Endpoint Detection and Response (EDR)

Protect your critical endpoints with highly resilient cyber threat security.
Detect, Contain, Analyze, and Remediate

Detect

Focus on unauthorized system state changes, analyze them using internal or partner IOCs, anomaly detection, and behavior and policy violations. Stay ahead of threat actors.

Contain

Quickly respond to limit damage and loss. Leverage automation and integration with business context to respond faster and with precision. Control rogue processes and traffic, and remove malicious files.

Analyze

Focus on critical actions for investigation. Get current and historical state information—objects, processes and activities. Leverage threat intelligence and vulnerability data. Prioritize based on business context.

Remediate

Repair the endpoint, revert to a safe configuration, and remove unauthorized objects. Integrate and automate security, compliance and IT processes for effectiveness and efficiency. Regain control and confidence after a security incident and resume safe operations.

Endpoint Detection and Response: Proactive Endpoint Defense

Additional Resources

SANS - A MATURITY MODEL FOR ENDPOINT SECURITY

RESPONDING TO HIGH-IMPACT VULNERABILITIES: ARE YOU PREPARED?

How Tripwire Ruined My Day (And Saved My Year)

Ian Robertson from Trion Worlds had his day ruined when Tripwire’s alerting system woke him in the middle of the night, warning that something wasn’t right. He wasn't a happy camper, but thanks to the alert, Trion Worlds was able to quickly resolve the malicious issue before the company ended up in countless headlines.

Tripwire Endpoint Detection and Response (EDR)

While information security relies on a multi-layer defense strategy with the goal of infrastructure resilience, it is important to recognize that the endpoint is the primary target of cyber attacks. Anything that can be targeted in an attack or used as a conduit to a device that can be attacked must be included in coordinating overall defenses. Effective enterprise security should enable defenders to identify critical assets, detect and assess breaches and security incidents, respond to contain any damage, remediate and repair the impacted endpoints, and prevent the spread of further attacks in the enterprise.

Tripwire Threat Intelligence Partners

Endpoint Detection and Response (EDR) Use Cases

PROACTIVE ENDPOINT MONITORING

Continuous Monitoring Of All Critical Endpoints

Tripwire continuously monitors a vast array of endpoints and their file changes, compares against a baseline configuration and determines good vs bad, authorized vs unauthorized and potentially high-risk changes. The endpoints can be on the enterprise network, in the data center or in the cloud and can include Windows desktops and servers, OS X, AIX, HP-UX, CentOS, Debian, Oracle Linux, RHEL, SUSE, Solaris, Amazon Web Services and Azure deployments.

ENDPOINT BREACH DETECTION

Multiple Methods Of Advanced Detection

Tripwire monitors system state changes and correlates these changes with system events and application logs. These state changes might relate to installed software, files on the file system, the registry, user privileges, user behavior, running processes or open ports.

Tripwire leverages a range of detection methods for comprehensive endpoint threat detection:

  • IOC Detection—All system state changes observed by Tripwire can be compared to internal indicators of compromise (IOC) or sent to a threat intelligence service for evaluation.
  • Anomaly Detection—Changes in the system from the known good base configuration.
  • Behavior Detection—Identifying "bad" behavior on the system (e.g. Why did the Apache user start creating files in the system directory? Or, why did the Apache user start logging in remotely?).
  • Policy Violations—System changes made outside of approved configuration windows (new software installed, new users added, etc.).
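One way to implement the baseline comparison, IOC hash match and approved-change-window checks listed above, as an added example written for this page (not Tripwire's own code). The directory tree, the 02:00-04:00 UTC change window and the single IOC hash are constructed for the demo.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed IOC list for this example: SHA-256 of a known-bad file's content.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"evil payload\n").hexdigest()}

def snapshot(root):
    """Record path -> (sha256, mtime) for every regular file under root."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (digest, path.stat().st_mtime)
    return state

def in_change_window(mtime, window):
    """window is (start_hour, end_hour) in UTC; changes made then are approved."""
    return window[0] <= datetime.fromtimestamp(mtime, tz=timezone.utc).hour < window[1]

def classify_changes(baseline, current, window):
    """Diff two snapshots; flag IOC hash matches and changes outside the window."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before == after:
            continue  # no deviation from the known-good baseline
        kind = "deleted" if after is None else "added" if before is None else "modified"
        findings.append({
            "path": rel, "kind": kind,
            "ioc_match": after is not None and after[0] in KNOWN_BAD_SHA256,
            # a deleted file has no new mtime, so deletions are judged at scan time
            "policy_violation": not in_change_window(
                after[1] if after else datetime.now(timezone.utc).timestamp(), window),
        })
    return findings

def demo():
    """Constructed run: baseline a tree, tamper with it, re-scan and classify."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir(); (root / "bin").mkdir()
    (root / "etc" / "app.conf").write_text("debug=false\n")
    baseline = snapshot(root)
    inside = datetime(2024, 1, 15, 3, 0, tzinfo=timezone.utc).timestamp()   # in 02-04 UTC window
    outside = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc).timestamp()  # outside it
    (root / "etc" / "app.conf").write_text("debug=true\n")       # approved edit
    os.utime(root / "etc" / "app.conf", (inside, inside))
    (root / "bin" / "dropper").write_bytes(b"evil payload\n")    # known-bad file dropped
    os.utime(root / "bin" / "dropper", (outside, outside))
    return classify_changes(baseline, snapshot(root), window=(2, 4))
```

A change inside the window that matches no IOC is still reported, since it deviates from the baseline and must be reconciled into a new one.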
ADVANCED THREAT DETECTION

Integrated Threat Intelligence Automation

With the industry’s best threat intelligence partner integrations, Tripwire helps customers detect, analyze and verify zero-day and advanced persistent threats. Changes to systems can be automatically compared against known IOCs, or suspicious files can be automatically uploaded and “detonated” in a sandbox (as provided by Check Point, Cisco, Lastline and Palo Alto Networks) to identify previously unknown malware. For confirmation and investigation of security incidents, all changes from the known good system state can be highlighted, and the state of any system can be compared to any other system to clearly identify differences in order to quickly isolate a compromise. Advanced search functions, including hash search, can help determine the scope of a breach and identify all endpoints impacted.

PROACTIVE DISCOVERY

Continuously Discover and Protect Assets and Applications

The agentless Tripwire Asset Discovery Appliance continuously monitors the network to discover all assets and applications. Security analysts can automatically classify the assets or applications based on a known set of attributes, scan the assets for vulnerabilities, deploy a Tripwire agent and apply the appropriate policy to continuously monitor and protect the assets.

ADAPTIVE SECURITY

Event-based Adaptive Monitoring

Tripwire supports both on-host and off-host event triggers for adaptive security. For example, Tripwire might detect new files created by a user who is not normally authorized to create them. Tripwire can respond by harvesting the files and checking them against integrated threat feeds. An example of an off-host event that can change data collection triggers would be Tripwire IP360 determining that a host has a remotely exploitable Apache vulnerability. In response, Tripwire can increase log levels and notify an administrator if indicators of compromise matching the exploit appear on the host.

THREAT MONITORING AND VERIFICATION BASED ON IOC

Leverage Industry Threat Intelligence and ISAC

Automated threat monitoring proactively identifies indicators of advanced threats and targeted attacks, commonly called Indicators of Compromise (IOCs). With Tripwire, customers can consume peer- and community-sourced IOCs—leveraging the STIX and TAXII standards—as well as tailored high-end commercial threat intelligence services. These IOCs are automatically downloaded to Tripwire Enterprise, and an automatic search determines whether each indicator has been seen before or is new. Tripwire Enterprise then monitors for the indicator in all new system changes. Customers can continuously reduce their attack surface with this asymmetric information advantage over cyber attackers.

ENDPOINT DETECTION AND RESPONSE (EDR) FAQS

WHAT IS ENDPOINT DETECTION AND RESPONSE (EDR)?

Endpoint security means much more than protecting and hardening devices, both proactively and reactively. To protect themselves, organizations need continuous endpoint discovery, monitoring, assessment and prioritization to proactively reduce their attack surface. In addition, endpoint security should include solutions that leverage threat, vulnerability and intelligence data to better analyze and respond to attacks that do get through defenses. The endgame is proactive defense that improves the organization’s overall resilience.

Endpoint Detection and Response (EDR) solutions must include the following four primary capabilities:

• Detect security incidents
• Contain the incident at the endpoint
• Investigate security incidents
• Remediate endpoints

WHAT IS AN ENDPOINT? HOW HAS IT EVOLVED IN THE CONTEXT OF CYBER THREAT PROTECTION?

While effective information security relies on a multi-layer defense strategy with the goal of infrastructure resilience, it is important to recognize that the endpoint is the primary target of cyber attacks. Unfortunately, the classic definition of endpoint—something with which a user interacts, such as a desktop, laptop, tablet or phone—is insufficient for developing a security strategy today. This definition must expand to include employee-owned devices, virtual machines, point-of-sale terminals, IoT devices and even servers. In short, anything that can be targeted in an attack or used as a conduit to a device that can be attacked must be included in coordinating overall defenses.

HOW DOES TRIPWIRE HELP ANALYZE AND ANSWER KEY QUESTIONS RELATED TO ENDPOINT SECURITY INCIDENTS?

With the escalating threat landscape, it is critical to be able to quickly detect a breach, identify when it happened and determine how long you have been exposed. Tripwire helps analyze and answer these questions through a comprehensive threat lifecycle framework that we call the “Cyber Threat Gap”.

The Detection Gap indicates the amount of time it takes to discover a compromise and identify its scope.

Industry data tells us most organizations do not identify their own breaches, and the latest Mandiant study said the average time to detect an advanced persistent threat on a corporate network is currently 205 days (still high, but an improvement from 229 days the prior year).

The Response Gap indicates the amount of time it takes to respond, contain and limit the damage. A recent Ponemon study highlighted that it typically takes companies over four months (123 days) to resolve a breach.

The Prevention Gap is the measure of time it takes to avoid repeated or similar attacks.

To limit the damage from cyber threats, organizations need to be able to answer three key security questions:

• Have we been breached?
• How bad is it?
• How can we avoid a recurrence?

WHAT ARE THE DIFFERENT METHODS THAT TRIPWIRE USES TO DETECT SECURITY INCIDENTS?

Tripwire leverages a range of detection methods for comprehensive endpoint threat detection:

• IOC Detection—All system state changes observed by Tripwire can be compared to internal indicators of compromise (IOC) or sent to a threat intelligence service for evaluation.
• Anomaly Detection—Changes in the system from the known good base configuration.
• Behavior Detection—Identifying "bad" behavior on the system (e.g. Why did the Apache user start creating files in the system directory? Or, why did the Apache user start logging in remotely?).
• Policy Violations—System changes made outside of approved configuration windows (new software installed, new users added, etc.).

WHAT ARE THE COMPONENTS OF THE TRIPWIRE ENDPOINT DETECTION AND RESPONSE SOLUTION?

Tripwire offers an integrated suite of solutions to provide enterprise detection and response technologies.

• Tripwire Enterprise—The industry standard in endpoint asset state change detection.
• Tripwire Log Center—Agent and agentless log and event collection, storage and analysis.
• Tripwire IP360—Proactive profiling and vulnerability assessment of all devices.
• Tripwire Asset Discovery—Proactive scanning and inventory of devices present on, and added to, an enterprise network.
• Tripwire Connect—Long-term storage, reporting and visualization of data collected by all Tripwire products.

WHAT ARE THE THIRD-PARTY INTEGRATIONS THAT ARE RELEVANT TO THE EDR SOLUTION?

Tripwire has the following integration partnerships that are highly relevant to the EDR solution:

• Network firewalls—Palo Alto Networks, Cisco and Check Point
• Network IPS—Cisco/Sourcefire and Palo Alto Networks
• Endpoint Protection—threat intelligence integrations with Lastline, PAN/Wildfire, Cisco/Threatgrid, BlueCoat, Check Point Threat Emulation, iSight Partners, CrowdStrike, Soltra and ThreatStream

WHAT ARE THE VARIOUS MODULES IN TRIPWIRE ENTERPRISE FOR COLLECTING ENDPOINT INTELLIGENCE?

Tripwire Enterprise has multiple modules, each based on the type of device it monitors. The main information harvested by each module is detailed below. Additionally, Tripwire provides an API to harvest any information not on this list.

Endpoint Module

• File change information: ACL, Access, Archive Flag Set, Compressed, Change, Group, Growing, Hidden, Offline Flag Set, MD5, Modified, Package Data, Permissions, SHA-1, SHA-256, SHA-512, Size, Stream Count, System Flag Set, Temp Flag Set, User, Write.
• Registry information: Data Type, Group, MD5, Owner, Package Data, Size, Write.
• Process information: hash, path, change from baseline, etc.
• Port information: open, new open, new closed, change from baseline, etc.

Database Module
Clusters, Database Roles, DML Triggers, Functions, Indices, Libraries, Roles, Schemas, Stored Procedures, Tables, Users, Views, User Defined Types, and any other information that can be gathered with a standard SQL query. Information collected varies by database provider.

Virtual Infrastructure Module
Auto discovery of new guests created in the hypervisor, and all changes to guests in the hypervisor.

Network Device Module
Configuration changes, status check.

Directory Servers Module
User add, user remove, user change permissions, user change group, etc.

Our experience using it has proven Tripwire VIA to be the right choice. It's a powerful tool. There are so many possibilities and so much it can do. We want to take full advantage of it.

Korey Kottke, VP and CTO, Community Bank

With Tripwire, we achieved more security and compliance without taxing our resources. We're now looking at other areas in our system where we can put the change management capabilities in Tripwire Enterprise to use. I'm sure the list will be long.

Justin Webb, Information Security Officer, Marquette University