For most practical uses today, a combination of hardening and vulnerability detection is required to secure even the most basic digital environment.
In each area it is important to see the progress you’re making in these competencies so that you can improve and build on the work you and your team have done over time. But with so many assets in your digital environment, how do you score the effectiveness of these security measures?
In this article, I’d like to explain to you how Tripwire has approached this common need.
Let’s start with hardening and compliance.
There are many security standards and benchmarks, such as PCI, NIST, SOX, HIPAA and others, each with its own industry focus. Each standard or benchmark prescribes the appropriate hardened settings for a digital environment based on countless hours of research. A benchmark consists of a list of tests, each tied to a specific setting that keeps the remote system secure; enforcing the mandated settings is a way to harden the environment. How well your environment enforces the settings supplied by the security benchmark is what decides your compliance percentage. Choosing the appropriate standard and remediating the failures found in your own environment is key to ensuring you and your team are focused on securing what matters most for the industry you reside in.
That being said, it has always been a challenge to keep track of the compliance percentage across a wide range of assets and to know the specific details of the remaining work needed to reach your compliance percentage goal. When an administrator simply implements hardened settings on each device, there is no way to validate the new setting and reflect that confirmation across the environment to see your overall and individual compliance percentages.
When Tripwire Enterprise scans your environment, you gain visibility into each of your digital assets and whether it is failing or passing the tests of the security benchmark you are using. For example, if you have a Windows Server and are using the PCI security benchmark, Tripwire will store the scores for each Windows Server under PCI. Once it detects that settings have changed in the environment, Tripwire re-evaluates the tests, and if it finds that the appropriate hardened setting has been implemented, it moves the test from a failing to a passing result.
For each failed test under the security benchmark, Tripwire provides the exact remediation steps needed to harden the setting as required by the standard in use. It then reports this information where it can be visualized by the team responsible for making the adjustments. Tripwire customers have access to an extensive, frequently updated library that covers all the standards mentioned here and more.
To get a status update on how well your environment is enforcing these standards, Tripwire provides a compliance percentage for individual assets, for the entire environment and for any group you prefer. As a metaphor, I like to picture hardening as a plate of armor that you can put on your environment. This armor protects against outside threats, with each security benchmark acting as a different brand of armor. With Tripwire you know where you are covered and where you are not.
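One way to model the scoring described above, as an added example that is not Tripwire's code: the benchmarks, hosts and observed settings are all constructed, and the pass/fail comparison is a simplified stand-in for a real benchmark test. It covers per-asset, per-group and environment-wide percentages, the list of failing tests with their hardened value, and re-evaluation after a setting is actually observed on the host.

```python
from dataclasses import dataclass

# Constructed benchmarks (not real PCI content): test id -> hardened value expected.
WINDOWS_BENCH = {"min_password_length": 14, "lockout_threshold": 5,
                 "smbv1_enabled": False, "audit_logon_events": True}
LINUX_BENCH = {"ssh_permit_root_login": "no", "ssh_permit_empty_passwords": "no"}

@dataclass
class Asset:
    name: str
    group: str
    benchmark: dict
    results: dict  # test id -> True (pass) / False (fail); filled by evaluate()

def evaluate(asset, observed):
    """Compare each benchmark test with the setting observed on the host. A missing
    setting fails; a failing test flips to pass only once the hardened value is seen."""
    asset.results = {t: observed.get(t) == want for t, want in asset.benchmark.items()}
    return asset.results

def compliance(assets):
    """Compliance percentage: passing tests over all tests across the assets."""
    total = sum(len(a.results) for a in assets)
    passed = sum(sum(a.results.values()) for a in assets)
    return round(100.0 * passed / total, 1) if total else 0.0

def by_group(assets):
    groups = {}
    for a in assets:
        groups.setdefault(a.group, []).append(a)
    return {g: compliance(members) for g, members in groups.items()}

def failing(asset):
    """Tests still failing, each with the hardened value to apply (the remediation)."""
    return {t: asset.benchmark[t] for t, ok in asset.results.items() if not ok}

# Constructed scan observations from three hosts.
ASSETS = [Asset("web01", "dmz", WINDOWS_BENCH, {}),
          Asset("db01", "internal", WINDOWS_BENCH, {}),
          Asset("app01", "internal", LINUX_BENCH, {})]
OBSERVED = {"web01": dict(WINDOWS_BENCH),  # fully hardened host
            "db01": {"min_password_length": 8, "lockout_threshold": 5,
                     "smbv1_enabled": True, "audit_logon_events": True},
            "app01": {"ssh_permit_root_login": "yes"}}  # second setting absent

def environment_report(assets=ASSETS, observed=OBSERVED):
    for a in assets:
        evaluate(a, observed[a.name])
    return {"environment": compliance(assets), "groups": by_group(assets),
            "assets": {a.name: compliance([a]) for a in assets}}
```

Note that the environment figure (60.0 here) is computed over all tests, not as the mean of the per-asset percentages (50.0); the two diverge as soon as assets are measured against benchmarks of different sizes, so a report should state which it uses.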
Vulnerability Detection and Management
For vulnerability detection, you need software that reviews your digital assets on a frequent basis, looking for any exploitable weaknesses. This can involve looking for old and vulnerable versions of applications, or checking for newly disclosed security issues that exploit weaknesses in configurations and/or software.
In some areas, compliance and vulnerability detection overlap, but in most cases they do not. For example, a security compliance standard may require the best protections for Java to be present on the system. However, having the latest Java protections on the system does not account for old versions still present on the file system. Because vulnerability detection reviews the entire system for flaws, any of those older versions that still exist will be flagged. The Tripwire vulnerability database is updated frequently, and if vulnerabilities are found in newer versions of software, those are reported to the user as well.
Keeping track of and identifying the vulnerabilities in your environment, assigning a score or priority, and resolving these issues is considered part of vulnerability management. Unlike compliance, the score you receive for vulnerabilities tells you how vulnerable the environment is.
Like many other vulnerability solutions, Tripwire provides CVSS scores for each vulnerability. In addition, Tripwire provides a proprietary vulnerability score that allows for a more granular explanation than a plain 1-10 rating. The factors that make up the score include the level of skill required to exploit the vulnerability and the access it grants. This initial score, derived from those factors, is given on a 1 – 65,000 range and increases with the amount of time the issue remains on the system. A fix is provided with each vulnerability found as well.
Using the previous metaphor, we can think of vulnerability detection with Tripwire as a process for finding openings in our armor and protecting against those issues, using more granular scores and details than most other vendors offer.
Tripwire Security Dashboard with Compliance and Vulnerability Scores
For compliance, we have an extensive library of standards that can all be used at your discretion to harden your environment. Our vulnerability solution is frequently updated to make sure you stay aware of the vulnerable areas in your environment. With the Tripwire Security Dashboard, you can see your compliance percentage and vulnerability scores in one view for any of your digital environments.
With your compliance and vulnerability scores available at your fingertips, you are able to save time, money and resources as you secure your environment.
You can learn more about Tripwire’s cybersecurity and compliance solutions here.