Tripwire is, undoubtedly, the great-grandfather of integrity monitoring. Since it started shipping its product as a freeware tool in 1992 it has pretty much dominated that market. It has been a favorite of ours for many years. It is perfectly logical that a file integrity tool would spawn a next-generation risk and policy management tool. However, this is not just any such tool. It focuses on managing change.
While the obvious example of change is a compromise, that is not really the most important one. The critical view of change is of the changes to files, configurations, permissions and the like that allowed the compromise in the first place. To capture that view, Tripwire integrates with over 100 technology partners to collect and analyze relevant data across your enterprise.
Typically, tools such as this evolve to keep pace with the threatscape, and Tripwire is no exception. This year we saw a bit of evolution, without any loss of the core of its success, in an increased focus on foundational tasks that help prevent a threat from succeeding. These tasks include privilege management, vulnerability management, change control (Tripwire's forte), centralized log management and incident response (the "last resort").
This year we looked at Enterprise and, by extension, ExpertOps. Enterprise really is a configuration management tool on steroids: it handles policy and configuration management, integrity monitoring and automated remediation workflows. If you decide to add ExpertOps, you add deployment services and consulting, SaaS+ (you also get help from Tripwire's experts) and cloud infrastructure. With the ExpertOps service, a baseline is set for every monitored object and each object is tracked against its own baseline.
There is a two-way ticketing system that integrates with third-party tools and tracks changes and approvals. It can also pull from authoritative patch sources. All of this is tracked in a database with a complete change workflow. Supported platforms include file systems, network devices, databases, hypervisors and applications. There are 1,500 out-of-the-box policies and platforms, and you can modify these or create new ones if what you need is not in the package. Tripwire treats a policy as a collection of tests, so the entire process is logical and straightforward.
You can create custom rule sets called "policy kits" for specific tasks. For example, you could create a "cybercrime policy kit" that looks for indicators of a cybercrime attack attempt and ensures that the relevant elements of your enterprise are hardened and tested to ward off such an attack.
Some devices require agents and some do not. When an agent must be deployed, it is pushed by standard application deployment tools and installs silently. We were especially impressed with the variety of dashboards, achieved without a proliferation of screens that require confusing navigation. The drill-downs on these provide a rich assortment of reports and analysis detail. An example is the malware detection dashboard. This provides a good assortment of useful, global information with drill-downs into very good detail. It also gives a good view of the overall changes in the enterprise relative to malware infection attempts.
All Tripwire support is fee-based and prices are based on each customer's deployment. The web customer portal is quite complete and the documentation is what we expected from Tripwire, having watched them over the years. Pricing, though a bit complicated, is very reasonable.