
8/9/2019 Tripwire File Integrity Monitoring White Paper (1)

FILE INTEGRITY MONITORING: COMPLIANCE AND SECURITY FOR VIRTUAL AND PHYSICAL ENVIRONMENTS

WHITE PAPER

IT SECURITY AND COMPLIANCE AUTOMATION SOLUTIONS


EXECUTIVE SUMMARY

Today's organizations rely on numerous devices and applications in their physical and virtual IT infrastructure to carry out their everyday business. When these devices are configured improperly, whether as a result of malicious hacker attacks or inadvertent employee modifications, the IT infrastructure may be exposed to security risk that leads to service outages and theft of sensitive customer or organization data.

As a means of combating issues caused by improper change, organizations employ file integrity monitoring (FIM) solutions to keep an eye on a variety of files associated with the IT infrastructure, including configuration files, registry files, executables, and more. Many of these solutions first establish an authorized baseline configuration, which represents the known and trusted state of a system. The solution then monitors these files for any change that diverges from the established baseline configuration and alerts IT when changes are detected. IT can then determine if the change is good or undesirable and take any necessary corrective measures. Some FIM solutions can automatically reconcile changes against pre-defined parameters to help streamline the change management process.

At a minimum, a FIM solution should be able to establish a baseline, monitor for configuration change relative to the baseline, determine if change is planned or unplanned, alert when unplanned change occurs, and provide detailed information to help IT remediate any improper changes. Using a detailed requirements checklist can help ensure you've chosen the solution for your IT infrastructure.

But FIM is only part of the configuration control story. Without first verifying the integrity of the IT infrastructure, the likelihood that those changes will have a negative effect increases. Compliance policy management solutions address the need to first get configurations of the IT infrastructure into a trusted state by proactively assessing configuration settings against internal and external policies. These policies, based on industry and expert-recommended best practices and standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Center for Internet Security (CIS) benchmarks, or VMware Infrastructure Hardening Guidelines, provide visibility into the state of your IT configurations and deliver prescriptive remediation guidance to help achieve a known and trusted state. When seamlessly combined with a file integrity monitoring solution, organizations gain control of their IT infrastructure configurations and maintain its trusted state.

Tripwire, the leading provider of IT security and compliance automation solutions, helps organizations gain continuous compliance and take control of security and compliance of their IT infrastructure. Tripwire security and compliance automation solutions include Tripwire Enterprise, which combines file integrity monitoring, compliance policy management, real-time analysis of detected change and prescriptive remediation guidance to help IT organizations achieve and maintain the IT infrastructure in a compliant and secure state. Tripwire also offers Tripwire Log Center, a complete log and security information event management (SIEM) solution that integrates with Tripwire Enterprise to provide even greater control of the IT infrastructure. And Tripwire Customer Services can help organizations quickly maximize the value of their Tripwire technology implementation. Tripwire solutions deliver visibility across the entire IT infrastructure, intelligence to enable better and faster decisions, and automation that reduces manual, repetitive tasks.

AN INCREASED NEED FOR VISIBILITY INTO IT CONFIGURATIONS

The IT infrastructure of an organization, whether public, private, or governmental, may have hundreds or even thousands of servers, devices, applications, and other elements that support its everyday business processes. And more and more, organizations are beginning to deploy virtual environments into this infrastructure. But for the organization to benefit from these infrastructure elements, whether physical or virtual, each must be configured properly. That is, the files associated with each element must have settings that reduce the risk of security breaches, optimize operations, and help achieve compliance with relevant regulations and standards. File integrity monitoring helps IT ensure the files associated with devices and applications across the IT infrastructure are secure, controlled, and compliant by helping IT identify improper changes made to these files, whether made maliciously or inadvertently.


WHAT IS FILE INTEGRITY MONITORING?

In an IT network, files can range from simple text files to configuration scripts, and any edit to such files can compromise its integrity. A change to a single line item in a 100-line script could prove detrimental to an entire file or operating system. For example, incorrectly assigning the wrong IP address to a startup script or a newly installed network printer could disrupt the network. Below are some examples of the type of configuration settings a file integrity monitoring solution detects and monitors:

Registry entries
Configuration files
.exe
File and directory permissions
Tables
Indexes
Stored procedures
Rules
ACLs
Adds/Deletes/Modifications
Auditing/logging
Access controls
System files
Web root

File integrity monitoring solutions, also called change auditing solutions, ensure the file for a server, device, hypervisor, application, or other element in the IT infrastructure remains in a known good state, even in the face of inevitable changes to these files. Ideally FIM not only detects any change to files, but also includes capabilities that help IT immediately remediate issues caused by improper change. The following sections describe the capabilities often available with file integrity monitoring solutions.

ESTABLISHES A BASELINE

When IT deploys a system/component into its technology infrastructure, it typically does so with the knowledge that the component is initially configured appropriately. A file integrity monitoring solution captures the known good state of the entire system's IT configuration settings when it is deployed (or when it has been configured with recommended settings) and uses this state as a baseline configuration against which the solution can compare a later configuration. Many times this configuration state is referred to as a golden, compliance, or configuration baseline. A baseline-to-current-configuration comparison lets the solution immediately and automatically detect discrepancies caused by change.

Given today's rapid deployment of virtual machines, an ideal file integrity monitoring solution would also include in the baseline the configurations of virtual environment elements. These elements include the physical server, hypervisor, each guest OS, and any applications and databases running on a guest OS.

ALERTS AND NOTIFIES IT

When the solution detects change, whether authorized or unauthorized, IT needs to determine whether or not the integrity of a file has been compromised and whether the change requires immediate attention. IT should have the ability to specify which devices and files are critical and therefore require high-level, immediate attention versus those that do not. For example, the configuration file of an e-commerce site or a database populated with sensitive customer financial or medical data would warrant immediate attention, while configuration changes to non-critical systems could be addressed as time permitted.

Based on whether a system was viewed as critical or non-critical, the solution should be able to send alerts and notifications using a variety of methods to be sure IT receives them. For example, an email alert is worthless if the detected change disrupted email service. Other methods of notifying IT include an alert in the system tray, SNMP, CMD, SYSLOG, page, or within the management console. Early detection enables the administrator to quickly make any necessary corrections.

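The baseline-and-compare loop the sections above describe, as an added example in Python. This is not Tripwire's code and not how Tripwire Enterprise is implemented: it snapshots a directory tree into per-file records of size, permissions, owner, time stamps and content hashes, saves that as the baseline, and on a later scan reports which entries were added, deleted or modified and which attributes differ. The directory layout, file names and contents built in demo() are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Content hashes per file. The paper lists MD5 and SHA-1; SHA-256 is included
# here because MD5 and SHA-1 are collision-prone and should not stand alone.
HASHES = ("md5", "sha1", "sha256")

# Attributes whose difference is reported as a change. Time stamps are kept in
# the record for the audit trail, but a bare time stamp change is not reported.
COMPARED = ("kind", "size", "mode", "uid", "gid", "target") + HASHES


def file_record(path: Path) -> dict:
    """Capture the attributes the paper's server file system table lists:
    size, permissions, owner/group, time stamps and content hashes."""
    st = path.lstat()
    if stat.S_ISDIR(st.st_mode):
        kind = "dir"
    elif stat.S_ISLNK(st.st_mode):
        kind = "link"
    else:
        kind = "file"
    rec = {
        "kind": kind,
        "mode": stat.filemode(st.st_mode),  # e.g. -rw-r--r--
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),          # modify time
        "ctime": int(st.st_ctime),          # change time (POSIX) / creation time (Windows)
    }
    if kind == "file":
        data = path.read_bytes()
        rec["size"] = st.st_size            # directory sizes vary by file system, so not recorded
        for algo in HASHES:
            rec[algo] = hashlib.new(algo, data).hexdigest()
    elif kind == "link":
        rec["target"] = os.readlink(path)   # a retargeted symlink is a content change
    return rec


def snapshot(root) -> dict:
    """Walk root and return {relative posix path: record} for every entry."""
    root = Path(root)
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def compare(baseline: dict, current: dict) -> list:
    """Diff two snapshots: sorted list of (path, change, changed_attributes)."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "deleted", ()))
        elif path not in baseline:
            changes.append((path, "added", ()))
        else:
            b, c = baseline[path], current[path]
            diff = tuple(a for a in COMPARED if b.get(a) != c.get(a))
            if diff:
                changes.append((path, "modified", diff))
    return changes


def save_baseline(records: dict, out_path) -> None:
    """Persist the trusted state; keep old files to archive baseline history."""
    Path(out_path).write_text(json.dumps(records, indent=1, sort_keys=True))


def load_baseline(in_path) -> dict:
    return json.loads(Path(in_path).read_text())


def demo() -> list:
    """Constructed scenario: baseline a small tree, then edit a config file,
    loosen a permission, add a file and delete one. Returns compare()'s output."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "app").mkdir(parents=True)
        (root / "app" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "app" / "secret.key").write_text("constructed-key-material\n")
        os.chmod(root / "app" / "secret.key", 0o600)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        (root / "app" / "app.conf").write_text("listen=0.0.0.0\n")  # content changed
        os.chmod(root / "app" / "secret.key", 0o644)                # permission loosened
        (root / "app" / "plugin.so").write_bytes(b"\x7fELF")         # new file
        (root / "hosts").unlink()                                    # deleted

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for path, change, attrs in demo():
        print(f"{change:9} {path} {' '.join(attrs)}")
```

Run the file directly and it prints the four detected changes. Two design choices matter in practice: time stamps are stored but never used to decide that something changed, so a touch without an edit raises no alert; and only the attributes in COMPARED are diffed, so adding a new attribute to the record never silently changes what counts as a violation.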


HELPS RECONCILE AUTHORIZED VERSUS UNAUTHORIZED CHANGE

Many solutions integrate with change management processes and change management databases. By comparing authorized change tickets with detected changes, IT can immediately determine if the change was planned or unplanned. FIM solutions can also create exception incident tickets within existing change management systems and enrich existing incident tickets with change data. Some solutions additionally can identify who made a change, allowing organizations to enforce the recommended zero tolerance policy for unauthorized change or to determine that the change originated from an external source. Even if an organization does not have a change management system, but instead has a list of approved changes, an ideal solution would be able to automatically reconcile detected changes with this list.

HELPS DETERMINE IF A CHANGE TOOK SYSTEMS OUT OF COMPLIANCE

With the numerous compliance mandates organizations face today, IT must also determine if a detected change removes a system from a compliant state. A file integrity monitoring system can do this by comparing each detected change against settings contained in a compliance policy. Those changes that do not take the system out of compliance can be viewed as lower priority, while those that do impact compliance should send alerts, so IT can take immediate measures to return the system to a compliant state.

ANALYZES AND PRIORITIZES EACH DETECTED CHANGE

Depending on the size of an organization, the number of changes a file integrity monitoring solution may detect can be tremendous. Realistically, IT could never manually review each change to see if it impacted compliance, security or operational performance and availability. To help IT focus on the changes that really need attention, they need compliance policy management and reconciliation with authorized changes, but they also must determine if the type of change, the conditions under which a change was made, or a host of other criteria indicate that a given change requires immediate attention. In addition, the solution should be able to auto-promote the remaining changes (typically ones that are both intentional and beneficial), relieving IT of the need to manually review them.

PROVIDES ASSISTANCE IN REMEDIATION

Although it may seem counter-intuitive, most system administrators, or other IT staff, prefer to roll back critical changes manually. What many want is information that a change has been made along with step-by-step assistance in recovering from changes they determine to be undesirable. A file integrity monitoring system should include highly prescriptive instructions to not only enable quick remediation of improper settings, but to also allow less-experienced IT personnel to correct problems they might not have the experience or knowledge to correct on their own.
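The reconciliation and prioritization steps above, as an added example in Python (not Tripwire's code). Each detected change is matched against change tickets by host, covered path, assignee and maintenance window, or against a plain approved list of the kind an organization without a change management system might keep; it is then given a severity that also reflects whether the file sits on a critical-path list, and benign planned changes are auto-promoted. The change feed, the ticket, the approved list and CRITICAL_PREFIXES are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Change:
    host: str
    path: str
    change_type: str   # "added", "modified" or "deleted"
    user: str          # account the audit log attributes the change to
    when: datetime


@dataclass
class Ticket:
    ticket_id: str
    host: str
    path_prefixes: tuple   # paths the ticket authorizes work on
    assignee: str
    window_start: datetime
    window_end: datetime


# Constructed policy: paths whose change takes a system out of a trusted or
# compliant state and therefore warrants immediate attention.
CRITICAL_PREFIXES = ("/etc/ssh/", "/etc/passwd", "/etc/sudoers", "/var/www/")


def matching_ticket(change: Change, tickets: list) -> Optional[Ticket]:
    """First ticket that authorizes this change: same host, a covered path,
    the recorded user is the assignee, and the change fell inside the window."""
    for t in tickets:
        if (t.host == change.host
                and change.path.startswith(t.path_prefixes)
                and t.assignee == change.user
                and t.window_start <= change.when <= t.window_end):
            return t
    return None


def classify(change: Change, tickets: list, approved_list: set) -> dict:
    """Decide whether a detected change is authorized and how urgently it
    needs a human. A ticket outside its window or worked by someone other
    than the assignee does not authorize the change."""
    ticket = matching_ticket(change, tickets)
    authorized = ticket is not None or (change.host, change.path) in approved_list
    critical = change.path.startswith(CRITICAL_PREFIXES)
    if not authorized:
        severity, action = ("high" if critical else "medium"), "alert"
    elif critical:
        severity, action = "low", "review"         # planned, but on a critical file
    else:
        severity, action = "info", "auto-promote"  # planned and benign: no manual review
    return {
        "host": change.host, "path": change.path, "type": change.change_type,
        "user": change.user, "authorized": authorized,
        "ticket": ticket.ticket_id if ticket else None,
        "severity": severity, "action": action,
    }


def demo() -> list:
    """Constructed change feed, ticket and approved list; one result per change."""
    t0 = datetime(2019, 8, 9, 2, 0)
    tickets = [Ticket("CHG-1001", "web01", ("/etc/ssh/",), "alice",
                      t0, t0 + timedelta(hours=1))]
    approved = {("web01", "/var/log/app/app.log")}   # routine, pre-approved growth
    feed = [
        Change("web01", "/etc/ssh/sshd_config", "modified", "alice", t0 + timedelta(minutes=10)),
        Change("web01", "/etc/ssh/sshd_config", "modified", "bob", t0 + timedelta(hours=3)),
        Change("web01", "/var/www/html/index.php", "modified", "www-data", t0 + timedelta(minutes=30)),
        Change("db01", "/etc/cron.d/backup", "added", "root", t0 + timedelta(minutes=5)),
        Change("web01", "/var/log/app/app.log", "modified", "app", t0 + timedelta(minutes=1)),
    ]
    return [classify(c, tickets, approved) for c in feed]


if __name__ == "__main__":
    for r in demo():
        print(f"{r['severity']:6} {r['action']:12} {r['host']}:{r['path']} "
              f"by {r['user']} ticket={r['ticket']}")
```

The second sshd_config change is the instructive one: it touches the same file as the open ticket, yet it is unauthorized because it happened two hours after the window closed and was made by someone other than the assignee, so it is alerted at the highest severity rather than quietly absorbed into CHG-1001.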



WHAT'S BEING WATCHED?

File integrity monitoring solutions monitor changes to files associated with the servers, databases, routers, applications, and other devices and elements in the enterprise IT infrastructure. Files monitored may include registry files, configuration files, executables, file and directory permissions, tables, indexes, stored procedures, rules, and the list goes on. In fact, the reality is that today's IT infrastructure, even for smaller organizations, is far too complex to be monitored manually.

The following table provides a sampling of the type of IT configurations these solutions may monitor.

SERVER FILE SYSTEMS | DATABASES | NETWORK DEVICES | DIRECTORY SERVICES | HYPERVISORS | (sixth column header cut off in source)
Registry entries | Tables | Routing tables | Privileged group | Permissions | Web serv
Configuration files | Indexes | Firewall rules | Group policy options | Firewall settings | Syste
.exe | Stored procedures | Configuration files | RSoP | Auditing/logging | Logs
File permissions | Permission grants | ACLs | Access controls | | Registry se

In addition, these solutions now must pay attention to the configurations of components of virtualized environments. Depending on the virtualization approach used, these environments may include the virtualized server, a hypervisor, multiple guest OSes, and any applications that run on top of each guest OS. In fact, a recent Ziff-Davis publication reported that 70 percent of companies polled had already virtualized at the time of the study, or had plans to virtualize some time in the coming year.[1] And given that Gartner anticipated that 60 percent of production virtual machines would be less secure than their physical counterparts through 2009, file integrity monitoring solutions must be capable of monitoring these virtual environments.[2]

File integrity monitoring solutions offer an automated single point of control for monitoring all devices in the IT infrastructure, including virtual infrastructure, avoiding time-consuming, error-prone manual auditing.

File attributes being monitored may include hostname, username, ticket number, date and time stamp and operation type. Specifically for server file systems, the table below provides an overview of the type of attributes these solutions may monitor.

WINDOWS         | UNIX
Access time     | Access time
Creation time   | Change time
Write time      | Modify time
Size            | Size
Package data    | Package data
Read-only       | ACL
DACL            | User
SACL            | Group
Group           | Permissions
Owner           | Growing
Growing         | MD5
MD5             | SHA-1
SHA-1           |
Hidden flag     |
Stream count    |
Stream MD5      |
Offline flag    |
System flag     |
Temp flag       |
Compressed flag |
Archive flag    |


WHY DO ORGANIZATIONS NEED FILE INTEGRITY MONITORING?

When high-profile security breaches hit the front page of popular news sites, the underlying culprit for the breach is often unauthorized change. According to a recent study, "Nine of 10 breaches involved some type of 'unknown' including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period. Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach."[3]

File integrity monitoring solutions immediately detect and inform IT of changes that introduce risk, allowing organizations to quickly address and recover from security issues rather than waiting for a flood of customer complaints to realize a problem has occurred.

FILES ARE COMMON TARGETS FOR ATTACK

Hackers access the enterprise network through back door mechanisms, sniffing out IP addresses, phishing with plausible email requests for information, and adding rootkits to gain undetected access to the root of a system. Inadvertent file changes often create the security vulnerabilities hackers use in their attacks. And with today's virtualized environments that include highly portable disk images, organizations will likely see more and more infiltration of the enterprise network through an image file that has been taken offsite, modified to enable malicious activity, and then returned to its place in the network. Because files can be easily compromised, it is critical to continually monitor key files. If files are not monitored and an outage or event occurs, it might take days before the problem can be tracked. During that time, system availability and security becomes vulnerable.

ORGANIZATIONS FACE COMPLIANCE REQUIREMENTS

Over the past few years, several regulatory compliance acts have been instituted, including Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA), that target public companies in an effort to rebuild consumer confidence following several major accounting scandals. The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies along with other stakeholders to address ongoing issues with theft of financial data. In addition, federal government entities are subject to various regulations and standards, including the Federal Information Security Management Act (FISMA), standards issued by the National Institute of Standards and Technology (NIST), and others. Not only is file integrity important to the stability and known state of the IT infrastructure, it is also important for complying with regulations, standards, and compliance audits.

Because IT plays a huge part in the financial and retail sectors, all these regulatory acts have a technology component to them. Section 404 of SOX and section 501(b) of GLBA address the security of technology systems in the financial sector. And section 11.5 of the PCI DSS states that a company must:

"Deploy file integrity monitoring software to alert personnel to unauthorized modifications of critical system or content files, and configure the software to perform critical file comparisons at least weekly."

Section 10.5.5 of the PCI DSS states that a company must:

"Verify the use of file integrity monitoring or change detection software for logs by examining system settings and monitored files and results from monitoring activities."

File integrity monitoring helps organizations detect changes to files and ideally analyze those changes to determine if they increase security risk or take systems out of compliance and an operationally optimal state. These solutions also provide an audit trail and proof that appropriate controls on technology have been put in place, critical for easing the burden of proving compliance in an audit. By increasing visibility into change through on-demand reports and alerts and notifications, and following up with explicit instructions for returning systems to a known good state, organizations avoid many of the unfortunate consequences of poorly configured systems: system outages, loss of e-commerce capabilities, stolen sensitive customer data or intellectual property, and fines from non-compliance.


A CHECKLIST OF PRODUCT REQUIREMENTS

We've so far described what file integrity monitoring is and why it's needed. You've also learned what a file integrity solution monitors and some must-haves for the solution you choose. Following is a detailed checklist for what you should look for when evaluating a file integrity monitoring solution.

INTEGRITY VERIFICATION

The following requirements address how any file integrity monitoring solution should verify file and attribute integrity.

INTEGRITY VERIFICATION   Y / N
Can automatically check for changes to file/directory contents.
Can automatically check for changes to file/directory permissions.
Can automatically check for changes to file/directory time/date stamps.
Can automatically check for changes to file/directory names.
Can automatically check for changes to file/directory ownership.
Can automatically check for additions/modifications/deletions to Windows registry keys.
Can check for file content changes using cyclic redundancy checking and/or digital signature checking.
Supports multiple hashing algorithms (e.g. MD5, SHA).
Can automatically detect changes to access control lists.
Can monitor security identifier and descriptor.
Ability to correlate event audit logs to determine which user made a change.
Ability to detect changes to server file systems.
Ability to detect changes to databases.
Ability to detect changes to network devices.
Ability to detect changes to directory services file systems.
Ability to detect changes to hypervisor file systems.
Ability to detect changes to virtual workloads.
Ability to detect changes to virtual network devices (vSwitches).
Ability to detect changes to application file systems.
Ability to archive new versions of configurations as changes are detected and baseline configurations evolve.
Examines parts of configuration file that apply to a compliance policy (internal and external) and compares the actual to the expected.
Ability to reconcile detected changes with change tickets in a Change Management System (CMS) or a list of approved changes.
Ability to analyze changes in real time to determine if they impact file integrity based on conditions under which change was made, type of change made and user-specified severity of a change.


OPERATIONAL REQUIREMENTS

The following requirements address how any file integrity monitoring solution is managed and supported from a user perspective.

OPERATIONAL REQUIREMENTS   Y / N
Ability to generate a baseline of a server(s) so that integrity is based on a known good state.
Ability to create a single baseline that can be distributed to a group of servers to verify differences from baseline (i.e. configuration ve
Execution of commands based on integrity violations.
Policy files can be remotely distributed via a console to one or more machines.
Policy templates are available from vendor.
Files and directories can be grouped together in policy template (rule blocks).
Specify severity level to individual files and/or directories.
Supports file directory recursion.
Console can view status of machines.
Console can group agents.
Ability to have monitoring (view-only) only consoles available for defined users.
Templates can utilize wildcards or variables (to encompass minor differences in file system contents between systems).
Can operate through firewall (ports opened).
Works well in low bandwidth connections.
Can update snapshot database from console.
Ability to easily and quickly update multiple baselines at once, in cases where routine maintenance and/or changes cause integrity viola
Ability to automatically promote baseline.
Ability to auto-promote changes when real-time analysis of change indicates they are inconsequential or beneficial.
Management console that is cross platform (i.e. Windows and Unix).
Management console can detect status of agents.
Allows users to quickly compare two versions and quickly isolate changes or differences between versions.
Agents operate on Windows, Linux and Unix.
Can change agent passphrases from console.
Transfer only delta change information for each scan (after the first), not all configuration data each time.
Scalability to address requirements of both individual departments and entire enterprise worldwide.
Ability to provide users access from anywhere to a single location which allows them to view, search, and compare configurations.
Provides immediate access to detailed change information.
Arrange and manage monitored components in a number of ways including by location, device type, and responsibility.
Enables explanations, descriptions, or labels to be annotated to any version by users.
Provides authorized users the ability to establish one specific version as a trusted configuration for each system.
Provides standard sets of defaults and templates for each operating environment.


POLICY MANAGEMENT REQUIREMENTS

Superior file integrity monitoring requires not only the detection and reporting of unauthorized changes, specific types of changes, changes made under certain conditions, and user-specified severity of changes. It must also perform an assessment of how an existing (or just changed) configuration compares with established organizational and regulatory guidelines. Such a capability should include:

POLICY MANAGEMENT   Y / N
Ability to compare an asset's configuration state against a pre-defined policy to determine whether or not the configuration is compliant.
Seamlessly integrates with file integrity monitoring data to immediately reassess upon detected changes (continuous compliance).
Vendor supplied policy templates.
Supports Center for Internet Security (CIS) benchmarks out-of-the-box.
Supports security standards (NIST, DISA, VMware, ISO 27001) out-of-the-box.
Supports regulatory requirements (PCI, SOX, FISMA, FDCC, NERC, COBIT) out-of-the-box.
Supports operational/performance policies out-of-the-box for business-critical applications.
Ability to easily modify standard policies to conform to unique organizational needs.
Capture and automate own organizational (internal) policies.
Ability to assess all the same platforms on which you are tracking changes, i.e. operating systems, network devices, databases, directory servers, etc.
Provides out-of-the-box remediation guidance to help fix non-compliant configurations.
Ability to systematically waive policy tests to seamlessly integrate into compliance processes and requirements.
Ability to detect and ignore files that are in a policy, but are not on the monitored system.
Ability to assess configurations against existing data without requiring a rescan.
Ability to use same scan data in multiple, different policy checks without requiring a rescan.
Provides proof to management that various departments are in compliance with set security policies.
Ability to report policy scorecards to summarize the compliance status of a device.
Ability to assign different weights to different tests that comprise a policy scorecard.
Ability to ignore certain tests for certain periods of time (i.e. support for policy waivers).
Ability to report on current policy waivers in effect and their expiration dates.
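A minimal policy assessment with a weighted scorecard and time-limited waivers, as an added example in Python (not Tripwire's policy engine), covering several items on the checklist above: each test names the configuration key it examines, so a test whose key is absent from the host is reported as not applicable rather than failed; an unexpired waiver removes a test from the score and is listed with its expiry date; every failure carries remediation guidance; and the assessment runs over already-collected scan data, so no rescan is needed to re-score against a different policy. The policy tests, the WEB01_CONFIG settings and the waiver are all constructed.

```python
from datetime import date
from typing import Callable, Dict, List, Tuple

# A policy test: id, description, weight, the configuration key it examines,
# the predicate that must hold, and the remediation guidance shown on failure.
PolicyTest = Tuple[str, str, int, str, Callable[[str], bool], str]

# Constructed policy. Weights let a root-login or shadow-permission failure
# cost more on the scorecard than a missing audit setting.
POLICY: List[PolicyTest] = [
    ("SSH-01", "Root login over SSH disabled", 3, "sshd:PermitRootLogin",
     lambda v: v.lower() == "no", "Set 'PermitRootLogin no' in sshd_config and reload sshd"),
    ("SSH-02", "SSH password authentication disabled", 2, "sshd:PasswordAuthentication",
     lambda v: v.lower() == "no", "Set 'PasswordAuthentication no' in sshd_config"),
    ("FS-01", "/etc/shadow not readable by group or others", 3, "fs:/etc/shadow:mode",
     lambda v: (int(v, 8) & 0o077) == 0, "chmod 0600 /etc/shadow"),
    ("AUD-01", "Audit logging enabled", 1, "audit:enabled",
     lambda v: v.lower() == "true", "Enable auditd and ensure it starts at boot"),
    ("DB-01", "Database listener bound to localhost only", 2, "db:listen_address",
     lambda v: v == "127.0.0.1", "Set listen_address = 127.0.0.1 in the database config"),
]


def assess(config: Dict[str, str], policy: List[PolicyTest],
           waivers: Dict[str, date], today: date) -> dict:
    """Score config against policy. Tests whose key is absent from the host
    (e.g. a database test on a web server) are reported as not applicable;
    tests under an unexpired waiver are excluded from the score."""
    passed, failed, waived, not_applicable = [], [], [], []
    earned = applicable = 0
    for test_id, desc, weight, key, check, fix in policy:
        if key not in config:
            not_applicable.append(test_id)
            continue
        expiry = waivers.get(test_id)
        if expiry is not None and today <= expiry:
            waived.append((test_id, expiry))
            continue
        applicable += weight
        if check(config[key]):
            earned += weight
            passed.append(test_id)
        else:
            failed.append((test_id, desc, config[key], fix))
    score = round(100.0 * earned / applicable, 1) if applicable else 100.0
    return {"score": score, "passed": passed, "failed": failed,
            "waived": waived, "not_applicable": not_applicable}


# Constructed host configuration as a FIM agent might collect it from a web
# server; no database settings are present, so DB-01 should not count.
WEB01_CONFIG = {
    "sshd:PermitRootLogin": "yes",
    "sshd:PasswordAuthentication": "no",
    "fs:/etc/shadow:mode": "0640",
    "audit:enabled": "true",
}

# Constructed waiver: root login accepted until year end, then it counts again.
WAIVERS = {"SSH-01": date(2019, 12, 31)}


def demo(today: date = date(2019, 8, 9)) -> dict:
    """Scorecard for web01 on the given date; call again after the waiver
    expires to see the same scan data re-scored without a rescan."""
    return assess(WEB01_CONFIG, POLICY, WAIVERS, today)


if __name__ == "__main__":
    for day in (date(2019, 8, 9), date(2020, 1, 1)):
        card = demo(day)
        print(f"{day}: score {card['score']}%  waived {card['waived']}  "
              f"n/a {card['not_applicable']}")
        for test_id, desc, actual, fix in card["failed"]:
            print(f"  FAIL {test_id} {desc} (actual: {actual}) -> {fix}")
```

On 2019-08-09 the card scores 50% (SSH-02 and AUD-01 pass for 3 of the 6 applicable weight points, FS-01 fails, SSH-01 is waived and DB-01 is not applicable); on 2020-01-01 the waiver has lapsed, SSH-01 joins the failures and the same data scores 33.3%.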


SECURITY AND CONTROL REQUIREMENTS

The following requirements address security requirements that any file integrity monitoring solution should include.

SECURITY AND CONTROL   Y / N
Establish levels of access and control for specific groups of users.
Assigns established access and control to particular groups of devices.
Provides secure communication between devices and database.
Increases ability to audit the network by placing relevant change information in one central repository.
Informs authorized persons of when, how and who made changes.
Provides proof to management that various departments are in compliance with set security policies.
Enables compliance with security and regulatory requirements (e.g. CIS, PCI, ISO, SOX, FISMA, FDCC, FFIEC, NERC, HIPAA, JSOX, GLBA, etc.).
Reports devices that don't meet established operational or regulatory policies.
Analyzes changes in real time to determine if they introduce risk based on conditions under which change was made, type of change made and user-specified severity of a change.
Default policy templates to automatically check detected changes against internal or external policies.
Console has auditing facilities.
Communication link between agent and console is secure (SSL).
Ability to verify agent security and pass phrases.

ENTERPRISE MANAGEMENT INTEGRATION REQUIREMENTS

The following requirements address integration requirements that any file integrity monitoring solution should include.

INTEGRATION   Y / N
Command line interfaces and/or API to allow for custom integration.
Launch in context commands to provide the ability to launch and take actions from other EMS systems.
Interface launch commands (toolbar actions) to provide one click actions.
Integration or links to change ticketing systems (e.g. HP OpenView, BMC Remedy, Peregrine, Tivoli) to correlate and match requested change tickets to actual changes.
Integrates with security information and event management (SIEM) solutions to provide log management capabilities and correlate change and compliance status information with security event information from a single point of control.
Ability to create tickets and/or incidents in change management system based upon integrity violations.
Integration into virtual management console to keep inventory information consistent and help secure virtual environments.


    REPORTING AND ALERTING REQUIREMENTS

    The follow ng requ rements address report ng and alert ng funct onal ty that any f lentegr ty mon tor ng solut on should nclude

    POLICY COMPLIANCE MANAGEMENT BEYOND FILE INTEGRITY MONITORING

    In early 2008, a hacker broke into the database of a Montana-based financial services company, stealing 226,000 current and former client records, including their social security numbers, account balances, and account numbers. And in March of the same year, a well-known auto parts retailer experienced a network intrusion that exposed over 56,000 customer records, including their financial data.

    Stories like these are emerging more frequently. In response, many organizations have deployed file integrity monitoring solutions, an important part of the configuration control equation because it allows an organization to detect and remediate improper changes when they occur. However, there's another part of the equation, compliance policy management, that helps organizations proactively assess and validate systems according to internal operational and security policy and in compliance with external regulations and standards.

    Compliance policy management ensures the integrity of your IT configurations by proactively comparing them against internal policies or external policies for standards, regulations and security best practices. By proactively identifying misconfiguration risks and providing prescriptive remediation guidance, policy compliance management enables a rapid return to a known and trusted state.

    Combined, compliance policy management and file integrity monitoring give complete configuration control and continuous compliance: initial confidence that systems are configured in a known and trusted state, and confidence that they'll maintain that state by monitoring for and detecting any improper change.

    REPORTING AND ALERTING (Y / N)

    Product has multiple levels of reporting.

    Provides executive level summary reports/dashboards.

    Reports can be sent via email.

    Reports can be sent as an SNMP trap.

    Reports can be sent to syslog.

    Reports can be printed.

    Reports can be archived locally.

    Reports clearly denote severity levels of integrity violations.

    Reports can be filtered and are searchable.

    Reports can be exported to other applications (CSV, XML or HTML format).

    Reports can be created on demand.

    Reports can easily be customized.

    Sends alerts to a Web console, network consoles, email and pagers whenever a high-priority file, content or configuration change is detected.

    Alerts users when configurations change and introduce risk or non-compliance, and provides details on what change was made and who made the change.

    Alerts can be based on complex combinations of events using Boolean algebra (i.e. criteria sets).

    Provides a single source of change information.

    Specifies the relative significance of a change according to the monitoring rules for a system component.

    Enables searches of configuration histories and audit logs for specified content using a variety of search criteria and filters.

    Allows searches to be predefined or saved for future use by all users.

    Identifies all devices whose configurations differ from their designated baselines, or either contain or are missing specified configuration settings.

    Audit logging that provides a change control record for all change activity by recording detected changes, added and deleted devices, modified user accounts, etc.

    Console can send an alert when agent connections are lost.

    Can differentiate authorized vs. unauthorized changes based on change window, who made the change, what the change was, etc.

    Provides a role-based and customizable user interface.
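The checklist above asks a FIM tool to baseline monitored files, detect divergence from that baseline, grade each change by the monitoring rules for the path, and separate authorized from unauthorized change using the change window and the actor. The Python sketch below is an added illustration of that reconciliation logic, not Tripwire's code; the paths, the maintenance window, the approved user and the severity rules are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

# Constructed monitoring rules: the severity a change on each path is reported with.
SEVERITY_RULES = {"/etc/passwd": "high", "/etc/ssh/sshd_config": "high"}

@dataclass(frozen=True)
class ChangeWindow:
    start: datetime            # approved maintenance window
    end: datetime
    approved_users: frozenset  # accounts allowed to make changes inside it

def build_baseline(files):
    """Known-and-trusted state: SHA-256 digest of every monitored file's content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def detect_changes(baseline, current):
    """Compare the current state against the baseline; returns (path, kind) pairs."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "deleted"
        elif path not in baseline:
            kind = "added"
        elif hashlib.sha256(current[path]).hexdigest() != baseline[path]:
            kind = "modified"
        else:
            continue  # digest matches the baseline: nothing to report
        changes.append((path, kind))
    return changes

def reconcile(changes, audit_log, window):
    """Authorized only if made inside the window by an approved user; else flagged."""
    alerts = []
    for path, kind in changes:
        user, when = audit_log.get(path, ("unknown", None))
        in_window = when is not None and window.start <= when <= window.end
        status = "authorized" if in_window and user in window.approved_users else "unauthorized"
        alerts.append({"path": path, "kind": kind, "user": user, "status": status,
                       "severity": SEVERITY_RULES.get(path, "low")})
    return alerts

# Constructed scenario: sshd_config was changed by "ops" inside the window (authorized);
# /etc/passwd gained an unexplained extra account with no audit record (unauthorized, high).
WINDOW = ChangeWindow(datetime(2011, 5, 1, 22), datetime(2011, 5, 2, 2), frozenset({"ops"}))
BASELINE = build_baseline({"/etc/passwd": b"root:x:0:0\n", "/etc/ssh/sshd_config": b"Port 22\n"})
CURRENT = {"/etc/passwd": b"root:x:0:0\nmallory:x:0:0\n", "/etc/ssh/sshd_config": b"Port 2222\n"}
AUDIT_LOG = {"/etc/ssh/sshd_config": ("ops", datetime(2011, 5, 1, 23))}  # no record for passwd
ALERTS = reconcile(detect_changes(BASELINE, CURRENT), AUDIT_LOG, WINDOW)
```

Each entry in ALERTS carries the path, kind, user, status and severity the checklist asks a report or syslog alert to include; a real agent would read the files from disk and the actor from the system's audit trail instead of the in-memory dictionaries used here.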


    TRIPWIRE: COMPLETE CONFIGURATION CONTROL

    Tripwire Enterprise software is the only solution that effectively combines powerful compliance policy management with file integrity monitoring to get the IT infrastructure into a known and trusted state and keep it there. It does this by immediately detecting file and configuration changes through continuous file integrity monitoring and assessing those changes in real-time against a host of criteria called ChangeIQ capabilities to identify changes that introduce risk or take systems out of compliance. Tripwire Enterprise then provides remediation advice for undesirable changes so IT can immediately fix issues, and auto-promotes all other changes so IT doesn't have to spend time manually reviewing a tremendous number of probably intentional and beneficial changes.

    MORE POLICIES AND PLATFORMS

    Tripwire Enterprise offers file integrity monitoring and policy compliance management and ships with coverage for nearly 40 platforms across a broad range of core business applications, servers, file systems, directory services, virtualization, network devices, databases and middleware. Tripwire provides over 100 out-of-the-box policies to assess and validate configurations against known standards such as CIS, PCI, SOX, NIST, COBIT, FISMA, FDCC, VMware, etc., as well as operational policies tuned for performance and reliability. With numerous out-of-the-box compliance policies, Tripwire helps organizations gain control over the configuration of their business-critical systems.

    Tripwire additionally offers PCI for Retailers and PCI for Hospitality at an affordable, fixed-price-per-store or hotel pricing scheme. These offerings allow retail businesses and those in the hospitality industry to ensure that customer data is secure not only in the corporate IT infrastructure, but also at the registers and other point of sale (POS) devices located in the retail store or hotel. For organizations with virtualized environments, Tripwire even has a policy for VMware ESX 3.5 that combines CIS policies for virtual environments with recommendations developed by VMware for securing ESX servers.

    ADDITIONAL VALUABLE FEATURES

    Organizations often spend time and money hiring consultants to develop optimal configurations for security and operational efficiency. When the consultant leaves or IT staff turnover occurs, there's typically little or no documentation that enables the organization to recreate or fix these configurations. Tripwire ensures that organizations retain this knowledge by allowing them to capture configuration settings as a "golden" policy they can re-apply to servers, applications, or devices being released into production to ensure consistency across their IT environments.

    Tripwire's flexible, easy-to-use compliance policy manager also sets it apart from other configuration control solutions. Many configuration changes are actually beneficial to the organization. In such cases, being able to easily update a policy to reflect the desirable change is a huge convenience to IT. Tripwire's management console makes it easy for IT to update policies.

    FLEXIBLE, MULTI-LEVEL REPORTING

    Tripwire's reports and dashboards allow users to see as much information as they need without deluging them with unnecessary details or leaving them needing more information. CISOs can see high-level dashboard reports, while system administrators and technicians receive detailed information that lets them immediately fix improper settings. Tripwire includes a comprehensive library of reports that can be tailored to any environment and need and ships with 30 out-of-the-box reports.

    EXPERIENCED CONSULTING FOR IMMEDIATE VALUE

    With Tripwire's years of experience helping thousands of customers worldwide, from mid-sized organizations to the Fortune 1000, meet and achieve compliance with the PCI DSS and other regulations and standards, customers can rapidly attain compliance, mitigate security risks and increase operational efficiency with relevant policies by taking advantage of the deep expertise of Tripwire Customer Services.


    TRIPWIRE: THE KEY TO COMPLETE COVERAGE

    The need for file integrity monitoring of systems throughout virtual and physical infrastructures would be difficult to dispute. Without a solution to detect and reconcile improper change, organizations are subject to any number of negative consequences: stolen data and information, system outages, diminished reputation, and lost revenue and productivity. However, choosing a file integrity monitoring solution requires knowledge of the desirable features that solution should include. In addition to having comprehensive and reliable file integrity monitoring capabilities, the ideal solution should include policy compliance management capabilities that enable proactive validation of the state of the IT infrastructure against internal and external best practices and policies. This policy-based approach helps organizations achieve a known and trusted state. The solution should also include the ability to analyze changes as they are detected to determine if they introduce risk or move systems into a non-compliant state, and provide easy access to remediation guidance, so IT can immediately fix undesirable change. And to ensure IT isn't overwhelmed by the huge number of detected changes, the solution should have the ability to auto-promote desirable changes.

    Tripwire, the leading provider of IT security and compliance automation solutions, combines powerful policy compliance management, file integrity monitoring, real-time analysis of change and optional automated remediation in a single solution: Tripwire Enterprise. With Tripwire Enterprise, organizations achieve and maintain configuration control and ensure compliance with important standards and regulations, generate evidence of compliance for easier and less costly audits, reduce security risks, and increase confidence in the delivery of services and information to the organization and its customers.

    In addition, Tripwire Enterprise integrates with Tripwire Log Center, a log and event management solution that provides everything you need to meet log compliance requirements with ultra-efficient log management and sophisticated event management in a single, easy-to-deploy solution. Combine Tripwire Log Center with Tripwire Enterprise as part of the Tripwire VIA platform to broaden compliance coverage and reduce security risk by increasing visibility, intelligence and automation.

    TRIPWIRE VIA SOLUTIONS

    TRIPWIRE ENTERPRISE
        Continuous file integrity monitoring
        Compliance policy management
        Real-time analysis of change for risk or non-compliance
        On-demand, automated remediation of undesirable change

    TRIPWIRE LOG CENTER
        Log capture/storage of tens of thousands of events per second
        Google-like searches of log activity for forensic analysis
        Flexible collection of logs from almost any source
        Detection of and alerting to suspicious events


    Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses, government agencies, and service providers take control of their physical, virtual, and cloud infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA, the integrated compliance and security software platform, delivers best-of-breed file integrity, policy compliance and log and event management solutions, paving the way for organizations to proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation.

    LEARN MORE AT WWW.TRIPWIRE.COM AND TRIPWIREINC ON TWITTER.

    2011 Tripwire, Inc. Tripwire, VIA and ChangeIQ are trademarks of Tripwire, Inc. All other product and company names are property of the