Extending HBSS Information Assurance with Tripwire Enterprise

Don’t Take Chances. TAKE CONTROL. IT SECURITY & COMPLIANCE AUTOMATION Extending HBSS Information Assurance with Tripwire Enterprise

Transcript of Extending HBSS Information Assurance with Tripwire Enterprise

Page 1: Extending HBSS Information Assurance with Tripwire Enterprise

Extending HBSS Information Assurance with Tripwire Enterprise

Page 2: Extending HBSS Information Assurance with Tripwire Enterprise

Extending HBSS Information Assurance with Tripwire Enterprise

Mike Namvar, CISSP, CAP, ITIL Practitioner

Dept of Defense | Account Team

Page 3: Extending HBSS Information Assurance with Tripwire Enterprise

Agenda

About Tripwire

What is HBSS

How Tripwire Enterprise complements HBSS

Use Cases

Questions

Page 4: Extending HBSS Information Assurance with Tripwire Enterprise

Tripwire, Inc.

Headquartered in Portland, Oregon

Founded in 1997

Over 315 employees worldwide

9 consecutive years of revenue growth

Over 5,500 customers in 87 countries

43% of Fortune 500 rely on Tripwire

Approximately 700 DOD customers

Award-winning, patented technology

Industry leader in File Integrity Monitoring

Page 5: Extending HBSS Information Assurance with Tripwire Enterprise

Sample of Government Customers - DOD

Defense Security Service - JPAS – FIM

Defense Manpower Data Center – FIM

Radiant Mercury – FIM

National Security Agency – FIM/baseline

Marine Corps Community/ Family Services – PCI

NAVSEA – SSDS program – FIM/baseline/config assess

DISA/NECC-APEX – FIM/baseline

DISA/Centrixs – FIM/baseline

DISA/Red Switch Network – FIM/baseline

Army – JLENS – FIM/baseline/change detection

Air Force – AEHF – FIM/baseline

Air Force – Directory Services (AFDS)- FIM/baseline/change detection

Missile Defense Agency – Crystal City/Huntsville; Colorado Springs – FIM/baseline/change detection/config support

Tri-care Management Activity – FIM/baseline/change detection

BUPERS – Millington – FIM/baseline/config assess

Army – IMCEN – Pentagon – FIM/change detection

Navy ERP – NAVAIR – FIM/baseline/change detection

FIM = File Integrity Monitoring

PCI = Payment Card Industry

Air Force – Personnel Command – change detection/baseline/FIM

Navy - PEO C4I & Space – PMW790 – FIM/baseline

Joint Strike Fighter – AF/Navy/MC – FIM/baseline/change detection

Veterans Affairs – Austin/Denver – FIM/baseline/config assess-FISMA

Army – PD ALTESS – FIM/baseline/change detection

Air Force – GPS-OCX – FIM/baseline/change detection

Naval Post Graduate School – FIM/baseline/change detection

Army Medical Command- USAMITC – FIM/baseline/change detection/config assess STIG

Army-Distributed Common Ground System – FIM/baseline/change detection-config support

Army Combat Readiness Center – FIM/baseline/change detection

Army Biometric Fusion Center – FIM/baseline/change detection

Navy – NIOC (Little Creek) – FIM/baseline/change detection

Page 6: Extending HBSS Information Assurance with Tripwire Enterprise

Government Certifications

Common Criteria EAL 3+ (Validated Products list): Tripwire Enterprise, Tripwire for Servers, Tripwire Manager

FIPS 140-2 (certified): Tripwire Enterprise

SCAP validated: Tripwire Enterprise

DADMSCON: Tripwire Enterprise

Page 7: Extending HBSS Information Assurance with Tripwire Enterprise

Tripwire Enterprise || Configuration Control

End-to-End Visibility

• Infrastructure-wide visibility of changes

• Protect sensitive data & configurations

• Visibility across platforms, servers, devices

Intelligent Change Assessment

• Understand the threats behind changes

• Mitigate the risk of configuration changes

• Gain broad understanding of all related changes

Automated Policy Compliance

• Continuous compliance, easy & repeatable

• Simplified audit prep, streamlined compliance

• Built-in remediation advice and automation

[Diagram: Tripwire Enterprise, comprising File Integrity Monitoring and Compliance Policy Management. Caption: Security Configuration Management from Tripwire Enterprise]

Page 8: Extending HBSS Information Assurance with Tripwire Enterprise

Tripwire Enterprise Architecture

[Architecture diagram. Labels shown: TE Console; web browsers; TE Application Server (Windows, Solaris, Linux); TE Database (MySQL, Oracle, MS SQL Server); agents for file systems (Windows, Solaris, AIX, HP-UX, Linux), directory services (AD/LDAP), applications (Exchange, IIS, Oracle) and databases (Oracle & MS SQL); modules (LDAP, JDBC); agentless coverage of routers, switches, firewalls and UNIX; network devices; virtual servers (VMware ESX); AAA (TACACS+, RADIUS); NMS alerts (SNMP, Syslog); command line interface commands; protocols HTTP, SSL, SSH, Telnet, SCP, TFTP, SFTP; change management tool (look for RFC match, promote matches, create exception incident, enrich incident with change data); change auditing rules; change reconciliation; remediation guidance; reports and dashboards (PDF, XML, HTML); configuration assessment policies for security (CIS, NIST, DISA, ESX, ISO), performance (Exchange, IIS, Oracle) and compliance (PCI, SOX, FISMA, COBIT, FDCC); "Meets Policy? (Internal, CIS, PCI etc.)"]

