Tim Erlin has been building connections with Tripwire customers for more than 20 years. As the VP of Strategy, his role is to understand the connections between customers, the cybersecurity market, and Tripwire solutions. As one of the latest additions to the HelpSystems portfolio, Tripwire adds integrity monitoring to an already broad set of capabilities offered. Here is Tim’s explanation of integrity monitoring and how it helps customers.
Tell us about Tripwire’s technology, what does File Integrity Monitoring do?
There’s a phrase that you might hear from many Tripwire folks: “Every incident begins with a change.” It’s one of my favorite phrases because it succinctly describes the value that Tripwire brings to customers. Changes might be internal to an organization, such as a change in a configuration file. They might be external, such as a newly discovered vulnerability, or even a change in the resources to which an attacker has access. In the end, every incident can be traced back to some kind of change.
Tripwire effectively invented File Integrity Monitoring (FIM) more than 20 years ago. It started out as a process for monitoring file changes on Unix-based systems using cryptographic hashes. The first iteration of FIM was focused solely on files and identifying any time a file changed. It provided system administrators with the ability to see when critical files were being changed, in real-time, providing previously unavailable visibility into potentially malicious activity.
Since then, Tripwire has evolved FIM into a broader capability for monitoring the integrity of many objects, though the name “File Integrity Monitoring” has stuck. FIM is no longer just about files, but includes detecting changes in other objects, such as configurations, databases, cloud accounts, and more. FIM isn’t just about detecting changes either. It also provides detailed information about what changed, who made the change, and reconciling those changes against a known trusted state or against a planned change.
A couple of examples might be helpful here.
A classic example is a change in a configuration file that impacts access control. That could be changing access control lists or configuring an application to allow previously prohibited access. A change in a configuration file might be malicious or accidental, but either way, the ability to detect that change, see the detail of what changed, and identify who made the change is important.
Another example is the installation of a new application on an asset. That new application might change the risk profile or compliance requirements for that asset, requiring additional actions to properly secure and monitor it.
A final example is a change in the users included in an administrative group. Changing the permissions that a specific user has may be business as usual or may be activity linked to malicious privilege escalation activity.
Given just these examples, it’s clear that detecting and understanding how your environment is changing is highly valuable.
What problems does it solve?
We’ve touched on the problems Tripwire solves in the previous question, but let’s put a finer point on them. First, integrity monitoring is required by most security standards like PCI, NIST, HIPAA, and others. Many organizations approach integrity monitoring from the basic need to meet a compliance requirement, but there’s a reason that it’s such a common requirement across standards. Integrity monitoring is a basic security control, and when implemented well, helps to achieve several security objectives:
Identifying malicious activity missed by other tools; The fact is, attackers continue to be successful in compromising organizations. While security tools continue to mature, it remains nearly impossible to effectively compromise an asset or organization without any detectible change to the environment. Integrity monitoring, when coupled with a change reconciliation process, provides visibility into the kinds of changes an attacker makes as they initially compromise and laterally move inside an organization.
Identifying unauthorized changes in the environment; Not all changes with a negative consequence are the result of malicious behavior. There’s plenty of room for unintended human error to result in incidents and outages. A closed-loop change process that includes comprehensive integrity monitoring, will ultimately reduce unplanned change and unplanned work.
Maintaining secure configurations; detection is a necessary part of cybersecurity, but prevention is always preferred when possible. The Center for Internet Security has published the Community Defense Model, which demonstrates “that establishing and maintaining a secure configuration process (CIS Safeguard 4.1) is a linchpin Safeguard for all five attack types, which reinforces the importance of configurations.” Building and deploying systems that are securely configured is the most effective security safeguard you can employ. Configurations aren’t static, however, and monitoring the integrity of your configurations is key to ensuring that securely configured systems remain securely configured.
I’d be remiss not to mention faster time to resolution. While it doesn’t fall into the category of a security control by itself, it’s easy to see how a comprehensive record of what’s changed across an environment can lead to much faster resolution of all kinds of incidents.
How is Tripwire differentiated in the market?
Tripwire is really the pioneer of integrity monitoring, and that history matters to customers. It’s that history, and experience in the market over more than 20 years, that has produced a robust and mature product. Tripwire can address the use cases that customers care about, especially larger customers with complex compliance requirements. Over the last few years, we’ve conducted hundreds of interviews with customers to understand what they value about Tripwire. While there are many individual technical differentiators, our ability to help customers achieve and maintain compliance overwhelmingly floats to the top. The continuous compliance approach provided by integrity monitoring allows customers to spend less time preparing for and conducting audits and decreases the number of audit findings they have to address.
What type of company or industry typically needs Tripwire’s technology?
The common attribute that the majority of Tripwire customers share is the need for compliance. Compliance doesn’t fall strictly along the definitions of company size, but some industries are more heavily regulated than others. Tripwire has many customers in a variety of finance industries, followed by government, retail, and technology. The largest single industry using Tripwire is the utility industry, where electric utilities are subject to NERC CIP compliance.
While compliance is most often the budget driver, customers across industries also get the value of integrity monitoring that I described earlier: better security, fewer incidents, and faster time to resolution.
What other products and services does Tripwire offer?
Tripwire’s flagship product is Tripwire Enterprise, which provides integrity monitoring, secure configuration assessment, and policy compliance. Tripwire also offers these capabilities in a cloud-hosted, co-managed service called ExpertOps, which allows customers to really focus on the value and let Tripwire worry about the operational aspects.
Tripwire’s portfolio further includes:
• IP360 for vulnerability management
• Tripwire Log Center for log management
• Tripwire Industrial Visibility for industrial cybersecurity
Explain the synergy between HelpSystems and Tripwire? What are you looking forward to?
There is tremendous opportunity to deliver value to customers in the combined product portfolio. At Tripwire, we’ve always felt that integrity monitoring is a foundational security control, but the universe of necessary security controls is broader. HelpSystems, in combination with Tripwire, is in a position to provide more cybersecurity capabilities to more customers with less complexity.
The breadth of the portfolio isn’t the only benefit. Integration across the portfolio has the potential to drive innovation within Tripwire’s core capability as well. I’m especially looking forward to seeing how these two organizations integrate to deliver something truly innovative, and extremely valuable to customers.
If customers want to learn more about Tripwire, what resources would you recommend?
Tripwire also has a fantastic blog, which covers a variety of industry issues and news.
Finally, the Tripwire Cybersecurity Podcast is a great way to hear engaging conversations with industry experts on a variety of cybersecurity topics. I may be a little biased about this, since I get the fantastic job of hosting it.