File Integrity Monitoring:



Similar documents
FILE INTEGRITY MONITORING

Dynamic Data Center Compliance with Tripwire and Microsoft

Configuration Audit & Control

IT Security & Compliance. On Time. On Budget. On Demand.

TRIPWIRE NERC SOLUTION SUITE

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER

Improving PCI Compliance with Network Configuration Automation

IBM Tivoli Compliance Insight Manager

Proving Control of the Infrastructure

FISMA / NIST REVISION 3 COMPLIANCE

Enforcing IT Change Management Policy

How to Eliminate the No: 1 Cause of Network Downtime. Learn about the challenges with configuration management, solutions, and best practices.

Vulnerability Management

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

PCI Data Security Standards (DSS)

The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation

Reining in the Effects of Uncontrolled Change

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

The Comprehensive Guide to PCI Security Standards Compliance

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

The RSA Solution for. infrastructure security and compliance. A GRC foundation for VMware. Solution Brief

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

CorreLog Alignment to PCI Security Standards Compliance

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Beyond PCI Checklists:

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Best Practices for PCI DSS V3.0 Network Security Compliance

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

TRIPWIRE REMOTE OPERATIONS: STOP OPERATING, START ANALYZING

Payment Card Industry Data Security Standard

Enterprise Security Solutions

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Total Protection for Compliance: Unified IT Policy Auditing

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

Adopt and implement privacy procedures, train employees on requirements, and designate a responsible party for adopting and following procedures

IBM Tivoli Netcool Configuration Manager

Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds.

Overcoming Active Directory Audit Log Limitations. Written by Randy Franklin Smith President Monterey Technology Group, Inc.

WHITE PAPER. Meeting the True Intent of File Integrity Monitoring

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

Current IBAT Endorsed Services

Kaseya Traverse. Kaseya Product Brief. Predictive SLA Management and Monitoring. Kaseya Traverse. Service Containers and Views

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

Boosting enterprise security with integrated log management

Privilege Gone Wild: The State of Privileged Account Management in 2015

PCI DSS Reporting WHITEPAPER

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

Netwrix Auditor. Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

Clavister InSight TM. Protecting Values

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Vistara Lifecycle Management

March

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation

Reducing the cost and complexity of endpoint management

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Trend Micro. Advanced Security Built for the Cloud

HP Server Automation Standard

How To Achieve Pca Compliance With Redhat Enterprise Linux

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

How To Buy Nitro Security

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

White Paper. Ensuring Network Compliance with NetMRI. An Opportunity to Optimize the Network. Netcordia

Privilege Gone Wild: The State of Privileged Account Management in 2015

Introduction to the HP Server Automation system security architecture

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.

Netwrix Auditor for Exchange

Report Book: Retina Network Security Scanner Unlimited

YOUR NETWORK SECURITY WITH PROACTIVE SECURITY INTELLIGENCE

SecureVue Product Brochure

How To Protect Your Cloud From Attack

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Monitoring Windows Workstations Seven Important Events

CA Configuration Automation

Lumension Endpoint Management and Security Suite

Avoiding the Top 5 Vulnerability Management Mistakes

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

Monitoring Server File Integrity With CloudPassage Halo

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

Kaseya IT Automation Framework

Self-Service SOX Auditing With S3 Control

Security Information Lifecycle

Transcription:

File Integrity Monitoring: Compliance and Security for Virtual and Physical Environments white paper Configuration Control for Virtual and Physical Infrastructures

Contents 3 Executive Summary 3 An Increased Need for Visibility into IT Configurations 4 What is File Integrity Monitoring? 4 Establishes a Baseline 5 What s Being Watched? 6 Why Do Organizations Need File Integrity Monitoring? 7 A Checklist of Product Requirements 13 Configuration Assessment: Beyond File Integrity Monitoring 13 Tripwire Complete Configuration Control 14 Tripwire The Key to Complete Coverage 2 WHITE PAPER File Integrity Monitoring

