Security Configuration Management: Fundamental Security
The SANS Institute for information security lists “secure configurations for hardware and software” as Number Three on its definitive list of “20 Critical Security Controls.” And analyst firm Gartner has shown that security configuration management is the Number One priority in devising a server protection strategy. How can you get this protection?
Tripwire Enterprise’s Policy Manager, a standalone solution or part of Tripwire's SCM Suite, continuously assesses IT configurations against over 300 policies, standards, regulations and vendor guidelines. It's more comprehensive than any other policy management solution, with polices for scores of platforms, dozens of server types, databases and applications, devices and firewalls, in virtual and physical environments. Policy Manager pinpoints non-compliant settings, offers built-in remediation advice, and makes policy status and vulnerabilities not only visible, but actionable.
Tripwire policies come form over 20 unique policy sources—for example, worldwide policies like PCI, CIS and ISO-27001; US-centric policies like NERC, NIST and SOX; and international policies like GPG-13, MAS and ISO-27001. It also supports over 300 policy-platform combinations for operating systems like Windows, Solaris and AIX; databases like IBM DB2, Oracle and MS SQL Server; and numerous application and network devices. It offers over 189,000 unique configuration tests that are ready to use, out of the box—no customization required.
Policy Manager’s built-in reports are perfect for users who need to assess their current IT configurations and get them into an audit-passing state. But CISOs and security directors now need to up-level raw security data and convert it into business insight they can share with boards of directors and senior executives. The Tripwire VIA™ Data Mart is an add-on for Policy Manager that converts raw security data from Tripwire Enterprise into business-focused, risk-aligned reports on overall security posture and trends.
Policy Manager provides dozens of simple and intuitive policy dashboards that can provide instant insight into compliance scores, pass/fail test ratios, compliance trends and summary results. These dashboards can be plugged into custom home pages for any Tripwire Enterprise user on a “role-based access” basis, allowing everyone from CISOs to system administrators to view policy and compliance states.
Policy reports are easily linked from one report to the next, so users can drill from high-level representations of policy scores right down to the specifics they need. Answer questions like: What test failures combined to make us only 60 percent compliant on this policy? What were the details of the failures? Are there waivers or exceptions in place? Are these failures related to changes detected by Tripwire Enterprise’s File Integrity Manager?
Not every configuration item can be tested in a straight pass/fail manner. Systems can be temporarily non-compliant due to upgrades, system status or business processes. Policy Manager allows security managers to create and track waivers to temporarily override failing policy scores, while still flagging these exceptions and noting them in reports and dashboards.
Policy customization allows Tripwire Enterprise users to establish custom weights for test scores, create scoring thresholds and determine which policy test results need to be flagged and examined. With customizable policy tests, IT security teams can customize an industry-standard policy into a security policy that fits their specific needs.
How do you test a system when you don’t have credentials for it? If your test process does get credentialed, how can you be sure these credentials will be used only as needed? Policy Access Controls allow Tripwire Administrators to establish the right level of access for required tests, while providing visibility to these “keys to the kingdom.”