SIEMs are the incident detection tool of choice, but as organizations broadly deploy them throughout large distributed networks, IT security teams face a growing challenge: isolating the real threats from the volumes of noise generated by the IT infrastructure. Industry research and practitioners say the best way to reduce that noise is by comparing security events to other trusted sources of security data—specifically, change and configuration data. This added context quickly knocks away volumes of false positives, and helps security teams focus on the events that matter the most. Tripwire® Enterprise, an industry leading security configuration management solution, provides end to end configuration assessment and file integrity monitoring. It’s also widely used as the “definitive source of truth” for highly detailed file change and configuration state data. We’re talking about changes to key items like configuration files, ports, servers, binaries and executables—the types of changes that tell you if a system can be trusted.
Now that Tripwire Enterprise is an ArcSight CEFcertified solution, you can combine its highly detailed change and configuration data with security event information in ArcSight ESM using a standard communication format. The payoff? Reduced noise and false positives and greatly improved incident detection.
Pre-Processed Data Maximizes ArcSight ESM Capabilities
Tripwire Enterprise pre-processes its change and configuration data with internal rules and data correlation. This pre-processing allows Tripwire Enterprise to include leading indicators and key metadata in the security data it sends to ArcSight—for example, severities, asset and test based risk scoring, and alert information. Plus, you can link back to Tripwire Enterprise from the ArcSight ESM and perform detailed, side by side analysis of changes to files and configuration items. This added context lets you maximize the capabilities of ArcSight ESM, giving you a jumpstart on distinguishing between data noise and serious threats. The Event Integration Framework, a workflow component, serves as an ArcSight Connector between Tripwire Enterprise and ArcSight ESM.
The Event Integration Framework:
- Leverages Tripwire Enterprise’s trusted agent, system state visibility, and configuration policy analysis capabilities;
- Provides critical state change information as a new, defining variable in ArcSight’s SIEM correlation rules; and
- Augments security events with context from change and configuration data (like new services opened, new users added, suspiciously elevated privileges), and even attribution information—the “who” data of altered critical system elements.
Adding this detailed change and configuration data from Tripwire Enterprise to ArcSight ESM events shows you not just that “something happened,” but exactly what happened. The cross-linking capability between the two systems even shows users detailed, side by side comparisons of detected changes and configuration alterations, allowing them to determine root cause or risk.
How the Integration Works
- Tripwire Enterprise detects a file state change, or identifies a test failure or score change related to a configuration policy.
- Tripwire Enterprise processes that data using the Event Integration Framework.
- Event Integration Framework compiles the data, generates a richly detailed security event message—a “super event”—and sends to ArcSight ESM via Syslog.
- ArcSight ESM normalizes the message and then applies correlation rules to determine the next course of action.
- If the results indicate the need for investigation by the Tripwire Enterprise administrator, details can be incorporated back into Tripwire Enterprise reports and homepages.
Powerful Pair for Incident Detection
ArcSight ESM is the premier SIEM solution for a world of ever increasing threats. Tripwire Enterprise is the authority on achieving and maintaining the “known and trusted” state for information security systems, across all platforms and physical and virtual infrastructures. The integration of the two, using the ArcSight CEF and the Tripwire Event Integration Framework, creates the best of both worlds: an intelligent, scalable, and manageable solution for enterprise wide information security.