Redefining File Integrity Monitoring

File Integrity Monitoring: Invented Here, Perfected Here

Change may be the way of the world, but it’s the sworn enemy of IT security. When Tripwire® Enterprise’s Policy Manager establishes a “known and trusted” state based on a policy or IT security standard, it only takes one accidental, misguided, undocumented or even malicious change to undermine that state and turn integrity into uncertainty. Tripwire Enterprise’s File Integrity Manager is about finding, assessing, and acting on those changes as rapidly as they occur. It assures ongoing system integrity and automates detecting, auditing and reconciling changes—even the low profile, obscure ones that reveal advanced hacks and exploits.


HIDS, All Grown Up

Tripwire Enterprise started life as a host-based intrusion detection system that detected macro changes to files and folders. Years spent honing this ability have resulted in a solution that detects even the finest-grained changes—for example, to registry entries, configuration files, executables, and more in servers; to tables, indexes, and stored procedures in databases; to routing tables, firewall rules, configuration files, and ACLs in network devices; and to group policy options and global policies for directory services. Couple this with ChangeIQ intelligent change assessment and prioritization, and it’s easy to see why Tripwire Enterprise is considered “best-of-breed” file integrity monitoring.

ChangeIQ

Tripwire Enterprise is smart about change. With thousands of changes occurring daily—even in mission-critical servers—you need active change intelligence to differentiate between “good” and “bad” change. File Integrity Manager’s ChangeIQ capabilities assess and prioritize changes using features like customizable severities and scoring to represent risk; different actions based on whether changes are to new, modified or deleted files; auto-reconciliation of detected changes to match change manifests, policies, or reference servers; and approval templates that make it easy to track the circumstances around changes. With ChangeIQ, you have true change intelligence.

“Before and After” Views Make the Difference

There are dozens of log-based, simplified file integrity solutions on the market. Many try to provide security by showing that “something” changed without saying what changed. Not Tripwire Enterprise. Detailed before-and-after views leverage continuous, versioned baselines to show whether detected changes were to content, hashing, permissions, general file attributes or any other parameter. Without this side-by-side view you’re left guessing the risk, severity, impact and even importance of every change.

The IT Security “Whodunit”

When investigating a file or configuration change to determine whether or not to sound an alarm, one of the most important data points to assess is “Who.” Who made this change? Are they part of the CAB or on the change team? Do they normally have rights to this system, or are they an unexpected user? Knowing “who” details can put the spotlight on an insider threat or quickly change an event’s status from emergency to business-as-usual.

Real-Time Security

File Integrity Manager provides real-time change monitoring and detection, as well as schedule-based checks and scans. This means you can receive immediate, prioritized notification when changes are made to critical files and configurations like permissions or confidential folders and directories. This ensures that you don’t fall victim to the breach-to-detection gap, which can run months, lead to staggering data losses, and severely impact your brand and credibility.

It’s All About the Agent

File Integrity Manager provides agentless monitoring of network devices, firewalls and many appliances, but uses a robust, streamlined agent for most platform analysis. Why? Simply put, there’s no comparison to the speed, detail, and accuracy of file integrity analysis you get when using a trusted agent. Competitors who use agentless or “dissolvable agent” solutions can’t touch the depth and speed of Tripwire Enterprise’s trusted and stable agent.

Content that Helps You Focus on Changes that Matter

Some changes should never be allowed without proper authorization and planning, for example, changes to permissions and to critical configuration files. But not all changes are critical. How do you know the difference? Tripwire provides pre-packed sets of content—Critical Change Rules—that allow you to monitor for the most serious changes without having to reconcile hundreds of less threatening change events.

Change Ticketing Integration

Systems like BMC Remedy and other ITIL-based change management tools are excellent resources for understanding whether detected changes were planned. Tripwire Enterprise’s File Integrity Manager enables integration with change ticketing systems not only to automate the reconciliation of detected changes, but also to validate that planned changes have taken place.