Executive Summary Today s organizations rely on numerous devices and applications in their physical and virtual IT infrastructure to carry out their everyday business. When these devices are configured improperly, whether as a result of malicious hacker attacks or inadvertent employee modifications, the IT infrastructure may be exposed to security risk that leads to service outages and theft of sensitive customer or organization data. As a means of combating issues caused by improper change, organizations employ file integrity monitoring solutions to keep an eye on a variety of files associated with the IT infrastructure, including configuration files, registry files, executables, and more. Many of these solutions first establish an authorized baseline configuration, which represents the known and trusted state of a system. The solution then monitors these files for any change that diverges from the established baseline configuration and alerts IT when changes are detected. IT can then determine if the change is a good change or an undesirable one and take any necessary corrective measures. Some file integrity monitoring solutions can automatically reconcile changes against pre-defined parameters to help streamline the change management process. At a minimum, a file integrity monitoring solution should be able to establish a baseline, monitor for configuration change relative to the baseline, determine if change is planned or unplanned, alert when unplanned change occurs, and provide detailed information to help IT remediate any improper changes. Using a detailed requirements checklist can help ensure you ve chosen the right integrity monitoring solution for your IT infrastructure. But file integrity monitoring is only half of the configuration control story. Without first verifying the integrity of the IT infrastructure, the likelihood that those changes will have a negative effect increases. Configuration assessment solutions address the need to first get configurations of the IT infrastructure into a trusted state by proactively assessing configuration settings against internal and external policies. These policies, based on industry and expert-recommended best practices and standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Center for Internet Security (CIS) benchmarks, or VMware Infrastructure Hardening Guidelines, provide visibility into the state of your IT configurations and deliver prescriptive remediation guidance to help achieve a known and trusted state. When seamlessly combined with a file integrity monitoring solution, organizations gain control of their IT infrastructure configurations and maintain its trusted state. Tripwire s industry leading configuration assessment and file integrity monitoring software solutions enable IT organizations to achieve and maintain configuration control. With industryleading policies for comprehensive infrastructure elements and platforms, Tripwire Enterprise is the first solution to effectively combine configuration assessment and file integrity monitoring, enabling automated and sustainable configuration control throughout virtual and physical infrastructures. An Increased Need for Visibility into IT Configurations The IT infrastructure of an organization, whether public, private, or governmental, may have hundreds or even thousands of servers, devices, applications, and other elements that support its everyday business processes. And more and more, organizations are beginning to deploy virtual environments into this infrastructure. But for the organization to benefit from these infrastructure elements, whether physical or virtual, each must be configured properly. That is, the files associated with each element must have settings that reduce the risk of security breaches, optimize operations, and help achieve compliance with relevant regulations and standards. File integrity monitoring helps IT ensure the files associated with devices and applications across the IT infrastructure are secure, controlled, and compliant by helping IT identify improper changes made to these files, whether made maliciously or inadvertently. 3 WHITE PAPER File Integrity Monitoring

What is File Integrity Monitoring? In an IT network, files can range from simple text files to configuration scripts, and any edit to such files can compromise its integrity. A change to a single line item in a 100-line script could prove detrimental to an entire file or operating system. For example, incorrectly assigning the wrong IP address to a startup script or a newly installed network printer could disrupt the network. Below are some examples of the type of configuration settings a File Integrity Monitoring solution detects and monitors: Registry Entries Configuration files.exe File and directory permissions Tables Indexes Stored procedures Rules ACLs Adds/Deletes/Modifications Auditing/logging Access controls System files Web root File integrity monitoring solutions, often called change auditing solutions, ensure the file for a server, device, hypervisor, application, or other element in the IT infrastructure remains in a known good state, even in the face of inevitable changes to these files. An ideal file integrity monitoring solution not only detects any change to files, but also includes capabilities that help IT immediately remediate issues caused by improper change. The following sections describe the capabilities often available with file integrity monitoring solutions. Establishes a Baseline When IT deploys a system/component into its technology infrastructure, it typically does so with the knowledge that the component is initially configured appropriately. A file integrity monitoring solution captures the known good state of the entire system s IT configuration settings when it is deployed or when it has been configured with recommended settings and uses this state as a baseline configuration against which the solution can compare a later configuration. Many times this configuration state is referred to as a golden, compliance, or configuration baseline. A baseline-to-current-configuration comparison lets the solution immediately and automatically detect discrepancies caused by change. Given today s rapid deployment of virtual machines, an ideal file integrity monitoring solution would also include in the baseline the configurations of virtual environment elements. These elements include the physical server, hypervisor, each guest OS, and any applications and databases running on a guest OS. Alerts and Notifies IT When the solution detects change, whether authorized or unauthorized, IT needs to determine whether or not the integrity of a file has been compromised and whether the change requires immediate attention. IT should have the ability to specify which devices and files are critical and therefore require high-level, immediate attention versus those that do not. For example the configuration file of an e-commerce site or a database populated with sensitive customer financial or medical data would warrant immediate attention, while configuration changes to non-critical systems could be addressed as time permitted. Based on whether a system was viewed as critical or non-critical, the solution should be able to send alerts and notifications using a variety of methods to be sure IT receives them. For example, an email alert is worthless if the detected change disrupted email service. Other methods of notifying IT include an alert in the system tray, SNMP, CMD, SYSLOG, page, or within the management console. Early detection enables the administrator to quickly make any necessary corrections. Helps Reconcile Authorized Versus Unauthorized Change Many file integrity monitoring solutions integrate with change management processes and change management databases. By comparing authorized change tickets with detected changes, IT can immediately determine if the change was planned or unplanned. File integrity monitoring solutions can also create exception incident tickets within 4 WHITE PAPER File Integrity Monitoring

