A server administrator is hardening a critical file server. An audit finding has highlighted a risk that unauthorized changes to critical operating system files and configuration settings could go undetected. The administrator needs to implement a security control that specifically monitors the server for such modifications and generates an alert if they occur. Which of the following solutions BEST addresses this requirement?
A Security Information and Event Management (SIEM) system
The correct answer is a Host Intrusion Detection System (HIDS). A HIDS is designed to monitor and analyze the internal state of a host system. A core function of many HIDS solutions is file integrity monitoring (FIM), which involves creating a baseline of critical system files and configurations and then continuously checking for unauthorized changes. This directly meets the scenario's requirement to detect and alert on modifications to OS files.
A Network Intrusion Prevention System (NIPS) is incorrect because it operates at the network level, inspecting traffic as it passes through the network. It would not have visibility into file system changes occurring locally on the host itself.
While an antivirus/anti-malware solution is a crucial host security component, its primary function is to scan for and remediate known malicious software. It is not specifically designed to monitor and alert on all configuration or system file changes, which may be performed by a legitimate but unauthorized user rather than by malware.
A Security Information and Event Management (SIEM) system aggregates, correlates, and analyzes log data from various sources, including from a HIDS. However, the SIEM itself does not perform the direct monitoring of files on the host; it relies on a tool like a HIDS to generate and forward those specific events for analysis.