FILE INTEGRITY MONITORING


FIM WHITE PAPER

FILE INTEGRITY MONITORING: COMPLIANCE AND SECURITY FOR VIRTUAL AND PHYSICAL ENVIRONMENTS

IT SECURITY AND COMPLIANCE AUTOMATION SOLUTIONS

EXECUTIVE SUMMARY

Today's organizations rely on numerous devices and applications in their physical and virtual IT infrastructure to carry out their everyday business. When these devices are configured improperly, whether as a result of malicious hacker attacks or inadvertent employee modifications, the IT infrastructure may be exposed to security risk that leads to service outages and theft of sensitive customer or organization data.

As a means of combating issues caused by improper change, organizations employ file integrity monitoring (FIM) solutions to keep an eye on a variety of files associated with the IT infrastructure, including configuration files, registry files, executables, and more. Many of these solutions first establish an authorized baseline configuration, which represents the known and trusted state of a system. The solution then monitors these files for any change that diverges from the established baseline configuration and alerts IT when changes are detected. IT can then determine if the change is good or undesirable and take any necessary corrective measures. Some FIM solutions can automatically reconcile changes against pre-defined parameters to help streamline the change management process.

At a minimum, a FIM solution should be able to establish a baseline, monitor for configuration change relative to the baseline, determine if change is planned or unplanned, alert when unplanned change occurs, and provide detailed information to help IT remediate any improper changes. Using a detailed requirements checklist can help ensure you've chosen the right solution for your IT infrastructure.

But FIM is only part of the configuration control story. Without first verifying the integrity of the IT infrastructure, the likelihood that those changes will have a negative effect increases. Compliance policy management solutions address the need to first get configurations of the IT infrastructure into a trusted state by proactively assessing configuration settings against internal and external policies. These policies, based on industry and expert-recommended best practices and standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Center for Internet Security (CIS) benchmarks, or VMware Infrastructure Hardening Guidelines, provide visibility into the state of your IT configurations and deliver prescriptive remediation guidance to help achieve a known and trusted state. When seamlessly combined with a file integrity monitoring solution, organizations gain control of their IT infrastructure configurations and maintain its trusted state.

Tripwire, the leading provider of IT security and compliance automation solutions, helps organizations gain continuous compliance and take control of security and compliance of their IT infrastructure. Tripwire security and compliance automation solutions include Tripwire Enterprise, which combines file integrity monitoring, compliance policy management, real-time analysis of detected change and prescriptive remediation guidance to help IT organizations achieve and maintain the IT infrastructure in a compliant and secure state. Tripwire also offers Tripwire Log Center, a complete log and security information event management (SIEM) solution that integrates with Tripwire Enterprise to provide even greater control of the IT infrastructure. And Tripwire Customer Services can help organizations quickly maximize the value of their Tripwire technology implementation. Tripwire solutions deliver visibility across the entire IT infrastructure, intelligence to enable better and faster decisions, and automation that reduces manual, repetitive tasks.

AN INCREASED NEED FOR VISIBILITY INTO IT CONFIGURATIONS

The IT infrastructure of an organization, whether public, private, or governmental, may have hundreds or even thousands of servers, devices, applications, and other elements that support its everyday business processes. And more and more, organizations are beginning to deploy virtual environments into this infrastructure. But for the organization to benefit from these infrastructure elements, whether physical or virtual, each must be configured properly. That is, the files associated with each element must have settings that reduce the risk of security breaches, optimize operations, and help achieve compliance with relevant regulations and standards. File integrity monitoring helps IT ensure the files associated with devices and applications across the IT infrastructure are secure, controlled, and compliant by helping IT identify improper changes made to these files, whether made maliciously or inadvertently.

WHAT IS FILE INTEGRITY MONITORING?

In an IT network, files can range from simple text files to configuration scripts, and any edit to such files can compromise their integrity. A change to a single line item in a 100-line script could prove detrimental to an entire file or operating system. For example, assigning the wrong IP address to a startup script or a newly installed network printer could disrupt the network. Below are some examples of the type of configuration settings a file integrity monitoring solution detects and monitors:

- Registry entries
- Configuration files
- .exe
- File and directory permissions
- Tables
- Indexes
- Stored procedures
- Rules
- ACLs
- Adds/Deletes/Modifications
- Auditing/logging
- Access controls
- System files
- Web root

File integrity monitoring solutions, also called change auditing solutions, ensure the file for a server, device, hypervisor, application, or other element in the IT infrastructure remains in a known good state, even in the face of inevitable changes to these files. Ideally FIM not only detects any change to files, but also includes capabilities that help IT immediately remediate issues caused by improper change. The following sections describe the capabilities often available with file integrity monitoring solutions.

ESTABLISHES A BASELINE

When IT deploys a system/component into its technology infrastructure, it typically does so with the knowledge that the component is initially configured appropriately. A file integrity monitoring solution captures the known good state of the entire system's IT configuration settings when it is deployed or when it has been configured with recommended settings and uses this state as a baseline configuration against which the solution can compare a later configuration. Many times this configuration state is referred to as a golden, compliance, or configuration baseline. A baseline-to-current-configuration comparison lets the solution immediately and automatically detect discrepancies caused by change.

Given today's rapid deployment of virtual machines, an ideal file integrity monitoring solution would also include in the baseline the configurations of virtual environment elements. These elements include the physical server, hypervisor, each guest OS, and any applications and databases running on a guest OS.

ALERTS AND NOTIFIES IT

When the solution detects change, whether authorized or unauthorized, IT needs to determine whether or not the integrity of a file has been compromised and whether the change requires immediate attention. IT should have the ability to specify which devices and files are critical and therefore require high-level, immediate attention versus those that do not. For example, the configuration file of an e-commerce site or a database populated with sensitive customer financial or medical data would warrant immediate attention, while configuration changes to non-critical systems could be addressed as time permitted.

Based on whether a system was viewed as critical or non-critical, the solution should be able to send alerts and notifications using a variety of methods to be sure IT receives them. For example, an alert is worthless if the detected change disrupted service. Other methods of notifying IT include an alert in the system tray, SNMP, CMD, SYSLOG, page, or within the management console. Early detection enables the administrator to quickly make any necessary corrections.

HELPS RECONCILE AUTHORIZED VERSUS UNAUTHORIZED CHANGE

Many solutions integrate with change management processes and change management databases. By comparing authorized change tickets with detected changes, IT can immediately determine if the change was planned or unplanned. FIM solutions can also create exception incident tickets within existing change management systems and enrich existing incident tickets with change data. Some solutions additionally can identify who made a change, allowing organizations to enforce the recommended zero tolerance policy for unauthorized change or to determine that the change originated from an external source. Even if an organization does not have a change management system, but instead has a list of approved changes, an ideal solution would be able to automatically reconcile detected changes with this list.

HELPS DETERMINE IF A CHANGE TOOK SYSTEMS OUT OF COMPLIANCE

With the numerous compliance mandates organizations face today, IT must also determine if a detected change removes a system from a compliant state. A file integrity monitoring system can do this by comparing each detected change against settings contained in a compliance policy. Those changes that do not take the system out of compliance can be viewed as lower priority, while those that do impact compliance should send alerts, so IT can take immediate measures to return the system to a compliant state.

ANALYZES AND PRIORITIZES EACH DETECTED CHANGE

Depending on the size of an organization, the number of changes a file integrity monitoring solution may detect can be tremendous. Realistically, IT could never manually review each change to see if it impacted compliance, security or operational performance and availability. To help IT focus on the changes that really need attention, they need compliance policy management and reconciliation with authorized changes, but they also must determine if the type of change, the conditions under which a change was made, or a host of other criteria indicate that a given change requires immediate attention. In addition, the solution should be able to auto-promote the remaining changes, typically ones that are both intentional and beneficial, relieving IT of the need to manually review them.

PROVIDES ASSISTANCE IN REMEDIATION

Although it may seem counter-intuitive, most system administrators, or other IT staff, prefer to roll back critical changes manually. What many want is information that a change has been made along with step-by-step assistance in recovering from changes they determine to be undesirable. A file integrity monitoring system should include highly prescriptive instructions to not only enable quick remediation of improper settings, but to also allow less-experienced IT personnel to correct problems they might not have the experience or knowledge to correct on their own.
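The baseline, comparison, reconciliation and prioritization capabilities described above, as an added Python example that is not part of the white paper and is not Tripwire code. The attribute set, the use of SHA-256 (the paper itself lists MD5 and SHA-1), the approved-change list format and all function names are assumptions made for illustration.

```python
"""Minimal file integrity check: baseline, compare, reconcile, prioritize.
Illustrative only; names and data formats are assumptions, not a product API."""
import fnmatch
import hashlib
import os
import stat
import tempfile

CONTENT_FIELDS = {"sha256", "size"}


def snapshot(root):
    """Record the content hash and key attributes of every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = {
                "sha256": digest.hexdigest(),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return state


def compare(baseline, current):
    """Return added, deleted and modified files relative to the baseline."""
    changes = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            kind, fields = "added", []
        elif new is None:
            kind, fields = "deleted", []
        else:
            fields = [k for k in old if old[k] != new[k]]
            if not fields:
                continue
            kind = "modified"
        changes.append({"path": path, "type": kind, "fields": fields,
                        "sha256": new["sha256"] if new else None})
    return changes


def reconcile(changes, approved, critical_patterns):
    """Label each change planned or unplanned and assign an action.

    approved: {path: sha256 the change ticket expects, or None for a deletion}
    critical_patterns: fnmatch patterns for files that need immediate attention
    """
    results = []
    for change in changes:
        path = change["path"]
        planned = (
            path in approved
            and approved[path] == change["sha256"]
            # An approved content change does not cover a permission/owner change.
            and set(change["fields"]) <= CONTENT_FIELDS
        )
        critical = any(fnmatch.fnmatch(path, p) for p in critical_patterns)
        action = "auto-promote" if planned else ("alert" if critical else "review")
        results.append({**change, "planned": planned, "action": action})
    return results


def promote(baseline, current, results):
    """Fold auto-promoted changes into a new baseline; leave the rest flagged."""
    new_baseline = dict(baseline)
    for r in results:
        if r["action"] != "auto-promote":
            continue
        if r["type"] == "deleted":
            new_baseline.pop(r["path"], None)
        else:
            new_baseline[r["path"]] = current[r["path"]]
    return new_baseline


if __name__ == "__main__":
    # Constructed sample tree, built in a temporary directory.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        for rel, data in {"etc/app.conf": b"port=443\n", "etc/motd": b"hello\n"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        with open(os.path.join(root, "etc/motd"), "wb") as fh:
            fh.write(b"maintenance at 02:00\n")              # ticketed change
        os.chmod(os.path.join(root, "etc/app.conf"), 0o666)  # unticketed change
        approved = {"etc/motd": hashlib.sha256(b"maintenance at 02:00\n").hexdigest()}
        for r in reconcile(compare(baseline, snapshot(root)), approved, ["etc/*.conf"]):
            print(r["action"], r["type"], r["path"], r["fields"])
```

The baseline dictionary has to be stored where the monitored host cannot rewrite it; otherwise whoever changes a file can also change the record it is compared against.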

WHAT'S BEING WATCHED?

File integrity monitoring solutions monitor changes to files associated with the servers, databases, routers, applications, and other devices and elements in the enterprise IT infrastructure. Files monitored may include registry files, configuration files, executables, file and directory permissions, tables, indexes, stored procedures, rules, and the list goes on. In fact, the reality is that today's IT infrastructure, even for smaller organizations, is far too complex to be monitored manually. The following table provides a sampling of the type of IT configurations these solutions may monitor:

WINDOWS: Access time, Creation time, Write time, Size, Package data, Read-only, DACL, SACL, Group, Owner, Growing, MD5, SHA-1, Hidden flag, Stream count, Stream MD5, Offline flag, System flag, Temp flag, Compressed flag, Archive flag

UNIX: Access time, Change time, Modify time, Size, Package data, ACL, User, Group, Permissions, Growing, MD5, SHA-1

In addition, these solutions now must pay attention to the configurations of components of virtualized environments. Depending on the virtualization approach used, these environments may include the virtualized server, a hypervisor, multiple guest OSes, and any applications that run on top of each guest OS. In fact, a recent Ziff-Davis publication reported that 70 percent of companies polled had already virtualized at the time of the study, or had plans to virtualize some time in the coming year. [1] And given that Gartner anticipated that 60 percent of production virtual machines would be less secure than their physical counterparts through 2009, file integrity monitoring solutions must be capable of monitoring these virtual environments. [2]

File integrity monitoring solutions offer an automated single point of control for monitoring all devices in the IT infrastructure, including virtual infrastructure, avoiding time-consuming, error-prone manual auditing. File attributes being monitored may include hostname, username, ticket number, date and time stamp and operation type. Specifically for server file systems, the table below provides an overview of the type of attributes these solutions may monitor:

SERVER FILE SYSTEMS | DATABASES | NETWORK DEVICES | DIRECTORY SERVICES | HYPERVISORS | APPLICATIONS
Registry entries | Tables | Routing tables | Privileged group | Permissions | Web server keys
Configuration files | Indexes | Firewall rules | Group policy options | Firewall settings | System files
.exe | Stored procedures | Configuration files | RSoP | Auditing/logging | Logs
File permissions | Permission grants | ACLs | | Access controls | Registry settings

WHY DO ORGANIZATIONS NEED FILE INTEGRITY MONITORING?

When high-profile security breaches hit the front page of popular news sites, the underlying culprit for the breach is often unauthorized change. According to a recent study, nine of 10 breaches involved some type of unknown, including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period. Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. [3]

File integrity monitoring solutions immediately detect and inform IT of changes that introduce risk, allowing organizations to quickly address and recover from security issues rather than waiting for a flood of customer complaints to realize a problem has occurred.

FILES ARE COMMON TARGETS FOR ATTACK

Hackers access the enterprise network through back door mechanisms, sniffing out IP addresses, phishing with plausible requests for information, and adding rootkits to gain undetected access to the root of a system. Inadvertent file changes often create the security vulnerabilities hackers use in their attacks. And with today's virtualized environments that include highly portable disk images, organizations will likely see more and more infiltration of the enterprise network through an image file that has been taken offsite, modified to enable malicious activity, and then returned to its place in the network.

Because files can be easily compromised, it is critical to continually monitor key files. If files are not monitored and an outage or event occurs, it might take days before the problem can be tracked. During that time, system availability and security become vulnerable.

ORGANIZATIONS FACE COMPLIANCE REQUIREMENTS

Over the past few years, several regulatory compliance acts have been instituted, including Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA), that target public companies in an effort to rebuild consumer confidence following several major accounting scandals. The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies along with other stakeholders to address ongoing issues with theft of financial data. In addition, federal government entities are subject to various regulations and standards, including the Federal Information Security Management Act (FISMA), standards issued by the National Institute of Standards and Technology (NIST), and others.

Not only is file integrity important to the stability and known state of the IT infrastructure, it is also important for complying with regulations, standards, and compliance audits. Because IT plays a huge part in the financial and retail sectors, all these regulatory acts have a technology component to them. Section 404 of SOX and section 501(b) of GLBA address the security of technology systems in the financial sector. And section 11.5 of the PCI DSS states that a company must:

    Deploy file integrity monitoring software to alert personnel to unauthorized modifications of critical system or content files, and configure the software to perform critical file comparisons at least weekly.

Section of the PCI DSS states that a company must:

    Verify the use of file integrity monitoring or change detection software for logs by examining system settings and monitored files and results from monitoring activities.

File integrity monitoring helps organizations detect changes to files and ideally analyze those changes to determine if they increase security risk or take systems out of compliance and an operationally optimal state. These solutions also provide an audit trail and proof that appropriate controls on technology have been put in place, which is critical for easing the burden of proving compliance in an audit. By increasing visibility into change through on-demand reports and alerts and notifications, and following up with explicit instructions for returning systems to a known good state, organizations avoid many of the unfortunate consequences of poorly configured systems: system outages, loss of e-commerce capabilities, stolen sensitive customer data or intellectual property, and fines from non-compliance.

A CHECKLIST OF PRODUCT REQUIREMENTS

We've so far described what file integrity monitoring is and why it's needed. You've also learned what a file integrity solution monitors and some must-haves for the solution you choose. Following is a detailed checklist for what you should look for when evaluating a file integrity monitoring solution:

INTEGRITY VERIFICATION

The following requirements address how any file integrity monitoring solution should verify file and attribute integrity.

INTEGRITY VERIFICATION | Y / N
- Can automatically check for changes to file/directory contents.
- Can automatically check for changes to file/directory permissions.
- Can automatically check for changes to file/directory time/date stamps.
- Can automatically check for changes to file/directory names.
- Can automatically check for changes to file/directory ownership.
- Can automatically check for additions/modifications/deletions to Windows registry keys.
- Can check for file content changes using cyclic redundancy checking and/or digital signature checking.
- Supports multiple hashing algorithms (e.g. MD5, SHA).
- Can automatically detect changes to access control lists.
- Can monitor security identifier and descriptor.
- Ability to correlate event audit logs to determine which user made a change.
- Ability to detect changes to server file systems.
- Ability to detect changes to databases.
- Ability to detect changes to network devices.
- Ability to detect changes to directory services file systems.
- Ability to detect changes to hypervisor file systems.
- Ability to detect changes to virtual workloads.
- Ability to detect changes to virtual network devices (vswitches).
- Ability to detect changes to application file systems.
- Ability to archive new versions of configurations as changes are detected and baseline configurations evolve.
- Examines parts of configuration file that apply to a compliance policy (internal and external) and compares the actual to the expected.
- Ability to reconcile detected changes with change tickets in a Change Management System (CMS) or a list of approved changes.
- Ability to analyze changes in real time to determine if they impact file integrity based on conditions under which change was made, type of change made and user-specified severity of a change.

OPERATIONAL REQUIREMENTS

The following requirements address how any file integrity monitoring solution is managed and supported from a user perspective.

OPERATIONAL REQUIREMENTS | Y / N
- Ability to generate a baseline of a server(s) so that integrity is based on a known good state.
- Ability to create a single baseline that can be distributed to a group of servers to verify differences from baseline (i.e. configuration verification).
- Execution of commands based on integrity violations.
- Policy files can be remotely distributed via a console to one or more machines.
- Policy templates are available from vendor.
- Files and directories can be grouped together in policy template (rule blocks).
- Specify severity level to individual files and/or directories.
- Supports file directory recursion.
- Console can view status of machines.
- Console can group agents.
- Ability to have monitoring-only (view-only) consoles available for defined users.
- Templates can utilize wildcards or variables (to encompass minor differences in file system contents between systems).
- Can operate through firewall (ports opened).
- Works well in low bandwidth connections.
- Can update snapshot database from console.
- Ability to easily and quickly update multiple baselines at once, in cases where routine maintenance and/or changes cause integrity violations.
- Ability to automatically promote baseline.
- Ability to auto-promote changes when real-time analysis of change indicates they are inconsequential or beneficial.
- Management console that is cross platform (i.e. Windows and Unix).
- Management console can detect status of agents.
- Allows users to quickly compare two versions and quickly isolate changes or differences between versions.
- Agents operate on Windows, Linux and Unix.
- Can change agent passphrases from console.
- Transfer only delta change information for each scan (after the first), not all configuration data each time.
- Scalability to address requirements of both individual departments and entire enterprise worldwide.
- Ability to provide users access from anywhere to a single location which allows them to view, search, and compare configurations.
- Provides immediate access to detailed change information.
- Arrange and manage monitored components in a number of ways including by location, device type, and responsibility.
- Enables explanations, descriptions, or labels to be annotated to any version by users.
- Provides authorized users the ability to establish one specific version as a trusted configuration for each system.
- Provides standard sets of defaults and templates for each operating environment.

POLICY MANAGEMENT REQUIREMENTS

Superior file integrity monitoring requires not only the detection and reporting of unauthorized changes, specific types of changes, changes made under certain conditions, and user-specified severity of changes. It must also perform an assessment of how an existing or just changed configuration compares with established organizational and regulatory guidelines. Such a capability should include:

POLICY MANAGEMENT | Y / N
- Ability to compare an asset's configuration state against a pre-defined policy to determine whether or not the configuration is compliant.
- Seamlessly integrates with file integrity monitoring data to immediately reassess upon detected changes (continuous compliance).
- Vendor supplied policy templates.
- Supports Center for Internet Security (CIS) benchmarks out-of-the-box.
- Supports security standards (NIST, DISA, VMware, ISO 27001) out-of-the-box.
- Supports regulatory requirements (PCI, SOX, FISMA, FDCC, NERC, COBIT) out-of-the-box.
- Supports operational/performance policies out-of-the-box for business-critical applications.
- Ability to easily modify standard policies to conform to unique organizational needs.
- Capture and automate own organizational (internal) policies.
- Ability to assess all the same platforms on which you are tracking changes, i.e. operating systems, network devices, databases, directory servers, etc.
- Provides out-of-the-box remediation guidance to help fix non-compliant configurations.
- Ability to systematically waive policy tests to seamlessly integrate into compliance processes and requirements.
- Ability to detect and ignore files that are in a policy, but are not on the monitored system.
- Ability to assess configurations against existing data without requiring a rescan.
- Ability to use same scan data in multiple, different policy checks without requiring a rescan.
- Provides proof to management that various departments are in compliance with set security policies.
- Ability to report policy scorecards to summarize the compliance status of a device.
- Ability to assign different weights to different tests that comprise a policy scorecard.
- Ability to ignore certain tests for certain periods of time (i.e. support for policy waivers).
- Ability to report on current policy waivers in effect and their expiration dates.

SECURITY AND CONTROL REQUIREMENTS

The following requirements address security requirements that any file integrity monitoring solution should include.

SECURITY AND CONTROL | Y / N
- Establish levels of access and control for specific groups of users.
- Assigns established access and control to particular groups of devices.
- Provides secure communication between devices and database.
- Increases ability to audit the network by placing relevant change information in one central repository.
- Informs authorized persons of when, how and who made changes.
- Provides proof to management that various departments are in compliance with set security policies.
- Enables compliance with security and regulatory requirements (e.g. CIS, PCI, ISO, SOX, FISMA, FDCC, FFIEC, NERC, HIPAA, JSOX, GLBA, etc.).
- Reports devices that don't meet established operational or regulatory policies.
- Analyzes changes in real time to determine if they introduce risk based on conditions under which change was made, type of change made and user-specified severity of a change.
- Default policy templates to automatically check detected changes against internal or external policies.
- Console has auditing facilities.
- Communication link between agent and console is secure (SSL).
- Ability to verify agent security and pass phrases.

ENTERPRISE MANAGEMENT INTEGRATION REQUIREMENTS

The following requirements address integration requirements that any file integrity monitoring solution should include.

INTEGRATION | Y / N
- Command line interfaces and/or API to allow for custom integration.
- Launch in context commands to provide the ability to launch and take actions from other EMS systems.
- Interface launch commands (toolbar actions) to provide one click actions.
- Integration or links to change ticketing systems (e.g. HP OpenView, BMC Remedy, Peregrine, Tivoli) to correlate and match requested change tickets to actual changes.
- Integrates with security information and event management (SIEM) solutions to provide log management capabilities and correlate change and compliance status information with security event information from a single point of control.
- Ability to create tickets and/or incidents in change management system based upon integrity violations.
- Integration into virtual management console to keep inventory information consistent and help secure virtual environments.

REPORTING AND ALERTING REQUIREMENTS

The following requirements address reporting and alerting functionality that any file integrity monitoring solution should include.

REPORTING AND ALERTING | Y / N
- Product has multiple levels of reporting.
- Provides executive level summary reports/dashboards.
- Reports can be sent via .
- Reports can be sent as a SNMP trap.
- Reports can be sent to syslog.
- Reports can be printed.
- Reports can be archived locally.
- Reports clearly denote severity levels of integrity violations.
- Reports can be filtered and searchable.
- Reports can be exported to other applications (CSV, XML or HTML format).
- Reports can be created on demand.
- Reports can easily be customized.
- Sends alerts to a Web Console, Network Consoles, and pagers whenever a high-priority file, content or configuration change is detected.
- Alerts users when configurations change and introduce risk or non-compliance, and provides details on what change was made and who made the change.
- Alerts can be based on complex combinations of events using Boolean algebra (i.e. criteria sets).
- Provides a single source of change information.
- Specifies the relative significance of a change according to the monitoring rules for a system component.
- Enables searches of configuration histories and audit logs for specified content using a variety of search criteria and filters.
- Allows searching to be predefined or saved for future use by all users.
- Identifies all devices whose configurations differ from their designated baselines, or either contain or are missing specified configuration settings.
- Audit logging that provides a change control record for all change activity by recording detected changes, added and deleted devices, modified user accounts, etc.
- Console can send alert when agent connections are lost.
- Can differentiate authorized vs. unauthorized changes based on change window, who made the change, what the change was, etc.
- Provides a role-based and customizable user interface.

POLICY COMPLIANCE MANAGEMENT: BEYOND FILE INTEGRITY MONITORING

In early 2008, a hacker broke into the database of a Montana-based financial services company, stealing 226,000 current and former client records, including their social security numbers, account balances, and account numbers. And in March of the same year, a well-known auto parts retailer experienced a network intrusion that exposed over 56,000 customer records, including their financial data.

Stories like these are emerging more frequently. In response, many organizations have deployed file integrity monitoring solutions, an important part of the configuration control equation because it allows an organization to detect and remediate improper changes when they occur. However, there's another part of the equation, compliance policy management, that helps organizations proactively assess and validate systems according to internal operational and security policy and in compliance with external regulations and standards.

Compliance policy management ensures the integrity of your IT configurations by proactively comparing them against internal policies or external policies for standards, regulations and security best practices. By proactively identifying misconfiguration risks and providing prescriptive remediation guidance, policy compliance management enables a rapid return to a known and trusted state.

Combined, compliance policy management and file integrity monitoring give complete configuration control and continuous compliance: initial confidence that systems are configured in a known and trusted state, and confidence that they'll maintain that state by monitoring for and detecting any improper change.

TRIPWIRE COMPLETE CONFIGURATION CONTROL

Tripwire Enterprise software is the only solution that effectively combines powerful compliance policy management with file integrity monitoring to get the IT infrastructure into a known and trusted state and keep it there. It does this by immediately detecting file and configuration changes through continuous file integrity monitoring and assessing those changes in real time against a host of criteria, called ChangeIQ capabilities, to identify changes that introduce risk or take systems out of compliance. Tripwire Enterprise then provides remediation advice for undesirable changes so IT can immediately fix issues, and auto-promotes all other changes so IT doesn't have to spend time manually reviewing a tremendous number of probably intentional and beneficial changes.

MORE POLICIES AND PLATFORMS

Tripwire Enterprise offers file integrity monitoring and policy compliance management and ships with coverage for nearly 40 platforms across a broad range of core business applications, servers, file systems, directory services, virtualization, network devices, databases and middleware. Tripwire provides over 100 out-of-the-box policies to assess and validate configurations against known standards such as CIS, PCI, SOX, NIST, COBIT, FISMA, FDCC, VMware, etc., as well as operational policies tuned for performance and reliability. With numerous out-of-the-box compliance policies, Tripwire helps organizations gain control over the configuration of their business-critical systems.

Tripwire additionally offers PCI for Retailers and PCI for Hospitality at an affordable, fixed-price-per-store or hotel pricing scheme. These offerings allow retail businesses and those in the hospitality industry to ensure that customer data is secure not only in the corporate IT infrastructure, but also at the registers and other point of sale (POS) devices located in the retail store or hotel.

For organizations with virtualized environments, Tripwire even has a policy for VMware ESX 3.5 that combines CIS policies for virtual environments with recommendations developed by VMware for securing ESX servers.

ADDITIONAL VALUABLE FEATURES

Organizations often spend time and money hiring consultants to develop optimal configurations for security and operational efficiency. When the consultant leaves or IT staff turnover occurs, there's typically little or no documentation that enables the organization to recreate or fix these configurations. Tripwire ensures that organizations retain this knowledge by allowing them to capture configuration settings as a golden policy they can re-apply to servers, applications, or devices being released into production to ensure consistency across their IT environments.

Tripwire's flexible, easy-to-use compliance policy manager also sets it apart from other configuration control solutions. Many configuration changes are actually beneficial to the organization; in such cases, being able to easily update a policy to reflect the desirable change is a huge convenience to IT. Tripwire's management console makes it easy for IT to update policies.

FLEXIBLE, MULTI-LEVEL REPORTING

Tripwire's reports and dashboards allow users to see as much information as they need without deluging them with unnecessary details or leaving them needing more information. CISOs can see high-level dashboard reports, while system administrators and technicians receive detailed information that lets them immediately fix improper settings. Tripwire includes a comprehensive library of reports that can be tailored to any environment and need and ships with 30 out-of-the-box reports.

EXPERIENCED CONSULTING FOR IMMEDIATE VALUE

With Tripwire's years of experience helping thousands of customers worldwide, from mid-sized organizations to Fortune 1000, meet and achieve compliance with the PCI DSS and other regulations and standards, customers can rapidly attain compliance, mitigate security risks and increase operational efficiency with relevant policies by taking advantage of the deep expertise of Tripwire Customer Services.

TRIPWIRE THE KEY TO COMPLETE COVERAGE

The need for file integrity monitoring of systems throughout virtual and physical infrastructures would be difficult to dispute. Without a solution to detect and reconcile improper change, organizations are subject to any number of negative consequences: stolen data and information, system outages, diminished reputation, and lost revenue and productivity.

However, choosing a file integrity monitoring solution requires knowledge of desirable features that solution should include. In addition to having comprehensive and reliable file integrity monitoring capabilities, the ideal solution should include policy compliance management capabilities that enable proactive validation of the state of the IT infrastructure against internal and external best practices and policies. This policy-based approach helps organizations achieve a known and trusted state. The solution should also include the ability to analyze changes as they are detected to determine if they introduce risk or move systems into a non-compliant state and provide easy access to remediation guidance, so IT can immediately fix undesirable change. And to ensure IT isn't overwhelmed by the huge number of detected changes, the solution should have the ability to auto-promote desirable changes.

Tripwire, the leading provider of IT security and compliance automation solutions, combines powerful policy compliance management, file integrity monitoring, real-time analysis of change and optional automated remediation in a single solution: Tripwire Enterprise. With Tripwire Enterprise, organizations achieve and maintain configuration control and ensure compliance with important standards and regulations, generate evidence of compliance for easier and less costly audits, reduce security risks, and increase confidence in the delivery of services and information to the organization and its customers.

In addition, Tripwire Enterprise integrates with Tripwire Log Center, a log and event management solution that provides everything you need to meet log compliance requirements with ultra-efficient log management and sophisticated event management in a single, easy-to-deploy solution. Combine Tripwire Log Center with Tripwire Enterprise as part of the Tripwire VIA platform to broaden compliance coverage and reduce security risk by increasing visibility, intelligence and automation.

TRIPWIRE VIA SOLUTIONS

TRIPWIRE ENTERPRISE
»» Continuous file integrity monitoring
»» Compliance policy management
»» Real-time analysis of change for risk or non-compliance
»» On-demand, automated remediation of undesirable change

TRIPWIRE LOG CENTER
»» Log capture/storage of tens of thousands of events per second
»» Google-like searches of log activity for forensic analysis
»» Flexible collection of logs from almost any source
»» Detection of and alerting to suspicious events

Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses, government agencies, and service providers take control of their physical, virtual, and cloud infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA, the integrated compliance and security software platform, delivers best-of-breed file integrity, policy compliance and log and event management solutions, paving the way for organizations to proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation.

Tripwire, Inc. Tripwire, VIA and ChangeIQ are trademarks of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WPFIM3n


More information

Continuous Network Monitoring

Continuous Network Monitoring Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment

More information

Security Information Lifecycle

Security Information Lifecycle Security Information Lifecycle By Eric Ogren Security Analyst, April 2006 Copyright 2006. The, Inc. All Rights Reserved. Table of Contents Executive Summary...2 Figure 1... 2 The Compliance Climate...4

More information

CA Configuration Automation

CA Configuration Automation PRODUCT SHEET: CA Configuration Automation CA Configuration Automation agility made possible CA Configuration Automation is designed to help reduce costs and improve IT efficiency by automating configuration

More information

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account

More information

Feature. Log Management: A Pragmatic Approach to PCI DSS

Feature. Log Management: A Pragmatic Approach to PCI DSS Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who

More information

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation Threat Center Real-time multi-level threat detection, analysis, and automated remediation Description Advanced targeted and persistent threats can easily evade standard security, software vulnerabilities

More information

IBM Tivoli Netcool Configuration Manager

IBM Tivoli Netcool Configuration Manager IBM Netcool Configuration Manager Improve organizational management and control of multivendor networks Highlights Automate time-consuming device configuration and change management tasks Effectively manage

More information

How To Manage Log Management

How To Manage Log Management : Leveraging the Best in Database Security, Security Event Management and Change Management to Achieve Transparency LogLogic, Inc 110 Rose Orchard Way, Ste. 200 San Jose, CA 95134 United States US Toll

More information

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Publication Date: March 17, 2015 Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical software and services that transform high-volume

More information

How To Protect Your Cloud From Attack

How To Protect Your Cloud From Attack A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to

More information

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet IBM PowerSC Security and compliance solution designed to protect virtualized datacenters Highlights Simplify security management and compliance measurement Reduce administration costs of meeting compliance

More information

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0 WHITE PAPER Automating Cloud Security Control and Compliance Enforcement for 3.0 How Enables Security and Compliance with the PCI Data Security Standard in a Private Cloud EXECUTIVE SUMMARY All merchants,

More information

LogInspect 5 Product Features Robust. Dynamic. Unparalleled.

LogInspect 5 Product Features Robust. Dynamic. Unparalleled. LogInspect 5 Product Features Robust. Dynamic. Unparalleled. Enjoy ultra fast search capabilities in simple and complex modes optimized for Big Data Easily filter and display relevant topics, eg: Top 10

More information

Reducing the cost and complexity of endpoint management

Reducing the cost and complexity of endpoint management IBM Software Thought Leadership White Paper October 2014 Reducing the cost and complexity of endpoint management Discover how midsized organizations can improve endpoint security, patch compliance and

More information

Monitoring Windows Workstations Seven Important Events

Monitoring Windows Workstations Seven Important Events Monitoring Windows Workstations Seven Important Events White Paper 8815 Centre Park Drive Publication Date: October 1, 2009 Columbia MD 21045 877.333.1433 ABSTRACT Monitoring event logs from workstations

More information

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled.

LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled. LogPoint 5.1 Product Features Robust. Dynamic. Unparalleled. LOGPOINT Enjoy ultra fast search capabilities in simple and complex modes optimized for Big Data Easily filter and display relevant topics,

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Beyond PCI Checklists:

Beyond PCI Checklists: Beyond PCI Checklists: Securing Cardholder Data with Tripwire s enhanced File Integrity Monitoring white paper Configuration Control for Virtual and Physical Infrastructures Contents 4 The PCI DSS Configuration

More information

Scalability in Log Management

Scalability in Log Management Whitepaper Scalability in Log Management Research 010-021609-02 ArcSight, Inc. 5 Results Way, Cupertino, CA 95014, USA www.arcsight.com info@arcsight.com Corporate Headquarters: 1-888-415-ARST EMEA Headquarters:

More information

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has

More information

How To Buy Nitro Security

How To Buy Nitro Security McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Real-Time Security for Active Directory

Real-Time Security for Active Directory Real-Time Security for Active Directory Contents The Need to Monitor and Control Change... 3 Reducing Risk and Standardizing Controls... 3 Integrating Change Monitoring... 4 Policy Compliance... 4 The

More information

SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)

SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) E-SPIN PROFESSIONAL BOOK SECURITY MANAGEMENT SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMPLIANCE MANAGEMENT,PROACTIVE MONITORING,THREAT

More information

Compliance Management, made easy

Compliance Management, made easy Compliance Management, made easy LOGPOINT SECURING BUSINESS ASSETS SECURING BUSINESS ASSETS LogPoint 5.1: Protecting your data, intellectual property and your company Log and Compliance Management in one

More information

Achieving Regulatory Compliance through Security Information Management

Achieving Regulatory Compliance through Security Information Management www.netforensics.com NETFORENSICS WHITE PAPER Achieving Regulatory Compliance through Security Information Management Contents Executive Summary The Compliance Challenge Common Requirements of Regulations

More information

Kaseya Traverse. Kaseya Product Brief. Predictive SLA Management and Monitoring. Kaseya Traverse. Service Containers and Views

Kaseya Traverse. Kaseya Product Brief. Predictive SLA Management and Monitoring. Kaseya Traverse. Service Containers and Views Kaseya Product Brief Kaseya Traverse Predictive SLA Management and Monitoring Kaseya Traverse Traverse is a breakthrough cloud and service-level monitoring solution that provides real time visibility into

More information

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it Complete and high performance protection where you need it Overview delivers high-performance protection against physical and virtual server downtime with policy based prevention, using multiple protection

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information