existing change management systems and enrich existing incident tickets with change data. Some file integrity monitoring solutions additionally can identify who made a change, allowing organizations to enforce the recommended zero tolerance policy for unauthorized change or to determine that the change originated from an external source. Provides Assistance in Remediation Although it may seem counter-intuitive, most system administrators, or other IT staff, prefer to roll back changes manually. What many want is information that a change has been made along with step-by-step assistance in recovering from changes they determine to be undesirable. A file integrity monitoring system should include highly prescriptive instructions to not only enable quick remediation of improper settings, but to also allow less-experienced IT personnel to correct problems they might not have the experience or knowledge to correct on their own. What s Being Watched? File integrity monitoring solutions monitor changes to files associated with the servers, databases, routers, applications, and other devices and elements in the enterprise IT infrastructure. Files monitored may include registry files, configuration files, executables, file and directory permissions, tables, indexes, stored procedures, rules and the list goes on. In fact, the current reality is that today s IT infrastructure, even for smaller organizations, is far too complex to be monitored manually. The following table provides a sampling of the type of IT configurations these solutions may monitor: SERVER FILE SYSTEMS DATABASES NETWORK DEVICES DIRECTORY SERVICES HYPERVISORS APPLICATIONS Registry entries Tables Routing tables Privileged group Permissions Web server keys Configuration files Indexes Firewall rules Group policy options Firewall settings System files.exe Stored procedures Configuration files RSoP Auditing/logging Logs File permissions Permission grants ACLs Access controls Registry settings 5 WHITE PAPER File Integrity Monitoring

File attributes being monitored may include hostname, username, ticket number, data and time stamp and operation type. Specifically for server file systems, the following table provides an overview of the type of attributes these solutions may monitor: Access time WINDOWS Creation time Write time Size Package data Read-only DACL SACL Group Owner Growing MD5 SHA-1 Hidden flag Stream count Stream MD5 Offline flag System flag Temp flag Compressed flag Archive flag Access time Change time Modify time Size Package data ACL User Group Permissions Growing MD5 SHA-1 UNIX In addition, these solutions now must pay attention to the configurations of components of virtualized environments. Depending on the virtualization approach used, these environments may include the virtualized server, a hypervisor, multiple guest OSes, and any applications that run on top of each guest OS. In fact, a recent Ziff-Davis publication reported that 70 percent of companies polled had already virtualized at the time of the study, or had plans to virtualize some time in 2008. 1 And given that Gartner anticipates that 60 percent of production virtual machines will be less secure than their physical counterparts through 2009, file integrity monitoring solutions must be capable of monitoring these virtual environments. 2 File integrity monitoring solutions offer an automated single point of control for monitoring all devices in the IT infrastructure, avoiding time-consuming, error-prone manual auditing. Why Do Organizations Need File Integrity Monitoring? When high-profile security breaches hit the front page of popular news sites, the underlying culprit for the breach is often unauthorized change. According to a recent study, Nine of 10 breaches involved some type of unknown including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period. Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. 3 File integrity monitoring solutions immediately detect and inform IT of changes that introduce risk, allowing organizations to quickly address and recover from security issues rather than waiting for a flood of customer complaints to realize a problem has occurred. Files are Common Targets for Attack Hackers access the enterprise network through back door mechanisms, sniffing out IP addresses, phishing with plausible email requests for information, and adding rootkits to gain access to the root of a system undetected. Inadvertent file changes often create the security vulnerabilities hackers use in their attacks. And with today s virtualized environments that include highly portable disk images, organizations will likely see more and more infiltration of the enterprise network through an image file that has been taken offsite, modified to enable malicious activity, and then returned to its place in the network. Because files can be easily compromised, it is critical to continually monitor key files. If files are not monitored, and an outage or event occurs, it could possibly take days before the problem can be tracked. During that time system availability and security becomes vulnerable. 6 WHITE PAPER File Integrity Monitoring

