Tripwire® ExpertOps℠ for MSSP Service includes system administration provided by Tripwire’s Managed Services during the ExpertOps for MSSP Services term. Tripwire ExpertOps for MSSP Services are offered on an annual basis, and include monitoring, reporting and support during the term based on the Asset Owner’s configuration instructions and policies, and as set forth below.
Tripwire Expert Service Roles & Responsibilities
ExpertOps Managed Services Team: Provides day to day maintenance of the console and managed nodes and capabilities, and acts as an escalation point for MSSPs in the course of their service delivery.
Managed Services lead: A member of the ExpertOps Managed Services team that acts as the main point of contact for the MSSP.
Managed Security Services Provider (MSSP): Our MSSP partners will be the point of contact for their Asset Owners who wish to use the ExpertOps hosted solution. MSSPs will work with the Asset Owners to fine tune the ExpertOps environment to suit the needs of the Asset Owner.
The responsibilities of the MSSP include:
- Tactical tuning assistance to ensure that the most important information is highlighted for action;
- Customized reporting and dashboards, with a more detailed analysis of results;
- Dedicated problem resolution support;
- Administration of the Event Sender App, which can provide a regular ‘feed’ of change and compliance data to the Asset Owner’s existing SIEM solution. Advanced training will be required for MSSPs to offer Event Sender; and
- Administration of the Tripwire Enterprise Integration Framework (TEIF), which allows the automatic reconciliation of changes observed by TE against the Asset Owner’s existing change ticketing system (e.g. ServiceNow, Remedy, etc.). Advanced training will be required for MSSPs to offer TEIF.
Asset Owners: As the relationship between the Asset Owner and MSSP can vary, the term Asset Owner is used to describe the group that is responsible for the in scope assets being monitored.
Certain tasks can only be performed by the Asset Owner including:
- Proxy Maintenance; including onboarding and resource allocation
- Asset Classification
- Agent Deployment and Updates
- Change Reconciliation (Promotion)
Specific responsibilities are provided in the table that follows.
Tripwire ExpertOps Features Descriptions
Management
Console Maintenance: As part of ongoing application maintenance, Tripwire periodically releases patches addressing emergent issues affecting the software, and updates with product improvements. The Managed Services Lead will communicate the timing of the implementation of patches and updates to MSSP who will relay the schedule to the Asset Owner. As a component of the service, the Managed Services team maintains a general policy to upgrade all Hosted instances within 10 days of a general release.
- Patch Engineering: Tripwire will regularly produce patches based on environmental, security, or feature releases and updates.
- Patch Schedule: The MSSP will schedule the installation of the patch with the Asset Owner.
- Patch Installation: Tripwire will install console updates based on the schedule agreed to with the MSSP.
Content Maintenance: Tripwire releases updates to FIM and policy content based on industry benchmark availability and the urgency of updates for a particular platform (“SCM Content”), and Tripwire IP360’s vulnerability definition data set (“VM Content”). The MSSP will work with the Asset Owner to determine the applicability of available SCM Content to the Asset Owner’s requirements and to ensure that the latest version of VM Content is in place within two business days of release, as applicable.
- Content Updates - Build: Tripwire is responsible for the creation and publication of new and updated core operating system FIM rules and operating system configuration policy tests for Tripwire supported operating system releases or updates to published policies.
- Update Applicability Determination: The MSSP will work with the asset owner to determine if the newly available rules or tests are applicable to the asset owner’s requirements.
- Content Updates - Installation: Tripwire will install the newly available rules or policy tests as published when requested by the MSSP.
- Content Updates - Validation: The MSSP will validate the installation of the new rules and policy tests. Validation includes any rule tuning, default severity setting, and policy test customization at the direction of the asset owner.
Service Status Updates: A weekly status report will be delivered by the MSSP to Tripwire and the asset owner. This report will contain a high level overview of the daily and weekly activities completed. This report will also include any noteworthy issues encountered (with resolution, if any), event tickets created, and status of change requests submitted by the MSSP.
