Why choose NNT as an alternative to Tripwire (or Why Tripwire isn't the 'only game in town')

By: Mark Kedgley

There's no shortage of IT data security solutions to choose from but understanding which one is right for your environment and how the options stack up against other solutions is not always easy.
At NNT, we are often asked similar questions on a handful of topics as a means of comparing NNT with alternatives, including Tripwire. We have taken these questions and compiled a checklist of the main areas that should be catered for, so whichever route you decide to take, make sure the solution covers these. Each of the main topics below are covered in this article series.
? File Integrity Monitoring (FIM)
? Device Hardening/ Change & Configuration Management (CCM)
? Security Information and Event Log Management (SIEM)
File Integrity Monitoring (FIM) for system & configuration files is crucial for spotting potential security breaches
FIM should identify who made the change; the account name and process used to make that change and should deliver both real-time & scheduled reports, providing details of folder, file, configuration & registry changes for all devices such as: Windows, Linux, UNIX, Network Devices, and Firewalls.
Top tips for selecting a FIM solution
Real-Time Detection of File Changes is essential - Time is of the essence - data theft and system damage can begin from the instant the malware is introduced. Real-time FIM is essential - a once-daily check on file integrity will miss interim file changes and with polymorphous malware which can change its identity or even cloak itself completely once installed
Who Made the Change? Must be recorded - Unless your FIM solution is recording who made a change, you have no straightforward means of establishing this information. Mining logs will only tell you who was logged onto a server at the time of a change and this could run to tens or hundreds of users. Knowing who made a change allows you to corroborate this with the individual; otherwise all filechanges must be investigated equally as serious threats.
FIM must operate forensically - there are plenty of solutions that purport File Integrity Monitoring but close examination can often reveal just a basic check on the modification date and/or size of the file (this will not cut it from a Compliance standpoint). There has to be some checksum/hashing of the file to truly guarantee filesystem integrity, particularly if this is to serve a compliance mandate such as PCI DSS.
FIM isn't just for Servers - Firewalls, routers, appliances, switches all contribute to the security of your IT estate. Real-time monitoring of rule and configuration settings for these devices may prove to be the difference between stopping a breach before damage is done or not. Implement just one FIM solution for all Windows, Linux, Unix and network devices.
FIM should underpin and re-enforce Change Management - FIM changes are reported as either unplanned/unauthorized, or planned and authorized with the corresponding Change Authorization and detail available for cross reference ("what actually changed and does that correlate with the planned change record?"). Unplanned changes should always be investigated and reconciled with RFC details, even for emergency or unexpected changes.

Article Directory: http://www.articletrunk.com

| More

As with any solution, there will be a range of costs to asses, not least the costs of implementation, training and acclimatization to the new system, all of which need to be considered, particularly with a switch from one solution to another. The best alternatives will reduce your cost of ownership significantly to more than outweigh any license fees and costs associated with the migration to a new solution. As a case in point NNT solutions are typical a 3rd of the price of the main alternativ

Please Rate this Article


Not yet Rated

Click the XML Icon Above to Receive Software Articles Articles Via RSS!

Powered by Article Dashboard