Organizations Faced with Compliance Requirements Over the past few years, several regulatory compliance acts have been instituted, including Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA), which target public companies in an effort to rebuild consumer confidence following several major accounting scandals. More recently, the Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies along with other stakeholders to address ongoing issues with theft of financial data. In addition, federal government entities are subject to various regulations and standards, including the Federal Information Security Management Act (FISMA) and standards issued by the National Institute of Standards and Technology (NIST) as well as others. Not only is file integrity important to the stability and known state of the IT infrastructure, it is also important for complying with regulations, standards, and compliance audits. Because IT plays a huge part in the financial and retail sectors, all these regulatory acts have a technology component to them. Section 404 of SOX and section 501(b) of GLBA address the security of technology systems in the financial sector. And section 11.5 of the PCI DSS states that a company must: Deploy file integrity monitoring software to alert personnel to unauthorized modifications of critical system or content files, and configure the software to perform critical file comparisons at least weekly. Section 10.5.5 of the PCI DSS states that a company must: Verify the use of file integrity monitoring or change detection software for logs by examining system settings and monitored files and results from monitoring activities. File integrity monitoring helps organizations detect changes to files that increase security risk and take systems out of compliance and an operationally optimal state. These solutions also provide an audit trail and proof that appropriate controls on technology have been put in place critical for easing the burden of proving compliance in an audit. By increasing visibility into change through on-demand reports and alerts and notifications, and following up with explicit instructions for returning systems to a known good state, organizations avoid many of the unfortunate consequences of poorly configured systems system outages, loss of e-commerce capabilities, stolen sensitive customer data or intellectual property, and fines from noncompliance. A Checklist of Product Requirements We ve so far described what file integrity monitoring is and why it s needed. You ve also learned what a file integrity solution monitors and some must-haves for the solution you choose. Following is a detailed checklist for what you should look for when evaluating a file integrity monitoring solution: 7 WHITE PAPER File Integrity Monitoring

Integrity Verification The following requirements address how any file integrity monitoring solution should verify file and attribute integrity. INTEGRITY VERIFICATION Y / N Can automatically check for changes to file/directory contents. Can automatically check for changes to file/directory permissions. Can automatically check for changes to file/directory time/date stamps. Can automatically check for changes to file/directory names. Can automatically check for changes to file/directory ownership. Can automatically check for additions/modifications/deletions to Windows registry keys. Can check for file content changes using cyclic redundancy checking and/or digital signature checking. Supports multiple hashing algorithms (e.g. MD5, SHA). Can automatically detect changes to access control lists. Can monitor security identifier and descriptor. Ability to correlate event audit logs to determine which user made a change. Ability to detect changes to server file systems. Ability to detect changes to databases. Ability to detect changes to network devices. Ability to detect changes to directory services file systems. Ability to detect changes to hypervisor file systems. Ability to detect changes to virtual workloads. Ability to detect changes to virtual network devices (vswitches). Ability to detect changes to application file systems. Ability to archive new versions of configurations as changes are detected and baseline configurations evolve. Examines parts of configuration file that apply to a standard (internal and external) and compares the actual to the expected. Ability to detect changes as frequently as required in real-time and/or through a scan-based approach. 8 WHITE PAPER File Integrity Monitoring

