Tripwire Enterprise: Five ‘Other’ Things You Should Know
Network engineers and security analysts have a lot in common. Both need to understand not only the problem in front of them but also the sequence of events that led to it. A typical scenario is a request to help with a problem a customer has been experiencing, where the person you are assisting is usually a member of the organisation's IT team. In these situations, we must bring our sharpest analytical skills to bear.
When something drifts from the expected behaviour, the first question is always, "What has changed?" The next question is, "What is the impact and severity of the problem?" Tripwire Enterprise (TE) can answer both quickly, because every change has already been recorded for us.
Let's look at five things that Tripwire Enterprise can do for your technology infrastructure and how it can help your organisation move from a Priority 1 incident back to business as usual.
1. IT is about more than just files and folders
Tripwire Enterprise makes troubleshooting easier and more effective, shortening the path from a service-disrupted situation to a service-restored state. Logging and SIEM systems are fantastic assets to have in your toolset, but they can only tell you the effect of something. To find the cause, you need to know what changed to make things break.
Tripwire Enterprise can monitor a wide range of IT infrastructure across on-premises, cloud, and hybrid environments. Because your IT environment is more than a Windows or Linux server providing file services, TE can also monitor switches, routers, wireless controllers/APs, and firewalls. This monitoring can be as granular as required: in the case of a firewall, it can mean being notified of a low-level change to a single access control list entry, or, at a higher level, of any modification to the running configuration.
Your IT infrastructure is more complicated than just files and folders. A core aspect of any business is the data, and storing data requires storage appliances. TE can also monitor your storage infrastructure, whether this is done using the TE Universal Device Kit (UDK) or by leveraging APIs to connect to vendor storage such as NetApp.
2. Full support for cloud environments
With the popularity of cloud computing, on-premises deployments have decreased significantly, and cloud providers have used the opportunity to capture market share and expand their presence in the technology sector.
This is where Cloud Management Assessor (CMA) can help. Tripwire Cloud Management Assessor (CMA) is a product extension for Tripwire Enterprise. With CMA, TE users can evaluate the conformance of cloud services in their TE environment with policy standards defined by the Center for Internet Security (CIS). Each cloud service is associated with a single policy standard (see Table below).
3. My IT is actually OT
Tripwire has a foothold in a variety of markets, including conventional ones such as banking, finance, science, and corporate IT. We also understand that many businesses need their Operational Technology (OT) secured for the success of their business, so Tripwire also serves manufacturing, industrial, and production customers. These sectors rely heavily on data loggers, supervision consoles, and Programmable Logic Controllers (PLCs) for tasks such as testing, measurement, and automation.
Tripwire's UDK lets you connect to these devices over SSH or Telnet (Telnet sends credentials and output in cleartext, so use SSH wherever the device supports it). This allows monitoring of files and folders as well as any configuration changes made to the devices. In addition, TE can capture state information from these devices: for example, if a pre-run test is performed, TE can capture its output, so that issues occurring afterwards can be monitored and documented. This can be crucial when the products you manufacture can be lethal if faulty, such as gas boilers.
4. Let’s all play nicely and integrate
Tripwire Enterprise integrates smoothly with third-party solutions, offering deep levels of coverage.
With Tripwire Enterprise, we understand that the ability to focus your threat-centric response hinges on being able to view information in a single pane of glass. This is something Tripwire Enterprise does well with its reports and dashboards. TE then takes this a step further by integrating with third-party SIEM tools, giving organisations a consistent approach to discovering, understanding, and responding to threats in their environment. TE can send a great depth of change information to your SIEM application, such as Splunk.
Integration isn't only about responding to threats; it is also about everyday operations. Administering and managing TE alongside your IT Service Management (ITSM) application gives your organisation simpler workflows: managing changes, reporting on changes, and defining change windows can all be tied to tickets, so that expected changes are reconciled and monitoring output stays focused on the unexpected ones. TE integrates with many ITSM applications, including Jira, ServiceNow, Remedy, and others.
With the recent acquisitions made by Fortra, which includes some of the biggest names in cybersecurity, there is a drive to utilise all this intelligence to provide learning across our offerings in the future.
5. The printer is not working; anyone checked the paper?
Like most of my security colleagues, I like to stay informed about the threat landscape using all the conventional approaches, as well as vlogs, blogs, and podcasts.
An interesting case study caught my attention: the story of how a printer and one of the biggest bank heists in the world (the 2016 Bangladesh Bank heist) are connected. This heist went deeper than the traditional masked-bandit approach and could have been prevented if someone had paid attention to the printer. A printer "error" is what helped the targeted bank discover the heist.
International interbank transfers are managed through a special system known as SWIFT. The bank's SWIFT systems were configured to print a record automatically each time a money transfer request went through. The printer was always online, so that when workers arrived each morning they checked the output tray for transfers confirmed overnight. On the morning of the heist, however, the printer tray was empty. When bank workers tried to print the reports manually, they couldn't: the software on the terminal connecting to the SWIFT network reported that a critical system file was missing or had been altered. The printer had not failed on its own; according to later reporting on the incident, the attackers' malware had tampered with the SWIFT software so that the fraudulent transfer confirmations would not be printed, and that tampering is what the terminal was complaining about. By the time anyone understood what had happened, the transfers had gone through and the bank had suffered a multi-million-dollar loss.
This chain of events shows that monitoring something as insignificant as a printer can be the difference between a successful attack and a halted one. Tripwire Enterprise is the right tool for understanding what changed to bring about a given event, revealing the footprints left by criminal actors. If it's important to you and your organisation, it's important to Fortra Tripwire.
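The idea underneath both the firewall and device-configuration monitoring described in points 1 and 3 and the "critical system file was missing or had been altered" message in the story above is the same: take a trusted baseline of content and attributes, compare the current state against it, and classify every difference. The following script is an added example written for this article, not Tripwire's own code; it illustrates that baseline-and-compare technique on a constructed directory (the file names `bin/alliance.dll`, `etc/printer.conf` and so on, and their contents, are invented for the demonstration). It snapshots every file's SHA-256, size and permission bits, reports added, removed, content-modified and permissions-only changes, and, for a text configuration file, shows the exact lines that changed, which is the level of detail a monitoring tool needs to say "this ACL line was removed" rather than just "the config changed".

```python
import difflib
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash, size and mode bits.
    mtime is deliberately left out: it changes on every benign rewrite and
    would drown the report in noise."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o777,
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots the way an integrity monitor reports it."""
    report = {"added": [], "removed": [], "modified": [], "metadata": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        elif baseline[name]["sha256"] != current[name]["sha256"]:
            report["modified"].append(name)          # content changed
        elif baseline[name] != current[name]:
            report["metadata"].append(name)          # same bytes, mode changed
    return report


def config_diff(old_text: str, new_text: str, name: str) -> list:
    """Line-level diff of a text config, so the alert can quote the changed lines."""
    return list(difflib.unified_diff(
        old_text.splitlines(), new_text.splitlines(),
        fromfile=f"{name} (baseline)", tofile=f"{name} (current)", lineterm=""))


def demo() -> dict:
    """Constructed scenario: baseline a toy 'terminal' tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "alliance.dll").write_bytes(b"MZ original library")   # invented name
        (root / "etc" / "printer.conf").write_text("print_confirmations=yes\n")
        (root / "etc" / "routes.conf").write_text("route 1\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        old_printer_conf = (root / "etc" / "printer.conf").read_text()

        baseline = build_baseline(root)

        # Simulated tampering: patch a library, silence the printer, delete a
        # file, drop a new binary, and change permissions on an untouched file.
        (root / "bin" / "alliance.dll").write_bytes(b"MZ patched library")
        (root / "etc" / "printer.conf").write_text("print_confirmations=no\n")
        (root / "etc" / "routes.conf").unlink()
        (root / "bin" / "dropper.exe").write_bytes(b"not really malware")
        os.chmod(root / "etc" / "hosts", 0o444)

        current = build_baseline(root)
        result = {
            "report": compare(baseline, current),
            "printer_conf_diff": config_diff(
                old_printer_conf, (root / "etc" / "printer.conf").read_text(),
                "etc/printer.conf"),
        }
        os.chmod(root / "etc" / "hosts", 0o644)   # let the temp dir clean up
        return result


if __name__ == "__main__":
    out = demo()
    for kind, names in out["report"].items():
        print(f"{kind:9}: {names}")
    print("\n".join(out["printer_conf_diff"]))
```

Running it reports `bin/dropper.exe` as added, `etc/routes.conf` as removed, `bin/alliance.dll` and `etc/printer.conf` as modified, and `etc/hosts` as a permissions-only change, followed by the one-line diff showing `print_confirmations` flipping from `yes` to `no`. In a real deployment the baseline would be stored off the monitored host and signed, and the "modified" bucket would be reconciled against approved change tickets so that only the unexpected entries raise an alert.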
You can learn more about Tripwire Enterprise here: https://www.tripwire.com/products/tripwire-enterprise