Sometimes you just can’t see the obvious when it’s right in front of you. Usually, this happens because you’re so invested – materially, emotionally, or historically – in the way things have been that you have a hard time reconciling the way things are.
This is true for companies as well. The technology that made you famous and built your company becomes — sooner or later — a simple enabler that helps you launch into a new space and solve new problems. Or you die. (Nobody on the planet explains this better than Clayton Christensen, author of The Innovator’s Dilemma. This book makes it clear that “outstanding companies can do everything right and still lose their market leadership.”)
What’s that got to do with Tripwire?
At the end of the last century we became known as The File Integrity Company. This happened when the PCI DSS said “thou shalt implement a file integrity solution — like Tripwire — to oversee changes to critical files.” (We still thank the good people at PCI for jump-starting our young company, even though the reference has long since been removed.)
We discovered along the way that our FIM technology was a really good platform for scanning and assessing configuration items, the settings that tell servers what they can and can’t do. Then we discovered we could make it easy for our customers to compare their current CI states to existing standards like CIS, DISA-STIGS, ISO-27001 and twenty or so others, and actually make measured, deliberate progress towards getting more secure.
Tripwire’s Security Configuration Management offering was born, and now our biggest customer implementations – with tens of thousands of servers and devices being assessed in one organization – use our SCM to satisfy their configuration vulnerability needs. Sometimes they don’t even use our file integrity monitoring capabilities… even though it’s the underlying technology of our SCM.
I’ve recently seen two key indicators of the shift in importance of FIM relative to SCM: Securosis.com’s Mike Rothman (@securityincite) has been writing a series on vulnerability management with lots of good info, and SANS.org has released the latest version of their Top 20 Security Controls. Both these make it clear that integrity monitoring, our most distinctive corporate competence, is dying as security control, but emerging as an enabler of configuration vulnerability solutions.
The Securosis.com posts said, “Further evolution [of vulnerability assessment solutions] will add the ability to monitor for system file changes and integrity – it is the same underlying technology.” It’s interesting that they’ll evolve to a place we’ve already been.
The SANS Top 20 list has been newly reprioritized in Version 3.1. Interestingly, there’s no place on it for “file integrity monitoring” per se. (It actually hasn’t been on there for several versions.) But FIM is listed as the key enabler for two high-priority controls — Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers and Critical Control 10: Secure Configurations for Network Devices – both of which are near the top of the list. In fact, only two controls — related to discovering what you’ve already got in your infrastructure — are more important to get right than these two.
If you doubt whether SCM is as important as all that, please check out my friend Dwayne’s post from yesterday. See that problem there? See the quarter-million Social Security numbers stolen? We solve that problem with our SCM solution.
We’ll always do FIM, and I expect we’ll always be best in the world at it. We’re pretty good at log collection and SIEM, too.
But I look forward to the time when we’re even more widely know for being the company that allows vast, multinational organizations to:
- Continually assure their IT device configurations are as safe as they can be, given the job they need to do and the environment they do it in
- Do it again and again when things drift (because they always do)
- Do it for all business units and geographies, with maximum visibility for the CISO
- View system hardening levels as their best overall indicator of the risk and security posture of their organization
It’s good to know where you’ve been. But manageable, business-enabling, enterprise-wide SCM is where we’re going.