Have you ever stood in the airport security line when the agents bring the dog out to inspect everyone's luggage? I'm always so fascinated watching the dog go down the line and do her work. Wow, she's so smart! How does she know what to look for? My own dog has talents of her own, but she would not get hired for this job. She has a good functioning nose, but she's not trained to detect these things and wouldn't be able to tell me when she finds something troublesome.

That difference is kind of how I see the difference between a security solution that is backed by good content and one that is not. A dog's nose has up to 300 million olfactory sensors (a lot), but it needs a reference for differentiating illegal substances from the allowable travel essentials. To explain more on what that means from a security solution standpoint, I sat down with principal security researcher Travis Smith, who heads up a lot of the content development at Tripwire. Here's our discussion:

Ray Lapena: What does "content" mean in the context of our tools?

Travis Smith: Content for Tripwire Enterprise is really the data leveraged by Tripwire Enterprise that customers can use. So, content comes in the form of either policies – things like PCI or hardening like CIS – or in the form of something like policy rules, which feed in to allow us to actually score these policy tests. But we also have our change detection rules that are monitoring for change on the endpoint.

https://www.youtube.com/watch?v=rCa-BtE_EWM

RL: So, why is content an important aspect to consider when looking at a security solution? How do you differentiate what a solution's functionalities are versus the content, and how do those things work together?

TS: If we look at the different kinds of markets, we have FIM, or file integrity monitoring, looking specifically for change, and we also have SCM for configuration management of your different assets. The content is really telling one of those solutions what to do.
A big driver is something like compliance. That's really the driver behind that, and it's what makes SCM content valuable. We don't want to monitor everything on an asset that's changing. If we're looking at things like files and registry and services and ports and processes, all these things, all that stuff changes very frequently on endpoints. So, having content focuses that down to what we expect are important changes.
Gauging Various Levels of Security Content
RL: If you're looking at a FIM solution or an SCM solution, how do you differentiate one that has good content versus one that has not-as-great content?

TS: There are a couple of different things that you would want to assess if you're looking for "good content" for SCM or FIM solutions. Two of the main drivers are really platform support and policy coverage.

So, you want to have a solution that's going to be able to cover as many of the assets your organization has deployed as possible, if not all of them. So not only your Windows and your Linux type servers but your applications and databases and network devices like your firewalls and switches and those types of things. So, something that can cover all of those and have content for them.
If you want to have PCI compliance, you need to have every one of your computing components, your file servers and your databases and even the networking components that are processing credit cards and transferring that data back and forth. All those are in scope. You want something that's going to be able to do that.

https://www.youtube.com/watch?v=PaC7GrqviqY

The second component is you want to be able to have the actual content for those things. Going with the PCI example, say your different assets are split between 70% host-based platforms such as Windows or Linux and 30% network devices. That minority of devices might not have coverage under a given PCI product, which means that's not going to be as valuable to you. You're not going to get as much value out of that product as another one that would have the PCI coverage for all of those different platforms and types of devices.

RL: Does content go out of date? Is it an issue for people when they're buying a solution?

TS: Content can go out of date. It is possible. There are updates to compliance frameworks. So that needs to continue to be updated if you're using actual security content. From the change management side, things are constantly getting updated to reflect what we want to be monitoring on those systems. So, there are things that are noisy and changing that aren't very important. Looking at new files or new features, new services that are on endpoints or network devices that are changing, we want to be able to make sure we have insight into that.
Why a Content Team is Important to a Security Vendor
RL: What does it mean to have a content team at Tripwire, or for any vendor for that matter?

TS: The importance of having an actual content team that's dedicated to creating this content is specifically that this content is continually changing, and they need to be continually updating it. Here at Tripwire, we have a dedicated team that is updating this content every couple of weeks.

RL: How does having that team play into the competitiveness or differentiation for our SCM and FIM products?

TS: The differentiation for Tripwire specifically is that we have support for over 30 frameworks that we have actual content for. And we have well over three thousand policies available across those 30 frameworks. That is the biggest differentiator that we have: the broadest scope of coverage that's going to cover the most assets across the most policies. Any kind of compliance need that a customer would have, Tripwire is going to have content for it. If we don't, the content team that I'm responsible for will release new versions, or if there's a policy framework that just came out that a customer finds very important, they can send those requests to me and my team, and we will release that content and get it available for customers as soon as possible. Every month, we're releasing about 50 pieces of new content. We're releasing well over 30 to 40 policies each month. So that could be either content that customers have requested from us, or we are actually keeping up and looking at all of the updates that are coming out.

RL: It seems like a lot to track. How is content prioritized?

TS: Across everything that is coming out, Tripwire will look at the content that our customers are already using. We're looking at what platforms customers are using most frequently. So, things like Windows or Red Hat are very high priority for us. But it could also be driven by the new compliance frameworks that are coming out.
RL: How do people handle this if they don't have Tripwire?

TS: So, there are different maturity models. When we're looking at something like SCM, the less mature organizations are going to be doing things very manually, like looking at the CIS website to see if there are any updates. And if there is something there, or if it is time for your PCI audit, manually going through an audit of the machines (finding the machines, checking the settings and creating the report) is not only a lot of work. It costs a lot of money, and it's not very fun.

If you're using something like Tripwire, you can automate a lot of that. You can automate the ability to then say, "Okay, there's new content available." We can then put that in there. We're just going to continually scan our system for PCI. So, once a week or once a month, whatever your scheduling cadence would be, you have that historical picture of what your PCI compliance looks like for all of the different assets you have within scope of that specific compliance framework. When the auditor comes around, you just pass them the report from Tripwire Enterprise. And instead of it being this long, lengthy, drawn-out process, you've already hit the ground running instead of hitting the ground crawling.
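To make the two kinds of "content" from the interview concrete (change-detection rules that scope FIM down to the paths that matter, and policy tests that get scored against a hardening baseline), here is a small worked example. It is added illustration written for this page, not Tripwire Enterprise code or a description of how its rules are stored; the watch rules, the two policy tests, the file paths and the file contents are all constructed for the demo.

```python
"""Toy file-integrity monitor plus policy scoring, as an added illustration.

This is example code written for this page, not Tripwire's. The watch rules,
policy tests, paths and file contents are all constructed for the demo.
"""
import hashlib
import re
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Change-detection "content": which paths matter and which noisy ones to skip.
# Hypothetical rules; a real rule set would be far larger and per-platform.
WATCH_RULES = {
    "include": ["etc/*.conf", "bin/*"],
    "exclude": ["var/log/*", "tmp/*"],
}

# Policy "content" in the style of a hardening benchmark: each test names a
# file, a pattern, and whether the pattern is required or forbidden.
POLICY_TESTS = [
    {"id": "SSH-1", "path": "etc/ssh.conf",
     "pattern": r"^\s*PermitRootLogin\s+no\b", "must_match": True},
    {"id": "APP-1", "path": "etc/app.conf",
     "pattern": r"^\s*debug\s*=\s*true\b", "must_match": False},
]


def in_scope(relpath, rules=WATCH_RULES):
    """Exclusions win over inclusions, so noisy paths are never baselined."""
    if any(fnmatch(relpath, pat) for pat in rules["exclude"]):
        return False
    return any(fnmatch(relpath, pat) for pat in rules["include"])


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, rules=WATCH_RULES):
    """Hash every in-scope file under root, keyed by POSIX-style relative path."""
    snap = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if in_scope(rel, rules):
            snap[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return snap


def diff_snapshots(baseline, current):
    """Classify what changed between two snapshots of in-scope files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def run_policy(root, tests=POLICY_TESTS):
    """Evaluate each policy test and score the asset as percent passing."""
    results = {}
    for t in tests:
        p = root / t["path"]
        text = p.read_text() if p.exists() else ""
        found = re.search(t["pattern"], text, re.MULTILINE) is not None
        results[t["id"]] = (found == t["must_match"])
    passed = sum(results.values())
    return {"results": results, "score": round(100.0 * passed / len(tests), 1)}


def demo():
    """Baseline a constructed tree, make changes, rescan, and rescore."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {  # constructed sample files
            "etc/ssh.conf": "PermitRootLogin no\n",
            "etc/app.conf": "debug = false\n",
            "bin/tool": "#!/bin/sh\necho tool\n",
            "var/log/syslog": "boot ok\n",
            "tmp/scratch": "temp\n",
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = snapshot(root)
        policy_before = run_policy(root)

        # Simulated drift: one in-scope edit that also breaks a policy test,
        # one noisy out-of-scope change, and one new in-scope binary.
        (root / "etc/ssh.conf").write_text("PermitRootLogin yes\n")
        (root / "var/log/syslog").write_text("boot ok\nlots of churn\n")
        (root / "bin/newtool").write_text("#!/bin/sh\necho new\n")

        current = snapshot(root)
        return {
            "diff": diff_snapshots(baseline, current),
            "policy_before": policy_before,
            "policy_after": run_policy(root),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports one changed file (`etc/ssh.conf`) and one added file (`bin/newtool`) while the log churn under `var/log/` never appears, which is the "focus it down" point from the interview; the same edit drops the policy score from 100 to 50 because SSH-1 now fails. Keeping the rule sets (`WATCH_RULES`, `POLICY_TESTS`) as data separate from the scanning code is what lets them be updated on a cadence without touching the scanner, which is the division between product and content the interview describes.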
The Advantages of Having The Right Content
Travis and the content team work hard to build and maintain a comprehensive content library. The depth and breadth of the content is what makes Tripwire solutions so effective at covering environments so comprehensively – across the wide variety of platforms, frameworks, and policies. It also allows us to provide support across industries. With policy coverage for PCI, Tripwire works for retailers; with NERC we’re supporting energy companies; and with HIPAA, our solution operates in healthcare. With the right content, our solutions are trained to find the right things across all these environments. Kind of like the airport dog sniffing through different kinds of luggage, just not as cute. To learn more about how Tripwire’s solutions use this comprehensive content library, click here.