
PSN CODE OF CONNECTION - Information Security | SBL

SOLUTION BRIEF | BUSINESS INTELLIGENCE | CONFIDENCE: SECURED

ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE

The National Cyber Security Centre (NCSC, formerly CESG), the Information Security arm of Government Communication Head Quarters (GCHQ), and the National Technical Authority for Information Assurance documented 35 Good Practice Guides to help public sector organisations within the UK manage risk.

GPG number 13 describes the requirements for good practice and a set of IT controls for the security of Information Technology systems. Specifically, GPG13 describes 12 Protective Monitoring Controls (PMC), which comprise tasks such as event log management and the use of intrusion detection and prevention systems. Public sector local authorities are required to conform to GPG13 in order to prevent accidental or malicious data loss.

PSN CODE OF CONNECTION: GPG13 COMPLIANCE

UK Public Sector organisations are mandated to comply with certain regulations and standards before connecting to the Government’s Secure Extranet. One of those compliance requirements is the Code of Connection (CoCo), which was established in 2009.


Tripwire can support your efforts to comply with the GPG13 12 Protective Monitoring Controls (PMC) in a timely manner. Guidelines for Incident Response include responding within a certain timeframe depending on the severity service level agreements, as outlined in Fig 1.

Tripwire has a number of solutions that can assist with the management of logs, real-time breach detection and secure configuration management.

TRIPWIRE ENTERPRISE

Tripwire® Enterprise is an industry-leading configuration control solution that monitors, detects and reports changes to physical and virtual environments, and documents all changes in a single verifiable audit trail. Because every change introduces the potential for vulnerability, Tripwire Enterprise automates change detection, analysis, remediation and reporting, providing support for compliance with regulation or industry standards such as GCSX CoCo and ISO/IEC 27001. By detecting and analyzing the changes that happen throughout your environment in real time, whether desired or undesired, Tripwire Enterprise enables you to achieve, maintain and report on your known and trusted state.

TRIPWIRE IP360

Tripwire IP360™ is an enterprise-class vulnerability management solution that enables cost-effective reduction of cyberthreat risk by focusing remediation efforts on the highest risks and most critical assets. Tripwire IP360 provides complete visibility into the enterprise network including all networked devices and associated operating systems, applications and vulnerabilities. The solution is built upon a scalable architecture, including the industry’s most comprehensive vulnerability scoring and endpoint intelligence integration for quick response to new advanced threats. Integration between Tripwire IP360 and Tripwire Enterprise provides automated endpoint monitoring based on the changing threat landscape, continuous analysis of an organization’s attack surface, adjusts system monitoring based on vulnerability risk, and automatically monitors hosts with specific vulnerabilities for change.

TRIPWIRE LOG CENTER

Tripwire Log Center® brings real-time cyberthreat intelligence to machine data, with security analytics and forensics for rapid incident detection and response. Tripwire Log Center provides integration with your existing infrastructure and includes a growing library of available correlation rules, empowering your team to start monitoring, managing and controlling your environment quickly. Tripwire Log Center efficiently collects and stores tens of thousands of events per second from any readable audit, accounting or operational log. Upon capture, Tripwire Log Center automatically indexes files, allowing instant searching and reporting against all collected log data, even previously unseen log formats, without the need for customisation. This allows for the processing of customised log files out-of-the-box, leading to the ability to process 100 percent of collected logs.

Leading technology partner products are integrated with Tripwire Enterprise, Tripwire IP360 and Tripwire Log Center to deliver a wide variety of high-value, differentiated solutions. Each vendor has core competencies in different areas of the information security space (analytics, network security, threat intelligence, Security Incident & Event Management (SIEM), Integrated Access Management (IAM)). Integrating these competencies helps solve more of the 12 PMC.

THE TRIPWIRE VALUE FOR GPG13 COMPLIANCE

» Shortens time and minimises resources to gain compliance
» Reduces cycles in detecting threats from days to hours through integration with other critical security solutions
» Offers comprehensive context and content awareness to determine the risk level
» Provides an easy to use Correlation Rule builder that does not require professional services to use
» Highly experienced Tripwire Professional Services with a range of compliance expertise including GPG13 requirements

SEGMENT (RISK LEVEL)       PRELIMINARY RESPONSE     ANALYSIS
Aware (medium)             Less than 1 day          No guidance
Deter (medium-high)        Less than 4 hours        Within 2 days
Detect/Resist (high)       Less than 1 hour         Within 1 day
Defend (very high)         Less than 30 minutes     Within 4 hours

Fig. 1 Severity service level agreements


12 PROTECTIVE MONITORING CONTROLS (PMC)

Columns of the original table: Number and Description, Asset, Tripwire Value, Product, Benefit.

PMC1 Accurate time in logs
Asset: General
Tripwire Value: Tripwire records data from logging sources using Tripwire Log Center, as well as from monitored hosts, against an accurate time source. Tripwire can also detect configuration deviation of hosts using Tripwire Enterprise to ensure clocks are systematically configured to true and accurate time servers.
Product: Tripwire Enterprise and Tripwire Log Center
Benefit: By ensuring that the critical components and configurations are monitored, this will assist with forensic diagnostics. Tripwire Enterprise can be used to validate that systems that contribute logs are synchronized with a valid time server.

PMC2 Recording of business traffic crossing a boundary
Asset: Firewall + any boundary network
Tripwire Value: Utilizing Tripwire Log Center, network events can be recorded and alerts or reports generated based on suspicious activity.
Product: Tripwire Log Center and Tripwire Enterprise
Benefit: By correlating multiple data sources, events can be tied together to detect malicious activity. Tripwire Enterprise can be used to validate that other systems recording traffic are configured to do so correctly.

PMC3 Recording relating to suspicious activity at the boundary
Asset: Firewall + any boundary network
Tripwire Value: Utilizing Tripwire Log Center, network events can be recorded and alerts or reports generated based on suspicious activity.
Product: Tripwire Log Center
Benefit: By correlating multiple data sources, events can be tied together to detect malicious activity.

PMC4 Recording on internal workstation, server or device status
Asset: Desktop, Laptop, Server
Tripwire Value: Workstation, server and other network device information can be collected using Tripwire Log Center. With Tripwire Enterprise, suspicious configuration changes, privileged access to files by user account, unexpected software installation, critical system files and compliance against known good standards can also be monitored in real time. Tripwire IP360 identifies and prioritizes vulnerabilities.
Product: Tripwire Log Center, Tripwire Enterprise and Tripwire IP360
Benefit: Security events can be detected more effectively when recording and auditing user account activity using Tripwire tools.

PMC5 Recording relating to suspicious internal network activity
Asset: Internal network device
Tripwire Value: Tripwire can monitor the behavior of user activity as well as network data to detect suspicious and malicious activity.
Product: Tripwire Enterprise
Benefit: Security events can be detected more easily when recording and auditing user account activity using Tripwire tools. Activity that spans multiple hosts or events can be detected when logs and other data are correlated.

PMC6 Recording relating to network connections
Asset: Remote access VPN or WiFi
Tripwire Value: Tripwire Log Center can securely and reliably collect and analyse logs from diverse systems such as authentication systems, network services (DNS, DHCP, WINS), firewalls, databases and network traffic. Tripwire Enterprise can detect changes in network configurations and state to identify suspicious activity.
Product: Tripwire Log Center and Tripwire Enterprise
Benefit: Utilising the Tripwire Log Center agent, logs can be transported without any concerns about reliability or about their being tampered with or read in transit. If network connections change in suspicious ways, Tripwire Enterprise can detect it.

PMC7 Recording on session activity by user and workstation
Asset: Endpoint device and user
Tripwire Value: Users within Active Directory, LDAP and databases can be monitored for suspicious activity. Changes of critical configuration or application files can also be monitored in real time utilizing Tripwire Enterprise. Logs can be securely collected and analyzed, or collated, normalised and sent to another SIEM for analysis, using Tripwire Log Center.
Product: Tripwire Log Center and Tripwire Enterprise
Benefit: When combining log capture with change audit and real-time analysis of both change data and logged data, IT can see the complete user activity picture.


PMC8 Recording on data backup status
Asset: Disaster Recovery
Tripwire Value: Configuration of backups can be monitored using Tripwire Enterprise to ensure they are correctly configured, and backup logs can be securely and reliably transported to Tripwire Log Center for analysis or to another SIEM.
Product: Tripwire Log Center and Tripwire Enterprise
Benefit: Reduces the potential configuration mistakes that lead to lost backups.

PMC9 Alerting critical events
Asset: General
Tripwire Value: Critical alerts can be issued immediately within the Tripwire tools or sent over to other management tools. Tripwire Log Center can alert on combined events based on correlation rules.
Product: Tripwire Log Center, Tripwire Enterprise and Tripwire IP360
Benefit: Faster threat detection

PMC10 Reporting on the status of audit system
Asset: General
Tripwire Value: A comprehensive audit and reporting system is available within Tripwire Log Center and Tripwire Enterprise.
Product: Tripwire Log Center and Tripwire Enterprise
Benefit: Be audit-ready

PMC11 Production of sanitized and statistical management reports
Asset: General
Tripwire Value: Tripwire provides high-level reports and dashboards out of the box for both Tripwire Log Center and Tripwire Enterprise. Report data can be exported to PDF, XML, CSV and HTML. For customized reporting, Tripwire Connect allows for modification of report templates.
Product: Tripwire Log Center, Tripwire Enterprise and Tripwire Connect
Benefit: Provides actionable intelligence to enhance decision making

PMC12 Providing a legal framework for protective monitoring activities
Asset: General
Tripwire Value: Collected logs are normalised for management and auditing purposes by Tripwire Log Center. In addition, logs are stored and retained in original/raw format for forensics and legal requirements.
Product: Tripwire Log Center
Benefit: Be confident that you have the necessary evidence
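PMC1 requires that log timestamps are accurate and that contributing systems are synchronized with a valid time server. The following is an added example, not Tripwire's code, of a collector-side check for that control: it compares each event's own timestamp with the time the collector received it and flags sources whose clocks drift beyond a tolerance. The line layout, the tolerance value and the sample lines are constructed assumptions for this example.

```python
from datetime import datetime, timezone
import re

# Assumed tolerance for this example; GPG13 does not set a value here.
TOLERANCE_SECONDS = 5.0

# Constructed sample lines. Assumed layout: "<receive_time> <host> <event_time> <message>",
# where receive_time is stamped by the collector and event_time by the source.
SAMPLE_LINES = """\
2024-03-01T10:00:00Z fw01 2024-03-01T10:00:01Z accept src=10.0.0.5 dst=10.0.1.7
2024-03-01T10:00:02Z web01 2024-03-01T09:47:30Z sshd: Accepted publickey for ops
2024-03-01T10:00:03Z db01 2024-03-01T10:00:02Z backup completed
2024-03-01T10:00:04Z web01 2024-03-01T09:47:33Z sudo: ops : TTY=pts/0
2024-03-01T10:00:05Z dc01 2024-03-01T11:00:04Z kerberos: TGT issued
garbage line that must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse_ts(text):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def source_skews(lines):
    """Map each host to its (event_time - receive_time) offsets in seconds.
    Lines with an unexpected layout or unparsable timestamps are skipped."""
    skews = {}
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        recv, host, evt, _msg = m.groups()
        try:
            offset = (parse_ts(evt) - parse_ts(recv)).total_seconds()
        except ValueError:
            continue
        skews.setdefault(host, []).append(offset)
    return skews

def flag_skewed(lines, tolerance=TOLERANCE_SECONDS):
    """Return {host: worst offset} for hosts whose clocks drift beyond tolerance.
    A steady offset across a host's lines points at a clock or NTP problem on
    that source; a lone outlier is more likely a delayed or replayed event."""
    flagged = {}
    for host, offsets in source_skews(lines).items():
        worst = max(offsets, key=abs)
        if abs(worst) > tolerance:
            flagged[host] = worst
    return flagged
```

Calling flag_skewed(SAMPLE_LINES) reports web01 (about 12.5 minutes behind the collector) and dc01 (an hour ahead), while fw01 and db01 sit within tolerance.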


Tripwire is a leading provider of security, compliance and IT operation solutions for enterprises, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at tripwire.com.

SECURITY NEWS, TRENDS AND INSIGHTS AT TRIPWIRE.COM/BLOG | FOLLOW US @TRIPWIREINC ON TWITTER

©2016 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. SBGPG131b 201612