
- Requires installation on every monitored device, plus ongoing updates
- Consumes some CPU and RAM on every host
- Introduces a third-party agent onto the host, with some risk of interference with the primary service (the same consideration that applies to the antivirus and backup agents already present)
Comparison Summary
| | Agent-based FIM | Agentless FIM |
|---|---|---|
| Deployment | Agent installation is needed on each target system, which requires planning and management for large, geographically dispersed organizations. | No installation needed on the target systems; the collector needs credentials and network reachability for each of them. |
| Breadth and depth of metrics | Monitors a wider variety of metrics and provides deeper insight into inventory, configuration and asset state. | Monitors a narrower set of metrics, limited to what the remote management protocol exposes. |
| Timeliness | Real-time, continuous recording of integrity changes; the recorded state is always current. | Depends on the central poll schedule; changes between polls are not seen until the next scan. |
| Resource overhead | Constant but low resource usage on the host. | No overhead on the target between scans, but relatively high peaks on both host and collector during each poll cycle. |
| Network overhead | Minimal: only change events are transmitted. | Higher: file contents or hash lists cross the network on every poll. |
| Network dependence | Less dependent on the network; continues operating and buffering when disconnected from the monitoring station. | Highly dependent on network connectivity to every host. |
| Extensibility | Agents can be customized and extended with local rules. | Limited to the commands the remote protocol allows. |
| Maintenance | Occasional patching, monitoring and agent troubleshooting, which can be difficult in large and geographically dispersed organizations. | No maintenance on the target systems; the collector and its credential store must be maintained and protected. |
| Governance | High-level approval may be required to install an agent on production hosts. | Fewer approval hurdles, though granting one central system privileged remote access to every host needs its own approval. |
| Configuration auditing | Compliance checks run in parallel on all devices; results are available from the agent within minutes. | Compliance analysis is more intensive; running host commands over a remote shell, device by device, takes longer. |
Choosing the right FIM software for your organization
Each approach to file integrity monitoring offers value that the other lacks. Only an agentless approach can cover devices on which no agent can be installed, such as printers, switches, routers and firewalls, whose configuration can still be pulled over the management interface and hashed against a baseline. Only an agent can deliver continuous monitoring on laptops and other endpoints that leave the network, and only an agent avoids opening every host to privileged remote access.
Accordingly, most organizations will benefit from choosing a FIM solution that provides both agent-based and agentless options.
How Netwrix can help
Netwrix Change Tracker provides advanced FIM capabilities that use an agent to continuously detect unauthorized changes and other suspicious activity and deliver real-time alerts. It suits organizations that want greater confidence in system integrity while reducing complexity and cost. It offers the following capabilities:
- Hardens systems faster
- Closes the loop on change control
- Ensures critical system files are authentic using advanced FIM and file reputation lookup
- Tracks the complete history of changes