How WFEC Brings Power to Half a Million Americans with Tripwire Security

“Tripwire has helped us further increase our security presence and reduce our risk. I’ve been really impressed with it. I’m usually vendor agnostic, but I tell people: ‘Go Tripwire.’”

Before Tripwire, Norman and his team used inefficient manual processes for system baselining, so they needed a modern refresh of their security strategy. Their manual baselining consisted of gathering data by hand and attempting to draw insights from incomplete information that was immediately out of date, incurred too much administrative overhead, and was prone to human error.

Manual security processes also put stress on organizations due to the cybersecurity skills gap—a dearth of available industry talent that leads to small security teams who always find themselves spread too thin. WFEC was no exception. “In terms of business needs and challenges that Tripwire helps us solve, one of the biggest business challenges facing technology departments ranging from IT/OT operations to information security is resources. And the most precious resource is the human factor that can produce information out of the data that’s being collected. And for most organizations there’s that headcount there that can’t be achieved,” Norman says.

“Tripwire helps solve that problem by performing the functions of a human. It can collect the data and create information from that data. It can even perform actionable decisions based on that information through some of the pre-programmed logic, so it completes the circle for us.”

“Some of our tasks have gone from taking hours to minutes to complete. A manual process of baselining and validating can be a long, arduous, excruciating task. Tripwire helped us reduce that to a matter of minutes.”

WFEC needed an automated baselining solution to use its resources more efficiently, which led them to search for a file integrity monitoring (FIM) tool. Norman found that other cybersecurity solutions didn’t center on FIM, only including it as an extension or added module. Other solutions didn’t demonstrate much knowledge of the unique problems faced by the energy industry, either. According to Norman, “The biggest advantage that we got with Tripwire is that FIM is its core technology. That was a big factor for us.”

Tripwire Enterprise takes the headache out of baselining by enabling teams to customize FIM processes. “We baseline and check at specific intervals depending on what we’re trying to do. It’s just dependent upon what we’re trying to do and the goal we’re trying to achieve,” says Norman.

Along with the need to align operations with NERC CIP compliance and FIM, WFEC had a number of other issues commonly faced by security teams in the critical infrastructure sector—it needed to deliver its services without interruption. Maintaining optimal IT/OT operational uptime, availability and resiliency of services was key. Other essential goals were to use resources more efficiently and reduce administrative overhead.

WFEC needed to find a solution that would help it identify indicators of compromise and monitor for suspicious activity. For companies like WFEC, an antivirus solution simply won’t cut it. “Tripwire is not resource-intensive the way anti-virus is,” says Norman. “From my perspective, Tripwire does more than traditional antivirus does. It gives you more insight.”

Verizon’s 2018 Data Breach Investigations Report cites that 68 percent of data breaches take months or longer to discover—a lag time that spells serious consequences for critical services like power and energy. WFEC had a big task ahead: harden its systems and devices or risk being underprepared for a breach.

“Tripwire has helped us take action to further harden our devices. This goes back to the many different policies Tripwire has regarding standards like NIST.”

WFEC implemented Tripwire Enterprise and Tripwire Whitelist Profiler to assist in NERC CIP compliance and to meet its security objectives. According to Norman, “It’s got benefits for both security and operations. It’s a very good tool. The ease of installing the product has helped me pass that off to people who don’t know the solution. They just hit the ground running with it. That’s been a big plus.”

Counter-intuitive security tools tend to end up gathering digital dust, but Norman and his team found value in Tripwire right away. “We implemented it ourselves. The installation process was easy to follow. It’s a well-designed product, especially the upgrade process. The ease of the installation and upgrades has helped my people take it over.”

“The fact that Tripwire is able to compare and contrast the logic within the actual rules and policies make it very powerful. The core flexibility of the product allows for that robust monitoring platform that can benefit pretty much any organization that utilizes technology across any vertical.”

Tripwire Enterprise and Tripwire Whitelist Profiler help organizations like WFEC simplify system hardening and attack surface reduction. Norman and his team achieved the following security and compliance objectives:

• Maintained NERC CIP compliance
• Achieved device hardening using Tripwire Enterprise’s broad set of policies
• Integrated operations with SIEM through log correlation for faster incident detection
• Initiated continuous baseline monitoring set at user-designated intervals
• Provided powerful and flexible COCR (command output capture rules)
• Minimized disruption and resource consumption thanks to Tripwire’s lightweight agents

Tripwire Whitelist Profiler is an app used by Tripwire Enterprise users who need to automate proof of configuration compliance. According to Norman, “The biggest thing for me was the Whitelist Profiler. It performed the necessary functions that we need to do to maintain the compliance oversight requirements that we had.”

Most compliance standards specify recommended configuration settings. Tripwire Enterprise alerts of discrepancies, but some regulations require users to additionally provide detailed lists of the actual system settings and software to prove compliance. Just like the process of baselining for FIM, this can be a taxing and error-prone manual effort. Whitelist Profiler solves this problem by reporting on all configuration settings and comparing them to a pre-defined whitelist. It quickly generates audit reports to prove compliance by listing enabled network ports, running OS services, installed software, active user accounts and more.

Along with using Tripwire Whitelist Profiler to prove compliance, WFEC found that Tripwire solutions help secure both the operational and IT/OT sides of the company. When IT and OT security procedures become integrated, Tripwire users stand to benefit from improved security against threat actors, as well as the anti-siloing impacts of greater organizational efficiency.

“We use Tripwire as a security and operational tool. The operational part allows us to monitor the health of the system,” Norman says. “We initially implemented it for our critical system areas to help monitor for compliance and security. And now we’re looking at expanding that to our corporate environment. We’ll be able to go down further inside the file objects, a better level of insight for those systems.”

“Tripwire by itself is a complete package. So there’s not a lot for us to integrate with because Tripwire is the whole three-step cycle: input, process and output.”