
IT Security, Compliance and Best Practices

Posts Tagged ‘FIM’

True FIM—Tripwire FIM: Summary

Tuesday, July 6th, 2010

Summary

Tripwire has the only true File Integrity Monitoring solution. All others do little more than just detect changes, whether the changes are good or bad—because they have no way of telling the difference. Tripwire FIM, with its unique ChangeIQ capabilities, provides multiple ways to distinguish low-risk change from high-risk change, and to do so at the speed of change.

But the intelligence does not stop there. Tripwire FIM also integrates with Tripwire Log Center to form the Tripwire VIA Solution Suite. Tripwire VIA allows Changes of Interest to be correlated in context with Log Events of Interest. This enables security professionals to better protect their environment—including cardholder data—by allowing them to quickly see and trace problem-causing activities all at once, and in a way that shows how the individual activities are related and interrelated.

Be sure to read earlier posts in this series (if you haven’t already) for more information.


True FIM—Tripwire FIM: Unauthorized vs. Undesired

Thursday, July 1st, 2010

Good News

PCI DSS 11.5 requires merchants to “…alert on unauthorized modification of critical system, content or configuration files…”. That should be good news, right?  Alerting on unauthorized change requires more from a FIM than simply detecting change.  It requires the ability to analyze each detected change to determine if it is expected or unexpected.  Tripwire FIM can do that and others cannot; they don’t have the intelligence to make that determination nor the architecture to manage large amounts of change data over time.


True FIM—Tripwire FIM: Assessing Change and Maintaining a Desired State

Thursday, June 24th, 2010

Successful?

Just because a change is proposed and scheduled does not mean that it was actually made or made correctly. Many changes are intended to make improvements, or to correct problems, so being able to confirm they have successfully been made is critical. Otherwise the improvements are not realized or the problems remain when you think they have been resolved—both scenarios are ingredients for trouble.

Tripwire’s FIM not only knows when things change, it can compare what actually changed to what was expected to change.  No other FIM can do this at the level Tripwire can.  Tripwire FIM provides independent confirmation of change processes and policies.

High-risk?

There are some changes that just shouldn’t be made because they pose increased risk to the environment.  Critical configuration files are one example. Each of these files contains one or more configuration setting values that must be in predefined states or ranges to meet and maintain security policy. If any of these files is changed, the setting values must immediately be reevaluated to determine if they are still within policy.  Application executable (.exe) files of a mission-critical application are another example of files that should possibly generate an alert if they change for any reason.  Tripwire FIM not only knows what has changed, but it also knows if certain files are supposed to change or if the actual change was within policy. Without the ability to analyze change you have little more than “noise”.

Maintaining a Desired State

True FIM—Tripwire FIM—allows you to know what state you are in and then maintain that state. This is only possible because of our version-based architecture and our ChangeIQ capabilities which allow us to filter low-risk change (expected) from high-risk change (unexpected).  No other FIM has either of these capabilities.  Maintaining a desired state is at the core of best practice security.  And if you constantly apply best practices you get compliance for free—it is simply a byproduct of daily operations.

Tripwire FIM improves security and proves compliance.  All other FIM creates volumes of noise!


True FIM—Tripwire FIM: Knowing What Changed

Tuesday, June 22nd, 2010

What changed?

Knowing only that a file has changed is of little use unless you know what about the file or what within the file has changed.  Each file has dozens of attributes that, if changed, could spell trouble.  Tripwire can capture any of those attributes, providing essential information to help determine if the change is harmful or harmless.

If you know exactly what within a file has been changed you can quickly determine if the change was high-risk and you also have the information required to fix the issue.  For any human-readable file type, Tripwire agents can harvest the actual content that was changed and show the character-for-character differences in a before-and-after view.  It is just one more way Tripwire FIM does more than simply detect that a file has been changed.

Who made the change?

Knowing who made a change can often determine if a change is suspect or low-risk. But capturing the “who data” is not easy, so hardly any other FIM can provide this important information.  Tripwire knows who made the change through the use of real-time detection agents.  And these agents do not require OS Auditing to be enabled on the device—which is something most IT professionals will not permit.

Be sure to keep watching for more True FIM—Tripwire FIM posts by Ed Rarick coming later this week.
