Remember a Polaroid? Why Tripwire Keeps this Tradition Alive

We’re going to talk about state versus change. For the purposes of our discussion, you need to know that Tripwire Enterprise offers something called TE Commander.

Many enterprise applications lack a native command line interface. This can be a challenge if you want to automate and integrate basic operations, which is a necessary function in most enterprise IT environments. Tripwire® Enterprise (TE) Commander is a cross-platform CLI (Command Line Interface) for Tripwire Enterprise that allows unlimited integration and workflow possibilities. It offers a consistent, flexible, and reliable way to retrieve rich information from Tripwire Enterprise.

So, let’s get back to the state versus change. This came up because we were talking about the different types of reports you can generate in TE and TE Commander. When you run a report in TE, for instance, you can run a report for a week but not necessarily see any results. Then you could run the same report using TE commander, and it would let you see what the configuration, elements, or whatever you’re researching for what an asset is like on that day.

The reason is this whole concept of state versus change. Let’s define those terms now.

Working Definitions of State and Change

We’ll begin by defining state. State relates to running a report through TE Commander.  When it scans a system, whether that’s scanning configuration items by running your command or whether it’s scanning actual files on the server, it’s kind of like taking a Polaroid. You’re taking a picture of the server, and you’re taking a snapshot of it at this date currently. You’re saying “Here’s what I have” for files, dates, times, the content, whatever the hash of the file is, and who has permissions on it. All that good stuff. So, we can capture all the normal things you would expect from a file system, about a file, including the contents. Up to a certain size, we can even archive the contents of the file itself into Tripwire Enterprise.

Another way to think of state would be backing up all the files on a server to a backup system. That backup image would represent the state of the machine at the time it was backed up. Likewise, when TE scans a system, the captured data about those files is also representing the state of the machine at that time.

Knowing what we now know about state, change is any deviation from the last known state. Change is the modifications that happen between two states. If you scan a system every week, you know what the state was when it was scanned. The change represents anything that was modified between the scans.

Why This Difference Is Important for Security

State represents the files on a machine, yes, but those files represent business data and configuration items. If a server is supposed to be configured to do XYZ, then the analyst is interested in ensuring the configuration files cause XYZ to occur. Seeing that the scanned state of a machine is correct for that purpose is compliance monitoring or security configuration management (SCM).

When something no longer matches the security standards and the machine is no longer configured to do XYZ, knowing what changed is important to the analyst in determining the extent of what was changed and the potential impact of those changes. For example, if a server should require 12-character passwords, the state includes a file that enforces 12-character passwords. If the next scan state shows that changes occurred on that file, the analyst can look at the changes to see if the updates make the server more secure (now 15 characters) or less secure (only 6 characters).

Security by Tracking State AND Change

Any ideal security monitoring posture will include monitoring the state through SCM and for changes through file integrity monitoring (FIM). Once changes are identified, they will be compared to approved change requests in the environment for validation that the changes are good or bad. Good changes get approved to become a new baseline state against which all future scan states are compared (for detection of changes), whereas the bad changes get remediated.

Now, you can do this for monitoring your operating system. But certainly, your servers are doing something other than just running Linux or Windows. You know that that’s why they exist. Using a rule to monitor web server directories, for instance, you will know that if they do updates to the website on Tuesdays at 8pm and changes come in Tuesday at 8pm on those web server directories, that’s normal traffic that’s considered good behavior. But if they’ve been scanned and it’s clear that someone modified one of those files at a different time, that’s the kind of thing that they need to be concerned about.

Where Tripwire Enterprise Comes in

That’s where the value of Tripwire Enterprise truly stands out. It’s in the ability to sit there and run those routine scans, not to mention the real-time scanning on our agents that we can enable. You can get visibility into all file changes that are occurring. That lets you have a clearer picture of, “Here’s exactly what had happened to that server.” You still must do some forensic analysis, but knowing what those exact snapshots of the server in the files looked like at different times (as well as the detailed comparisons Tripwire Enterprise provides) does give you extra visibility and clarity.

Learn more about how Tripwire Enterprise can help you monitor state and change.

With a strong background in the financial services industry, I have a breadth of experience in networking and secure systems communications. I have spent 6 years working closely with, or on, teams handling the development of software used in both the Financial Services and IT Security industries. I am currently focusing on my segment of the IT Security industry and how it relates to audit and regulatory oversight.

Editor Note: This blog was co-authored by David Bruce and Mitchell Parker of Tripwire.