
FIM

WHITE PAPER

FILE INTEGRITY MONITORING


COMPLIANCE AND SECURITY FOR VIRTUAL
AND PHYSICAL ENVIRONMENTS

IT SECURITY AND COMPLIANCE AUTOMATION SOLUTIONS

EXECUTIVE SUMMARY
Today's organizations rely on numerous devices and applications in their physical and virtual IT infrastructure to carry out their everyday business. When these devices are configured improperly, whether as a result of malicious hacker attacks or inadvertent employee modifications, the IT infrastructure may be exposed to security risk that leads to service outages and theft of sensitive customer or organization data.

As a means of combating issues caused by improper change, organizations employ file integrity monitoring (FIM) solutions to keep an eye on a variety of files associated with the IT infrastructure, including configuration files, registry files, executables, and more. Many of these solutions first establish an authorized baseline configuration, which represents the known and trusted state of a system. The solution then monitors these files for any change that diverges from the established baseline configuration and alerts IT when changes are detected. IT can then determine whether the change is good or undesirable and take any necessary corrective measures. Some FIM solutions can automatically reconcile changes against pre-defined parameters to help streamline the change management process.

At a minimum, a FIM solution should be able to establish a baseline, monitor for configuration change relative to the baseline, determine if change is planned or unplanned, alert when unplanned change occurs, and provide detailed information to help IT remediate any improper changes. Using a detailed requirements checklist can help ensure you've chosen the right solution for your IT infrastructure.

But FIM is only part of the configuration control story. Without first verifying the integrity of the IT infrastructure, the likelihood that those changes will have a negative effect increases. Compliance policy management solutions address the need to first get configurations of the IT infrastructure into a trusted state by proactively assessing configuration settings against internal and external policies. These policies, based on industry and expert-recommended best practices and standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Center for Internet Security (CIS) benchmarks, or VMware Infrastructure Hardening Guidelines, provide visibility into the state of your IT configurations and deliver prescriptive remediation guidance to help achieve a known and trusted state. When seamlessly combined with a file integrity monitoring solution, organizations gain control of their IT infrastructure configurations and maintain their trusted state.

Tripwire, the leading provider of IT security and compliance automation solutions, helps organizations gain continuous compliance and take control of security and compliance of their IT infrastructure. Tripwire security and compliance automation solutions include Tripwire Enterprise, which combines file integrity monitoring, compliance policy management, real-time analysis of detected change and prescriptive remediation guidance to help IT organizations achieve and maintain the IT infrastructure in a compliant and secure state. Tripwire also offers Tripwire Log Center, a complete log and security information and event management (SIEM) solution that integrates with Tripwire Enterprise to provide even greater control of the IT infrastructure. And Tripwire Customer Services can help organizations quickly maximize the value of their Tripwire technology implementation. Tripwire solutions deliver visibility across the entire IT infrastructure, intelligence to enable better and faster decisions, and automation that reduces manual, repetitive tasks.

AN INCREASED NEED FOR VISIBILITY INTO IT CONFIGURATIONS
The IT infrastructure of an organization, whether public, private, or governmental, may have hundreds or even thousands of servers, devices, applications, and other elements that support its everyday business processes. And more and more, organizations are beginning to deploy virtual environments into this infrastructure. But for the organization to benefit from these infrastructure elements, whether physical or virtual, each must be configured properly. That is, the files associated with each element must have settings that reduce the risk of security breaches, optimize operations, and help achieve compliance with relevant regulations and standards. File integrity monitoring helps IT ensure the files associated with devices and applications across the IT infrastructure are secure, controlled, and compliant by helping IT identify improper changes made to these files, whether made maliciously or inadvertently.

WHAT IS FILE INTEGRITY MONITORING?

In an IT network, files can range from simple text files to configuration scripts, and any edit to such files can compromise their integrity. A change to a single line item in a 100-line script could prove detrimental to an entire file or operating system. For example, assigning the wrong IP address in a startup script or to a newly installed network printer could disrupt the network. Below are some examples of the types of configuration settings a file integrity monitoring solution detects and monitors:

Registry entries
Configuration files
.exe
File and directory permissions
Tables
Indexes
Stored procedures
Rules
ACLs
Adds/Deletes/Modifications
Auditing/logging
Access controls
System files
Web root

File integrity monitoring solutions, also called change auditing solutions, ensure the files for a server, device, hypervisor, application, or other element in the IT infrastructure remain in a known good state, even in the face of inevitable changes to these files. Ideally FIM not only detects any change to files, but also includes capabilities that help IT immediately remediate issues caused by improper change. The following sections describe the capabilities often available with file integrity monitoring solutions.

ESTABLISHES A BASELINE
When IT deploys a system/component into its technology infrastructure, it typically does so with the knowledge that the component is initially configured appropriately. A file integrity monitoring solution captures the known good state of the entire system's IT configuration settings when it is deployed, or when it has been configured with recommended settings, and uses this state as a baseline configuration against which the solution can compare a later configuration. Many times this configuration state is referred to as a golden, compliance, or configuration baseline. A baseline-to-current-configuration comparison lets the solution immediately and automatically detect discrepancies caused by change.

Given today's rapid deployment of virtual machines, an ideal file integrity monitoring solution would also include in the baseline the configurations of virtual environment elements. These elements include the physical server, hypervisor, each guest OS, and any applications and databases running on a guest OS.
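To make the baseline-and-compare cycle concrete, here is an added Python example written for this page (it is not Tripwire's code, nor any product's implementation). It records, for every file under a directory, the kinds of attributes the paper lists (timestamps, size, permission bits, owner and group, MD5 and SHA-1 content hashes, with SHA-256 added as an assumption), stores that as the baseline, and then reports which paths were added, removed, or modified, naming the attributes that drifted. The directory layout, file contents and simulated drift are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Content hashes to record per file. MD5 and SHA-1 are the algorithms the paper
# names; SHA-256 is added here as an assumption, since a modern baseline should
# not rely on MD5/SHA-1 alone for tamper detection.
HASHES = ("md5", "sha1", "sha256")


def file_record(path: Path) -> dict:
    """Capture the integrity-relevant attributes of one file system entry."""
    st = path.lstat()
    rec = {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),   # permission bits only
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime_ns": st.st_mtime_ns,         # modify time
        "ctime_ns": st.st_ctime_ns,         # change time (metadata)
    }
    if stat.S_ISREG(st.st_mode):
        digests = {name: hashlib.new(name) for name in HASHES}
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                for d in digests.values():
                    d.update(chunk)
        rec.update({name: d.hexdigest() for name, d in digests.items()})
    return rec


def snapshot(root: Path) -> dict:
    """Baseline (or later state): relative path -> attribute record for every file."""
    return {
        p.relative_to(root).as_posix(): file_record(p)
        for p in sorted(root.rglob("*"))
        if not p.is_dir()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff a later snapshot against the baseline.

    Returns added and removed paths plus, for files present in both, the list of
    attributes whose value no longer matches the baseline.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k, v in baseline[path].items() if current[path].get(k) != v]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate drift, and return the diff."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    (root / "etc").mkdir()
    (root / "bin").mkdir()
    (root / "etc" / "app.conf").write_text("listen = 10.0.0.5:8443\nlog_level = info\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "bin" / "helper").write_bytes(b"constructed sample, not a real binary\n")
    for p in root.rglob("*"):
        if p.is_file():
            os.chmod(p, 0o644)
    baseline = snapshot(root)

    # Simulated drift: a content edit, a permission-only change, an addition, a deletion.
    (root / "etc" / "app.conf").write_text("listen = 10.0.0.99:8443\nlog_level = info\n")
    os.chmod(root / "bin" / "helper", 0o600)
    (root / "etc" / "app.conf.bak").write_text("old copy\n")
    (root / "etc" / "hosts").unlink()
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Run as a script it prints the diff. A permission-only change shows up as a change to mode (and ctime) with unchanged hashes, while an edit shows up in size and every hash, which is the information IT needs to tell a harmless permission fix from a content change. A real deployment keeps the baseline somewhere the monitored host cannot write to, so that whoever alters a file cannot also alter the record it is compared against.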
ALERTS AND NOTIFIES IT
When the solution detects change, whether authorized or unauthorized, IT needs to determine whether or not the integrity of a file has been compromised and whether the change requires immediate attention. IT should have the ability to specify which devices and files are critical and therefore require high-level, immediate attention versus those that do not. For example, the configuration file of an e-commerce site or a database populated with sensitive customer financial or medical data would warrant immediate attention, while configuration changes to non-critical systems could be addressed as time permitted.

Based on whether a system was viewed as critical or non-critical, the solution should be able to send alerts and notifications using a variety of methods to be sure IT receives them. For example, an email alert is worthless if the detected change disrupted email service. Other methods of notifying IT include an alert in the system tray, SNMP, CMD, SYSLOG, page, or within the management console. Early detection enables the administrator to quickly make any necessary corrections.


HELPS RECONCILE AUTHORIZED VERSUS UNAUTHORIZED CHANGE
Many solutions integrate with change management processes and change management databases. By comparing authorized change tickets with detected changes, IT can immediately determine if the change was planned or unplanned. FIM solutions can also create exception incident tickets within existing change management systems and enrich existing incident tickets with change data. Some solutions additionally can identify who made a change, allowing organizations to enforce the recommended zero tolerance policy for unauthorized change or to determine that the change originated from an external source. Even if an organization does not have a change management system, but instead has a list of approved changes, an ideal solution would be able to automatically reconcile detected changes with this list.

ANALYZES AND PRIORITIZES EACH DETECTED CHANGE
Depending on the size of an organization, the number of changes a file integrity monitoring solution may detect can be tremendous. Realistically, IT could never manually review each change to see if it impacted compliance, security or operational performance and availability. To help IT focus on the changes that really need attention, they need compliance policy management and reconciliation with authorized changes, but they also must determine if the type of change, the conditions under which a change was made, or a host of other criteria indicate that a given change requires immediate attention. In addition, the solution should be able to auto-promote the remaining changes (typically ones that are both intentional and beneficial), relieving IT of the need to manually review them.
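The reconciliation step of the previous section and the prioritization step of this one can be shown together. The following is an added Python example written for this page, not Tripwire's logic or any product's: it matches each detected change against the approved change tickets (host, path pattern, change window, and who was allowed to implement it), marks everything else as unplanned, assigns a severity from a list of critical paths, and orders the result so that unplanned changes to critical files surface first while routine planned changes are auto-promoted. The tickets, change records, SEVERITY_RULES and the decide_action policy are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import Optional


@dataclass
class Change:
    host: str
    path: str
    user: str
    when: datetime
    kind: str  # "added", "modified" or "deleted"


@dataclass
class Ticket:
    ticket_id: str
    host: str
    path_glob: str           # which files the ticket authorises
    start: datetime          # approved change window
    end: datetime
    implementers: frozenset  # users permitted to carry it out


# Criticality rules, first match wins. Constructed for this example; an
# organisation maintains its own list of which systems and files are critical.
SEVERITY_RULES = [
    ("/etc/ssh/*", "critical"),
    ("/var/www/shop/config/*", "critical"),
    ("/etc/*", "high"),
    ("/var/log/*", "low"),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def severity_for(path: str) -> str:
    for pattern, sev in SEVERITY_RULES:
        if fnmatch(path, pattern):
            return sev
    return "medium"


def reconcile(change: Change, tickets) -> Optional[Ticket]:
    """Return the ticket that authorises this change, or None if it is unplanned.

    A ticket matches only if host, path, change window and implementer all agree;
    the right file changed by the wrong person, or outside the window, stays unplanned.
    """
    for t in tickets:
        if (t.host == change.host and fnmatch(change.path, t.path_glob)
                and t.start <= change.when <= t.end and change.user in t.implementers):
            return t
    return None


def decide_action(status: str, severity: str) -> str:
    """Assumed triage policy: unplanned critical/high -> immediate alert; unplanned
    medium/low -> queue for review; planned -> auto-promote, except that planned
    changes to critical files are still looked at by a person."""
    if status == "unplanned":
        return "alert-now" if severity in ("critical", "high") else "review"
    return "review" if severity == "critical" else "auto-promote"


def triage(changes, tickets) -> list:
    """Classify every detected change and order the list so the items IT must
    look at first come first."""
    rows = []
    for c in changes:
        ticket = reconcile(c, tickets)
        status = "planned" if ticket else "unplanned"
        sev = severity_for(c.path)
        rows.append({
            "host": c.host, "path": c.path, "user": c.user, "kind": c.kind,
            "status": status, "ticket": ticket.ticket_id if ticket else None,
            "severity": sev, "action": decide_action(status, sev),
        })
    rows.sort(key=lambda r: (r["status"] != "unplanned", SEVERITY_RANK[r["severity"]]))
    return rows


# Constructed sample data: one approved SSH hardening window on web01, and five
# detected changes from two hosts.
SAMPLE_TICKETS = [
    Ticket("CHG-1001", "web01", "/etc/ssh/*",
           datetime(2024, 5, 6, 2, 0), datetime(2024, 5, 6, 3, 0), frozenset({"svc-deploy"})),
]
SAMPLE_CHANGES = [
    Change("web01", "/etc/ssh/sshd_config", "svc-deploy", datetime(2024, 5, 6, 2, 15), "modified"),
    Change("web01", "/etc/ssh/sshd_config", "jdoe", datetime(2024, 5, 6, 14, 5), "modified"),
    Change("web01", "/var/log/app.log", "root", datetime(2024, 5, 6, 14, 6), "modified"),
    Change("db01", "/etc/crontab", "svc-deploy", datetime(2024, 5, 6, 2, 20), "modified"),
    Change("web01", "/opt/app/README", "jdoe", datetime(2024, 5, 6, 10, 0), "added"),
]


if __name__ == "__main__":
    for row in triage(SAMPLE_CHANGES, SAMPLE_TICKETS):
        print(f'{row["action"]:13} {row["severity"]:9} {row["status"]:10} '
              f'{row["host"]}:{row["path"]} by {row["user"]} ticket={row["ticket"]}')
```

Note that the db01 crontab edit is made by the same service account and inside the same window as the approved ticket, yet it is still unplanned because the ticket covers a different host; matching on every ticket field, not just the window, is what stops an approved change from becoming a blanket licence for unrelated edits.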

HELPS DETERMINE IF A CHANGE TOOK SYSTEMS OUT OF COMPLIANCE
With the numerous compliance mandates organizations face today, IT must also determine if a detected change removes a system from a compliant state. A file integrity monitoring system can do this by comparing each detected change against settings contained in a compliance policy. Those changes that do not take the system out of compliance can be viewed as lower priority, while those that do impact compliance should send alerts, so IT can take immediate measures to return the system to a compliant state.
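As an added example of comparing a detected change against a compliance policy (written for this page; it is not Tripwire's policy engine and not taken from any published benchmark), the Python below parses the baseline and changed versions of an SSH daemon configuration, runs a small set of weighted policy tests over each, and reports which tests the change caused to fail together with a scorecard before and after. The POLICY table, its test ids and weights, and the two configuration texts are constructed for the example.

```python
# Policy tests: (test id, setting, allowed values, weight). Constructed for this
# example and modelled loosely on common SSH daemon hardening checks; the ids,
# weights and values are not taken from any published benchmark.
POLICY = [
    ("SSH-01", "permitrootlogin", {"no"}, 10),
    ("SSH-02", "passwordauthentication", {"no"}, 8),
    ("SSH-03", "protocol", {"2"}, 10),
    ("SSH-04", "x11forwarding", {"no"}, 2),
    ("SSH-05", "loglevel", {"info", "verbose"}, 3),
]


def parse_config(text: str) -> dict:
    """Parse 'Keyword value' lines (sshd_config style) into lowercase key -> value.
    Comments and blank lines are skipped; a later occurrence overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def assess(settings: dict) -> dict:
    """Run every policy test against one configuration state."""
    results = {}
    for test_id, key, allowed, weight in POLICY:
        actual = settings.get(key)
        results[test_id] = {
            "setting": key,
            "actual": actual,
            "expected": sorted(allowed),
            "passed": actual is not None and actual.lower() in allowed,
            "weight": weight,
        }
    return results


def score(results: dict) -> float:
    """Weighted pass percentage, the kind of figure a policy scorecard reports."""
    total = sum(r["weight"] for r in results.values())
    earned = sum(r["weight"] for r in results.values() if r["passed"])
    return round(100.0 * earned / total, 1)


def compliance_impact(baseline_text: str, current_text: str) -> dict:
    """Decide whether a detected change took the system out of compliance by
    assessing both the baseline version and the changed version of the file."""
    before = assess(parse_config(baseline_text))
    after = assess(parse_config(current_text))
    newly_failing = [t for t in after if before[t]["passed"] and not after[t]["passed"]]
    newly_passing = [t for t in after if not before[t]["passed"] and after[t]["passed"]]
    return {
        "score_before": score(before),
        "score_after": score(after),
        "newly_failing": newly_failing,
        "newly_passing": newly_passing,
        "out_of_compliance": bool(newly_failing),
        "details": {t: (after[t]["setting"], after[t]["actual"]) for t in newly_failing},
    }


# Constructed before/after versions of an SSH daemon configuration.
BASELINE_SSHD = """\
Protocol 2
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
LogLevel INFO
"""
CHANGED_SSHD = """\
Protocol 2
Port 22
PermitRootLogin yes          # "temporary" change made outside any ticket
PasswordAuthentication yes
X11Forwarding no
LogLevel INFO
"""

if __name__ == "__main__":
    print(compliance_impact(BASELINE_SSHD, CHANGED_SSHD))
```

Assessing both versions rather than only the current one is what lets the tool say that this change took the system out of compliance, rather than merely that the system is non-compliant. A change that touches no policy test (for instance, editing only the Port line) is reported as not affecting compliance and can be queued at lower priority, as the section above describes.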

PROVIDES ASSISTANCE IN REMEDIATION
Although it may seem counter-intuitive, most system administrators, or other IT staff, prefer to roll back critical changes manually. What many want is information that a change has been made along with step-by-step assistance in recovering from changes they determine to be undesirable. A file integrity monitoring system should include highly prescriptive instructions to not only enable quick remediation of improper settings, but to also allow less-experienced IT personnel to correct problems they might not have the experience or knowledge to correct on their own.


WHAT'S BEING WATCHED?

File integrity monitoring solutions monitor changes to files associated with the servers, databases, routers, applications, and other devices and elements in the enterprise IT infrastructure. Files monitored may include registry files, configuration files, executables, file and directory permissions, tables, indexes, stored procedures, rules, and the list goes on. In fact, the reality is that today's IT infrastructure, even for smaller organizations, is far too complex to be monitored manually. The following table provides a sampling of the type of IT configurations these solutions may monitor:

WINDOWS           UNIX
Access time       Access time
Creation time     Change time
Write time        Modify time
Size              Size
Package data      Package data
Read-only         ACL
DACL              User
SACL              Group
Group             Permissions
Owner             Growing
Growing           MD5
MD5               SHA-1
SHA-1
Hidden flag
Stream count
Stream MD5
Offline flag
System flag
Temp flag
Compressed flag
Archive flag

In addition, these solutions now must pay attention to the configurations of components of virtualized environments. Depending on the virtualization approach used, these environments may include the virtualized server, a hypervisor, multiple guest OSes, and any applications that run on top of each guest OS. In fact, a recent Ziff-Davis publication reported that 70 percent of companies polled had already virtualized at the time of the study, or had plans to virtualize some time in the coming year. [1] And given that Gartner anticipated that 60 percent of production virtual machines would be less secure than their physical counterparts through 2009, file integrity monitoring solutions must be capable of monitoring these virtual environments. [2]

File integrity monitoring solutions offer an automated single point of control for monitoring all devices in the IT infrastructure, including virtual infrastructure, avoiding time-consuming, error-prone manual auditing.

File attributes being monitored may include hostname, username, ticket number, date and time stamp and operation type. Specifically for server file systems, the table below provides an overview of the type of attributes these solutions may monitor:

SERVER FILE SYSTEMS   DATABASES           NETWORK DEVICES      DIRECTORY SERVICES    HYPERVISORS         APPLICATIONS
Registry entries      Tables              Routing tables       Privileged group      Permissions         Web server keys
Configuration files   Indexes             Firewall rules       Group policy options  Firewall settings   System files
.exe                  Stored procedures   Configuration files  RSoP                  Auditing/logging    Logs
File permissions      Permission grants   ACLs                 Access controls                           Registry settings

WHY DO ORGANIZATIONS NEED FILE INTEGRITY MONITORING?
When high-profile security breaches hit the front page of popular news sites, the underlying culprit for the breach is often unauthorized change. According to a recent study, "Nine of 10 breaches involved some type of unknown including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period. Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach." [3]

File integrity monitoring solutions immediately detect and inform IT of changes that introduce risk, allowing organizations to quickly address and recover from security issues rather than waiting for a flood of customer complaints to realize a problem has occurred.
FILES ARE COMMON TARGETS FOR ATTACK
Hackers access the enterprise network through back door mechanisms, sniffing out IP addresses, phishing with plausible email requests for information, and adding rootkits to gain undetected access to the root of a system. Inadvertent file changes often create the security vulnerabilities hackers use in their attacks. And with today's virtualized environments that include highly portable disk images, organizations will likely see more and more infiltration of the enterprise network through an image file that has been taken offsite, modified to enable malicious activity, and then returned to its place in the network. Because files can be easily compromised, it is critical to continually monitor key files. If files are not monitored and an outage or event occurs, it might take days before the problem can be tracked. During that time, system availability and security become vulnerable.
ORGANIZATIONS FACE COMPLIANCE REQUIREMENTS
Over the past few years, several regulatory compliance acts have been instituted, including Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA), that target public companies in an effort to rebuild consumer confidence following several major accounting scandals. The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies along with other stakeholders to address ongoing issues with theft of financial data. In addition, federal government entities are subject to various regulations and standards, including the Federal Information Security Management Act (FISMA), standards issued by the National Institute of Standards and Technology (NIST), and others. Not only is file integrity important to the stability and known state of the IT infrastructure, it is also important for complying with regulations, standards, and compliance audits.

Because IT plays a huge part in the financial and retail sectors, all these regulatory acts have a technology component to them. Section 404 of SOX and section 501(b) of GLBA address the security of technology systems in the financial sector. And section 11.5 of the PCI DSS states that a company must:

"Deploy file integrity monitoring software to alert personnel to unauthorized modifications of critical system or content files, and configure the software to perform critical file comparisons at least weekly."

Section 10.5.5 of the PCI DSS states that a company must:

"Verify the use of file integrity monitoring or change detection software for logs by examining system settings and monitored files and results from monitoring activities."

File integrity monitoring helps organizations detect changes to files and ideally analyze those changes to determine if they increase security risk or take systems out of compliance and an operationally optimal state. These solutions also provide an audit trail and proof that appropriate controls on technology have been put in place, critical for easing the burden of proving compliance in an audit. By increasing visibility into change through on-demand reports and alerts and notifications, and following up with explicit instructions for returning systems to a known good state, organizations avoid many of the unfortunate consequences of poorly configured systems: system outages, loss of e-commerce capabilities, stolen sensitive customer data or intellectual property, and fines from non-compliance.

A CHECKLIST OF PRODUCT REQUIREMENTS

We've so far described what file integrity monitoring is and why it's needed. You've also learned what a file integrity solution monitors and some must-haves for the solution you choose. Following is a detailed checklist of what you should look for when evaluating a file integrity monitoring solution:

INTEGRITY VERIFICATION
The following requirements address how any file integrity monitoring solution should verify file and attribute integrity.

INTEGRITY VERIFICATION    Y/N
Can automatically check for changes to file/directory contents.
Can automatically check for changes to file/directory permissions.
Can automatically check for changes to file/directory time/date stamps.
Can automatically check for changes to file/directory names.
Can automatically check for changes to file/directory ownership.
Can automatically check for additions/modifications/deletions to Windows registry keys.
Can check for file content changes using cyclic redundancy checking and/or digital signature checking.
Supports multiple hashing algorithms (e.g. MD5, SHA).
Can automatically detect changes to access control lists.
Can monitor security identifier and descriptor.
Ability to correlate event audit logs to determine which user made a change.
Ability to detect changes to server file systems.
Ability to detect changes to databases.
Ability to detect changes to network devices.
Ability to detect changes to directory services file systems.
Ability to detect changes to hypervisor file systems.
Ability to detect changes to virtual workloads.
Ability to detect changes to virtual network devices (vSwitches).
Ability to detect changes to application file systems.
Ability to archive new versions of configurations as changes are detected and baseline configurations evolve.
Examines parts of a configuration file that apply to a compliance policy (internal and external) and compares the actual to the expected.
Ability to reconcile detected changes with change tickets in a Change Management System (CMS) or a list of approved changes.
Ability to analyze changes in real time to determine if they impact file integrity based on conditions under which change was made, type of change made and user-specified severity of a change.

OPERATIONAL REQUIREMENTS
The following requirements address how any file integrity monitoring solution is managed and supported from a user perspective.

OPERATIONAL REQUIREMENTS    Y/N
Ability to generate a baseline of a server(s) so that integrity is based on a known good state.
Ability to create a single baseline that can be distributed to a group of servers to verify differences from baseline (i.e. configuration verification).
Execution of commands based on integrity violations.
Policy files can be remotely distributed via a console to one or more machines.
Policy templates are available from vendor.
Files and directories can be grouped together in policy template (rule blocks).
Specify severity level for individual files and/or directories.
Supports file directory recursion.
Console can view status of machines.
Console can group agents.
Ability to have monitoring-only (view-only) consoles available for defined users.
Templates can utilize wildcards or variables (to encompass minor differences in file system contents between systems).
Can operate through firewall (ports opened).
Works well over low-bandwidth connections.
Can update snapshot database from console.
Ability to easily and quickly update multiple baselines at once, in cases where routine maintenance and/or changes cause integrity violations.
Ability to automatically promote baseline.
Ability to auto-promote changes when real-time analysis of change indicates they are inconsequential or beneficial.
Management console that is cross-platform (i.e. Windows and Unix).
Management console can detect status of agents.
Allows users to quickly compare two versions and quickly isolate changes or differences between versions.
Agents operate on Windows, Linux and Unix.
Can change agent passphrases from console.
Transfers only delta change information for each scan (after the first), not all configuration data each time.
Scalability to address requirements of both individual departments and entire enterprise worldwide.
Ability to provide users access from anywhere to a single location which allows them to view, search, and compare configurations.
Provides immediate access to detailed change information.
Arrange and manage monitored components in a number of ways including by location, device type, and responsibility.
Enables explanations, descriptions, or labels to be annotated to any version by users.
Provides authorized users the ability to establish one specific version as a trusted configuration for each system.
Provides standard sets of defaults and templates for each operating environment.
POLICY MANAGEMENT REQUIREMENTS
Superior file integrity monitoring requires not only the detection and reporting of unauthorized changes, specific types of changes, changes made under certain conditions, and user-specified severity of changes. It must also perform an assessment of how an existing (or just changed) configuration compares with established organizational and regulatory guidelines. Such a capability should include:

POLICY MANAGEMENT    Y/N
Ability to compare an asset's configuration state against a pre-defined policy to determine whether or not the configuration is compliant.
Seamlessly integrates with file integrity monitoring data to immediately reassess upon detected changes (continuous compliance).
Vendor-supplied policy templates.
Supports Center for Internet Security (CIS) benchmarks out-of-the-box.
Supports security standards (NIST, DISA, VMware, ISO 27001) out-of-the-box.
Supports regulatory requirements (PCI, SOX, FISMA, FDCC, NERC, COBIT) out-of-the-box.
Supports operational/performance policies out-of-the-box for business-critical applications.
Ability to easily modify standard policies to conform to unique organizational needs.
Capture and automate own organizational (internal) policies.
Ability to assess all the same platforms on which you are tracking changes, i.e. operating systems, network devices, databases, directory servers, etc.
Provides out-of-the-box remediation guidance to help fix non-compliant configurations.
Ability to systematically waive policy tests to seamlessly integrate into compliance processes and requirements.
Ability to detect and ignore files that are in a policy, but are not on the monitored system.
Ability to assess configurations against existing data without requiring a rescan.
Ability to use the same scan data in multiple, different policy checks without requiring a rescan.
Provides proof to management that various departments are in compliance with set security policies.
Ability to report policy scorecards to summarize the compliance status of a device.
Ability to assign different weights to different tests that comprise a policy scorecard.
Ability to ignore certain tests for certain periods of time (i.e. support for policy waivers).
Ability to report on current policy waivers in effect and their expiration dates.

SECURITY AND CONTROL REQUIREMENTS
The following requirements address security requirements that any file integrity monitoring solution should include.

SECURITY AND CONTROL    Y/N
Establish levels of access and control for specific groups of users.
Assigns established access and control to particular groups of devices.
Provides secure communication between devices and database.
Increases ability to audit the network by placing relevant change information in one central repository.
Informs authorized persons of when, how and who made changes.
Provides proof to management that various departments are in compliance with set security policies.
Enables compliance with security and regulatory requirements (e.g. CIS, PCI, ISO, SOX, FISMA, FDCC, FFIEC, NERC, HIPAA, JSOX, GLBA, etc.).
Reports devices that don't meet established operational or regulatory policies.
Analyzes changes in real time to determine if they introduce risk based on conditions under which change was made, type of change made and user-specified severity of a change.
Default policy templates to automatically check detected changes against internal or external policies.
Console has auditing facilities.
Communication link between agent and console is secure (SSL).
Ability to verify agent security and pass phrases.

ENTERPRISE MANAGEMENT INTEGRATION REQUIREMENTS
The following requirements address integration requirements that any file integrity monitoring solution should include.

INTEGRATION    Y/N
Command line interfaces and/or API to allow for custom integration.
Launch-in-context commands to provide the ability to launch and take actions from other EMS systems.
Interface launch commands (toolbar actions) to provide one-click actions.
Integration or links to change ticketing systems (e.g. HP OpenView, BMC Remedy, Peregrine, Tivoli) to correlate and match requested change tickets to actual changes.
Integrates with security information and event management (SIEM) solutions to provide log management capabilities and correlate change and compliance status information with security event information from a single point of control.
Ability to create tickets and/or incidents in change management system based upon integrity violations.
Integration into virtual management console to keep inventory information consistent and help secure virtual environments.

10

File Integrity Monitoring: Compliance and Security for Virtual and Physical Environments

REPORTING AND ALERTING REQUIREMENTS

The following requirements address reporting and alerting functionality that any file integrity monitoring solution should include.

REPORTING AND ALERTING    Y/N

Product has multiple levels of reporting.
Provides executive level summary reports/dashboards.
Reports can be sent via email.
Reports can be sent as an SNMP trap.
Reports can be sent to syslog.
Reports can be printed.
Reports can be archived locally.
Reports clearly denote severity levels of integrity violations.
Reports can be filtered and searched.
Reports can be exported to other applications (CSV, XML or HTML format).
Reports can be created on demand.
Reports can easily be customized.
Sends alerts to a Web console, network consoles, email and pagers whenever a high-priority file, content or configuration change is detected.
Alerts users when configurations change and introduce risk or non-compliance, and provides details on what change was made and who made the change.
Alerts can be based on complex combinations of events using Boolean algebra (i.e. criteria sets).
Provides a single source of change information.
Specifies the relative significance of a change according to the monitoring rules for a system component.
Enables searches of configuration histories and audit logs for specified content using a variety of search criteria and filters.
Allows searches to be predefined or saved for future use by all users.
Identifies all devices whose configurations differ from their designated baselines, or that either contain or are missing specified configuration settings.
Audit logging that provides a change control record for all change activity by recording detected changes, added and deleted devices, modified user accounts, etc.
Console can send an alert when agent connections are lost.
Can differentiate authorized vs. unauthorized changes based on change window, who made the change, what the change was, etc.
Provides a role-based and customizable user interface.

POLICY COMPLIANCE MANAGEMENT: BEYOND FILE INTEGRITY MONITORING

In early 2008, a hacker broke into the database of a Montana-based financial services company, stealing 226,000 current and former client records, including their social security numbers, account balances, and account numbers. And in March of the same year, a well-known auto parts retailer experienced a network intrusion that exposed over 56,000 customer records, including their financial data.

Stories like these are emerging more frequently. In response, many organizations have deployed file integrity monitoring solutions, an important part of the configuration control equation because it allows an organization to detect and remediate improper changes when they occur. However, there's another part of the equation, compliance policy management, that helps organizations proactively assess and validate systems according to internal operational and security policy and in compliance with external regulations and standards.

Compliance policy management ensures the integrity of your IT configurations by proactively comparing them against internal policies or external policies for standards, regulations and security best practices. By proactively identifying misconfiguration risks and providing prescriptive remediation guidance, policy compliance management enables a rapid return to a known and trusted state.

Combined, compliance policy management and file integrity monitoring give complete configuration control and continuous compliance: initial confidence that systems are configured in a known and trusted state, and confidence that they'll maintain that state by monitoring for and detecting any improper change.
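As an added example (not Tripwire's code, nor any product's), the following Python script shows the reconciliation the reporting checklist above calls for: diff a hash baseline against a current snapshot, assign severity from per-path monitoring rules, and mark a change authorized only when path, user and change window all match an approved ticket. Every path, user, timestamp and ticket ID is a constructed sample value.

```python
import hashlib
from datetime import datetime

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed snapshots (path -> content hash), not real system data.
BASELINE = {"/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin no\n"),
            "/etc/passwd": sha256_hex(b"root:x:0:0:root:/root:/bin/sh\n"),
            "/opt/pos/bin/checkout": sha256_hex(b"checkout build 1")}
CURRENT = {"/etc/ssh/sshd_config": sha256_hex(b"PermitRootLogin yes\n"),
           "/etc/passwd": BASELINE["/etc/passwd"],          # unchanged
           "/opt/pos/bin/checkout": sha256_hex(b"checkout build 2"),
           "/opt/pos/bin/.helper": sha256_hex(b"unexpected binary")}
# Constructed attribution (who changed it, when) and one approved change ticket.
ATTRIBUTION = {"/etc/ssh/sshd_config": ("jsmith", datetime(2011, 3, 2, 3, 14)),
               "/opt/pos/bin/checkout": ("deploy", datetime(2011, 3, 1, 22, 30)),
               "/opt/pos/bin/.helper": ("deploy", datetime(2011, 3, 2, 3, 15))}
TICKETS = [{"id": "CHG-0042", "path": "/opt/pos/bin/checkout", "user": "deploy",
            "start": datetime(2011, 3, 1, 22, 0), "end": datetime(2011, 3, 1, 23, 0)}]
# Monitoring rules: severity by path prefix, most specific prefix listed first.
SEVERITY_RULES = [("/etc/ssh/", "high"), ("/etc/", "medium"), ("/opt/pos/", "high")]

def detect_changes(baseline, current):
    """Diff two snapshots into (path, kind) tuples, sorted by path."""
    changes = []
    for path in sorted(baseline.keys() | current.keys()):
        kind = ("removed" if path not in current else "added" if path not in baseline
                else "modified" if baseline[path] != current[path] else None)
        if kind:
            changes.append((path, kind))
    return changes

def severity_for(path):
    return next((s for prefix, s in SEVERITY_RULES if path.startswith(prefix)), "low")

def reconcile(changes, attribution, tickets):
    """Authorized only if a ticket matches path AND user AND the detection time
    lies inside its change window (a Boolean criteria set); otherwise unauthorized."""
    records = []
    for path, kind in changes:
        user, when = attribution[path]
        ticket = next((t["id"] for t in tickets if t["path"] == path
                       and t["user"] == user and t["start"] <= when <= t["end"]), None)
        records.append({"path": path, "kind": kind, "user": user,
                        "severity": severity_for(path),
                        "status": "authorized" if ticket else "unauthorized",
                        "ticket": ticket or ""})
    return records
```

Each record is ready to be written to a CSV report or forwarded as an alert; the unexpected binary under the POS path is flagged even though the same deploy user had a valid ticket for a neighbouring file.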

TRIPWIRE
COMPLETE CONFIGURATION CONTROL
Tripwire Enterprise software is the only solution that effectively combines powerful compliance policy management with file integrity monitoring to get the IT infrastructure into a known and trusted state and keep it there. It does this by immediately detecting file and configuration changes through continuous file integrity monitoring and assessing those changes in real time against a host of criteria, called ChangeIQ capabilities, to identify changes that introduce risk or take systems out of compliance. Tripwire Enterprise then provides remediation advice for undesirable changes so IT can immediately fix issues, and auto-promotes all other changes so IT doesn't have to spend time manually reviewing a tremendous number of probably intentional and beneficial changes.
MORE POLICIES AND PLATFORMS
Tripwire Enterprise offers file integrity monitoring and policy compliance management and ships with coverage for nearly 40 platforms across a broad range of core business applications, servers, file systems, directory services, virtualization, network devices, databases and middleware. Tripwire provides over 100 out-of-the-box policies to assess and validate configurations against known standards such as CIS, PCI, SOX, NIST, COBIT, FISMA, FDCC, VMware, etc., as well as operational policies tuned for performance and reliability. With numerous out-of-the-box compliance policies, Tripwire helps organizations gain control over the configuration of their business-critical systems.
Tripwire additionally offers PCI for Retailers and PCI for Hospitality at an affordable, fixed price-per-store or per-hotel pricing scheme. These offerings allow retail businesses and those in the hospitality industry to ensure that customer data is secure not only in the corporate IT infrastructure, but also at the registers and other point of sale (POS) devices located in the retail store or hotel. For organizations with virtualized environments, Tripwire even has a policy for VMware ESX 3.5 that combines CIS policies for virtual environments with recommendations developed by VMware for securing ESX servers.
ADDITIONAL VALUABLE FEATURES
Organizations often spend time and money hiring consultants to develop optimal configurations for security and operational efficiency. When the consultant leaves or IT staff turnover occurs, there's typically little or no documentation that enables the organization to recreate or fix these configurations. Tripwire ensures that organizations retain this knowledge by allowing them to capture configuration settings as a golden policy they can re-apply to servers, applications, or devices being released into production to ensure consistency across their IT environments.
Tripwire's flexible, easy-to-use compliance policy manager also sets it apart from other configuration control solutions. Many configuration changes are actually beneficial to the organization; in such cases, being able to easily update a policy to reflect the desirable change is a huge convenience to IT. Tripwire's management console makes it easy for IT to update policies.
FLEXIBLE, MULTI-LEVEL REPORTING
Tripwire's reports and dashboards allow users to see as much information as they need without deluging them with unnecessary details or leaving them needing more information. CISOs can see high-level dashboard reports, while system administrators and technicians receive detailed information that lets them immediately fix improper settings. Tripwire includes a comprehensive library of reports that can be tailored to any environment and need, and ships with 30 out-of-the-box reports.
EXPERIENCED CONSULTING FOR IMMEDIATE VALUE
With Tripwire's years of experience helping thousands of customers worldwide, from mid-sized organizations to the Fortune 1000, meet and achieve compliance with the PCI DSS and other regulations and standards, customers can rapidly attain compliance, mitigate security risks and increase operational efficiency with relevant policies by taking advantage of the deep expertise of Tripwire Customer Services.

TRIPWIRE
THE KEY TO COMPLETE COVERAGE
The need for file integrity monitoring of systems throughout virtual and physical infrastructures would be difficult to dispute. Without a solution to detect and reconcile improper change, organizations are subject to any number of negative consequences: stolen data and information, system outages, diminished reputation, and lost revenue and productivity. However, choosing a file integrity monitoring solution requires knowledge of the desirable features that solution should include. In addition to having comprehensive and reliable file integrity monitoring capabilities, the ideal solution should include policy compliance management capabilities that enable proactive validation of the state of the IT infrastructure against internal and external best practices and policies. This policy-based approach helps organizations achieve a known and trusted state. The solution should also include the ability to analyze changes as they are detected to determine if they introduce risk or move systems into a non-compliant state, and provide easy access to remediation guidance, so IT can immediately fix undesirable change. And to ensure IT isn't overwhelmed by the huge number of detected changes, the solution should have the ability to auto-promote desirable changes.
Tripwire, the leading provider of IT security and compliance automation solutions, combines powerful policy compliance management, file integrity monitoring, real-time analysis of change and optional automated remediation in a single solution: Tripwire Enterprise. With Tripwire Enterprise, organizations achieve and maintain configuration control and ensure compliance with important standards and regulations, generate evidence of compliance for easier and less costly audits, reduce security risks, and increase confidence in the delivery of services and information to the organization and its customers.

In addition, Tripwire Enterprise integrates with Tripwire Log Center, a log and event management solution that provides everything you need to meet log compliance requirements with ultra-efficient log management and sophisticated event management in a single, easy-to-deploy solution. Combine Tripwire Log Center with Tripwire Enterprise as part of the Tripwire VIA platform to broaden compliance coverage and reduce security risk by increasing visibility, intelligence and automation.

TRIPWIRE VIA SOLUTIONS

TRIPWIRE ENTERPRISE
Continuous file integrity monitoring
Compliance policy management
Real-time analysis of change for risk or non-compliance
On-demand, automated remediation of undesirable change

TRIPWIRE LOG CENTER
Log capture/storage of tens of thousands of events per second
Google-like searches of log activity for forensic analysis
Flexible collection of logs from almost any source
Detection of and alerting to suspicious events

Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses, government agencies, and service providers take control of their physical, virtual, and cloud infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA, the integrated compliance and security software platform, delivers best-of-breed file integrity, policy compliance and log and event management solutions, paving the way for organizations to proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation.
LEARN MORE AT WWW.TRIPWIRE.COM AND @TRIPWIREINC ON TWITTER.
© 2011 Tripwire, Inc. Tripwire, VIA and ChangeIQ are trademarks of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.
WPFIM3n 201001