ORDELL: Take the keys, man. Listen to music.
LOUIS: Which one is for the car?
(Ordell finds it. While he goes through the keys, Vicki comes back on the line.)
(Max speaks with her as he fills out his papers.)
ORDELL: (holding a key)
This one’s for the ignition…
(holding a little black box)
… but you gotta hit this thing to shut the alarm off and unlock the door.
LOUIS: What do I do?
ORDELL: You ain’t got to do nothing. Just point at it and push the button. You’ll hear the car go “bleep.” That means the alarm’s off and the doors are open.
ORDELL: Now play the volume as loud as you want but don’t touch my levels. I got them set just the way I want ’em.
(Louis nods and goes out.)
Is this Jackie Brown or is it Tripwire?
The reality is, it’s both. This is a powerful scene in Jackie Brown because it illustrates what Tripwire is all about in making sure that a golden image can be maintained via secure configuration management.
But how would you know if it was changed?
Introducing secure configuration management
The National Institute of Standards and Technology (NIST) in SP 800-128, defines security configuration management (SCM) as “The management and control of configurations for an information system to enable security and facilitate the management of risk.”
Assailants look for systems that have default locales that are susceptible. Once an attacker manipulates a structure, they start making changes.
SCM can help prevent this type of malicious activity. It can do so by not only detecting misconfigurations that make your practices susceptible but also by identifying “uncommon” changes to important files or registry keys.
This is why Ordell didn’t want Louis touching his dials…but how can he know for sure?
With new zero-day threats revealed almost daily, signature-based defenses are just not enough to detect sophisticated and advanced threats.
To detect a fissure at its inception, organizations need to not just understand what is changing on critical devices but also be able to identify “unwanted” modifications.
SCM tools allow companies to recognize exactly what is changing on their crucial resources “in time.”
Tripwire is able to do this by:
- Setting policy – Identifying which files on which devices need to be monitored.
- Baselining files – Ensures the files you assess are in a known good state.
- Monitoring and reconciling changes – You can see hundreds of file changes on a normal day on a single system. Knowing a good change from a bad one is essential.
- Alerting – When unauthorized changes are detected, focusing on the highest priority alerts and taking corrective action before more damage is done.
- Reporting – FIM is required for several areas of compliance and most other standards. Clear reports with the ability to drill-down are important both for operational processes and audit compliance.
SCM in a Nutshell
By setting a gold standard configuration for your systems and continuously monitoring for indicators of compromise, organizations can quickly identify a breach.
Early detection of a breach helps to mitigate the damages of an attack or multiple attacks.
Using SCM to implement a corporate hardening standard like CIS, NIST and ISO 27001 or a compliance standard like PCI, SOX or HIPAA provides the ability to continuously harden systems to reduce the attack surface.
And hardened systems, i.e. a secure baseline, provides more assurance against the bad guys to launch a successful attack.
With Tripwire, if those dials were changed, Ordell would have known sooner and would be able to take action on those changes in a positive way.