Operational Requirements The following requirements address how any file integrity monitoring solution is managed and supported from a user perspective. OPERATIONAL REQUIREMENTS Y / N Ability to generate a baseline of a server(s) so that integrity is based on a known-good state. Ability to create a single baseline that can be distributed to a group of servers to verify differences from baseline (i.e. configuration verification). Execution of commands based on integrity violations. Policy files can be remotely distributed via a console to one or more machines. Policy templates are available from vendor. Files and directories can be grouped together in policy template (rule blocks). Specify severity level to individual files and/or directories. Supports file directory recursion. Console can view status of machines. Console can group agents. Ability to have monitoring (view-only) only consoles available for defined users. Templates can utilize wildcards or variables (to encompass minor differences in file system contents between systems). Can operate through firewall (ports opened). Works well in low bandwidth connections. Can update snapshot database from console. Ability to easily and quickly update multiple baselines at once, in cases where routine maintenance and/or changes cause integrity violations. Ability to automatically promote baseline. Management console that is cross platform (i.e. Windows and Unix). Management console can detect status of agents. Allows users to quickly compare two versions and quickly isolate changes or differences between versions. Agents operate on Windows, Linux and Unix. Can change agent passphrases from console. Transfer only delta change information for each scan (after the first), not all configuration data each time Scalability to address requirements of both individual departments and entire enterprise worldwide. Ability to provide users access from anywhere to a single location which allows them to view, search, and compare configurations. Provides immediate access to detailed change information. Arrange and manage monitored components in a number of ways including by location, device type, and responsibility. Enables explanations, descriptions, or labels to be annotated to any version by users. Provides authorized users the ability to establish one specific version as a trusted configuration for each system. Provides standard sets of defaults and templates for each operating environment 9 WHITE PAPER File Integrity Monitoring

Policy Management Requirements Superior file integrity monitoring requires not only the detection and reporting of unauthorized changes, but an assessment of how an existing or just changed configuration compares with established organizational and regulatory guidelines. Such a capability should include: POLICY MANAGEMENT Y / N Ability to compare an asset s configuration state against a pre-defined policy to determine whether or not the configuration is compliant. Seamlessly integrates with file integrity monitoring data to immediately reassess upon detected changes (continuous compliance). Vendor supplied policy templates. Supports Center for Internet Security (CIS) benchmarks out-of-the-box. Supports security standards (NIST, DISA, VMware, ISO 27001) out-of-the-box. Supports regulatory requirements (PCI, SOX, FISMA, FDCC, NERC, COBIT) out-of-the-box. Supports operational/performance policies out-of-the-box for business-critical applications. Ability to easily modify standard policies to conform to unique organizational needs. Capture and automate own organizational (internal) policies. Ability to assess all the same platforms on which you are tracking changes, i.e. operating systems, network devices, data bases, directory servers, etc. Provides out-of-the-box remediation guidance to help fix non-compliant configurations. Ability to systematically waive policy tests to seamlessly integrate into compliance processes and requirements. Ability to detect and ignore files that are in a policy, but are not on the monitored system. Ability to run configuration assessment on existing data without requiring a rescan. Ability to use same scan data in multiple, different policy checks without requiring a rescan. Provides proof to management that various departments are in compliance with set security policies. Ability to report policy scorecards to summarize the compliance status of a device. Ability to assign different weights to different tests that comprise a policy scorecard. Ability to ignore certain tests for certain periods of time (i.e. support for policy waivers). Ability to report on current policy waivers in effect and their expiration dates. 10 WHITE PAPER File Integrity Monitoring

