Achieving continuous compliance with Tripwire’s Security Configuration Manager
Security and compliance are often tightly intertwined. The main difference is that sometimes security can outpace compliance efforts. While it is easy to infer that a more secure system exceeds a compliance requirement, an auditor should not be expected to deduce the state of a system; the evidence needs to be clear.
There are many factors that can cause compliance shifts. Configurations are constantly changing because there are updates happening to the infrastructure, there are patches being applied, there are applications that are being updated, and these cause changes to the system that most probably changes the state of the compliance of a particular asset.
Most security tools run scans, and they’re usually baked in with vulnerability management tools, but they have to be scheduled. Usually, these scans are either done once a year, or close to an audit date, and the organization then has to work on their remediation steps and get themselves into a compliance state prior to the audit. This is a very static approach.
Continuous Compliance is Possible
The trend is going towards a more continuous compliance monitoring state. That can only be achieved with a tool that has compliance monitoring coupled with File Integrity Monitoring (FIM). This is where Tripwire shines, providing secure management assessment, and policy management in connection with FIM. That means that after a baseline is established, as soon as a change occurs in your system, you will be immediately notified. This level of monitoring provides visibility of a continuous compliance state.
As an example, if someone needs to test a product which requires an authorized change to a system, but they don’t set the system back to its original configuration after the test is concluded, Tripwire will detect this change in the state of the asset. From a FIM perspective, it’s going to reveal this change. It will also tie it with the policy rule, showing that a system was not returned to a compliant state. This gives the prompt ability for the security team to apply the appropriate remediation measures.
More Than Just Compliance
Compliance is usually managed for the purposes of adhering to a mandated regulation. However, more companies are seeing the value of compliance beyond the perspective of a burden. The goal of most compliance standards and regulations is to create a more secure environment. Organizations are gaining a better understanding that compliance can provide more than just the ability to pass an audit. The ability to perform a risk-based configuration assessment equips an organization with a proactive security posture, reducing vulnerabilities.
Integration With Automated Tools
If Tripwire identifies an asset that falls out of compliance for a particular policy or for a particular policy test, it can trigger a workflow where an automated tool, such as Chef or Puppet to bring the asset back into compliance. The integration with an automated process can remediate the problem, bringing the organization back to a compliant state, reducing the time in which the organization is noncompliant.
Pick Your Policy
Tripwire provides multiple policy rules that can be used to test compliance. Whether it’s guidance, such as that offered by NIST or CIS, or if it is regulatory, such as PCI DSS or HIPAA, policy rules are provided for each of these. The policies can also be customized. For example, if you are testing against a regulation that requires a minimum 12-character passphrase, but your organization’s internal policy calls for a longer passphrase, the rule can be customized.
The Tripwire Difference
Tripwire can provide continuous compliance monitoring because of its direct intertwining with FIM. Many other compliance products are tied to vulnerability management, but that lacks the real-time ability to alert of an immediate change. Tripwire enables the creation of a custom policy that an application can be checked against. If it falls out of compliance quote of your golden configuration, it will issue an alert. This, along with the customizable rules offers incredible flexibility.
The ability to achieve compliance can be difficult for many organizations. Once the goal is met, many companies find that they have slipped out of compliance for various reasons. The continuous monitoring capabilities offered by Tripwire and FIM can help to ease the compliance challenge. To find out more, contact us here.