Don’t Take Chances. TAKE CONTROL. IT SECURITY & COMPLIANCE AUTOMATION Extending HBSS Information Assurance with Tripwire Enterprise
Aug 20, 2015
Mike Namvar, CISSP, CAP, ITIL Practitioner
Dept of Defense | Account Team
Agenda
About Tripwire
What is HBSS
How Tripwire Enterprise complements HBSS
Use Cases
Questions
Tripwire, Inc.
Headquartered in Portland, Oregon
Founded in 1997
Over 315 employees worldwide
9 consecutive years of revenue growth
Over 5,500 customers in 87 countries
43% of Fortune 500 rely on Tripwire
Approximately 700 DOD customers
Award-winning, patented technology
Industry leader in File Integrity Monitoring
Sample of Government Customers - DOD
Defense Security Service - JPAS – FIM
Defense Manpower Data Center – FIM
Radiant Mercury – FIM
National Security Agency – FIM/baseline
Marine Corps Community/ Family Services – PCI
NAVSEA – SSDS program – FIM/baseline/config assess
DISA/NECC-APEX – FIM/baseline
DISA/Centrixs – FIM/baseline
DISA/Red Switch Network – FIM/baseline
Army – JLENS – FIM/baseline/change detection
Air Force – AEHF – FIM/baseline
Air Force – Directory Services (AFDS)- FIM/baseline/change detection
Missile Defense Agency – Crystal City/Huntsville; Colorado Springs – FIM/baseline/change detection/config support
Tri-care Management Activity – FIM/baseline/change detection
BUPERS – Millington – FIM/baseline/config assess
Army – IMCEN – Pentagon – FIM/change detection
Navy ERP – NAVAIR – FIM/baseline/change detection
FIM = File Integrity Monitoring
PCI = Payment Card Industry
Air Force – Personnel Command – change detection/baseline/FIM
Navy - PEO C4I & Space – PMW790 – FIM/baseline
Joint Strike Fighter – AF/Navy/MC – FIM/baseline/change detection
Veterans Affairs – Austin/Denver – FIM/baseline/config assess-FISMA
Army – PD ALTESS – FIM/baseline/change detection
Air Force – GPS-OCX – FIM/baseline/change detection
Naval Post Graduate School – FIM/baseline/change detection
Army Medical Command- USAMITC – FIM/baseline/change detection/config assess STIG
Army-Distributed Common Ground System – FIM/baseline/change detection-config support
Army Combat Readiness Center – FIM/baseline/change detection
Army Biometric Fusion Center – FIM/baseline/change detection
Navy – NIOC (Little Creek) – FIM/baseline/change detection
Government Certifications
Common Criteria EAL 3+ (Validated Products list): Tripwire Enterprise, Tripwire for Servers, Tripwire Manager
FIPS 140-2 (certified): Tripwire Enterprise
SCAP validated: Tripwire Enterprise
DADMSCON: Tripwire Enterprise
Tripwire Enterprise || Configuration Control
End-to-End Visibility
Infrastructure-wide visibility of changes
Protect sensitive data & configurations
Visibility across platforms, servers, devices
Intelligent Change Assessment
Understand the threats behind changes
Mitigate the risk of configuration changes
Gain broad understanding of all related changes
Automated Policy Compliance
Continuous compliance, easy & repeatable
Simplified audit prep, streamlined compliance
Built-in remediation advice and automation
Tripwire Enterprise
File Integrity Monitoring
Compliance Policy Management
Security Configuration Management from Tripwire Enterprise
Tripwire Enterprise Architecture
[Architecture diagram. Labels: TE Console; TE Application Server (Windows, Solaris, Linux); TE Database (MySQL, Oracle, MS SQL Server); Agents for file systems (Windows, Solaris, AIX, HP-UX, Linux), directory services (AD/LDAP), applications (Exchange, IIS, Oracle) and databases (Oracle & MS SQL); Modules (LDAP, JDBC); Agentless network devices and virtual servers (routers, switches, firewalls, UNIX, VMware ESX) via command line interface (SSH, Telnet, SCP, TFTP, SFTP); AAA (TACACS+, RADIUS); NMS alerts (SNMP/Syslog); web browsers (HTTP, SSL); Change Management Tool (look for RFC match, promote matches, create exception incident, enrich incident with change data); Reports & Dashboards (PDF, XML, HTML); Remediation Guidance; Change Reconciliation; Change Auditing Rules; Configuration Assessment Policies: Security (CIS, NIST, DISA, ESX, ISO), Performance (Exchange, IIS, Oracle), Compliance (PCI, SOX, FISMA, COBIT, FDCC); Meets Policy? (Internal, CIS, PCI etc.)]
