Data and Networking Integrity Solutions - PowerPoint PPT Presentation

Slides: 67
Provided by: tripwi

Transcript and Presenter's Notes

Title: Data and Networking Integrity Solutions

1
Foundation for Data Security
Control Over Your IT Infrastructure
October 19, 2001
John Ludchen, Regional Account Manager
2
Tripwire Company Fast Facts
  • Tripwire, Inc., Founded in May 1997
  • First generation technology developed at Purdue
    University in 1992
  • Most widely deployed data and networking
    integrity solution
  • First commercial product available in 1998
  • 1800 Customers, adding 300 clients per quarter
  • Headquartered in Portland, Oregon
  • Offices in Japan, France and Germany
  • Principal Investors

    Advanced Technology Ventures, Bessemer Venture Partners,
    Sun Microsystems, Deutsche Banc Alex. Brown
3
Tripwire for Servers Summary
  • Monitors for, detects and reports on all file changes:
    • Originating from outside or within the network
    • Malicious, accidental or intentional changes
  • Notifies users if, when and how files were changed: modified, added or deleted
  • Identifies changes to system attributes, including file size, access flags, write time, and more
  • Flexible, robust and easy to use; scalable to networks of any size (the console was designed for this)
  • Violations can be prioritized by severity level and reported in various formats
  • Most comprehensive NT registry monitoring available

4
The Issue of Integrity Drift
  • Confidence degrades the minute you go live or plug in
  • Trust erodes after:
    • Applications are installed
    • Patches are applied
    • Machines are subjected to constant use, change and routine maintenance
  • Recovery means reformatting and rebuilding from scratch
  • Potential loss is unbounded (and often unknown)

[Chart: Confidence vs. Time, declining]
5
Tripwire Prevents Integrity Drift
  • Confidence is maintained even as your system changes
  • Remediation is as simple as restoring systems to the last known good state

[Chart: Confidence vs. Time, held level]
6
Perimeter defenses miss 70% of threats!
30% of threats occur from outside an organization
70% of threats occur from inside the organization
"Any organization's biggest security risk is the misuse of information by those who already have access to information."
7
Forces Against Integrity
[Diagram: threats and damage as forces acting against integrity]
8
How Does Tripwire Work?
1. Take digital snapshot of existing files
2. Take a second digital snapshot later in time
to compare
3. Any integrity violations are reported in
various formats
[Diagram: the two snapshots are compared; Manager-to-server traffic runs over SSL]
9
Built On Strong Security Technology
  • Tripwire protects itself
    • ElGamal 1024-bit asymmetric cryptography
    • Four message-digest algorithms used to ensure data integrity: MD5, HAVAL, SHA/SHS, CRC-32
  • Authentication and encryption between Manager and Server
    • All data transmission uses SSL (Secure Sockets Layer)
    • 168-bit Triple DES encryption

10
Supported Platforms
  • Tripwire Manager
    • Solaris 7, 8
    • Microsoft Windows NT 4.0 - Workstation, Server, Enterprise Server
    • Windows 2000 - Professional, Server and Advanced Server
    • Linux: various distributions, kernel 2.2 and 2.4
  • Tripwire for Servers
    • Solaris 2.6, 7, 8
    • Microsoft Windows NT 4.0 - Workstation, Server, Enterprise Server
    • Windows 2000 - Professional, Server and Advanced Server
    • HP-UX 11.0, 10.20
    • Compaq Tru64 Unix 4.0, 5.1
    • IBM AIX 4.3
    • FreeBSD 4.3
    • Linux: various distributions, kernel 2.2 and 2.4

11
What does Tripwire Monitor?
Windows NT/2000 File System
  • Archive flag
  • Read only flag
  • Hidden flag
  • Offline flag
  • Temporary flag
  • System flag
  • Directory flag
  • Last access time
  • Last write time
  • Create time
  • File size
  • MS-DOS 8.3 name
  • NTFS Compressed flag
  • NTFS Owner SID
  • NTFS Group SID
  • NTFS DACL
  • NTFS SACL
  • Security descriptor control
  • Size of security descriptor for this object
  • 0 to 4 hashes of the default data stream
  • Number of NTFS data streams
  • 0 to 4 hashes of non-default data streams

12
What does Tripwire Monitor?
Windows NT/2000 Registry
  • Registry type key or value
  • Owner SID
  • Group SID
  • DACL
  • SACL
  • Name of class
  • Number of subkeys
  • Maximum length of subkey name
  • Maximum length of classname
  • Number of values
  • Maximum length of the value name
  • Maximum length of data for any value in the key
  • Security descriptor control
  • Size of security descriptor
  • Last write time
  • Registry type key or value
  • Type of value data
  • Length of value data
  • CRC-32 hash of the value data
  • MD5 hash of the value data
  • SHA hash of the value data
  • HAVAL hash of the value data

13
What does Tripwire Monitor?
Unix File System
  • Permissions
  • Inode number
  • Number of links (i.e. inode reference count)
  • User ID of owner
  • Group ID of owner
  • File type
  • File size
  • File is expected to grow
  • Device number of the disk on which the inode is
    stored
  • Device number of the device to which the inode
    points.
  • Number of blocks allocated
  • Access timestamp
  • Modification timestamp
  • Inode creation / modification timestamp
  • CRC-32 hash of the data
  • MD5 hash of the data
  • SHA hash of the data
  • HAVAL hash of the data

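The three steps of slide 8 (snapshot, later snapshot, report), the Unix attribute list of slide 13 and the self-protecting database of slide 9, combined into one runnable check. This is an added example written for this page, not Tripwire code. It uses SHA-256 in place of the deck's MD5, HAVAL, SHA and CRC-32 (CRC-32 is a checksum, not a cryptographic digest, and MD5 no longer resists collisions), an HMAC in place of ElGamal signing, and a constructed directory tree, file contents and key; the per-file ignore policy is a simplification of the deck's "file is expected to grow" flag.

```python
"""File integrity baseline-and-compare: an added example, not Tripwire's code.
Implements slide 8's three steps over the Unix attributes of slide 13, plus
slide 9's self-protection point: the baseline carries a MAC, so a database
edited after the fact is rejected before anything is compared against it.
SHA-256/HMAC stand in for the deck's MD5, HAVAL, SHA, CRC-32 and ElGamal;
the tree, file contents and key below are constructed for the example."""
import fnmatch
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

# Slide 13's attributes minus atime: hashing a file reads it, which updates
# atime and would make every check report every file.
ATTRS = ("type", "mode", "inode", "nlink", "uid", "gid", "size", "dev", "mtime", "ctime", "sha256")

def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot_object(path):
    """lstat one object (symlinks not followed); hash it only if it is a regular file."""
    st = os.lstat(path)
    return {"type": stat.S_IFMT(st.st_mode), "mode": stat.S_IMODE(st.st_mode),
            "inode": st.st_ino, "nlink": st.st_nlink, "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size, "dev": st.st_dev,
            "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
            "sha256": _digest(path) if stat.S_ISREG(st.st_mode) else None}

def snapshot(root):
    """Slide 8 steps 1 and 2: a record for every object under root, keyed by relative path."""
    root = Path(root)
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            db[p.relative_to(root).as_posix()] = snapshot_object(p)
    return db

def _canonical(db):
    return json.dumps(db, sort_keys=True, separators=(",", ":")).encode()

def sign_db(db, key):
    """Slide 9, 'Tripwire protects itself': a MAC over the baseline detects edits to it."""
    return {"db": db, "mac": hmac.new(key, _canonical(db), hashlib.sha256).hexdigest()}

def open_db(signed, key):
    """Refuse a baseline whose MAC fails; an attacker who can rewrite the
    database could otherwise re-baseline their own changes."""
    expected = hmac.new(key, _canonical(signed["db"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("baseline database failed integrity check")
    return signed["db"]

def ignored_attrs(name, policy):
    """policy: (glob, attributes-to-ignore) pairs, like the deck's 'file is expected to grow'."""
    return {a for glob, attrs in policy if fnmatch.fnmatch(name, glob) for a in attrs}

def compare(baseline, current, policy=()):
    """Slide 8 step 3: added, removed and changed objects with the attributes that differ."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for name in sorted(set(baseline) & set(current)):
        skip = ignored_attrs(name, policy)
        diffs = {a: (baseline[name][a], current[name][a])
                 for a in ATTRS if a not in skip and baseline[name][a] != current[name][a]}
        if diffs:
            report["changed"][name] = diffs
    return report

def demo():
    """Constructed scenario: baseline a small tree, simulate an intrusion, re-check."""
    key = b"constructed-demo-key"  # assumption: a real key lives off-box or on read-only media
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "bin/ls").write_bytes(b"\x7fELF original")
        os.chmod(root / "bin/ls", 0o755)
        (root / "var/log/messages").write_text("boot ok\n")
        signed = sign_db(snapshot(root), key)
        # Later: log grows legitimately, bin/ls becomes a same-size trojan,
        # a setuid shell appears and etc/passwd is deleted.
        with open(root / "var/log/messages", "a") as f:
            f.write("login from 203.0.113.7\n")
        (root / "bin/ls").write_bytes(b"\x7fELF trojaned")
        (root / "bin/sh").write_bytes(b"\x7fELF")
        os.chmod(root / "bin/sh", 0o4755)
        (root / "etc/passwd").unlink()
        growing = [("var/log/*", ("size", "mtime", "ctime", "sha256"))]
        return compare(open_db(signed, key), snapshot(root), policy=growing)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints the report for the constructed scenario: bin/sh is reported as added, etc/passwd as removed, and bin/ls as changed on sha256 (and timestamps) but not on size, which is why a digest rather than the file size is what catches a same-size replacement. var/log/messages stays silent because the policy treats it as a growing log, and the parent directories show up with changed timestamps, as they would in a real report. Editing signed["db"] before open_db() makes the check raise instead of silently trusting the altered baseline.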
14
Tripwire Software is a powerful application with many uses
  • Intrusion detection
  • Integrity assessment
  • Software verification
  • Configuration management
  • Policy compliance and system lockdown
  • Damage assessment and recovery
  • Auditing and data forensics

[Graphic: Rootkits, Trojan Horse, Buffer Overflow, Denial of Service]
15
Deployment of Tripwire for Servers
Data Integrity Assurance Across the Enterprise!
  • Web/E-commerce Servers
  • DNS Servers
  • Application Servers
  • Email Servers
  • Firewalls
  • File and Print Servers
  • Database Servers
  • Cisco Routers

16
Intrusion Detection and Integrity Assessment
  • Tripwire should be installed on every system where critical data is being stored and on systems where applications that use this data reside
  • Prove that systems and data have not been tampered with, externally or internally
  • Does NOT look for known signatures
  • A fundamental layer of protection and an essential requirement for all Fortune companies
  • Network and host IDS complement Tripwire

17
Software Verification and Change Management
  • Monitor the installation process of new software to ensure proper configuration
  • Ensure changes are not made between the test system and the production system
  • Audit applications and systems over time to ensure integrity and avoid file and server drift

18
Policy Compliance
  • Help prevent intrusions by standardizing the
    configuration of machines
  • Tripwire can verify that users comply with
    configuration policy (drivers)
  • Helps meet Internal Audit and Security
    Configuration Management requirements

19
Damage Assessment and Recovery
  • Quickly identify which systems and files have
    been compromised
  • Focus recovery efforts where they are needed
  • Helps meet Contingency Plan, Security Incident
    Procedures and Security Management requirements

20
Forensics and Auditing
  • Gather and document evidence of compromised
    security
  • Use evidence to show criminal intent and help
    prosecute attacker
  • Important component of Security Incident
    Procedures, Event Reporting, and Audit Trail
    methodology

21
Tripwire Manager 2.4
Tripwire Manager Features
NT or UNIX
  • Centralized reporting
  • Centralized policy management
  • Edit and distribute configuration file
  • Edit and distribute policy file
  • Execute manual integrity checks
  • Update Tripwire database
  • Centralized scheduling

[Diagram: Tripwire Manager Architecture]
22
Tripwire Manager
  • Powerful, easy-to-use software for managing up to
    2500 Tripwire for Servers installations
  • Centralized management and easy distribution of
    policies
  • See changes over your entire enterprise by
    object, violation type or group
  • Centralized analysis allows you to
  • Quickly assess which systems have been changed
  • Correlate changes across multiple systems

23
Tripwire Products
  • Tripwire for Servers (UNIX and NT)
  • Host-deployed on servers managing overall system
    integrity
  • Tripwire Manager
  • Manages multiple server deployments (up to 2500)
  • Tripwire for Web Pages
  • Apache Edition, verifies integrity of Web content
    in real-time
  • Tripwire for Routers
  • IOS Edition, manages the configuration integrity
    of routers
  • Tripwire Service and Support Products
  • Maximizes customer success and satisfaction with
    Tripwire products

24
Tripwire ROI
  • After one attack or mis-configuration Tripwire will pay for itself
  • Average time to re-build a basic application server is 20-25 hours if an attack has occurred
  • Average per-hour salary for system administration is $30.55
  • Average cost to rebuild a basic server: $687
  • Source: 2000 CSI Computer Crime and Security Survey and 1999 SANS Salary Survey
  • With Tripwire, a compromised server can be brought back on line in less than one hour
  • Above figures do not include costs of loss of business.

25
Key Benefits of Tripwire
  • Faster discovery and diagnosis of problems
  • Results in faster remediation and significantly
    less down time
  • Augments other security and systems management
  • Helps you maximize the effectiveness of your IT
    investments
  • Identifies changes, regardless of source or
    intent
  • Doesn't rely on known patterns or signatures
  • Detects accidental and malicious changes
  • Peace of mind
  • Helps you know which systems you can trust, and which ones you can't

26
Demo time
27
Tripwire applications: Data Security/Intrusion Detection
  • Problem
  • $2.7 M is the average cost of an authorized-user attack, according to the FBI. In fact, internal and authorized users (your employees, partners and consultants) commit 75-85% of computer crime.
  • Solution
  • Tripwire detects all unauthorized change, whether it be from an outside intruder or within your organization.

The only way you can know, for sure, when your systems have been compromised.
28
Tripwire applications: Damage Assessment and Remediation
  • Problem
  • Close to 30% of companies indicated they would not be aware that their core business information had been altered until 12 to 24 hours later, and roughly 30% would not be aware of a compromise for more than 2 days.
  • Source: CIO Magazine
  • Solution: Tripwire pinpoints exact areas of change and damage, enabling immediate, efficient remediation.

Outage costs can be as high as $25,000/minute.
How quickly can you discover changes to your systems?
29
Tripwire applications: System Lock-down
  • Problem: Integrity Drift!
  • At the point you are 100% confident in the state of your systems, you need to lock them down and ensure that nothing changes unless you want it to.
  • Solution
  • Tripwire confirms the lock-down of your systems by taking a baseline inventory of all your data assets and providing immediate visibility into any deviations from that baseline snapshot.

30
Tripwire applications: Change/Configuration Management
  • Problem: Change control processes are only as good as your ability to monitor and validate those processes.
  • 99% of all trouble tickets are the result of authorized individuals making unauthorized or inappropriate changes
  • Solution: Tripwire provides visibility across an organization's data center, identifying all changes, authorized or unauthorized.
  • Verifies that work orders have been properly deployed across all machines. Allows you to map all changes back to the original work order
31
Tripwire applications: Industry Regulation and Policy Compliance
  • Problem: New industry regulations require significant changes in current business practices. Companies not in compliance risk stiff penalties and/or a significant loss of business.
  • Solution: Tripwire fulfills integrity requirements related to industry regulations, such as HIPAA, FDA, FCC, SEC, BS 7799, Gramm-Leach-Bliley, SAS 70
  • Industry-standard commercial software solution, readily available and easy to deploy. Provides an audit trail that documents all changes.

32
Tripwire applications: System Auditing and Verification
  • Problem: Failed internal IT audit (insert your name here)
  • Solution
  • Tripwire satisfies integrity requirements common to IT audit controls and best practices
  • Identifies areas of non-compliance
  • Validates adherence to IT policies
  • Reports provide proof of compliance

33
Tripwire Solution
  • Problem
  • Reliance on firewalls and other perimeter security
  • How Tripwire solves this
  • Detects damage from internal and external threats
  • Detects problems from malicious and accidental acts
  • Detects changes to data; doesn't rely on pattern recognition and can identify unknown threats
  • Safeguards internal systems as well as outward-facing servers

34
Tripwire Solution
  • Problem: I can't tell if my systems are truly locked down.
  • How Tripwire solves this: Enables you to establish a baseline inventory of all data assets on the systems being locked down
  • Provides immediate visibility into any deviations from the locked-down baseline
  • Allows you to quickly remediate changes and return systems to their baseline state

35
Tripwire Solution
  • Problem: I'm worried if we're hit by the newest virus or worm, my anti-virus software may not detect it.
  • How Tripwire solves this
  • Looks for changes to files and registry settings; does not rely on known attack definitions or signatures
  • Allows you to detect the presence of malicious or suspicious code and determine what damage has been done
  • Helps you quickly identify which systems have been infected so you can target cleanup efforts
  • Detects changes regardless of the source, internal or external

36
Tripwire Solution
  • Problem: My systems change constantly, but I can't track the changes and don't know which ones to act on first.
  • How Tripwire solves this
  • Accurately tracks file and registry settings over time
  • Allows you to establish and centrally manage data policies across your enterprise
  • Quickly shows which changes are common to multiple systems
  • Allows management based on severity of violations

37
Tripwire Solution
  • Problem: Discovering the cause of system problems is a long, trial-and-error process
  • How Tripwire solves this
  • Instantly identifies which systems have been affected
  • Pinpoints areas where changes have occurred, including the system registry
  • Allows you to manage by severity of violations
  • Provides proactive alerts based on violation severity thresholds

38
Tripwire Solution
  • Problem
  • I need to make strong recommendations that other people trust.
  • How Tripwire solves this
  • Tripwire is the world's most widely deployed data and network integrity solution
  • Award-winning solutions with 10 years of proven success and reliability
  • Recommended and used by leading security experts as an essential part of a strong layered security strategy

39
Tripwire Solution
  • Problem
  • I need to ensure tamperproof security solutions
    (no one can cover up their tracks or get around
    them)
  • How Tripwire solves this
  • Tripwire protects its own data with cryptography
    to prevent spoofing and tampering
  • Uses SSL communications between Manager and
    Servers
  • Detects changes in the configuration and program
    files of other components of your security
    infrastructure

40
Tripwire's Solutions
  • Problem: In the past, we've bought products then had trouble finding staff who are familiar with them.
  • How Tripwire solves this
  • Used by and known to many thousands of system administrators and consultants around the world
  • Large community of users to leverage for information, best practices, and even staffing
  • Worldwide training and certification available through Tripwire and its Authorized Training Centers

41
Battling the Code Red Worm
Customer: Major wireless provider
  • Problem: Worm affected critical IIS web servers
  • Unable to identify servers with updated security patch
  • Root.exe file added to a number of systems
  • Tripwire Solution: enables fast remediation
  • Quickly identifies servers still in need of patch
  • Pinpoints systems and directories that have been compromised with the Root.exe file

42
Pirated Software Distributed
Customer: ISP and Web Hosting Company
  • Problem: Hard drives on NT Web servers full
  • Hackers used them to distribute pirated software to cohorts
  • Rebuild required manual file-by-file review
  • Tripwire Solution
  • Notifies administrators as soon as files are added or changed
  • Reduces downtime and automates file integrity checks

43
Changes to System Files
Customer: Consulting Firm in Europe
  • Problem: MD5 hash changed on customer's key system files
  • Added rootkit caused violation
  • Tripwire Solution
  • Saved customer from having to rebuild several key systems
  • Able to replace affected files and change passwords instead, saving precious time and money

44
Online Buying Shut Down
Customer: Major online auction house
  • Problem: Group of hackers infiltrates systems
  • Risk of customer data being compromised
  • Internet servers had to be unplugged and rebuilt
  • Entire site was shut down
  • Tripwire Solution
  • Reduced system clean-up from estimated 2 years to 3 months
  • Files scanned from clean system and compared against those on hacked machines

45
Trading System Hacked
Customer: Online Stock Trading Company
  • Problem: Web servers are compromised
  • Shutting down was not an option
  • Damage to company's reputation would be severe
  • Potential loss of trading revenue was enormous
  • Tripwire Solution
  • Quickly identified 14 of 120 servers were affected
  • Enabled site to remain online until the end of the trading day
  • Provided baseline to fully restore and verify data

46
IT Security Professionals Tell Us
  • "I can't tell if my systems are truly locked down."
  • "I'm worried if we're hit by the newest virus or worm my antivirus software may not detect it."
  • "I have the perimeter solved. Do we need anything else?"
  • "My systems change constantly, but I can't track the changes and don't know which ones to act on first."
  • "Discovering the cause of system problems is a long, trial-and-error process."
  • "I need to make strong recommendations that other people trust."
  • "I need to ensure tamperproof security solutions (no one can cover up their tracks or get around them)."
  • "In the past, we've bought products then had trouble finding staff who are familiar with them."
47
Integrity Reporting
This pie chart provides a high-level view of the
types of changes that have occurred.
Quickly pinpoint important changes with
color-coded icons that represent violation
severity
Identify exactly what file attribute changed.
48
Report Filtering
Use the filter function to identify only the most
critical file violations to react to immediately.
Only shows the file violations that fit a
particular filter criteria.
49
Report Summary
Click here for more details
View a summary of violations with specific detail
about all the reports
50
Database Update Mode
Quickly accept authorized changes by selecting
what file or report to update
51
Integrity Scheduling
Click here to select the integrity check
parameters
Only execute specific sections of the policy to
perform a scheduled integrity check.
52
File Distribution
click the Distribute File command
Make one change to a configuration or policy file
and then select OK to distribute this file to
all the servers that need this file.
53
Tripwire for Routers
  • Solution Overview

54
The Need for Network Integrity Assurance
  • "Routers are the backbone of our network; configurations of routers and switches are changed constantly as a part of the normal business process. Therefore, ensuring continuous integrity of routers is critical for assuring the integrity of networking infrastructure."

Kenneth Newman, Regional Information Security Consulting/Firewall Manager, Americas, Deutsche Bank AG, New York
55
Common Challenges our Customers Face
  • Extensive outages, taking hours to isolate and
    discover the cause
  • Many individuals managing the router network,
    resulting in undocumented change
  • Difficulty in reporting router changes to the
    network management staff

56
Tripwire for Routers
  • Tripwire for Routers shows which Cisco routers have drifted from an authorized configuration, providing a solution that
  • monitors, compares, alerts, and restores the integrity of the startup and running configuration files

57
Tripwire for Routers
  • Reduces network downtime by quickly detecting
    unauthorized changes to routers
  • Restores routers to known good state within
    minutes of an alert
  • Can be configured for automatic restoration
  • Monitors all your routers from a single console
  • Provides strong security for network
    administration
  • Uses encrypted pass phrases and role based user
    privileges
  • Establishes a change audit trail
  • Provides accountability for configuration changes

58
Routers
What can go wrong as part of normal business operations?
  • Routers are actively managed
  • A router mis-configuration/outage can disable part or all of an organization's network

What's at stake?
59
The trouble with routers
  • What can go wrong?
  • Routers are actively managed
  • A router mis-configuration/outage can disable part or all of an organization's network
  • What's at stake?
  • Lost time during troubleshooting
  • Lost productivity during down time
  • Lost revenue during down time
  • Lost customer confidence
  • Lost market valuation

60
Exposure if the Network Goes Down
                     Amazon.com      (name not in transcript)  (name not in transcript)
Year 2000 Sales      $2.76 Billion   $14.6 Billion             $29 Billion
Online Sales/Day     $7.6 Million    $40 Million               $79.5 Million
61
How Tripwire for Routers Works
62
Tripwire for Routers: How it works
Establishing baselines and integrity checks
[Diagram: Tripwire for Routers connects to the routers over Telnet and TFTP]
Copies running and startup configuration files from the router via TFTP to Tripwire for Routers.
63
Tripwire for Routers: How it works
Restoring router configuration
[Diagram: Tripwire for Routers connects to the routers over Telnet and TFTP]
Using Telnet and TFTP, a copy command is issued that copies the baseline startup configuration, via TFTP, from Tripwire for Routers into the router's memory.
64
Tripwire for Routers Preview
66
Support and Professional Services
  • Solution Overview

67
Tripwire Professional Services
  • Complete deployment and implementation services available
  • Minimizes impact to your company's resources
  • Maximizes results and return on your investment
  • Comprehensive training and certification programs
  • Delivered by Tripwire and Tripwire Authorized Training Centers
  • On-site technical training available
  • Standard and Premier support programs fit your needs
  • Online Discussion Forums, Policy Resource Center and Knowledge Base available

68
Industry Recognition
2001 Excellence Award
Best Intrusion Detection Solution, 2001
3rd Fastest Growing, 2001