Service Plan Development: During a standard implementation, the MSSP and Asset Owner will jointly develop a plan that outlines communication practices, escalation practices and any specialized requests from the Asset Owner. MSSPs should provide the Asset Owners with an in depth, granular document that highlights detailed console configurations, history of changes, and joint operational procedures as they apply to change and configuration management (Operational Use Plan), which is updated as needed.
Proxy Maintenance: A proxy virtual appliance is required by the Expert Operations service to serve as a secure gateway between the asset owner’s environment and the Tripwire hosted environment. This proxy appliance is typically deployed to an asset owner’s DMZ that has IP and port limited access to the asset owner’s environment.
- Proxy Onboarding: A proxy deployment in the asset owner’s environment is the responsibility of the asset owner. This will typically require augmentation of firewall rules and processor and disk space provided from an asset owner’s virtual host. The number of proxies required will depend on the asset owner’s physical network configuration. Additional details on proxy requirements are available in the ExpertOps Onboarding Checklist.
- Proxy Updates (including Apps): Once a secure link between the proxy appliance(s) and the Tripwire hosted solution has been established, updates to the proxy device will be maintained by the MSSP with binaries provided by Tripwire.
Asset Onboarding: The MSSP will review any new assets that are added and, upon guidance from the Asset Owner, classify the assets for monitoring and reporting using the appropriate tagging within the software.
Asset Owner Requests: Asset Owner configuration or informational requests will be made directly to the MSSP through the MSSP designated process. If advanced support is required from Tripwire, the MSSP will make a request through Tripwire’s Customer Center.
User Management: In order to support effective separation of duties, the Managed Services Lead is responsible for creating and managing user roles within the Tripwire.io portal.
Custom App Monitoring Configuration: Tripwire Enterprise can be configured to monitor custom applications. The MSSP will work with the Asset Owner to deliver a Tripwire provided application monitoring questionnaire to the appropriate subject matter expert. Application monitoring may include specific directories to be monitored or database queries to identify important changes. It is critical that accurate and detailed information be provided by application subject matter experts to ensure the effectiveness of monitoring.
FIM & SCM Reporting Creation and Maintenance: The MSSP is responsible for creation and customization of FIM (file integrity monitoring) reports based on direction from the Asset Owner.
ASPL Updates: Tripwire frequently provides updated vulnerability definitions in Tripwire IP360’s Advanced Security Profiling Language (ASPL). The Managed Services Lead is responsible for keeping the VnEs up to date with the latest ASPL available from Tripwire.
Device Profiler onboarding: Device Profilers, like the proxy appliance, need to reside in the Asset Owner’s environment as guests on the Asset Owner’s provided virtual hosts. Alternatively, if no virtual environment is available, a physical Device Profiler is available. Both the physical and virtual Device Profilers will be implemented by the Asset Owner.
VM Scan profiles: Tripwire IP360 scan profiles define the protocols, ports, and methods for scans. Scan profiles also define scan schedules. Networks and Device Profiler assignments are not defined by the scan profiles.
- Scan profile creation: Tripwire provides generic scan profiles that can be applied to networks without modification.
- Scan profile maintenance & scheduling: Many customers prefer to use the Tripwire scan profiles as templates to create their own custom scan profiles. MSSPs will work with the Asset Owner to establish custom scan requirements, and will coordinate with the Managed Services Lead on their creation and implementation.
Monitoring
Health Monitoring: As with any enterprise class application, Tripwire software benefits from occasional maintenance activities and performance review. In conjunction with the MSSP, the Managed Services Lead will regularly review the operational metrics of the solution and make any adjustments or corrections considered necessary or advisable.
- Application Health Monitoring: Tripwire will monitor applications provided by Tripwire as part of this service. Tripwire will notify the MSSP in the event of a complete loss of a service.
- Asset Owner Environment Health: The MSSP will monitor the health of the Asset Owner’s environment that is necessary for the communication between the Tripwire service and the assets. This would include any Tripwire supplied appliances.