About Host Based Security System (HBSS)
McAfee end point software solutions suite
Purchased by DISA to prevent, detect, track, report, and remediate malicious computer-related activities and incidents across all Department of Defense networks and information systems
Most HBSS installations in production include the McAfee ePolicy Orchestrator (ePO) management engine, VirusScan, and Host Intrusion Prevention System (HIPS) module
Aside from McAfee ePO, VirusScan and HIPS, virtually every HBSS deployment in DOD is unique
Conflicting Information about HBSS
Not a product but a suite of individual point products.
Multiple versions of HBSS in various agencies – these various versions of HBSS are often not compatible
HBSS is not referenced as a security solution outside of government
Does HBSS include all McAfee end point software solutions?
HBSS only includes a tightly defined set of products from McAfee
Agencies must pay for access to the additional McAfee security modules
What does HBSS look like?
McAfee Universal Agent
The existing HBSS solution is composed of multiple individual software solutions acquired by McAfee over the years.
McAfee ePO provides a common dashboard and reporting for all individual HBSS components
The underlying code for each component managed by ePO is different
Each HBSS component has different platform requirements and acts independently
Common Questions
Does Tripwire work in conjunction with HBSS?
Yes. Each of our 700+ Tripwire DOD deployments works in conjunction with HBSS, as it is mandated to be attached to each host server, desktop, and laptop in DOD.
Does Tripwire compete with HBSS?
No. Tripwire has limited functionality overlap within the HBSS suite.
Overlap only occurs in McAfee solutions not covered by the DOD HBSS agreement.
How does Tripwire complement HBSS?
Expanded Unix Support
Consistent Platform Support
Enhanced change audit capability
Intelligent Workflow with Business Intelligence
Performance and Scalability
Tripwire Guarantee
Expanded Unix Support
HBSS was originally focused only on Windows systems
Just recently released some capability to manage some of the most common Unix systems
HBSS frequently requires additional scripting to be performed by the Unix system administrator to get the McAfee universal agent to perform as desired
Some HBSS modules (i.e., McAfee HIDS) do not support operating systems such as AIX and HPUX despite the existence of a universal agent for these operating systems
Tripwire was originally created to monitor Unix systems and as a result has significantly more platform coverage around all Unix variants including HPUX, CentOS, and AIX.
Consistent Platform Support
Each HBSS point solution supports different platforms despite the existence of a Universal Agent.
All Tripwire supported platforms are consistent in their capability
Example 1: Application Down!
Enhanced change audit capability
HBSS will tell you that your file system has been modified
Tripwire takes it a step further and tells you exactly what change occurred
Example 2: We have a security problem… what is our exposure?
What else happened to our payroll data?
Enhanced change audit capability
HBSS does not have the ability to track every change version associated with a file
You cannot compare what a file looked like six months ago versus a week ago
Example 3 (I own you!)
“Just try and terminate me… I own you”
“Where do I start?”
Intelligent Workflow with Business Intelligence
Example 4
Tripwire Guarantee
Tripwire updates and publishes policy every 90 days
Performance and Scalability
Tripwire natively captures who made a change without turning on OS monitoring on a server.
The HBSS universal agent has limitations
I can speak your language
McAfee Universal Agent
The McAfee agent has to work with multiple disparate security solutions that may or may not be deployed by a client. As a result the McAfee agent’s requirements will be consistent with other large software platforms of its kind.
HBSS is free…but the details matter
Many of the premium McAfee solutions are not part of the HBSS suite and require additional funding
Cost associated with deploying HBSS modules
• Customization likely required to achieve the client’s desired result.
• Many of the HBSS modules were written using incompatible code
Requires significant staff investment
Most HBSS individual point products have limited deployment outside of government
www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5440
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980