Zero Trust seems to no longer command the volume of articles that once set it up as a trend that promised a bright new future for security. This is in part because security is a journey. Rushed implementations and low returns often result in burnout with new technology, and generally the real work happens in the quiet stages when analysts and consultants are putting together the tooling and playbooks that deliver true value and not just a “checkbox outcome.”
I think about this journey often when it comes to Tripwire Enterprise (TE) and File Integrity Monitoring (FIM) in general, as it’s something that’s hard to capture in the initial setup state of deployments. It is often where the most interesting discussions happen once people start thinking about how to leverage a tool that’s already in place. With that in mind, let’s explore a simple example of maturing and exploring the security vistas of a FIM program.
Day 1 – Setting off with basic detection
You’ve got your Tripwire Enterprise installation in place, and if you’re using our out-of-the-box critical change audit rules, you’ve already got a wealth of data collected from each of the monitored devices within your estate. More than just a list of files and registry keys, you’ve got detailed information about the software that’s running on each of your systems. For many, this is a useful starting place for change compliance. Putting aside individual files and prioritising where you see new applications being installed offers a quick way to identify common goals for Change Management, including ensuring that only approved applications get installed and they get installed only when an associated and approved change request is in place.
Keeping your installed application list small and monitored delivers instant benefits. Enforcing alerts about software installations can help you:
- Avoid out-of-date application versions, since out-of-date software is a key attack vector.
- Avoid unapproved applications, reducing your security assessment surface area.
- Validate that your change control processes are being followed, with changes only occurring within approved change windows, carried out by approved system admins, and only in association with a valid change request.
Day 2 – Notifying the right way
It’s easy at this stage to get excited about sending out emails and reports based on detecting new application installations, but that isn’t necessarily the right approach for every situation. For some, a weekly report on newly installed applications might be the better approach. Better yet, if you have a list of applications that are pre-approved by the organisation, perhaps consider using Tripwire’s policy assessment tooling to check whether each detected application is on that list, and only send a report out if it is not. Policy test evaluations like these are quick and easy to set up, and since they are flexible and easy to maintain, you can quickly add new applications or add alerting for applications that are not permitted in the organisation.
Day 3 – Automating responses
Triggering a useful email alert when an application is deployed is a good starting place, but you can quickly build on such activities by automating based on some of the use cases noted above. If you’re looking at enforcing good change control process follow-through, then using Tripwire Enterprise’s Integration Framework to reconcile changes against your Change Management System means you don’t even need to cross-reference change requests yourself. Tripwire can check and label changes tied to valid change requests, and it can raise incidents for unexpected application deployments.
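To make the Day 1 criteria (approved application, valid change request, approved window and admin), the Day 2 allow-list check and the Day 3 reconciliation concrete, here is an added example that is not Tripwire code and does not use the Integration Framework; it assumes FIM "new application installed" change records have already been normalised into plain dictionaries, and all hosts, applications, users and change request numbers in it are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data, not Tripwire output or a Tripwire policy definition.
APPROVED_APPS = {"nginx", "postgresql", "openssh"}
# Approved change requests: application, assigned admin and the approved window.
CHANGE_REQUESTS = {
    "CHG-1001": {"app": "nginx", "admin": "alice", "window": ("2024-05-03T22:00", "2024-05-04T02:00")},
    "CHG-1002": {"app": "postgresql", "admin": "bob", "window": ("2024-05-04T01:00", "2024-05-04T03:00")},
}

@dataclass
class Finding:
    host: str
    app: str
    status: str  # approved | unapproved-app | no-change-request | outside-window | wrong-admin

def reconcile(event: dict) -> Finding:
    """Classify one 'new application installed' event: is the app on the approved list,
    is it tied to a valid change request, and did it land in that request's window and admin?"""
    host, app = event["host"], event["app"].lower()
    if app not in APPROVED_APPS:
        return Finding(host, app, "unapproved-app")
    cr = CHANGE_REQUESTS.get(event.get("change_request", ""))
    if cr is None or cr["app"] != app:
        return Finding(host, app, "no-change-request")
    start, end = (datetime.fromisoformat(t) for t in cr["window"])
    if not start <= datetime.fromisoformat(event["time"]) <= end:
        return Finding(host, app, "outside-window")
    if event["user"] != cr["admin"]:
        return Finding(host, app, "wrong-admin")
    return Finding(host, app, "approved")

def exceptions_report(events: list[dict]) -> list[Finding]:
    """Only the findings worth a report: everything that is not a clean, approved change."""
    return [f for f in map(reconcile, events) if f.status != "approved"]

# Constructed events in the shape a FIM change record might be normalised into.
SAMPLE_EVENTS = [
    {"host": "web01", "app": "nginx", "user": "alice", "time": "2024-05-03T23:10", "change_request": "CHG-1001"},
    {"host": "web02", "app": "nginx", "user": "alice", "time": "2024-05-04T09:30", "change_request": "CHG-1001"},
    {"host": "db01", "app": "postgresql", "user": "carol", "time": "2024-05-04T01:30", "change_request": "CHG-1002"},
    {"host": "db02", "app": "postgresql", "user": "bob", "time": "2024-05-04T01:45"},
    {"host": "jump01", "app": "anydesk", "user": "dave", "time": "2024-05-04T11:00"},
]

if __name__ == "__main__":
    for f in exceptions_report(SAMPLE_EVENTS):
        print(f"{f.host}: {f.app} -> {f.status}")
```

Only the four exceptions reach the report; the clean nginx change on web01 is labelled approved and stays out of it, which is the "label the expected, raise the unexpected" behaviour described above.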
Day 4 – Expanding your insights
Perhaps by now you’ve got your change management workflows and alerts in place for unexpected applications, but what do you know about those newly deployed applications? Tripwire will already be collecting a wealth of data about hosts where a new application is being detected, but how about using a new software installation as a trigger to assess the host further, perhaps gathering data to assess whether the new deployment results in increased security risk exposure? Tripwire can automatically assess the machine against MITRE’s ATT&CK framework, and can generate reports if the MITRE ATT&CK assessment results in a change in your security compliance.
Even if doing a security assessment isn’t in your team’s purview (if you’re separating duties between your change audit and your security configuration assessments), this approach can be easily tweaked to make sure you’re keeping coverage of your environment accurate. One way to do this is by setting up an action-based response to trigger Tripwire Enterprise’s agent to gather new baseline data about how a newly installed database instance or web server is configured. This can be done in a few clicks.
Day 5 – Show them how well you’re doing
As you get further along on your journey, you’ll likely want to show off a little! Telling the business how well you’re doing is key to ensuring people remain invested in security and change control. You might start thinking of how to show trend data from your change management and compliance checks to highlight important facts such as:
- The number of devices with unapproved software, and your plan to remediate them.
- The times change control processes were circumvented, and your actions to close those gaps.
- How much your security surface area has increased by virtue of new application deployments, and how the added overhead can impact the organisation.
Fortunately, Tripwire again keeps most of this simple with built-in report templates that can answer these questions.
Bringing in a bit of Lord of the Rings (I can’t resist a geeky reference!) with “Not all those who wander are lost” to this journey, I’m hoping this post has helped you see how those small, initial steps with FIM can lead to many opportunities along the way that can help your change audit and security processes and encourage you to explore more.
Contact us to learn more about how Tripwire can help you on your security journey.