One of the only things that is constant in life is change. It’s the same with cybersecurity. There are different types of changes to consider.
- Changes that we accept
- Changes that are good
- Changes that are bad
A lot of changes in our everyday life are out of our control. It can be hard to discover, monitor and even react to change. However, when it comes to change in the world of cybersecurity, it’s possible we can manage that change in a way that can have a positive impact on our business.
Change is a leading indicator of your systems becoming vulnerable to being exploited; therefore, monitoring change of your systems is critical. But where do organizations start, and how do they know what is important?
In a recent blog, my colleague Chris Orr lists six things that your change management system should have in place:
- An easily understood series of steps. A recipe. A playbook. Call it what you want, but it needs to be repeatable and not overly complicated. Make sure to build in an emergency break/fix plan, as well.
- An effective system of record that is accessible. Something automated is preferable, but again, a spreadsheet on a SharePoint server is better than nothing at all. It also certainly beats shouting across the cubicles: “HEY, I’M ABOUT TO MAKE SOME CHANGES TO THAT SERVER!”
- Identify who the stakeholders are. There should be a mix of technical and non-technical folks involved who have a vested interest in the process. Segregation of duties will be a key component here. The folks making the changes should not be the ones approving them.
- Reporting is a huge issue. Not just deep detailed byte-level changes, mind you. No business unit owner will understand that. This is why service-level reporting is also critical. If three servers and a database make up a critical application, have reporting that allows you to drill down to the individual servers but present higher-level reports around the service itself to which the business owner can relate.
- Methods to detect change and map them back to the process. Auditors love automation. Anything that saves and lowers the chances for mistakes. This is usually why scripts and/or relying on logging to detect changes does not scale beyond a few servers very well. Purpose-built applications that integrate directly with your change process software reduces the opportunity for errors.
- Understand that authorized change is not necessarily good change. Just because an employee has an authorized change request to install and enable telnet on a server doesn’t make it a good change. You might as well plug the server into the wall at the local Starbucks with the password taped to the monitor.
This is where Tripwire comes in. Tripwire Enterprise (TE) gives you the visibility you need in order to track all file changes so that you know exactly where, when, and how all changes occur. As you go through your change management reconciliation process, you may discover files that you’re not familiar with and therefore don’t understand how they will behave.
Now, you can now extend TE’s capabilities even further and reap the benefits of advanced file analysis to learn the behavior of files and executables using Tripwire File Analyzer.
Tripwire File Analyzer
When a new file or executable appears on the systems monitored with Tripwire Enterprise, Tripwire File Analyzer can immediately inspect it to identify its behavior and assign it a score from 1–100, flagging it as benign, nuisance or malicious. It analyzes several common file types, including:
- File hashes
Tripwire File Analyzer inspects files in a quarantined sandbox environment in the cloud, keeping your systems safe. A comprehensive PDF report is then provided within the Tripwire Enterprise console. It automatically provides behavioral information about files and executables, including (but not limited to) the following examples:
- Libraries loaded
- I/O: Console I/O, Device I/O
- File system activity
- Registry activity
- Process interactions and operations
- Network activity
- Threat potential
Key Benefits of Tripwire File Analyzer
An integration to Tripwire Enterprise, Tripwire File Analyzer supplements its core file integrity monitoring (FIM), security configuration management (SCM), and foundational controls enforcement. Get detailed behavioral reports on files and executables in minutes straight from your Tripwire Enterprise console.
Tripwire File Analyzer:
- Keeps environments safe using a quarantined sandbox area for analysis
- Offers behavioral visibility into files and executables across all monitored systems
- Supports all of the same platforms as Tripwire Enterprise
- Automates time-consuming manual file and executable analysis efforts
- Delivers immediate notifications within the Tripwire Enterprise console
Used in conjunction with Tripwire Enterprise, Tripwire File Analyzer can automatically analyze and report on the behavior of files and executables. For more information see https://www.tripwire.com/solutions/tripwire-file-analyzer/.