We want more of the CIA Triad. No, this has nothing to do with the US government agency. It stands for “confidentiality, integrity, and availability.” What it refers to is the idea of protecting access to privileged information (confidentiality), asserting that the information hasn’t been tampered with (integrity), and ensuring that the information can be reliably accessed (availability). One of the most common frameworks for achieving and maintaining these goals is the CIS Top 20 Controls. Many folks will be familiar, at least in passing, with the CIS Top 20 Critical Security Controls (CSCs). The first five CIS controls are designed to give the best bang for the buck when it comes to eliminating a large potential attack surface in an organization. The remaining controls round out a list of capabilities that help protect critical assets by ensuring that protection, monitoring, and recovery infrastructure is in place. Tripwire’s integrated solution suite addresses the first six CIS controls and provides help with an additional eight, providing protection from 85 percent of threats. Let's look at these six controls in more detail.
CSC 1 – Inventory of Authorized and Unauthorized Devices
In other words, know what you have on your network. Tripwire IP360 is the primary solution covering this control, as it has the ability to discover and fingerprint assets throughout the environment, as well as keep an inventory of what has been discovered and when regardless of device type. Tripwire IP360’s capability is enhanced with the addition of Tripwire Enterprise to cover this control even more thoroughly.
CSC 2 – Inventory of Authorized and Unauthorized Software
Once again, Tripwire IP360 is the primary solution for discovering and taking inventory of what software is deployed throughout the environment. This time, however, Tripwire's allowlisting capabilities provide another crucial feature: the ability to see which applications are on an approved allowlist and which ones may be unapproved.
CSC 3 – Secure Configurations for Hardware and Software
For this control, Tripwire Enterprise absolutely shines. With Tripwire Enterprise, you can detect changes to critical system or application files (File Integrity Monitoring, or FIM), as well as compare the configuration of an asset against a hardening benchmark or policy. Tripwire provides pre-built policies for configuration hardening, mapping to everything from CIS’s own benchmarks to PCI v3.2, ISO 27001, NIST 800-53, HIPAA, SOX, and many more. Not only can you detect and alert on changes, but you can also see where the configuration has drifted from one asset to another, how it got there, and how to remedy it.
CSC 4 – Continuous Vulnerability Assessment and Remediation
This is another area where Tripwire IP360 comes into its own with support from Tripwire Enterprise and Tripwire Log Center. Tripwire IP360 can, of course, run vulnerability scans and report on what may exist in the environment, but it also helps prioritize vulnerabilities based on the exploitability and potential impact of that vulnerability as well as its age. Aside from that, IP360 can also provide instructions on how to remediate the vulnerabilities or how to mitigate their effects if remediation isn’t immediately possible.
CSC 5 – Controlled Use of Administrative Privileges
Here, Tripwire Enterprise and Log Center are the go-to tools. Tripwire Enterprise can inventory administrative accounts and verify that default passwords have been changed, among other configuration hardening standards. Tripwire Log Center can correlate log events showing addition or removal of accounts, successful or unsuccessful logins to admin accounts, instances of privilege elevation, etc.
CSC 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Our primary solution for this control is Tripwire Log Center, with some assistance from Tripwire Enterprise. Tripwire Log Center can aggregate logs from multiple sources and correlate events of interest from both an operational and a security point of view. Tripwire Enterprise can confirm the logging configuration of assets in the environment, such as log level and log destination.
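To make concrete the kind of correlation described under CSC 5 and CSC 6 (account additions and removals, failed and successful admin logins, privilege elevation), here is an added example that is not Tripwire's code and not from the original post. It parses constructed syslog-style Linux auth.log lines (the log format, the sample lines, and the two correlation rules are my assumptions) and raises an alert when a newly created account elevates to root shortly after creation, or when a root login succeeds after repeated failures from the same source.

```python
import re
from datetime import datetime

# Event types the control calls out, matched against syslog-style auth.log lines (assumed format).
PATTERNS = {
    "account_added": re.compile(r"useradd\[\d+\]: new user: name=(?P<user>\w+)"),
    "account_removed": re.compile(r"userdel\[\d+\]: delete user '(?P<user>\w+)'"),
    "admin_login_failed": re.compile(r"sshd\[\d+\]: Failed password for root from (?P<src>[\d.]+)"),
    "admin_login_ok": re.compile(r"sshd\[\d+\]: Accepted password for root from (?P<src>[\d.]+)"),
    "priv_elevation": re.compile(r"sudo:\s+(?P<user>\w+) : .*USER=root"),
}
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log; these hosts, users and addresses are illustrative only.
SAMPLE_LOG = """\
Mar 10 08:01:12 host1 useradd[2210]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Mar 10 08:02:30 host1 sshd[2301]: Failed password for root from 10.0.0.5 port 51022 ssh2
Mar 10 08:02:35 host1 sshd[2301]: Failed password for root from 10.0.0.5 port 51023 ssh2
Mar 10 08:02:41 host1 sshd[2301]: Accepted password for root from 10.0.0.5 port 51024 ssh2
Mar 10 08:03:10 host1 sudo:  svc_backup : TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/bin/bash
Mar 10 08:05:00 host1 userdel[2400]: delete user 'tmpuser'
"""

def parse_events(log_text, year=2024):
    """Turn raw lines into (timestamp, kind, fields) tuples; lines matching no pattern are skipped."""
    events = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # auth.log omits the year
        for kind, pat in PATTERNS.items():
            hit = pat.search(line)
            if hit:
                events.append((ts, kind, hit.groupdict()))
                break
    return events

def correlate(events, window_s=600, fail_threshold=2):
    """Two correlation rules over time-ordered events; returns human-readable alert strings."""
    alerts, added, fails = [], {}, {}  # added: user -> creation time; fails: src -> failed root logins
    for ts, kind, f in sorted(events, key=lambda e: e[0]):
        if kind == "account_added":
            added[f["user"]] = ts
        elif kind == "priv_elevation" and f["user"] in added:
            if (ts - added[f["user"]]).total_seconds() <= window_s:
                alerts.append(f"new account {f['user']} elevated to root within {window_s}s of creation")
        elif kind == "admin_login_failed":
            fails[f["src"]] = fails.get(f["src"], 0) + 1
        elif kind == "admin_login_ok" and fails.get(f["src"], 0) >= fail_threshold:
            alerts.append(f"root login from {f['src']} succeeded after {fails[f['src']]} failures")
    return alerts
```

Running `correlate(parse_events(SAMPLE_LOG))` on the constructed log yields two alerts, one per rule; a real deployment would feed the same rules from aggregated logs across many hosts rather than a single string.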
Conclusion
The rest of the Top 20 controls build on the foundation provided by these six. Tripwire solutions can assist with an additional eight controls not listed here. Some controls are administrative or operational in nature, such as documenting and publishing standard procedures or conducting Red Team exercises. No one solution will get you 100% coverage of the CIS Top 20, but Tripwire’s integrated solutions will get you farther. To find out more about how Tripwire's solutions map to the CIS Top 20 Controls, including the essential "First Four", more completely than any other vendor's, click here. Interested in learning 10 reasons why Tripwire’s solutions outperform other companies’ products? Click here.