Tripwire NERC Solution Suite

Tripwire products can generate evidence for audit of CCA, and identify files used for evidence of compliance, monitoring them for change and retention.

Tripwire Enterprise and Tripwire Log Center are used to verify account and access control settings on systems and networks via logs and configuration changes. For R5.2, Tripwire Enterprise can identify local user accounts and compare current state against a customer-specific approved user list, alerting when there is a variance on individual CCAs.

Tripwire Enterprise’s standard functionality is a change control and configuration management system. It can be used to baseline configurations and then used to show variance, including specific file content changes. Additionally, Tripwire Enterprise can be used to create hash fingerprints of audit records and for verification that the records themselves haven’t been tampered with.

For R4.1, tailored change audit rules can validate that Access Lists have not been tampered with or modified and verify that the list is updated in a timely fashion (7 days). For R4.2, standard monitoring access logs come out of the box with Tripwire Log Center; access controls are monitored by Tripwire Enterprise, and tailored rules can be created to search for access control logs that match lists of former employees to validate that access and activity by the former employees has been terminated.

Tripwire Enterprise validates and monitors security settings and related configurations to ensure that appropriate controls are in place (such as “deny by default”) and that explicit permission settings (R2.1), explicit controls for services and ports (R2.2), monitoring of dial-up services and features (R2.3), strong authentication for external interactive users (R2.4) and appropriate banners or other access control notifications are in place (R2.6).

Tripwire Log Center can detect and alert when a CCA stops logging activity, thus alerting on violation of the twenty-four hours a day, seven days a week requirement. For R3.2, Tripwire Enterprise validates and monitors security settings and configurations to ensure that logs and access to logs is controlled.

For R4.2, Tripwire Enterprise can monitor ports and services and can be used to compare against a tailored set of customer-specific approved services, alerting when monitoring proves variance. For R4.3, standard change audit tests can be used to check default settings on network devices (e.g. default SNMP community strings).

Tripwire Enterprise baseline and compliance reports provide evidence of current configuration states. These can be scheduled to run to meet requirements. For R5.3, Tripwire Log Center can manage logs and ensure retention for the required time periods.

For R1.3, Tripwire Log Center can facilitate monitoring of physical access and other environmental monitoring systems through automated collection and analysis of their device logs. For R1.6, logs can be monitored specifi- cally for visitor information, including correlation rules to verify that login is followed by logout in a expected timeframe.

Tripwire Log Center can detect and alert when a CCA stops logging activity, thus providing alerting on continuous 24x7 basis.

Tripwire Log Center can facilitate monitoring of physical access and other environmental monitoring systems by analyzing the logs collected for R1.3, utilizing custom correlation rules to alert on unauthorized access attempts.

Tripwire Log Center can provide evidence of 24x7 physical access monitoring using data collection, normalization and retention features

Log retention for the required periods can be assured through Tripwire Log Center’s log management and archiving capabilities.

Tripwire Enterprise can baseline and test new systems, assets and components, supporting change control practices and assisting in identifying non-compliant systems within the ESP. For R1.2, Tripwire Enterprise baseline comparisons prove that the test configuration is consistent with production, thereby increasing confidence in the results of the test.

Tripwire Enterprise can monitor ports and services and compare current state against a tailored set of customer- specific approved port and services, alerting when monitoring detects a variance. For R2.1, this same process will ensure that only those ports and services required for normal and emergency operations are enabled. For R2.2, this same process will check that all other ports and services are disabled, and provide an alert upon variance.

Tripwire Enterprise can identify software versions and installed patches and compare current state against a tailored set of customer-specific approved software versions and patches, alerting when there is a variance on specific CCAs.

Tripwire Enterprise can scan for anti-virus and malware products installed through tailored change auditing rules. Logs can be monitored to find specific malware events and allow the Tripwire operator to examine the device for incident information. For R4.1, Tripwire Enterprise checks for security settings and configurations to validate anti- virus and malware prevention is enabled and updated appropriately.

Tripwire Log Center and Tripwire Enterprise can scan logs for account management activity and configuration settings for changes to account privilege, respectively, alerting as appropriate. For 5.1, Tripwire Products can use this data to document the process and procedures, which supports reporting cycle requirements and appropriate access privileges. For 5.2, the same capabilities can be used to document appropriate disabling of accounts. For R5.3, Tripwire Enterprise can verify configuration settings for passwords and other security settings to meet and maintain compliance requirements.

Tripwire Enterprise change auditing and log monitoring features meet this requirement. For R6.1, it supports technical and procedural processes to validate and monitor security events on cyber assets. For R6.2, Tripwire Log Center can be configured to alert on a variety of events based on simple or complex rules tailored to the organization need and risk level. For R6.3 and R6.4, its log consolidation and retention features allow an organi- zation to maintain logs independent of the system or application capabilities.

For R8.2, Tripwire Enterprise can be used to monitor ports and services and can be used to compare against a tailored set of customer specific approved services, alerting upon variance. For R8.3, Tripwire Log Center can review logs and system behavior for changes to default accounts.

For R1.1, event types can be classified and tailored using custom correlation rules to help with incident identification and escalation. Tripwire VIA integration allows for comprehensive alerting on events of interest. For R1.3, Tripwire product reports on logs, events, configurations and change detection can be used to create IOC reports that may be included with an ISAC response document.

Tripwire Enterprise baselines and configuration settings can be used for validation of a successful restoration exercise.

Tripwire Enterprise can aid in the restoration of CCAs or any baselined asset by ensuring that the most recent configuration state of each CCA is captured and retained on an ongoing basis, making the restoration process much easier to verify.