Page 9: Extending HBSS Information Assurance with Tripwire Enterprise

About Host Based Security System (HBSS)

McAfee end point software solutions suite

Purchased by DISA to prevent, detect, track, report, and remediate malicious computer-related activities and incidents across all Department of Defense networks and information systems

Most HBSS installations in production include the McAfee ePolicy Orchestrator (ePO) management engine, VirusScan, and Host Intrusion Prevention System (HIPS) module

Aside from McAfee ePO, VirusScan and HIPS, virtually every HBSS deployment in DOD is unique

Page 10: Extending HBSS Information Assurance with Tripwire Enterprise

Conflicting Information about HBSS

Not a product but a suite of individual point products.

Multiple versions of HBSS in various agencies – these various versions of HBSS are often not compatible

HBSS is not referenced as a security solution outside of government

Page 11: Extending HBSS Information Assurance with Tripwire Enterprise

Does HBSS include all McAfee end point software solutions?

HBSS only includes a tightly defined set of products from McAfee

Agencies must pay for access to the additional McAfee security modules

Page 12: Extending HBSS Information Assurance with Tripwire Enterprise

What does HBSS look like?

McAfee Universal Agent

The existing HBSS solution is composed of multiple individual software solutions acquired by McAfee over the years.

McAfee ePO provides a common dashboard and reporting for all individual HBSS components

The underlying code for each component managed by ePO is different

Each HBSS component has different platform requirements and acts independently

Page 13: Extending HBSS Information Assurance with Tripwire Enterprise

Common Questions

Does Tripwire work in conjunction with HBSS?

Yes. Each of our 700+ Tripwire DOD deployments works in conjunction with HBSS, as it is mandated to be attached to each host server, desktop, and laptop in DOD.

Does Tripwire compete with HBSS?

No. Tripwire has limited functionality overlap within the HBSS suite

Overlap only occurs in McAfee solutions not covered by DOD HBSS agreement.

Page 14: Extending HBSS Information Assurance with Tripwire Enterprise

How does Tripwire complement HBSS?

Expanded Unix Support

Consistent Platform Support

Enhanced change audit capability

Intelligent Workflow with Business Intelligence

Performance and Scalability

Tripwire Guarantee

Page 15: Extending HBSS Information Assurance with Tripwire Enterprise

Expanded Unix Support

HBSS was originally focused only on Windows systems

Just recently released some capability to manage some of the most common Unix systems

HBSS frequently requires additional scripting to be performed by the Unix system administrator to get the McAfee universal agent to perform as desired

Some HBSS modules (i.e., McAfee HIDS) do not support operating systems such as AIX and HPUX despite the existence of a universal agent for these operating systems

Tripwire was originally created to monitor Unix systems and as a result has significantly more platform coverage around all Unix variants including HPUX, CentOS, and AIX.

Page 16: Extending HBSS Information Assurance with Tripwire Enterprise

Consistent Platform Support

Each HBSS point solution supports different platforms despite the existence of a Universal Agent.

All Tripwire supported platforms are consistent in their capability

Page 17: Extending HBSS Information Assurance with Tripwire Enterprise

Example 1: Application Down!

Page 18: Extending HBSS Information Assurance with Tripwire Enterprise

Page 19: Extending HBSS Information Assurance with Tripwire Enterprise

Page 20: Extending HBSS Information Assurance with Tripwire Enterprise

Enhanced change audit capability

HBSS will tell you that your file system has been modified

Tripwire takes it a step further and tells you exactly what change occurred

Page 21: Extending HBSS Information Assurance with Tripwire Enterprise

Example 2: We have a security problem… what is our exposure?

Page 22: Extending HBSS Information Assurance with Tripwire Enterprise

What else happened to our payroll data?

Page 23: Extending HBSS Information Assurance with Tripwire Enterprise

Enhanced change audit capability

HBSS does not have the ability to track every change version associated with a file

You cannot compare what a file looked like six months ago versus a week ago

Page 24: Extending HBSS Information Assurance with Tripwire Enterprise

Example 3 (I own you!)

“Just try and terminate me … I own you”

“Where do I start?”

Page 25: Extending HBSS Information Assurance with Tripwire Enterprise

Intelligent Workflow with Business Intelligence

Page 26: Extending HBSS Information Assurance with Tripwire Enterprise

Example 4

Page 27: Extending HBSS Information Assurance with Tripwire Enterprise

Tripwire Guarantee

Tripwire updates and publishes policy every 90 days

Page 28: Extending HBSS Information Assurance with Tripwire Enterprise

Performance and Scalability

Tripwire natively captures who made a change without turning on OS monitoring on a server.

The HBSS universal agent has limitations

I can speak your language

McAfee Universal Agent

The McAfee agent has to work with multiple disparate security solutions that may or may not be deployed by a client. As a result the McAfee agent’s requirements will be consistent with other large software platforms of its kind.

Page 29: Extending HBSS Information Assurance with Tripwire Enterprise

HBSS is free…but the details matter

Many of the premium McAfee solutions are not part of the HBSS suite and require additional funding

Cost associated with deploying HBSS modules

• Customization likely required to achieve the client’s desired result.

• Many of the HBSS modules were written using incompatible code

Requires significant staff investment

Most HBSS individual point products have limited deployment outside of government

Page 30: Extending HBSS Information Assurance with Tripwire Enterprise

www.tripwire.com

Tripwire Americas: 1.800.TRIPWIRE

Tripwire EMEA: +44 (0) 20 7382 5440

Tripwire Japan: +812.53206.8610

Tripwire Singapore: +65 6733 5051

Tripwire Australia-New Zealand: +61 (0) 402 138 980