- Tripwire Hosted Environment Health: Tripwire will monitor the hosted infrastructure including the supporting database and VPN terminus at the hosted solution site. Tripwire will notify the MSSP in the event of a complete loss of a service.
Operational Incident Handling: The MSSP will interface directly with the Asset Owners to address incidents with applications provided by Tripwire. If the MSSP determines that the issue is related to the functions of Tripwire provided applications, Tripwire will track and resolve the incident as predefined by our SLA agreement.
- Requests from Asset Owners: The MSSP will collect requests directly from Asset Owners. The MSSP will be responsible for entering a ticket into Tripwire’s service request system. The MSSP will be responsible for confirming the resolution and communicating status and completion back to the Asset owner.
- Ticketing Monitoring / Resolution: Tripwire will track the service request in its ticketing system. Updates to ticket status will be available in the ticketing system and via e-mail to the MSSP when updates to the request are made. Depending on the severity of the ticket, different service level agreements will apply.
Agent Maintenance: Tripwire provides new versions of its agent to support new features and operating systems as well as to address security and functionality issues. Agents should be kept up to date with the latest version appropriate to the Asset Owner’s operating system. The MSSP will confirm with Tripwire the proper agent versions to run and stage those versions in the Tripwire console. Where possible, the MSSP should use the console’s push functionality to upgrade the agents in place with proper approval from the Asset Owners. The MSSP will assist the Asset Owner to update any agents that cannot be upgraded by a push from the console.
Node Health: The MSSP will verify that all monitored nodes are communicating with the TE Console on a daily basis (business days) and will verify that the monitored nodes are completing their scans as expected. MSSPs will analyze node health error conditions and provide tactical troubleshooting assistance to improve the completeness of monitoring results. Any identified errors or unexpected behavior will be investigated and remediated by the MSSP with the guidance and assistance of the Asset Owner.
Proxy Appliance Health: The proxy appliance is the gateway to the Tripwire Expert Operations service. The proxy resides in or close to the Asset Owner’s network. The proxy appliance is virtual and is hosted by the Asset Owner. The MSSP can monitor the proxy appliance via the TE console. The MSSP will work with the Asset Owner to ensure the availability of the proxy appliance as it is a key component of the service.
Device Profiler Health: The Device Profiler should be updated following a new release of Tripwire IP360 software. Tripwire will update the hosted VnE and notify the MSP that a new version is available. The MSP will work with the Asset Owner to schedule a push upgrade of the Device Profiler.
Business Process Integration
TW Apps Management: For MSSPs, the Managed Services Lead will review the operation of Tripwire integrations to ensure optimal function and efficiency. Problems will be escalated as needed. The MSSP service tier includes a subscription license for the Dynamic Software Reconciliation (DSR) and Event Sender apps during the ExpertOps term. In addition, MSSPs are granted a subscription license for the Tripwire Enterprise Integration Framework (TEIF) app.
- DSR: The Tripwire application will automatically promote configuration changes based on installed software manifests provided from trusted credible sources.
- Event Sender: The MSSP will manage all configuration changes. Advanced Training required prior to MSSP taking ownership.
- TEIF: The MSSP will manage all configuration changes. Advanced Training required prior to MSSP taking ownership.
Tripwire Apps Upgrade: The following applies to Remote Operations only. As part of ongoing application maintenance, Tripwire R&D periodically releases patches that address emergent issues affecting TW-Apps. Tripwire generally recommends that all Asset Owners’ Tripwire Enterprise components remain current with official patches, and the MSSP will work with the Asset Owner to review the impact and criticality of any available patches and update TW-Apps in a planned maintenance window.
Change Reconciliation (Promotion): The Asset Owner is ultimately responsible for the promotion of changes discovered by rules approved by the Asset Owner. The Asset Owner may submit formal documentation for criteria to allow the MSSP to promote some or all changes on their behalf. Tripwire can also perform promotions if provided the documented criteria from the Asset Owner.
Regulatory
Policy Tuning and Guidance: The MSSP will update or tune compliance policy tests as requested by the Asset Owner. This may include changes to the test condition but does not include the development of new rule logic to harvest content from TE nodes or logic to parse or filter results.
