File Integrity Monitoring: Invented Here, Perfected Here

Tripwire Enterprise started life as a host-based intrusion detection system that detected macro changes to files and folders. Years spent honing this ability has resulted in a solution that detects even the finest-grained changes—for example, to registry entries, configuration files, executables, and more in servers; to tables, indexes, and stored procedures in databases; to routing tables, firewall rules, configuration files, and ACLs in network devices; and to group policy options and global policies for directory services. Couple this with ChangeIQ^™ intelligent change assessment and prioritization, and it’s easy to see why Tripwire Enterprise is considered “best-of-breed” file integrity monitoring.

Tripwire Enterprise is smart about change. With thousands of changes occurring daily—even in mission-critical servers—you need active change intelligence to differentiate between “good” and “bad” change. ChangeIQ assesses and prioritizes changes using features like customizable severities and scoring to represent risk; different actions based on whether changes are to new, modified or deleted files; auto-reconciliation of detected changes to match change manifests, policies, or reference servers; and approval templates that make it easy to track the circumstances around changes. With ChangeIQ, you gain true change intelligence.

There are dozens of log-based, simplified file integrity solutions on the market. Many try to provide security by showing that “something” changed without letting you know what changed. Not Tripwire Enterprise. Detailed before-and-after views leverage continuous, versioned baselines to show whether detected changes were to content, hashing, permissions, general file attributes or any other parameter. Without this side-by-side view you’re left guessing the possible severity of every change.

When investigating a file or configuration change to determine whether or not to sound an alarm, one of the most important data points to assess is “Who?”. Who made this change? Are they part of the CAB or on the change team? Do they normally have rights to this system, or are they an unexpected user? Knowing “who” details can put the spotlight on an insider threat, or quickly change an event’s status from emergency to business-as-usual.

File Integrity Manager provides real-time change monitoring and detection, as well as schedule-based checks and scans. This means you receive immediate, prioritized notifications when changes are made to critical files and configurations or to confidential folders and directories. This insures that you don’t fall victim to the breach-to-detection gap, which can run to months and lead to staggering data losses and severely impact your brand and credibility.

File Integrity Manager provides agentless monitoring of network devices, firewalls and many appliances, but uses a robust, streamlined agent for most platform analysis. Why? Simply put, there’s no comparison to the speed, detail, and accuracy of file integrity analysis you get when using a trusted agent. Competitors who use agentless or “dissolvable agent” solutions can’t touch the depth and speed of Tripwire Enterprise’s trusted and stable agent.

Some changes, such as to permissions and to critical configuration files, should never occur without proper planning and authorization. Still, not all changes are critical. How do you know the difference? Tripwire provides Critical Change Rules—pre-packaged sets of content—that monitor for the most serious changes and save you from having to reconcile hundreds of less important change events.

Systems like BMC Remedy and other ITIL-based change management tools are excellent resources to understand if detected changes were planned. The File Integrity Manager in Tripwire Enterprise enables integration with change ticketing systems to not only automate the reconciliation of detected changes, but to validate that planned changes have actually taken place.