Keeping sensitive data and assets safe is the goal of regulatory cybersecurity frameworks such as those published by NIST (the National Institute of Standards and Technology). But for government agency security professionals, staying compliant can feel like a Sisyphean task because of the complexity of applying the controls themselves, and it is especially difficult without the right cybersecurity tools in place.
System and Information Integrity
The NIST SP 800-53 SI-7 control (Software, Firmware, and Information Integrity) belongs to the System and Information Integrity family. As the 2017 executive order on cybersecurity (EO 13800) states, “Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk.” Let’s take a look at the components of the SI-7 control and the ways Tripwire solutions map to each part.
1. Perform Integrity Checks as Required
Tripwire directly provides SI-07(1) controls for software and hardware with real-time, agent-based file integrity monitoring (FIM) and critical change control. Tripwire® Enterprise™ uses monitoring rules and hardening policies that cover the file system and the system state around it, including services, ports, firmware and configuration captured from command output, to keep your systems secure.
2. Automated Notification Upon Discovery of Discrepancy
In support of SI-07(2), Tripwire Enterprise and Tripwire Log Center™ offer a full suite of alerting and actionable event workflows should integrity violations occur.
3. Centrally-Managed Integrity Tools
Tripwire Enterprise and Tripwire Log Center support the enforcement of customer-defined requirements for SI-07(3) by providing centrally managed consoles which can be deployed to support on-premises, cloud-based and hybrid infrastructure models.
4. Automated Action Upon Discovery of Discrepancy
In support of SI-07(5), Tripwire Enterprise and Tripwire Log Center extend the alerting workflows above with automated response: actionable workflows can be set to isolate or shut systems down in the event of a violation, rather than only notifying an operator.
5. Cryptographic Protection
Tripwire Enterprise meets SI-07(6) controls by collecting and utilizing the MD5, SHA-1, SHA-256 or SHA-512 hash value(s) of all file system elements it monitors. It then alerts if a change occurs that reflects a deviation from the baselined hash value(s). Note that MD5 and SHA-1 are no longer collision resistant and should be kept only for compatibility with legacy baselines; SHA-256 or SHA-512 is the appropriate choice for a control whose purpose is cryptographic protection. The baseline itself is also a target: if an attacker can rewrite the stored hashes, the comparison proves nothing, so the baseline store and the agent-to-console channel must be protected as well. Tripwire provides fully encrypted communications, including TLS, and supports FIPS 140-2 validated cryptography.
6. Track and Maintain Records of Unauthorized Changes for Incident Response
Tripwire solutions cover SI-07(7) controls for software and hardware with real-time, agent-based FIM and critical change control. Tripwire Enterprise offers CyberCrime and MITRE ATT&CK dashboards that surface security-relevant changes of interest to the agency, whether or not those changes also affect policy compliance, so that records of unauthorized changes are available to incident responders.
7. Auditing Capability for Significant Events
Tripwire Enterprise and Tripwire Log Center support the enforcement of customer-defined SI-07(8) control policies and procedures by monitoring all aspects of the file system. Tripwire provides a full suite of alerting and actionable event workflows should integrity violations occur, including all of the options offered in SI-07(8). Actionable workflows can be set to isolate or shut systems down in the event of a violation.
8. Verify the Integrity of the Boot Process
In support of SI-07(9), Tripwire Enterprise and Tripwire Log Center help monitor items such as startup tasks, scheduled tasks, firmware changes and more. Tripwire Enterprise maintains a baseline of critical system components and will alert when any deviation from that baseline occurs.
9. Protection of Boot Firmware
Tripwire Enterprise supports SI-07(10) with firmware rules which can be used to identify and alert on deviations from the baselined firmware, and to take action when they are detected. Tripwire Log Center supports both event collection and alerting related to changes to firmware. It’s also worth noting that Tripwire Enterprise will alert when new binary files are added to your system, which is a common indicator of malicious activity.
10. Confined Environments with Limited Privileges
Tripwire solutions will run with limited privileges, but their monitoring ability is then limited by the privileges assigned: a file the agent cannot read is a file it cannot hash. Tripwire also supports SI-07(11) by providing both rules and policy tests which can be used to collect all attributes related to limited privileges on file system components (owners, groups, permission bits and access control lists), and will alert when those user-defined privileges are altered. Tripwire Enterprise and Tripwire Log Center also function well in confined and virtualized environments.
11. Integrity Verification
Tripwire Enterprise supports this requirement (SI-07(12)) by ensuring the primary components of installed software have not been modified from their baseline at installation. Once software is installed, Tripwire Enterprise can baseline, monitor, and alert in real time if components of that software have been modified. This assists admins in ensuring the software in use is valid and not compromised.
12. Code Execution in Protected Environments
Tripwire products support SI-07(13) with both rules and policy tests which can be used to monitor software components including configuration files and file attributes for software with limited or no warranty or from unknown sources. Tripwire will alert when changes to said software components occur.
13. Binary or Machine Executable Code
Tripwire Enterprise does not itself block the use of software from sources with limited or no warranty and without source code (SI-07(14)), but it will alert in real time when unauthorized software is installed or executed. This is done by baselining the services and processes that are authorized on endpoints and alerting when new services or processes start. Using the optional Tripwire Whitelist Profiler also allows alerting when unauthorized software or services are installed or running.
14. Code Authentication
Tripwire Enterprise includes rules that validate trusted certificate authorities and policies that validate CA directory and file settings as well as root certificates, LSA authentication, and security packages.
15. Time Limit on Process Execution without Supervision
Tripwire Enterprise supports SI-07(16) by monitoring changes to task and cron schedulers. Tripwire does not itself enforce time limits on running software, but it can alert when software is started or stopped.