Security and Control Requirements The following requirements address security requirements that any file integrity monitoring solution should include. SECURITY AND CONTROL Y / N Establish levels of access and control for specific groups of users. Assigns established access and control to particular groups of devices. Provides secure communication between devices and database. Increases ability to audit the network by placing relevant change information in one central repository Informs authorized persons of when, how and who made changes. Provides proof to management that various departments are in compliance with set security policies. Enables compliance with security and regulatory requirements (e.g. CIS, PCI, ISO, SOX, FISMA, FDCC, FFIEC, NERC, HIPAA, JSOX, GLBA, etc.) Reports devices that don t meet established operational or regulatory policies. Default policy templates to automatically check detected changes against internal or external policies. Console has auditing facilities. Communication link between agent and console is secure (SSL). Ability to verify agent security and pass phrases. Reporting and Alerting Requirements The following requirements address reporting and alerting functionality that any file integrity monitoring solution should include. REPORTING AND ALERTING Y / N Product has multiple levels of reporting. Provides executive level summary reports/dashboards. Reports can be sent via email. Reports can be sent as a SNMP trap. Reports can be sent to syslog. Reports can be printed. Reports can be archived locally. Reports clearly denote severity levels of integrity violations. Reports can be filtered and searchable. Reports can be exported to other applications (CSV, xml or html format). Reports can be created on demand. Reports can easily be customized. Sends alerts to a Web Console, Network Consoles, email and pagers whenever a configuration change is detected. 11 WHITE PAPER File Integrity Monitoring

REPORTING AND ALERTING (Continued) Y / N Alerts users of when configurations change, what change was made and who made the change. Alerts can be based on complex combinations of events using Boolean algebra (i.e. criteria sets) Provides a single source of change information. Specifies the relative significance of a change according to the monitoring rules for a system component. Enables searches of configuration histories and audit logs for specified content using a variety of search criteria and filters. Allows searching to be predefined or saved for future use by all users. Identifies all devices whose configurations differ from their designated baselines, or either contain or are missing specified configuration settings. Audit logging that provides a change control record for all change activity by recording detected changes, added and deleted devices, modified user accounts, etc. Console can send alert when agent connections are lost. Can differentiate authorized vs. unauthorized changes based on change window, who made the change, what the change was, etc. Provides a role-based and customizable user interface. Enterprise Management Integration Requirements The following requirements address integration requirements that any file integrity monitoring solution should include. INTEGRATION Y / N Command line interfaces and or API to allow for custom integration. Launch in context commands to provide the ability to launch and take actions from other EMS systems. Interface launch commands (toolbar actions) to provide one click actions. Integration or links to change ticketing systems (e.g. HP OpenView, BMC Remedy, Peregrine, Tivoli) to correlate and match requested change tickets to actual changes. Integration or links to change ticketing systems (e.g. HP OpenView, BMC Remedy, Peregrine, Tivoli) to correlate and match requested change contents to actual changes. Ability to create tickets and/or incidents in change management system based upon integrity violations. Integration into virtual management console to keep inventory information consistent and help secure virtual environments. 12 WHITE PAPER File Integrity Monitoring

Configuration Assessment: Beyond File Integrity Monitoring In early 2008, a hacker broke into the database of a Montana-based financial services company, stealing 226,000 current and form client records, including their social security numbers, account balances, and account numbers. And in March of the same year, a well-known auto parts retailer experienced a network intrusion that exposed over 56,000 customer records, including their financial data. Stories like these are emerging more frequently. In response, many organizations have deployed file integrity monitoring solutions an important part of the configuration control equation because it allows an organization to detect and remediate improper changes when they occur. However, there s a second part of the equation configuration assessment that helps organizations proactively assess and validate systems according to internal operational and security policy and in compliance with external regulations and standards. Configuration assessment ensures the integrity of your IT configurations by proactively comparing them against internal policies, compliance standards and security best practices. By proactively identifying misconfiguration risks and providing prescriptive remediation guidance, configuration assessment enables a rapid return to a known and trusted state. Combined, configuration assessment and file integrity monitoring give complete configuration control and continuous compliance initial confidence that systems are configured in a known and trusted state, and confidence that they ll maintain that state by monitoring for and detecting any improper change. Tripwire Complete Configuration Control Tripwire Enterprise software is the only solution that effectively combines powerful configuration assessment with file integrity monitoring to get the IT infrastructure into a known and trusted state and keep it there by immediately detecting improper file changes through continuous file integrity monitoring. More Policies and Platforms Tripwire Enterprise offers file integrity monitoring and configuration assessment ships with coverage for nearly 40 platforms across a broad range of core-business applications, servers, file systems, directory services, virtualization, network devices, databases and middleware. Tripwire provides over 100 out-of-the-box policies to assess and validate configurations against known standards such as CIS, PCI, SOX, NIST, COBIT, FISMA, FDCC, VMware, etc., as well as operational policies tuned for performance and reliability. With numerous out-of-the-box configuration assessments, Tripwire helps organizations gain control over the configuration of their business-critical systems. Tripwire additionally offers PCI for Retailers at an affordable, fixed-price-per-store pricing scheme that allows retail businesses to ensure that customer data is secure not only in the corporate IT infrastructure, but also at the registers and other point of sale (POS) devices located in the retail store. For organizations with virtualized environments, Tripwire even has a policy for VMware ESX 3.5 that combines CIS policies for virtual environments with recommendations developed by VMware for securing ESX servers. Additional Valuable Features Organizations often spend time and money hiring consultants to develop optimal configurations for security and operational efficiency. When the consultant leaves or IT staff turnover occurs, there s typically little or no documentation that enables the organization to recreate or fix these configurations. Tripwire ensures that organizations retain this knowledge by allowing them to capture configuration settings as a golden policy they can re-apply to servers, applications, or devices being released into production to ensure consistency across their IT environments. Tripwire s flexible, easy-to-use policy management console also sets it apart from other configuration control solutions. Many configuration changes are actually beneficial to the organization; in such cases, being able to easily update a 13 WHITE PAPER File Integrity Monitoring

