Tripwire File Integrity
Best of Breed File Integrity Monitoring
Assure System Integrity
Change may be the way of the world, but it’s the sworn enemy of IT security. Compliance regulations like PCI DSS, NIST 800-53 and the SANS 20 Critical Security Controls require file integrity monitoring to pass ongoing audits.
It only takes one accidental, misguided, undocumented—or malicious—change to undermine the state of your IT infrastructure and turn integrity into uncertainty. Tripwire’s File Integrity Monitoring finds, assesses and acts on those changes as soon as they occur. It assures ongoing system integrity and automates detecting, auditing and reconciling changes—even the low profile, obscure ones that reveal advanced hacks and exploits.
Tripwire provides the most complete and comprehensive file integrity solution in the world. Tripwire File Integrity Monitoring is available as a standalone solution or as part of Tripwire’s Security Configuration Management suite. With Tripwire, you have continual assurance of the integrity of security configurations and complete visibility and control of all change for your continuous monitoring, change audit and compliance demands.
HIDS, All Grown Up
Tripwire started life as a host-based intrusion detection system that detected macro changes to files and folders. Years spent honing this ability have resulted in a solution that detects even the finest-grained changes—for example, to registry entries, configuration files, executables, and more in servers; to tables, indexes, and stored procedures in databases; to routing tables, firewall rules, configuration files, and ACLs in network devices; and to group policy options and global policies for directory services. Couple this with ChangeIQ™ intelligent change assessment and prioritization, and it’s easy to see why Tripwire Enterprise is considered “best-of-breed” file integrity monitoring.
Tripwire is smart about change. With thousands of changes occurring daily—even in mission-critical servers—you need active change intelligence to differentiate between “good” and “bad” change. ChangeIQ assesses and prioritizes changes using features like customizable severities and scoring to represent risk; different actions based on whether changes are to new, modified or deleted files; auto-reconciliation of detected changes to match change manifests, policies, or reference servers; and approval templates that make it easy to track the circumstances around changes. With ChangeIQ, you gain true change intelligence.
“Before and After” Views Make the Difference
There are dozens of log-based, simplified file integrity solutions on the market. Many try to provide security by showing that “something” changed without letting you know what changed. Not Tripwire. Detailed before-and-after views leverage continuous, versioned baselines to show whether detected changes were to content, hashing, permissions, general file attributes or any other parameter. Without this side-by-side view you’re left guessing the possible severity of every change.
The IT Security “Whodunit”
When investigating a file or configuration change to determine whether or not to sound an alarm, one of the most important data points to assess is “Who?”. Who made this change? Are they part of the CAB or on the change team? Do they normally have rights to this system, or are they an unexpected user? Knowing “who” details can put the spotlight on an insider threat, or quickly change an event’s status from emergency to business-as-usual.
File Integrity Manager provides real-time change monitoring and detection, as well as schedule-based checks and scans. This means you receive immediate, prioritized notifications when changes are made to critical files and configurations or to confidential folders and directories. This ensures that you don’t fall victim to the breach-to-detection gap, which can run to months and lead to staggering data losses and severely impact your brand and credibility.
It’s All About the Agent
File Integrity Manager provides agent and agentless based monitoring of your entire extended enterprise including servers, databases, network devices, firewalls, desktops, applications and legacy systems. Tripwire’s SCM Suite provides the most complete set of agent and agentless approaches to assure coverage and confidence across any and all systems. Tripwire Enterprise uses a robust, streamlined agent for most platform analysis to ensure quick, detailed, and accurate analysis of system integrity. Tripwire CCM utilizes a completely agentless approach to monitor the integrity of designated files. Whatever your needs and requirements are, you can turn to Tripwire’s leading SCM Suite for the answer.
Content that Helps You Focus on Changes that Matter
Some changes, such as to permissions and to critical configuration files, should never occur without proper planning and authorization. Still, not all changes are critical. How do you know the difference? Tripwire provides Critical Change Rules—pre-packaged sets of content—that monitor for the most serious changes and save you from having to reconcile hundreds of less important change events.
Change Ticketing Integration
Systems like BMC Remedy and other ITIL-based change management tools are excellent resources to understand if detected changes were planned. The File Integrity Manager in Tripwire enables integration with change ticketing systems to not only automate the reconciliation of detected changes, but to validate that planned changes have actually taken place.
FILE INTEGRITY MANAGER
Changes to configurations, files, and file attributes across the IT infrastructure are just part of everyday life in today’s enterprise organization. But hidden within the large volume of daily changes are the few that can impact file or configuration integrity. These include unexpected changes to a file’s credentials, privileges, or hash value, or changes that cause a configuration’s values, ranges and properties to fall out of alignment with security policy. To protect critical systems and data, you need to detect all change, capture details about each one, and use those details to determine if it introduces security risk or non-compliance. You also have to do that in real time to stop an attack from succeeding—or minimize the impact of a successful one.
