So, in the weeks following the Black Hat 2012 conference, I have been thinking a lot about security, my customers and where Tripwire fits into the overall scheme of things. When Gene Kim wrote the original academic version of Tripwire twenty years ago it was considered to be host-based intrusion detection. According to the SANS Institute it's still held up as an example of a HIDS in several of their classes today, but it's very difficult to connect that value to the business.
While Tripwire Enterprise still retains the fundamental elements of the academic version's file integrity management (FIM), it is so much more with its ability to monitor beyond Unix file systems: Linux, Windows, network devices, databases, LDAP and so on. Add in our Security Configuration Management and you have a whole lot of value beyond FIM, especially to the businesses that IT and Security support.
So what is a Security Ninja to do with all of this power? Therein lies the rub. Tripwire Enterprise can detect a lot of change. I see this with my customers all of the time when I visit them to check up on them. How do you separate the wheat from the chaff? The Hacker Pirates from the Swabbies… How do they connect what they do with Tripwire to their business? In a word? Process…
To tell a good change from a bad change, the Security Ninja has to have a good inventory of what is on the network, a picture of what normal traffic looks like and, here is the kicker, visibility into the change process.
Without visibility and knowledge of what assets are important to the business, Security Ninjas can’t understand which systems are at risk and which ones to prioritize.
Change process is simple on the surface: it is the set of steps that must be followed before anyone makes a major change to a device or server. Typically you see a high-level process such as:
1. Make a request for change.
2. Someone approves the change.
3. Make the change.
The key is in the documentation. The better each step is documented, the easier it is for the Security Ninja to reconcile the changes they see in Tripwire Enterprise with the expected changes in the environment.
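To make the reconciliation concrete, here is an added example (my own illustration, not Tripwire Enterprise code and not an interface Tripwire exposes) of the three pieces the process above depends on: a hash baseline of a directory tree, detection of added/modified/removed files against that baseline, and matching each detected change to an approved change record by path pattern and approval window. The file contents, ticket IDs (CHG-1001, CHG-1002), paths and the observation time are all constructed for the demo; any change that no approved, in-window ticket explains is reported as unexpected so an analyst can look at it first.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: str) -> Dict[str, str]:
    """Hash every file under root; keys are forward-slash paths relative to root."""
    baseline: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


@dataclass
class Change:
    path: str
    kind: str  # "added", "modified" or "removed"


def detect_changes(baseline: Dict[str, str], current: Dict[str, str]) -> List[Change]:
    """Diff two hash snapshots; the union of keys catches adds and removes, not just edits."""
    changes: List[Change] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append(Change(path, "removed"))
        elif path not in baseline:
            changes.append(Change(path, "added"))
        elif baseline[path] != current[path]:
            changes.append(Change(path, "modified"))
    return changes


@dataclass
class ChangeTicket:
    """Minimal stand-in for a change-management record (hypothetical shape)."""
    ticket_id: str
    path_pattern: str       # glob over the relative path the ticket authorises
    window_start: datetime  # approved implementation window
    window_end: datetime
    approved: bool


def reconcile(changes: List[Change], tickets: List[ChangeTicket],
              observed_at: datetime) -> Dict[str, list]:
    """Explain each change with an approved ticket whose pattern and window fit, or flag it."""
    result: Dict[str, list] = {"expected": [], "unexpected": []}
    for change in changes:
        match: Optional[ChangeTicket] = next(
            (t for t in tickets
             if t.approved and fnmatch(change.path, t.path_pattern)
             and t.window_start <= observed_at <= t.window_end),
            None)
        if match is None:
            result["unexpected"].append(change)
        else:
            result["expected"].append((change, match.ticket_id))
    return result


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_demo() -> Dict[str, list]:
    """Constructed scenario: one approved config edit, one out-of-window binary edit, one unticketed drop."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", b"port=8080\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "bin/service", b"\x7fELF-stub-v1")
        baseline = take_baseline(root)

        _write(root, "etc/app.conf", b"port=8443\n")     # covered by CHG-1001
        _write(root, "bin/service", b"\x7fELF-stub-v2")  # CHG-1002 exists but window is closed
        _write(root, "lib/drop.so", b"no ticket at all")  # nobody asked for this
        current = take_baseline(root)

        tickets = [
            ChangeTicket("CHG-1001", "etc/*.conf", datetime(2012, 8, 1, 9), datetime(2012, 8, 1, 11), True),
            ChangeTicket("CHG-1002", "bin/*", datetime(2012, 8, 1, 13), datetime(2012, 8, 1, 14), True),
        ]
        observed_at = datetime(2012, 8, 1, 10)  # when the integrity check ran
        return reconcile(detect_changes(baseline, current), tickets, observed_at)


if __name__ == "__main__":
    for change, ticket in run_demo()["expected"]:
        print(f"EXPECTED   {change.kind:<9} {change.path}  ({ticket})")
    for change in run_demo()["unexpected"]:
        print(f"UNEXPECTED {change.kind:<9} {change.path}")
```

The design point is that the ticket has to match on both the path and the time: a valid ticket for the binary still does not explain an edit made outside its approved window, which is exactly the kind of discrepancy a documented change process lets you spot. A real deployment would pull the tickets from the change-management system rather than a list in code, and would record who approved each one.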
Think of Tripwire Enterprise as your checkbook. If you do not have a baseline of how much money you started with and you don’t keep track of how much money goes in and out of the account…how will you know how much money you have at the end of the day or worse…whether or not someone has hacked your account and stolen any…
Process and documentation go hand in hand with Tripwire Enterprise. The better you are at these things, the easier it is to operate Tripwire Enterprise, unlock its true value and connect security to the business.