policy to reflect the desirable change is a huge convenience to IT. Tripwire s management console makes it easy for IT to update policies. Flexible, Multi-level Reporting Tripwire s reports and dashboards allow users to see as much information as they need without deluging them with unnecessary details or leaving them needing more information. CISOs can see high-level dashboard reports, while system administrators and technicians receive detailed information that lets them immediately fix improper settings. Tripwire includes a comprehensive library of reports that can be tailored to any environment and need and ships with 30 out-of-the-box reports. Experienced Consulting for Immediate Value With Tripwire s years of experience helping over 6,000 customers worldwide, from mid-sized organizations to Fortune 1000, meet and achieve compliance with the PCI DSS and other regulations and standards, customers can rapidly attain compliance, mitigate security risks and increase operational efficiency with relevant policies by taking advantage of the deep expertise of Tripwire Professional Services. Tripwire The Key to Complete Coverage The need for file integrity monitoring of systems throughout virtual and physical infrastructures would be difficult to dispute. Without a solution to detect and reconcile improper change, organizations are subject to any number of negative consequences stolen data and information, system outages, diminished reputation, and lost revenue and productivity. However, choosing a file integrity monitoring solution requires knowledge of desirable features that solution should include. In addition to having comprehensive and reliable file integrity monitoring capabilities, the ideal solution should include configuration assessment capabilities which enable proactive validation of the state of the IT infrastructure against internal and external best practices and policies. This policy-based approach helps organization achieve a known and trusted state. When seamlessly combined with file integrity monitoring, that trusted state is preserved, and facilitates continuous compliance with relevant standards and regulations. Tripwire, the leader in Configuration Control, combines powerful configuration assessment with file integrity monitoring in a single solution: Tripwire Enterprise. With Tripwire Enterprise, organizations achieve and maintain configuration control and ensure compliance with important standards and regulations, generates evidence of compliance for easier and less costly audits, reduces security risks, and increases the confidence in the delivery of services and information to the organization and its customers. 1 Virtualization s Time to Roll, Baseline Magazine, October 2007. 2 Neil MacDonald, Gartner Data Center Conference, 2007. 3 2008 Data Breach Investigations Report, http://www.verizonbusiness.com/about/news/displaynews.xml?newsi d=25135&mode=vzlong&lang=en&width=530 14 WHITE PAPER File Integrity Monitoring

About Tripwire Tripwire helps over 6,000 enterprises worldwide reduce security risk, attain compliance and increase operational efficiency throughout their virtual and physical environments. Using Tripwire s industry-leading configuration assessment and change auditing solutions, organizations successfully achieve and maintain IT configuration control. Tripwire is headquartered in Portland, Oregon, with offices worldwide. www.tripwire.com 2008 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WPFIM2

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information