Most companies still manually track configuration changes using a wiki or spreadsheet. Only the most basic information, such as IP addresses, is included, as recording everything is just too tedious. Even finding out basic information such as who made a change is difficult and time consuming.
While this was never truly considered sufficient, recent incidents such as Snowden’s release of classified documents have made it clear that more proactive tools are necessary. This is where products such as Tripwire come into play.
Logging
Tripwire uses a fairly typical information-gathering plugin on each server, except in terms of scale. Not only is every configuration change that a user makes recorded, so is the way in which the change was made. This is especially important in stolen-credential attacks.
Say, for example, that a user’s account is compromised. One of the first things the attacker will do is start changing configurations in order to make it easier to gain access to the machines in the future. While these changes may not look out of the ordinary in their effect, if the attacker uses Notepad to edit files while the real user prefers an emacs clone, the unusual behavior can be detected.
Security Reviews
Out of the box, Tripwire contains templates for standard security regulations and guidelines. When a configuration setting or event is at odds with these guidelines, that information is logged so that security and operations personnel can easily find the potentially compromised machine.
Each rule includes detailed information on why Tripwire thinks that it is a violation and what steps are needed to correct it. This can dramatically reduce the amount of time that ops spend trying to look up that information, especially given that blogs often contain out-of-date or incorrect information.
Real-time Analytics
While these two features are enough to make for a solid security product, where Tripwire really shines is its integration into Splunk’s analytics engine. Using Splunk, users can quickly see what’s changing in their systems and at what rate.
For example, let us say that in a typical week a couple of new file shares are created. If the number of file shares being created suddenly jumps, that is an indication that something unusual, such as malware, is active. Splunk’s data exploration tools make it easy to see this kind of unusual behavior.
Once the behavior is detected, Tripwire can be used to drill into the details of the events and the machines they relate to. You may discover that it is in fact a virus, or it may simply be a new file server being set up and tested. Since it only takes a few seconds to do this research, the cost of a false positive is very small.
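The two signals described in this article, a change made with a tool the user has never used before (the Notepad-versus-emacs case from the Logging section) and a sudden jump in the weekly rate of one kind of change (the file-share example above), can both be expressed as simple checks over a stream of change records. The following is an added example written for this page; it is not Tripwire or Splunk code, and the record layout, field names, sample data and thresholds are all assumptions made for the illustration.

```python
"""Two toy anomaly checks over configuration-change records, illustrating
the signals described in the article. All records are constructed sample
data; the field layout is an assumption, not Tripwire's actual format."""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean

# Constructed sample records: (ISO date, user, host, change_type, tool).
SAMPLE_CHANGES = [
    ("2014-01-06", "alice", "web01", "edit_config", "emacs"),
    ("2014-01-07", "alice", "web02", "edit_config", "emacs"),
    ("2014-01-07", "svc-deploy", "fs01", "create_share", "powershell"),
    ("2014-01-08", "alice", "web01", "edit_config", "emacs"),
    ("2014-01-09", "bob", "db01", "edit_config", "vim"),
    ("2014-01-09", "svc-deploy", "fs01", "create_share", "powershell"),
    ("2014-01-13", "alice", "web01", "edit_config", "emacs"),
    ("2014-01-14", "svc-deploy", "fs02", "create_share", "powershell"),
    ("2014-01-14", "bob", "db01", "edit_config", "vim"),
    ("2014-01-16", "svc-deploy", "fs01", "create_share", "powershell"),
    ("2014-01-20", "alice", "web03", "edit_config", "emacs"),
    ("2014-01-21", "svc-deploy", "fs02", "create_share", "powershell"),
    ("2014-01-21", "bob", "db02", "edit_config", "vim"),
    ("2014-01-22", "svc-deploy", "fs01", "create_share", "powershell"),
    ("2014-01-24", "svc-deploy", "fs03", "create_share", "powershell"),
    # Week of Jan 27: alice's account edits a config with a tool she has never
    # used before, and share creation jumps from a couple per week to eleven.
    ("2014-01-27", "alice", "web01", "edit_config", "notepad"),
] + [("2014-01-28", "svc-deploy", f"fs{n:02d}", "create_share", "powershell")
     for n in range(1, 12)]


def unfamiliar_tool_changes(changes, min_history=3):
    """Return changes made with a tool the user has never used before.

    A per-user tool profile is built from earlier changes in date order. A
    change only counts as anomalous once the user has at least ``min_history``
    prior changes, so brand-new accounts are not flagged on first sight. The
    flagged tool is then added to the profile, so repeated use after the first
    alert is not reported again; triage decides whether it was legitimate.
    """
    seen = defaultdict(Counter)  # user -> Counter of tools used so far
    flagged = []
    for change in sorted(changes, key=lambda c: c[0]):
        _, user, _, _, tool = change
        history = seen[user]
        if sum(history.values()) >= min_history and tool not in history:
            flagged.append(change)
        history[tool] += 1
    return flagged


def weekly_counts(changes, change_type):
    """Count changes of one type per calendar week, keyed by the Monday that
    starts the week. Weeks with no such changes are included as zero so the
    baseline is not inflated by quiet periods."""
    counts = Counter()
    for day, _, _, ctype, _ in changes:
        if ctype == change_type:
            d = date.fromisoformat(day)
            counts[d - timedelta(days=d.weekday())] += 1
    if not counts:
        return []
    week, last, series = min(counts), max(counts), []
    while week <= last:
        series.append((week, counts[week]))
        week += timedelta(days=7)
    return series


def rate_spikes(series, ratio=3.0, min_prior=2):
    """Flag weeks whose count is at least ``ratio`` times the mean of all
    earlier weeks, once at least ``min_prior`` weeks of baseline exist.
    Returns (week_start, count, baseline_mean) tuples. A first burst after
    weeks of zero activity is also reported, since the baseline is then 0."""
    spikes = []
    for i, (week, count) in enumerate(series):
        prior = [c for _, c in series[:i]]
        if len(prior) < min_prior or count == 0:
            continue
        baseline = mean(prior)
        if count >= ratio * baseline:
            spikes.append((week, count, baseline))
    return spikes


if __name__ == "__main__":
    for c in unfamiliar_tool_changes(SAMPLE_CHANGES):
        print("unfamiliar tool:", c)
    for week, count, base in rate_spikes(weekly_counts(SAMPLE_CHANGES, "create_share")):
        print(f"spike: week of {week}: {count} shares created (baseline {base:.1f}/week)")
```

On the sample data the first check reports only alice's Notepad edit on 27 January, and the second reports only the week of 27 January, where eleven shares were created against a baseline of about 2.3 per week. Both thresholds are deliberately crude; in practice the baseline would be computed over a longer window and the tool profile keyed by change type as well as user, but the shape of the logic is what matters: record how a change was made, not just what changed, and compare rates against what is normal for that environment.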