During my time as a cybersecurity admin, I had the authority to decide what was going to be done, but I didn’t have the access to configure or install my own software. To make matters worse, despite having authority over the implementation, I was also held accountable for failures, again without the access needed to fix them. This created a lot of tension between myself and the teams I relied upon to handle implementation details. At times, it was like two mountain goats butting heads to see which caved first. Unfortunately, I always ended up giving in and creating the change ticket they asked for, because I was more concerned about results than my ego.
This story is not unique to me, though: every admin must comply with business processes and rely on others to accomplish tasks within the environment. It is well known that Tripwire Enterprise (TE) can scan a system for compliance and that it can run a remediation script to fix compliance issues. What is less well known is that the same capability can be used for other operational purposes, to run ad-hoc commands and scripts on one or many endpoints. When the security or compliance teams need to run a command on an endpoint, it can be done through Tripwire Enterprise. We have tons of customers who have adopted this capability. They use it to automate routine tasks for their admins on a non-scheduled basis. After writing up the processes and completing a risk review, they get their scripts approved for use from TE, and voilà: on-demand automation scripts that can be leveraged by teams who only sometimes interact with endpoint systems.
Security or convenience… Why not both?
Endpoint teams are often limited in when they are allowed access to systems, based on prior risk analysis. If there is an operational need such as restarting agents for one of their monitoring tools, these routine requests are usually forwarded through the sysadmin teams. Though this division of responsibility makes sense from a risk standpoint, the effect is that real situations arise where the slower response time is the worse outcome. Let me give you a real-world example.
A large financial institution is using Tripwire Enterprise to monitor thousands of servers for PCI/SOX compliance (SCM for Compliance) as well as a handful of critical files (FIM for Security). In working with our teams, they made a comment about the difficulty they were having with another tool. They had identified nearly two dozen agents for this tool that would fall into a non-responsive state every day and subsequently stop checking into the central platform. The only solution was for them to restart the agent services, but this required the security team to file a ticket with the sysadmin team and wait up to four hours for a resolution. During this time, endpoint security monitoring was not operational on these systems.
After being shown how TE could assist in automating the restart of the agents, they wrote rules for our software and incorporated them into an operational playbook. Once approved, their endpoint security team had ad-hoc access to restart the agents without waiting hours. Later, they applied this action as a follow-up from real-time FIM monitoring in TE such that those agents would be restarted entirely automatically just seconds after entering the “no-op” condition. In effect, they used TE to ensure the availability of monitoring agents for another security endpoint monitoring tool.
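As an added illustration of the detect-then-restart pattern described above (this is example code, not Tripwire's own rules or scripts), the following remediation script restarts a monitoring agent only when it is actually stale and leaves an audit line either way. It assumes the agent touches a heartbeat file while healthy and that the caller supplies the restart command; both are assumptions, not details from the page.

```shell
#!/bin/sh
# Added example, not part of the original post or of Tripwire Enterprise.
# Assumed agent behaviour: a heartbeat file whose mtime advances while the
# agent is healthy. The restart command is passed in by the caller so the
# same script can be approved once and reused for different agents.

# agent_is_stale HEARTBEAT_FILE MAX_MINUTES
# Returns 0 (true) if the heartbeat file is missing or older than MAX_MINUTES.
agent_is_stale() {
    hb_file="$1"; max_minutes="$2"
    [ -f "$hb_file" ] || return 0
    # find prints the path only when its mtime is more than MAX_MINUTES ago
    stale=$(find "$hb_file" -mmin +"$max_minutes" 2>/dev/null)
    [ -n "$stale" ]
}

# remediate_agent HEARTBEAT_FILE MAX_MINUTES AUDIT_LOG RESTART_CMD [ARGS...]
# Idempotent: a healthy agent is never restarted. Exit status 0 means the
# agent is healthy or was restarted successfully; 2 means the restart failed,
# so the calling platform can report it instead of silently retrying forever.
remediate_agent() {
    hb_file="$1"; max_minutes="$2"; audit_log="$3"
    shift 3   # remaining arguments are the restart command and its arguments
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if agent_is_stale "$hb_file" "$max_minutes"; then
        if "$@"; then
            echo "$ts RESTARTED $hb_file" >> "$audit_log"
            return 0
        fi
        echo "$ts RESTART_FAILED $hb_file" >> "$audit_log"
        return 2
    fi
    echo "$ts HEALTHY $hb_file" >> "$audit_log"
    return 0
}
```

In TE the restart command would be the service-control command approved in the playbook; here the audit log is a plain file so the result of every run is visible to whoever reviews it.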
The benefits of controlling your processes
When we talk about this Advanced Control capability in these terms, it’s apparent to everyone how powerful and useful it can be. There are many automation solutions, and Tripwire Enterprise is not trying to fill the need to automate software installs. Rather, this is about leveraging the existing capabilities of TE for smaller and more time-sensitive purposes. One of the larger burdens that organizations struggle with in remaining secure and compliant is simply the amount of institutional inertia they have moving in one direction. The moment someone points out that they need to pivot and move in another direction, it becomes a herculean undertaking. Even small things such as restarting an endpoint agent or adjusting the configuration of a security tool become a big task.
Remaining nimble and quick to adapt to operational needs is huge. The other benefit is that employees are freed up to focus on other tasks. It can help increase organizational efficiency and reduce the frustration that employees experience with restrictive processes. These benefits can be realized because admins are then empowered to:
- Update operating system or software configuration on numerous servers.
- Create customized and ad-hoc scripts that are easily deployed, run, and reported on.
- Manage an otherwise complex IT infrastructure more flexibly.
While I tend to place the utmost importance on confidentiality, the truth is that businesses rely more on availability and integrity. Like it or not, there isn’t much value to a failed business that was being run securely. Businesses tend to focus more on operational needs to keep things running, rather than ensuring everything is done securely. I always like to joke that the only secure server is one that isn’t plugged in. While true, it highlights why security is usually a second priority even though we all would like to give it equal focus. This is why it’s so important to enable the endpoint teams and administrators to respond quickly to business needs in a flexible, yet secure manner.
Secure your business with Tripwire
Tripwire Enterprise’s Integrity Monitoring solution can help you not only be compliant with industry-specific and international laws and regulations, but also safeguard your business. In addition, it can help you maintain control over your security and maintenance processes with speed, efficiency, consistency, and safety.
To discover the powerful use cases of the Tripwire Enterprise solution, watch this space or download this handy guide.