The Tripwire Product Suite is capable of collecting a treasure trove of information. These stored pieces of data can change from useful information to an exhaustive record of every activity, something which can easily overwhelm your IT staff. We are going to focus on FIM
information today to help eliminate the noise and focus in on delivering actionable data to the appropriate audience(s).
One of the most, if not the most, important person using a product is the administrator(s). The product administrator also typically consumes information that the organization at large may not care about. This could include any changes to nodes, logins to the product, ACL settings, monitoring settings, or node health status. Having a single place that the administrator can go with a full view of the instance health can help eliminate time spent reviewing the product, effort which turns doing additional configurations or other time-consuming tasks.
A change management solution may look at authorized changes, rate of change, and/or a quick high-level view of how many nodes have changed to make sure the changes coming across are reconciled to the change management process. The key here is splitting up the data in a way that makes sense for your internal structure. Is your environment segregated by operating system, application, department, or a combination of everything? No problem! Splitting up the data can ease the load of reviewing changes. For example, application owners can look at just their applications changes and then approve them instead of having someone try to figure out whether an update to Java was authorized.
Have you ever had a production service go down due to an unexpected change? Tracking changes will allow you to know exactly what happened before it went down to help speed up the recovery. Real-time alerts can kick out notifications based upon any changes made by privileged logins or track hardware changes to virtual machines, like dropping 12GB of RAM down to 2GB before seeing performance instability. SCM can also be used to track adherence to any custom requirements, like whether the environment has any certificates expiring in 30 days or network shares all meet a certain standard of permissions.
Another important perspective is security, which looks for malicious, suspicious, or risky changes. A user may be authorized from a change management view, but then from the security side it could be seen as a risk to give user Bob access to PCI and the SOX environment. Organizations taking a proactive approach to security may be interested in Indicators of Compromise
, such as changes to DNS servers, installed software, or new executables. Integrating FIM data into a threat intelligence service, such as WildFire or ThreadGrid, can yield powerful alerts by allowing the threat intelligence feed to put the context on whether a change is malicious.
We will finish up on compliance, focusing in on the SCM information such as PCI, CIS, NIST, NERC, and SOX. Trending data can be assessed to gauge the month-over-month progress for executives to ensure they are hitting any applicable KPIs or metrics. The team in charge of remediation would be more interested in what is currently passing or failing and how to fix it. The data can be broken up by compliance requirements (Ex. PCI Requirement 1, requirement 2, etc) rather than trying to tackle it all at once. Using role-based access, a QSA/ISA could have a customized view that only shows the compliance information needed.
In summary, we covered how the same data can be used differently depending on the department. Once you ensure the right data makes it to the right audience, then you can have confidence that the information provided is actionable rather than noise.
You can watch a webcast on "Right Data, Right Audience" in the context of Tripwire Enterprise reporting below:
Also, if you are interested in learning how to create reports within Tripwire Enterprise, click here