Is your security tool an island? Does it do its singular task with little more to offer than what it says on the package? Too many security offerings behave as singular entities, forcing you to constantly switch between tasks to complete a job. If you are using a robust tool, you may not be taking full advantage of its capabilities. Many capabilities of a good tool can be broadened through the use of an Application Programming Interface (API).
“Application Programming Interface” sounds like it’s going to be an ominously complicated topic, but it’s something you should take notice of when you’re evaluating what technology toolset you implement. APIs open up a wide range of opportunities for expanding and integrating your information sources.
Perhaps the simplest description of an API is a method of accessing data or functionality using scripts or software. In the world of cybersecurity, data access might include listing the vulnerabilities detected within your infrastructure, or details about new files detected during a patch deployment, while functionality might include the ability to run scans of a particular machine or network.
What Can an API Do for You?
With a good API, you can automate many of your team’s day-to-day tasks and reduce the amount of manual effort required to analyse data and respond to alerts.
An API can also offer new options for bringing together different products in your toolkit, granting you better insight into the relationships between one data point and another. Tripwire’s product suite has a number of APIs you can use. Tripwire Enterprise (TE) has a powerful API that you can leverage in your business-as-usual workflows to check for changes, classify your monitored estate, or extract data to use with other tools in your organisation.
Tripwire IP360 similarly offers a robust API to help you do more with your vulnerability data. For example, rather than having a vulnerability score for a system in isolation, you can automatically extract the score and put it alongside other technical information from your environment, such as when the machine was last backed up or last patched, to help drive your decisions about what to prioritize when planning upgrades or patching.
Adding full awareness of what’s going on in the rest of your environment lets you act with greater confidence and is the first step towards automating the resolution and even verifying the fix. Used in combination with your change and incident management tools, your silo of security data can be integrated into your business’s single pane of glass and workflows, improving response times and taking the guesswork out of how to respond to issues.
A Single Line of Code Can Reveal the State of the Environment
If this sounds like a time-consuming activity, thanks to the state of Windows PowerShell and of Python libraries on Linux, you can actually start leveraging almost all of this functionality in a few lines of code. In fact, when working with a large inventory of machines, a small script can be written to interact with the Tripwire API to accelerate the process. A number of powerful uses for the TE API can be achieved in a single line of code that also delivers insight into the rich data stream available from its File Integrity Monitoring change history.
As a Tripwire consultant, I’ve long held a belief in “show, don’t tell” – so let’s look at a one-line example written in PowerShell that extracts the list of TE nodes that currently have “Critical” changes (a severity greater than 99,999 by default) and outputs the results in a table ready to review:
Invoke-RestMethod -Method Get -Uri "https://yourTEserver/api/v1/nodes" -Credential (Get-Credential) | Where-Object { $_.maxSeverity -gt 99999 } | Format-Table -AutoSize -Property name,make,model,maxSeverity
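The same filter, and the "put the score alongside other data" idea from the IP360 paragraph above, as an added Python example (the post mentions Python libraries on Linux as the other route in). This is not Tripwire's own code: the /api/v1/nodes path and the name, make, model and maxSeverity fields come from the one-liner, while the HTTP basic-auth fetch helper, the 99,999 "Critical" threshold as a constant, the node records in SAMPLE_NODES and the last-patched dates in SAMPLE_PATCH_DATES are assumptions or constructed sample data so the script runs offline.

```python
"""Filter Tripwire Enterprise nodes with "Critical" changes and rank them
against patch history. Added example, not Tripwire's code; fetch_nodes,
the sample node records and the patch dates are assumptions/constructed."""
import base64
import json
import urllib.request
from datetime import date

CRITICAL_THRESHOLD = 99999          # TE's default "Critical" boundary, per the post
AS_OF = date(2024, 3, 31)           # constructed "today" for the offline demo


def fetch_nodes(base_url, username, password):
    """GET <base_url>/api/v1/nodes as JSON. HTTP basic auth is an assumption;
    TLS certificate verification is left on. Not called in the offline demo."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/nodes",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def severity(node):
    """maxSeverity as an int; a missing, null or malformed value counts as 0
    so one odd record does not abort the whole report."""
    try:
        return int(node.get("maxSeverity") or 0)
    except (TypeError, ValueError):
        return 0


def critical_nodes(nodes, threshold=CRITICAL_THRESHOLD):
    """Python equivalent of `Where-Object { $_.maxSeverity -gt 99999 }`."""
    return [n for n in nodes if severity(n) > threshold]


def prioritise(nodes, patch_dates, today):
    """Join each node with its last-patched date (constructed inventory data)
    and rank: highest severity first, then longest time since a patch. Nodes
    with no patch record sort as the oldest, since unknown is the riskier case."""
    rows = []
    for n in nodes:
        last = patch_dates.get(n.get("name"))
        rows.append({
            "name": n.get("name", ""),
            "make": n.get("make", ""),
            "model": n.get("model", ""),
            "maxSeverity": severity(n),
            "days_since_patch": (today - last).days if last else None,
        })
    unknown = float("inf")
    rows.sort(key=lambda r: (
        -r["maxSeverity"],
        -(r["days_since_patch"] if r["days_since_patch"] is not None else unknown),
    ))
    return rows


def format_table(rows):
    """Plain-text table in the spirit of Format-Table -AutoSize."""
    cols = ["name", "make", "model", "maxSeverity", "days_since_patch"]
    cells = [["?" if r[c] is None else str(r[c]) for c in cols] for r in rows]
    widths = [max([len(c)] + [len(row[i]) for row in cells]) for i, c in enumerate(cols)]
    lines = [" ".join(c.ljust(w) for c, w in zip(cols, widths))]
    lines += [" ".join(v.ljust(w) for v, w in zip(row, widths)) for row in cells]
    return "\n".join(lines)


# Constructed records shaped like the fields the one-liner selects; app02's
# severity arrives as a string and jump01's as null to exercise severity().
SAMPLE_NODES = [
    {"name": "web01", "make": "Dell", "model": "R740", "maxSeverity": 100000},
    {"name": "db01", "make": "HPE", "model": "DL380", "maxSeverity": 250000},
    {"name": "fs01", "make": "Dell", "model": "R640", "maxSeverity": 50000},
    {"name": "jump01", "make": "VMware", "model": "VM", "maxSeverity": None},
    {"name": "app02", "make": "Dell", "model": "R740", "maxSeverity": "100000"},
]
SAMPLE_PATCH_DATES = {"web01": date(2024, 1, 5), "db01": date(2024, 3, 1)}  # app02: no record


def report(nodes=SAMPLE_NODES, patch_dates=SAMPLE_PATCH_DATES, today=AS_OF):
    """Critical nodes joined with patch age, rendered as a table."""
    return format_table(prioritise(critical_nodes(nodes), patch_dates, today))


if __name__ == "__main__":
    # For a live run, replace SAMPLE_NODES with fetch_nodes("https://yourTEserver", user, pw)
    print(report())
```

The ranking deliberately treats a node with no patch record as older than any node with one: the point of joining the data sources is to surface what you do not know about a critical asset, not to hide it at the bottom of the list.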
If you are a bit apprehensive about getting into the code, there are still ways to leverage APIs and automate without having to learn a whole programming language. Tripwire’s TE Commander and IP360 Commander command-line tools wrap our APIs into standard command-line tools you can easily use for various purposes; whether that’s onboarding new networks and scan configurations into IP360 or extracting information from TE for a routine audit, there are plenty of options and detailed documentation to help you get started.
When I talk about APIs, I’m often reminded of the phrase “no person is an island.” With a solid API, your security software tools need not be islands anymore, either.