But with constant changes to files and configurations occurring, how do you tell the difference between “good” and “bad” ones? Or in a more pragmatic sense, between business-as-usual changes and the ones that spell trouble? That’s what file integrity monitoring (FIM), a critical security control, is supposed to do. Unfortunately, most FIM solutions determine that a change occurred and stop right there. Only a few capture change in real time and with enough detail to show you who made it. Fewer still provide the option to automatically remediate an undesirable configuration change. Organizations need “true” FIM—file integrity monitoring that detects each change as it occurs and uses change intelligence to determine if a change introduces risk or non-compliance. File Integrity Manager, a core component of Tripwire® Enterprise, offers exactly this by combining Tripwire’s industry-leading change detection with ChangeIQ™ change intelligence and automated remediation.
File integrity monitoring was invented by Tripwire. But that’s only one reason why so many consider “Tripwire” synonymous with this critical security control. Tripwire Enterprise has taken FIM far beyond basic change auditing. It not only collects highly detailed change data in real-time, it also adds change intelligence and automated remediation and then integrates this data with the other critical security controls found in the Tripwire VIA™ platform.
CHANGE DATA IN REAL TIME WITH AGENT-BASED FIM
One of the big differentiators between File Integrity Manager and other FIM solutions is Tripwire’s use of agents to continuously capture detailed who, what and when change details in real time, with little impact on systems. Tripwire’s lightweight, easy-to-manage agents mean you don’t miss the changes that occur between scans that can leave systems and data exposed. While some solutions claim to be agentless, they actually install and uninstall an agent each and every time they collect change data, which increases overhead and risk. And the truly agentless solutions only collect a subset of the change data that File Integrity Manager collects, which reduces your knowledge of system states as well as your overall security posture. Other solutions rely on periodic megascans to collect detailed change data, but due to the impact these scans impose on systems, they’re usually only scheduled to occur weekly, monthly or even quarterly.
CHANGE INTELLIGENCE WITH ChangeIQ
In addition to capturing highly-detailed change data in real time, File Integrity Manager uses ChangeIQ change intelligence to differentiate between “good” change and “bad” change, or at least between expected changes versus undesired and potentially harmful ones.
- Determines if changes take configurations out of policy
- Reconciles changes against change tickets or a list of approved changes in a text file or spreadsheet
- Automates responses to specific types of changes—for example, flag the appearance of a DLL file (high-risk) but auto-promote a simple modification to a DLL file (low-risk)
- Triggers a user-tailored response when one or more specific changes reach a severity level threshold that one change alone wouldn’t trigger—for example, a minor content change accompanied by a permission change that was done outside change window hours
In short, ChangeIQ turns raw change “noise” into actionable information.
AUTOMATION HELPS ORGANIZATIONS KEEP UP WITH THE WORKLOAD
Most IT organizations have too much to do and not enough time or staff to do it. Automation is essential to keep up with the workload. File Integrity Manager uses automation to detect all changes and to remediate those that take a configuration out of policy. At the same time, ChangeIQ auto-promotes countless business-as-usual changes, so IT has more time to investigate changes that may truly impact security and introduce risk.
BENEFITS OF TRIPWIRE ENTERPRISE FILE INTEGRITY MANAGER
- Captures change data with greater granularity and specificity than other FIM solutions, including who, what, when and even how details
- Continuous, real-time change detection across the enterprise infrastructure—virtual, physical and hosted—to detect and respond to malware
- Provides a reliable host-based intrusion detection system that safeguards against exploits and breaches
- Offers broad support for almost any IT asset—servers, platforms, devices, applications, and more
- ChangeIQ capabilities that help determine if a change is business-as-usual or introduces risk or non-compliance
- Provides automated remediation of changes that cause non-compliance with any Tripwire security policy or a custom, internal policy.
- Captures highly-detailed change data in real time without notable impact on systems.
FILE INTEGRITY MANAGER AND THE TRIPWIRE VIA PLATFORM
The Tripwire VIA platform lets you integrate File Integrity Manager with all your Tripwire security controls—security configuration management (SCM), log management and SIEM. It also adds components that combine and manage the data from these controls more intuitively and in ways that protect data and infrastructure better than before. For example, the VIA Event Integration Framework (EIF) adds valuable change data from File Integrity Manager to Tripwire Log Center or almost any other SIEM. With EIF and other Tripwire VIA components and capabilities, you can easily and effectively manage the security of your modern IT enterprise.