Gauging Various Levels of Security Content
RL: If you're looking at a FIM solution or an SCM solution, how do you differentiate one that has good content versus one that has not as great content?

TS: There are a couple of different things that you would want to assess if you're looking for "good content" for SCM or FIM solutions. Two of the main drivers are really platform support and policy coverage. So, you want to have a solution that's going to be able to cover as many of the assets that your organization has deployed as possible, if not all of them. So not only your Windows and your Linux type servers but your applications and databases and network devices like your firewalls and switches and those types of things. So, something that can cover all of those and have content for them. If you want to have PCI compliance, you need to have every one of your computing components, your file servers and your databases and even the networking components that are processing credit cards and transferring that data back and forth. All those are in scope. You want something that's going to be able to do that.

https://www.youtube.com/watch?v=PaC7GrqviqY

The second component is you want to be able to have the actual content for those things. Going with the PCI example, say your different assets are split between 70% host-based platforms such as Windows or Linux and 30% network devices. That minority of devices might not have coverage under a given PCI product, which means that's not going to be as valuable to you. You're not going to get as much value out of that product as another one that would have the PCI coverage for all of those different platforms and types of devices.

RL: Does content go out of date? Is it an issue for people when they're buying a solution?

TS: Content can go out of date. It is possible. There are updates to compliance frameworks, so that needs to continue to be updated if you're using actual security content.
From the change management side, things are constantly getting updated to reflect what we want to be monitoring on those systems. So, there are things that are noisy and changing that aren't very important. Looking at new files or new features, new services that are on endpoints or network devices that are changing, we want to be able to make sure we have insight into that.
Why a Content Team is Important to a Security Vendor
RL: What does it mean to have a content team at Tripwire or for any vendor for that matter?

TS: The importance of having an actual content team that's dedicated to creating this content is specifically that this content is continually changing, and it needs to be continually updated. Here at Tripwire, we have a dedicated team that is updating this content every couple of weeks.

RL: How does having that team play into the competitiveness or differentiation for our SCM and FIM products?

TS: The differentiation for Tripwire specifically is that we have support for over 30 plus frameworks that we have actual content for. And we have well over three thousand policies available across those different 30 frameworks. That is the biggest differentiator that we have: the broadest scope of coverage that's going to cover the most assets across the most number of policies. Any kind of compliance need that a customer would have, Tripwire is going to have content for it. If we don't, the content team that I'm responsible for will release new versions, or if there's a policy framework that just came out that a customer finds very important, they can send those requests to myself and my team, and we will release that content and get that available for customers as soon as possible. Every month, we're releasing about 50 pieces of new content with each month's release. We're releasing well over 30 to 40 policies each month. So that could be either content that customers have requested from us, or we are actually keeping up and looking at all of the updates that are coming out.

RL: It seems like a lot to track. How is content prioritized?

TS: Across everything that is coming out, Tripwire will look at the content that our customers are already using. We're looking at what platforms customers are using most frequently, most often. So, things like Windows or Red Hat are very high priority for us. But it could also be driven by the new compliance frameworks that are coming out.
RL: How do people handle this if they don't have Tripwire?

TS: So, there are different maturity models. When we're looking at something like SCM, the less mature organizations are going to be doing things very manually, like looking at the CIS website to see if there are any updates. And if there is something with that, or if it is time for your PCI audit, to manually go through and audit the machines, find the machines, check the settings and create the report is not only just a lot of work. It costs a lot of money, and it's not very fun. If you're using something like a Tripwire, you can automate a lot of that. You can automate the ability to then say, "Okay, there's new content available." We can then put that in there. We're just going to continually scan our system for PCI. So, once a week or once a month, whatever your scheduling cadence would want to be, you have that historical picture of what your PCI compliance looks like for all of the different assets you have under and within scope of that specific compliance framework. When the auditor comes around, you just pass them the report from Tripwire Enterprise. And instead of it being this long, lengthy, drawn-out process, you've already hit the ground running instead of hitting the ground crawling.