Waiver Management: The MSSP will create and update waivers as directed by the Asset Owner escalation contact. This includes the inclusion of on-boarded nodes in applicable waivers as well as adjustments to waiver expiration dates and/or comments.
Audit Contribution: The MSSP will provide audit artifacts directly to the Asset Owner within the scope of assets monitored by Tripwire services. The MSSP can offer best practice recommendations for remediation based on vulnerability and configuration assessments but ultimately, the Asset Owner is responsible for remediation of any audit findings.
Management Consulting
CISO + Executive Review: The MSSP will provide regularly scheduled reporting as defined by Tripwire services agreement to key Asset Owner stakeholders that will include deployment health statistics as well as an overview of achievements towards the Asset Owner’s objectives. This report will provide insight into the ongoing improvement and utility of the Tripwire environment.
Operational Use Plan Update: The MSSP will make recommendations for updates to the Operational Use Plan as needed to allow the Asset Owner to maximize the automation capabilities that the Tripwire solution can provide. This can range from security and event alerting practices to change management process integrations to audit artifact creation. Guidance starts during the implementation process and extends during the ExpertOps for MSSP Services term.
Service Performance Reviews: The MSSP will conduct a periodic review of the Tripwire environment to audit configurations, reporting, dashboards and integrations. This is to ensure that there is a continuous cycle of improvement and optimization in the managed Tripwire environment. The service review will also include an overview of all event tickets, change requests, and achievements towards SLA attainment. Reviews will be conducted depending on the MSSP’s agreements with the Asset Owners.
Analysis and Problem Support
Defect Support: Problem resolution will be managed by the Tripwire Customer Center during business hours according to Tripwire’s then current Support Policy. The Managed Services Lead will coordinate problem resolution for MSSPs who will confirm and communicate the resolution with the Asset Owners.
Reporting Analysis: The MSSP will review the observed FIM or policy compliance changes and look for unusual activity (e.g. significant spike in Change Rate report, unusual Frequently Changed Nodes entries, etc.). If any such activity is observed, the MSSP will inform the Asset Owner during the regular service review.
Other ExpertOps for MSSP Services Information
Professional Services
The ExpertOps for MSSP Service fee includes Professional Services for a standard implementation.
Professional Services may be provided remotely or on site, and may include:
- Deploy and configure ExpertOps virtual appliance on Asset Owner identified host
- In scope assets (or representative number) onboarded into the solution
- Asset classification/grouping
- Reporting strategy defined; dashboards implemented
- Tripwire roles and responsibilities overview
- Hands on knowledge transfer throughout the engagement
- Best practice monitoring recommendations and operational use plan developed
For Tripwire ExpertOps SCM and Tripwire ExpertOps Remote Operations for TE only:
- Dynamic Software Reconciliation and Event Sender configured, as needed (SCM ONLY)
- Configuration assessment implementation (SCM ONLY)
- Change audit implementation (SCM ONLY)
Excluded Services
The ExpertOps for MSSP Service fee does not include other Professional Services, which are available on a time and expense basis, and which must be ordered separately.
Examples of Professional Services that are not included in the ExpertOps for MSSP Service fee are:
- Development of custom policies
- Custom integrations with ticketing systems
- Integration with third-party products
Data Center Location and Business Hours
Unless otherwise stated by Tripwire, the console and Asset Owner Content are hosted in a data center in the United States, accessed by the Managed Services team. The Managed Services team is available during business hours, 6:00am-6:00pm Pacific, Monday-Friday, excluding national holidays.
Certifications and Audit Reports
Copies of the current PCI-DSS Attestation of Compliance and the SOC 2 audit for ExpertOps for MSSP Services are available on request under a non-disclosure agreement.
Service Description Updates
Tripwire reserves the right to update or otherwise change these Service Descriptions from time to time. Any changes to these Service Descriptions shall be effective upon publication by Tripwire, by way of posting such changes at: Visit Here.