
Proactively Monitor Configuration Changes with Tripwire

by Jonathan Allen, Oct 08, 2014

Most companies still track configuration changes by hand, in a wiki or a spreadsheet. Only the most basic information, such as IP addresses, is recorded, because recording everything is too tedious. Even answering a simple question such as who made a given change is difficult and time consuming.

This was never truly considered sufficient, but recent incidents such as Snowden's release of classified documents have made it clear that more proactive tooling is needed. This is where products such as Tripwire come in.

Logging

Tripwire uses a fairly typical information-gathering agent on each server; what differs is the scale. Not only is every configuration change a user makes recorded, so is the way in which the change was made. This matters most in stolen-credential attacks.

Say a user's account is compromised. One of the first things the attacker will do is start changing configurations to make it easier to get back onto the machines later. The effect of those changes may not look out of the ordinary, but if the attacker edits files with Notepad while the real user always uses an emacs clone, the unusual behavior can be detected.
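The detection the paragraph describes, as an added example that is not Tripwire's code: build a per-user baseline of editing tools from an earlier window of change records, then flag later edits made with a tool that user has never used. The log format (timestamp|user|host|path|process), the cutoff date and the records themselves are constructed for the example.

```python
"""Flag configuration edits made with a tool the account has never used.

Added example, not Tripwire's code. The input is a constructed change-audit
log; the field layout (timestamp|user|host|path|process) is an assumption.
"""
from collections import defaultdict

# Constructed sample: one line per recorded configuration change.
# Assumed format: timestamp|user|host|path|process
SAMPLE_LOG = """\
2014-10-01T09:12:03|alice|web01|/etc/ssh/sshd_config|vim
2014-10-01T11:40:17|alice|web01|/etc/nginx/nginx.conf|vim
2014-10-02T08:05:44|alice|web02|/etc/hosts|vim
2014-10-03T14:22:09|bob|db01|/etc/my.cnf|nano
2014-10-03T14:30:51|bob|db01|/etc/hosts|nano
2014-10-07T02:17:33|alice|web01|/etc/ssh/sshd_config|notepad.exe
2014-10-07T02:18:02|alice|web01|/etc/sudoers|notepad.exe
"""


def parse_log(text):
    """Turn the pipe-delimited lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, path, proc = line.split("|")
        events.append({"ts": ts, "user": user, "host": host,
                       "path": path, "proc": proc})
    return events


def build_baseline(history, min_events=2):
    """Per-user set of editing tools seen at least min_events times.

    The minimum keeps a single stray edit from becoming 'normal'.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for e in history:
        counts[e["user"]][e["proc"]] += 1
    return {user: {proc for proc, n in procs.items() if n >= min_events}
            for user, procs in counts.items()}


def find_tool_anomalies(recent, baseline):
    """Events whose tool is outside the user's baseline.

    Users with no baseline yet are not flagged: there is nothing to
    compare against, and flagging every edit by a new account is noise.
    """
    flagged = []
    for e in recent:
        known = baseline.get(e["user"], set())
        if known and e["proc"] not in known:
            flagged.append(e)
    return flagged


def detect_tool_anomalies(log_text, cutoff):
    """Build the baseline from events before cutoff (ISO timestamps sort
    lexicographically) and score the events from cutoff onwards."""
    events = parse_log(log_text)
    history = [e for e in events if e["ts"] < cutoff]
    recent = [e for e in events if e["ts"] >= cutoff]
    return find_tool_anomalies(recent, build_baseline(history))


if __name__ == "__main__":
    for e in detect_tool_anomalies(SAMPLE_LOG, "2014-10-07"):
        print(f"{e['ts']} {e['user']}@{e['host']} edited {e['path']} "
              f"with {e['proc']} (not in baseline)")
```

Two caveats a practitioner would add: the recorded process is evidence, not proof, since an attacker with an interactive shell can deliberately use the victim's usual editor, and the baseline needs enough history per user before it is trusted, which is why accounts with no baseline are left alone rather than flagged on every edit.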

Security Reviews

Out of the box, Tripwire ships with templates for standard security regulations and guidelines. When a configuration setting or event is at odds with these guidelines, that is logged so that security and operations personnel can easily find the potentially compromised machine.

Each rule includes detailed information on why Tripwire considers it a violation and what steps are needed to correct it. This can dramatically reduce the time ops spends looking that information up, especially since blogs often contain out-of-date or incorrect advice.
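The shape of such a rule, as an added example rather than one of Tripwire's templates: each check carries the expected value, the daemon's default when the keyword is absent, the reason the setting matters and the remediation step, and the evaluator reports all three for every violation. The sshd_config text is constructed, and the three rules are illustrative hardening checks, not quoted from any particular standard.

```python
"""Benchmark-style rule check over an sshd_config, with rationale and fix.

Added example, not Tripwire's templates. The three rules are illustrative
hardening checks, not quoted from any specific standard; the config text
is constructed.
"""

# Constructed sshd_config. Note the commented-out PasswordAuthentication:
# a commented line is not a setting, so the daemon default applies.
SAMPLE_SSHD_CONFIG = """\
# constructed /etc/ssh/sshd_config
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
"""

# Each rule carries the expected value, the OpenSSH default (for the
# releases current when this article was written) when the keyword is
# absent, why the expected value matters, and how to fix it.
RULES = [
    {
        "key": "PermitRootLogin", "expected": "no", "default": "yes",
        "why": "Direct root logins remove the audit trail of which person "
               "acted and make a stolen root password immediately usable.",
        "fix": "Set 'PermitRootLogin no' in /etc/ssh/sshd_config, have "
               "admins log in as themselves and use sudo, then reload sshd.",
    },
    {
        "key": "PasswordAuthentication", "expected": "no", "default": "yes",
        "why": "Password logins are exposed to guessing and credential "
               "reuse; key-based logins are not.",
        "fix": "Deploy authorized_keys for every admin, set "
               "'PasswordAuthentication no', then reload sshd.",
    },
    {
        "key": "X11Forwarding", "expected": "no", "default": "no",
        "why": "X11 forwarding exposes the client's display to the server "
               "and is rarely needed on production hosts.",
        "fix": "Set 'X11Forwarding no' and reload sshd.",
    },
]


def parse_sshd_config(text):
    """Keyword -> value. Lines starting with '#' are comments. sshd uses
    the first occurrence of a keyword, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def evaluate(settings, rules=RULES):
    """One finding per rule whose effective value differs from the expected one."""
    findings = []
    for rule in rules:
        actual = settings.get(rule["key"].lower(), rule["default"])
        if actual.lower() != rule["expected"]:
            findings.append({"key": rule["key"], "actual": actual,
                             "expected": rule["expected"],
                             "why": rule["why"], "fix": rule["fix"]})
    return findings


def check_config(text):
    """Parse and evaluate in one step."""
    return evaluate(parse_sshd_config(text))


if __name__ == "__main__":
    for f in check_config(SAMPLE_SSHD_CONFIG):
        print(f"[FAIL] {f['key']} is '{f['actual']}', expected '{f['expected']}'")
        print(f"       why: {f['why']}")
        print(f"       fix: {f['fix']}")
```

Two details are worth copying into any real rule engine: evaluate the effective value (the daemon default when the keyword is missing or commented out), not merely whether the line is present, and model the daemon's own precedence rules, here first-occurrence-wins, so the check agrees with what the service actually does.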

Real-time Analytics

While these two features alone make for a solid security product, where Tripwire really shines is its integration with Splunk's analytics engine. Using Splunk, users can quickly see what is changing in their systems and at what rate.

For example, say that in a typical week a couple of new file shares are created. If the number of file shares being created suddenly jumps, that is an indication that something unusual, such as malware, is active. Splunk's data exploration tools make this kind of unusual behavior easy to see.

Once the behavior is detected, Tripwire can be used to drill into the details of the events and the machines they relate to. You may discover that it is in fact a virus, or it may simply be a new file server being set up and tested. Since this research takes only a few seconds, the cost of a false positive is small.
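The rate check and the drill-down from the last two paragraphs, as an added example that is not Tripwire's or Splunk's code: compare the current week's count of "file share created" events against a robust threshold from earlier weeks, and when it trips, group the week's events by host to separate one server being built out from shares appearing across many machines. The weekly counts and the event list are constructed; in practice a Splunk search ending in `| timechart span=1w count` would supply the counts.

```python
"""Rate anomaly on 'file share created' events, then a per-host drill-down.

Added example, not Tripwire's or Splunk's code. The weekly counts and the
event tuples are constructed; the (timestamp, host, share_name) layout is
an assumption.
"""
from collections import Counter
from statistics import median

# Constructed: file shares created per ISO week, oldest first. The last
# entry is the week under review.
WEEKLY_SHARE_COUNTS = [2, 1, 3, 2, 2, 1, 3, 2, 14]

# Constructed: the 14 events behind the final week's count, all on one host.
# Assumed format: (timestamp, host, share_name)
CURRENT_WEEK_EVENTS = [("2014-10-06T10:%02d:00" % m, "fs07", "share%02d" % m)
                       for m in range(14)]


def robust_threshold(history, k=3.0, floor=1.0):
    """median + k * MAD (scaled to approximate one sigma).

    The median and MAD are not dragged around by one earlier spike the way
    a mean and standard deviation are; the floor stops a very quiet
    baseline from producing a zero-width band that flags every change.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history) * 1.4826
    return med + k * max(mad, floor)


def is_rate_anomaly(counts):
    """True when the most recent count exceeds the threshold built from the rest."""
    history, current = counts[:-1], counts[-1]
    return current > robust_threshold(history)


def hosts_by_share_count(events):
    """Number of new shares per host in the week under review."""
    return Counter(host for _, host, _ in events)


def triage(counts, events):
    """Combine the rate check with the drill-down the analyst would do next.

    One host with many new shares looks like a file server being set up and
    tested; many hosts each gaining a share or two looks like something
    spreading and deserves a closer look.
    """
    if not is_rate_anomaly(counts):
        return {"anomaly": False, "hosts": {}, "single_host": None}
    hosts = hosts_by_share_count(events)
    return {"anomaly": True, "hosts": dict(hosts),
            "single_host": len(hosts) == 1}


if __name__ == "__main__":
    result = triage(WEEKLY_SHARE_COUNTS, CURRENT_WEEK_EVENTS)
    print("threshold for this week:", robust_threshold(WEEKLY_SHARE_COUNTS[:-1]))
    print(result)
```

With the constructed history the threshold works out to 5 new shares per week, so 14 trips it, and the drill-down shows all 14 on `fs07`, the "new file server being tested" case rather than the malware case; a spread across many hosts would return `single_host` as `False`.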


Other ways to proactively monitor for breach activity by Mark Kedgley

As an alternative, NNT Change Tracker provides a real-time File Integrity Monitoring capability to Tripwire Enterprise and CIS Benchmark based compliance checklists - www.newnettechnologies.com/file-integrity-monit...
