One of the differences between servers in data centers and desktops is that servers don't reboot a lot. So the bad guys can build an in-memory system that doesn't change anything on disk (which keeps the configuration management system from flagging it), and if it cloaks itself as a normally long-lived process then active monitors might be fooled as well.
It then runs, effectively undetected, until the server reboots, which can be months (or even years).
Tools to protect against those threats are going to have to start taking into account process activity and footprint.
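One footprint check a monitoring tool could make, shown as an added example that is not part of the original text: assuming a Linux host, flag processes whose executable or executable memory regions have no backing file on disk. The snapshot data and the names `SNAPSHOTS`, `assess` and `flagged` are constructed for illustration; JIT runtimes also create anonymous executable mappings, so hits are leads to triage rather than verdicts.

```python
import re

# One /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+(\d+)\s*(.*)$")

def executable_unbacked_regions(maps_text):
    """Return (start, size, label) for executable mappings with no file on disk."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        start, end, perms, inode, path = m.groups()
        if "x" not in perms or path.startswith("["):  # skip [vdso], [vsyscall]
            continue
        anonymous = path == "" and inode == "0"
        if anonymous or path.startswith("/memfd:") or path.endswith(" (deleted)"):
            size = int(end, 16) - int(start, 16)
            hits.append((start, size, path or "<anonymous>"))
    return hits

def assess(proc):
    """Return the reasons a process snapshot looks memory-resident only."""
    reasons = []
    exe = proc["exe"]  # target of the /proc/<pid>/exe symlink
    if exe.startswith("/memfd:") or exe.endswith(" (deleted)"):
        reasons.append("exe has no on-disk file: " + exe)
    for start, size, label in executable_unbacked_regions(proc["maps"]):
        reasons.append(f"executable region {label} at 0x{start} ({size} bytes)")
    return reasons

def flagged(snapshots):
    """Map pid -> reasons for every snapshot with at least one finding."""
    return {p["pid"]: r for p in snapshots if (r := assess(p))}

# Constructed snapshots (not captured from a real host).
SNAPSHOTS = [
    {"pid": 812, "comm": "sshd", "exe": "/usr/sbin/sshd", "maps": """\
55d0c3a00000-55d0c3a2c000 r-xp 00000000 08:01 1314 /usr/sbin/sshd
7ffd5e1f2000-7ffd5e1f4000 r-xp 00000000 00:00 0 [vdso]"""},
    {"pid": 4471, "comm": "crond", "exe": "/memfd:x (deleted)", "maps": """\
7f3a0c000000-7f3a0c004000 r-xp 00000000 00:01 9217 /memfd:x (deleted)
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a10021000-7f3a10042000 rw-p 00000000 00:00 0"""},
]

if __name__ == "__main__":
    for pid, reasons in flagged(SNAPSHOTS).items():
        print(pid, reasons)
```

On a live host the same two inputs come from `readlink /proc/<pid>/exe` and `/proc/<pid>/maps`, read with sufficient privilege.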