Data and Networking Integrity Solutions


Foundation for Data Security
Control Over Your IT Infrastructure

October 19, 2001
John Ludchen, Regional Account Manager
Tripwire Company Fast Facts

- Tripwire, Inc., founded in May 1997
  - First generation technology developed at Purdue University in 1992
  - Most widely deployed data and networking integrity solution
  - First commercial product available in 1998
- 1800+ customers, adding 300 clients per quarter
  - Headquartered in Portland, Oregon
  - Offices in Japan, France and Germany
- Principal investors:
  - Advanced Technology Ventures
  - Bessemer Venture Partners
  - Sun Microsystems
  - Deutsche Banc Alex. Brown
Tripwire for Servers Summary

- Monitors for, detects and reports on all file changes
  - Originating from outside or within the network
  - Malicious, accidental or intentional changes
- Notifies users if, when and how files were changed: modified, added or deleted
  - Identifies changes to system attributes, including file size, access flags, write time, and more
- Flexible, robust and easy to use: scalable to networks of any size, which is what the console was designed for
- Violations can be prioritized by severity level and reported in various formats
- Most comprehensive NT registry monitoring available
The Issue of “Integrity Drift”

- Confidence degrades the minute you go live or “plug in”
- Trust erodes after:
  - Applications are installed
  - Patches are applied
  - Machines are subjected to constant use, change and routine maintenance
- Recovery means reformatting and rebuilding from scratch
- Potential loss is unbounded (and often unknown)

Tripwire Prevents “Integrity Drift”

- Confidence is maintained even as your system changes
- Remediation is as simple as restoring systems to the last known good state

Perimeter defenses miss 70% of threats!

- 30% of threats occur from outside; these are what firewalls, network-based IDS and host-based IDS address
- 70+% of threats occur from inside
- Tripwire for Servers watches the system files themselves and so detects all integrity threats, inside and out!

“Any organization's biggest security risk is the misuse of information
by those who already have access to information.”
Forces Against Integrity

Forces: malicious acts, natural disaster, sabotage, hackers, fraud

Consequences: negative PR; access interrupted and lost business; loss of customer confidence; stock valuation impacted; data assets disclosed; strategic data compromised
How Does Tripwire Work?

1. Take a digital snapshot of existing files
2. Take a second digital snapshot later in time to compare
3. Any integrity violations are reported in various formats, for example by Email
Built On Strong Security Technology

Tripwire Protects Itself
- El Gamal 1024-bit asymmetric cryptography
- Four message-digest algorithms used to ensure data integrity, CRC-32 among them (the monitored-attribute slides below list the full set: CRC-32, MD5, SHA, HAVAL)

Authentication and Encryption Between Manager and Server
- All data transmission uses SSL (Secure Socket Layer)
- 168-bit Triple DES encryption
Supported Platforms

Tripwire Manager
- Solaris 7 & 8
- Microsoft Windows NT 4.0: Workstation, Server, Enterprise Server
- Windows 2000: Professional, Server and Advanced Server
- Linux: various distributions, kernel 2.2 and 2.4

Tripwire for Servers
- Solaris 2.6-7, 8
- Microsoft Windows NT 4.0: Workstation, Server, Enterprise Server
- Windows 2000: Professional, Server and Advanced Server
- HP-UX 11.0, 10.20
- Compaq Tru64 Unix 4.0 & 5.1
- IBM AIX 4.3
- FreeBSD 4.3
- Linux: various distributions, kernel 2.2 and 2.4
What does Tripwire Monitor?
Windows NT/2000 File System

- Archive flag
- Read only flag
- Hidden flag
- Offline flag
- Temporary flag
- System flag
- Directory flag
- Last access time
- Last write time
- Create time
- File size
- MS-DOS 8.3 name
- NTFS Compressed flag
- NTFS Owner SID
- NTFS Group SID
- NTFS DACL
- NTFS SACL
- Security descriptor control
- Size of security descriptor for this object
- 0 to 4 hashes of the default data stream
- Number of NTFS data streams
- 0 to 4 hashes of non-default data streams
What does Tripwire Monitor?
Windows NT/2000 Registry

- Registry type: key or value
- Owner SID
- Group SID
- DACL
- SACL
- Name of class
- Number of subkeys
- Maximum length of subkey name
- Maximum length of classname
- Number of values
- Maximum length of the value name
- Maximum length of data for any value in the key
- Security descriptor control
- Size of security descriptor
- Last write time
- Type of value data
- Length of value data
- CRC-32 hash of the value data
- MD5 hash of the value data
- SHA hash of the value data
- HAVAL hash of the value data
What does Tripwire Monitor?
Unix File System

- Permissions
- Inode number
- Number of links (i.e. inode reference count)
- User ID of owner
- Group ID of owner
- File type
- File size
- File is expected to grow
- Device number of the disk on which the inode is stored
- Device number of the device to which the inode points
- Number of blocks allocated
- Access timestamp
- Modification timestamp
- Inode creation / modification timestamp
- CRC-32 hash of the data
- MD5 hash of the data
- SHA hash of the data
- HAVAL hash of the data
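The three-step model from “How Does Tripwire Work?” (baseline snapshot, later snapshot, report), the self-protection of the database described under “Built On Strong Security Technology”, and the Unix attribute list above, worked through in one added example. This is code written for this page, not Tripwire's own: it records the stat attributes and CRC-32/MD5/SHA-1 digests listed on the slide (HAVAL is not in Python's standard library and is left out), protects the stored baseline with an HMAC-SHA256 tag as an assumed stand-in for the product's El Gamal signature, and orders the report by a severity rule per path prefix. The file tree, the key and the severity rules are constructed for the demonstration.

```python
"""Added example, not Tripwire's own code: a minimal integrity checker following the
slides' three steps (baseline snapshot, later snapshot, report) and recording the Unix
attributes Tripwire monitors plus CRC-32, MD5 and SHA-1 of the data.  The stored baseline
is protected with an HMAC, an assumed stand-in for the product's El Gamal signature,
which the standard library lacks (HAVAL is omitted for the same reason)."""
import hashlib, hmac, json, os, stat, tempfile, zlib


def snapshot(root):
    """Walk `root` and return {relative path: attribute record}."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rec = {"mode": stat.S_IMODE(st.st_mode), "type": stat.S_IFMT(st.st_mode),
                   "inode": st.st_ino, "nlink": st.st_nlink, "uid": st.st_uid, "gid": st.st_gid,
                   "size": st.st_size, "dev": st.st_dev, "rdev": getattr(st, "st_rdev", 0),
                   "blocks": getattr(st, "st_blocks", 0), "atime": st.st_atime_ns,
                   "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}
            if stat.S_ISREG(st.st_mode):          # hash the data of regular files only
                with open(full, "rb") as f:
                    data = f.read()
                rec.update(crc32=zlib.crc32(data), md5=hashlib.md5(data).hexdigest(),
                           sha1=hashlib.sha1(data).hexdigest())
            db[os.path.relpath(full, root)] = rec
    return db


def compare(baseline, current, ignore=("atime",)):
    """Added/removed paths, and for modified paths the attribute names that differ.
    atime is ignored by default: hashing a file for the snapshot itself updates it."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in set(baseline) & set(current):
        changed = sorted(k for k, v in baseline[path].items()
                         if k not in ignore and current[path].get(k) != v)
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def report(diff, severity_rules):
    """(severity, kind, path, detail) rows, highest severity first; severity_rules maps a
    path prefix to a severity and the highest matching rule wins."""
    def sev(path):
        return max((s for pre, s in severity_rules.items() if path.startswith(pre)), default=0)
    rows = [(sev(p), "added", p, "") for p in diff["added"]]
    rows += [(sev(p), "removed", p, "") for p in diff["removed"]]
    rows += [(sev(p), "modified", p, ",".join(a)) for p, a in diff["modified"].items()]
    return sorted(rows, key=lambda r: (-r[0], r[2]))


def save_database(db, path, key):
    """Baseline as JSON, preceded by an HMAC-SHA256 tag line (stand-in for a signature)."""
    payload = json.dumps(db, sort_keys=True).encode()
    with open(path, "wb") as f:
        f.write(hmac.new(key, payload, hashlib.sha256).hexdigest().encode() + b"\n" + payload)


def load_database(path, key):
    """Refuse a baseline whose tag does not verify (tampered file or wrong key)."""
    with open(path, "rb") as f:
        tag, payload = f.read().split(b"\n", 1)
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity database failed verification")
    return json.loads(payload)


def demo():
    """Full cycle on a constructed tree; returns the diff, report rows and tamper result."""
    key = b"example-key"  # assumed; in practice derived from the site passphrase
    with tempfile.TemporaryDirectory() as tmp:
        root, dbfile = os.path.join(tmp, "tree"), os.path.join(tmp, "baseline.twd")
        for rel, text in {"etc/passwd": "root:x:0:0::/root:/bin/sh\n", "bin/ls": "original\n"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(text)
        save_database(snapshot(root), dbfile, key)                    # step 1: baseline
        with open(os.path.join(root, "bin", "ls"), "w") as f:          # drift: replaced binary ...
            f.write("trojaned!\n")
        with open(os.path.join(root, "bin", "root.exe"), "w") as f:    # ... and a dropped file
            f.write("dropped\n")
        diff = compare(load_database(dbfile, key), snapshot(root))    # steps 2 and 3
        rows = report(diff, {"bin/": 100, "etc/": 80})
        with open(dbfile, "r+b") as f:                                 # corrupt the stored baseline
            f.seek(-1, os.SEEK_END)
            f.write(b"X")
        try:
            load_database(dbfile, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"diff": diff, "rows": rows, "tamper_detected": tamper_detected}
```

Two design points worth noting. Access time is excluded from the comparison because the checker's own read of the file updates it, so a default policy that flagged atime would report every scan as a violation; the slide's “file is expected to grow” attribute is the same idea applied to log files. The HMAC only buys what the product's signature buys if the key is not readable by whoever can edit the database, which is why Tripwire keeps its keys under a passphrase.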
Tripwire Software is a Powerful Application with Many Uses

- Intrusion detection
- Integrity Assessment
- Software verification
- Configuration Management
- Policy compliance & system lockdown
- Damage Assessment & Recovery (Trojan Horse, Buffer Overflow, Denial of Service)
- Auditing and Data Forensics

Deployment of Tripwire for Servers
Data Integrity Assurance Across the Enterprise!

- Web/E-commerce Servers
- Firewalls
- DNS Servers
- File and Print Servers
- Application Servers
- Database Servers
- Email Servers
- Cisco Routers
Intrusion Detection & Integrity Assessment

- Tripwire should be installed on every system where critical data is being stored and on systems where applications that use this data reside
- Prove that systems and data have not been tampered with, externally or internally
- Does NOT look for “known signatures”
- A fundamental layer of protection, and an essential requirement for all Fortune companies
- Network & Host IDS complement Tripwire

Software Verification & Change Management

- Monitor the installation process of new software to ensure proper configuration
- Ensure changes are not made between test system and production system
- Audit applications and systems over time to ensure integrity, avoid “FileServer Drift”

Policy Compliance

- Help prevent intrusions by standardizing the configuration of machines
- Tripwire can verify that users comply with configuration policy (drivers)
- Helps meet Internal Audit and Security Configuration Management requirements

Damage Assessment and Recovery

- Quickly identify which systems and files have been compromised
- Focus recovery efforts where they are needed
- Helps meet Contingency Plan, Security Incident Procedures and Security Management

Forensics & Auditing

- Gather and document evidence of compromised
- Use evidence to show criminal intent and help prosecute attacker
- Important component of Security Incident Procedures, Event Reporting, and Audit Trail
Tripwire Manager 2.4

Tripwire Manager Architecture: Tripwire Manager (NT or UNIX) exchanges commands, reports and data over SSL with each Tripwire for Servers installation (NT/2000 and UNIX).

Tripwire Manager features:
- Centralized reporting
- Centralized policy management
- Edit & distribute configuration file
- Edit & distribute policy file
- Execute manual integrity checks
- Update Tripwire database
- Centralized scheduling
Tripwire Manager

- Powerful, easy-to-use software for managing up to 2500 Tripwire for Servers installations
- Centralized management and easy distribution of policies
- See changes over your entire enterprise by object, violation type or group
- Centralized analysis allows you to:
  - Quickly assess which systems have been changed
  - Correlate changes across multiple systems

Tripwire Products

- Tripwire for Servers (UNIX and NT): host-deployed on servers managing overall system integrity
- Tripwire Manager: manages multiple server deployments (up to 2500)
- Tripwire for Web Pages: Apache Edition, verifies integrity of Web content in real-time
- Tripwire for Routers: IOS Edition, manages the configuration integrity of routers
- Tripwire Service and Support Products: maximizes customer success and satisfaction with Tripwire products
Tripwire ROI

- After one attack or mis-configuration Tripwire will pay for
  - Average time to re-build a basic application server is 20-25 hours if an attack has occurred
  - Average per hour salary for system administration is $30.55
  - Average cost to rebuild a basic server $687
  Source: 2000 CSI Computer & Crime Security Survey and 1999 SANS Salary Survey
- With Tripwire, a compromised server can be brought back on line in less than one hour
- Above figures do not include costs of “loss of business.”
Key Benefits of Tripwire

- Faster discovery and diagnosis of problems
  - Results in faster remediation and significantly less down time
- Augments other security and systems management
  - Helps you maximize the effectiveness of your IT investments
- Identifies changes, regardless of source or intent
  - Doesn’t rely on known patterns or signatures
  - Detects accidental and malicious changes
- Peace of mind
  - Helps you know which systems you can trust, and which ones you can’t
Demo time
Tripwire applications:
Data Security/Intrusion Detection

“$2.7 M is the average cost of an authorized user attack, according to the FBI. In fact, internal and authorized users – your employees, partners and consultants – commit 75-85% of computer crime.”

Tripwire detects all unauthorized change whether it be from an outside intruder or within your organization.

The only way you can know, for sure, when your systems have been compromised.

Tripwire applications:
Damage Assessment and Remediation

“…Close to 30% of companies indicated they would not be aware that their core business information had been altered until 12 to 24 hours later and roughly 30% would not be aware of a compromise for more than 2 days.”
Source: CIO Magazine

Tripwire pinpoints exact areas of change and damage, enabling immediate, efficient remediation.

Outage costs can be as high as $25,000/minute. How quickly can you discover changes to your systems?

Tripwire applications:
System Lock-down

Problem: Integrity Drift! At the point you are 100% confident in the state of your systems, you need to lock them down and ensure that nothing changes unless you want it to.

Tripwire confirms the lock down of your systems by taking a baseline inventory of all your data assets and providing immediate visibility into any deviations from that baseline.

Tripwire applications:
Change/Configuration Management

Change control processes are only as good as your ability to monitor and validate those processes. 99% of all trouble tickets are the result of authorized individuals making unauthorized or inappropriate changes.

Tripwire provides visibility across an organization’s data center, identifying all changes, authorized or unauthorized. Verifies that work orders have been properly deployed across all machines. Allows you to map all changes back to the original work order.

Tripwire applications:
Industry Regulation and Policy Compliance

New industry regulations require significant changes in current business practices. Companies not in compliance risk stiff penalties and/or a significant loss of business.

Tripwire fulfills integrity requirements related to industry regulations, such as HIPAA, FDA, FCC, SEC, BS7799, Gramm Leach Bliley, SAS70. Industry standard commercial software solution, readily available and easy to deploy. Provides an audit trail that documents all changes.

Tripwire applications:
System Auditing and Verification

Failed internal IT Audit (Insert your name here…)

- Tripwire satisfies integrity requirements common to IT audit controls and best practices
- Identifies areas of non-compliance
- Validates adherence to IT policies
- Reports provide proof of compliance
Tripwire Solution

Reliance on firewalls and other perimeter security
How Tripwire solves this:
- Detects damage from internal and external threats
- Detects problems from malicious and accidental acts
- Detects changes to data: doesn’t rely on pattern recognition and can identify unknown threats
- Safeguards internal systems as well as outward-facing servers

Tripwire Solution

“I can’t tell if my systems are truly locked down.”
How Tripwire solves this:
- Enables you to establish a baseline inventory of all data assets on the systems being locked down
- Provides immediate visibility into any deviations from the locked down baseline
- Allows you to quickly remediate changes and return systems to their baseline state

Tripwire Solution

“I’m worried if we’re hit by the newest virus or worm, my anti-virus software may not detect it.”
How Tripwire solves this:
- Looks for changes to files and registry settings: does not rely on known attack definitions or signatures
- Allows you to detect the presence of malicious or suspicious code and determine what damage has been done
- Helps you quickly identify which systems have been infected so you can target cleanup efforts
- Detects changes regardless of the source, internal or external

Tripwire Solution

“My systems change constantly, but I can’t track the changes and don’t know which ones to act on first.”
How Tripwire solves this:
- Accurately tracks file and registry settings over time
- Allows you to establish and centrally manage data policies across your enterprise
- Quickly shows which changes are common to multiple systems
- Allows management based on severity of violations

Tripwire Solution

“Discovering the cause of system problems is a long, trial-and-error process.”
How Tripwire solves this:
- Instantly identifies which systems have been affected
- Pinpoints areas where changes have occurred, including the system registry
- Allows you to manage by severity of violations
- Provides proactive alerts based on violation severity

Tripwire Solution

“I need to make strong recommendations that other people trust.”
How Tripwire solves this:
- Tripwire is the world’s most widely deployed data and network integrity solution
- Award-winning solutions with 10 years of proven success and reliability
- Recommended and used by leading security experts as an essential part of a strong layered security strategy

Tripwire Solution

“I need to ensure tamperproof security solutions (no one can cover up their tracks or get around them).”
How Tripwire solves this:
- Tripwire protects its own data with cryptography to prevent spoofing and tampering
- Uses SSL communications between Manager and Servers
- Detects changes in the configuration and program files of other components of your security infrastructure

Tripwire Solution

“In the past, we’ve bought products then had trouble finding staff who are familiar with them.”
How Tripwire solves this:
- Used by and known to many thousands of system administrators and consultants around the world
- Large community of users to leverage for information, best practices, and even staffing
- Worldwide training and certification available through Tripwire and its Authorized Training Centers
Battling the Code Red Worm
Customer: Major wireless provider

- Problem: Worm affected critical IIS web servers
  - Unable to identify servers with updated security patch
  - Root.exe file added to a number of systems
- Tripwire Solution enables fast remediation
  - Quickly identifies servers still in need of patch
  - Pinpoints systems and directories that have been compromised with the Root.exe file

Pirated Software Distributed
Customer: ISP and Web Hosting Company

- Problem: Hard drives on NT Web servers full
  - Hackers used to distribute pirated software to cohorts
  - Rebuild required manual file by file review
- Tripwire Solution
  - Notifies administrators as soon as files are added or
  - Reduces downtime and automates file integrity checks

Changes to System Files
Customer: Consulting Firm in Europe

- Problem: md5 hash changed on customer’s key system files
  - Added Rootkit caused violation
- Tripwire Solution
  - Saved customer from having to rebuild several key
  - Able to replace affected files and change passwords instead, saving precious time and money

Online Buying Shut Down
Customer: Major online auction house

- Problem: Group of hackers infiltrates systems
  - Risk of customer data being compromised
  - Internet servers had to be unplugged and rebuilt
  - Entire site was shut down
- Tripwire Solution
  - Reduced system clean-up from estimated 2 years to 3
  - Files scanned from “clean system” and compared against those on hacked machines

Trading System Hacked
Customer: Online Stock Trading Company

- Problem: Web Servers are compromised
  - Shutting down was not an option
  - Damage to company’s reputation would be severe
  - Potential loss of trading revenue was enormous
- Tripwire Solution
  - Quickly identified 14 of 120 servers were affected
  - Enabled site to remain online until the end of the trading
  - Provided baseline to fully restore and verify data
IT Security Professionals Tell Us…

- I can’t tell if my systems are truly locked down.
- I’m worried if we’re hit by the newest virus or worm my antivirus software may not detect it.
- I have the perimeter solved. Do we need anything else?
- My systems change constantly, but I can’t track the changes and don’t know which ones to act on first.
- Discovering the cause of system problems is a long, trial-and-error process.
- I need to make strong recommendations that other people trust.
- I need to ensure tamperproof security solutions (no one can cover up their tracks or get around them).
- In the past, we’ve bought products then had trouble finding staff who are familiar with them.
Integrity Reporting

- The pie chart provides a high-level view of the types of changes that have occurred.
- Quickly pinpoint important changes with color-coded icons that represent violation severity.
- Identify exactly what file attribute changed.

Report Filtering

- Use the filter function to identify only the most critical file violations to react to immediately.
- Only shows the file violations that fit particular filter criteria.

Report Summary

- View a summary of violations with specific detail about all the reports.

Database Update Mode

- Quickly accept authorized changes by selecting which file or report to update.

Integrity Scheduling

- Schedule multiple checks on the same machine at different times and intervals.
- Select the integrity check parameters.
- Only execute specific sections of the policy to perform a scheduled integrity check.

File Distribution

- Make one change to a configuration or policy file, click “Distribute File”, and then select OK to distribute this file to all the servers that need this file.
Tripwire for Routers
Solution Overview

The Need for Network Integrity

“Routers are the backbone of our network – configuration of routers and switches are changed constantly as a part of the normal business process.

“Therefore, ensuring continuous integrity of routers is critical for assuring the integrity of networking infrastructure.”
Kenneth Newman, Regional Information Security Consulting/Firewall Manager–Americas, Deutsche Bank AG New York

Common Challenges our Customers Face

- Extensive outages, taking hours to isolate and discover the cause
- Many individuals managing the router network, resulting in undocumented change
- Difficulty in reporting router changes to the network management staff
Tripwire for Routers

Tripwire for Routers shows which Cisco routers have drifted from an authorized configuration, providing a solution that monitors, compares, alerts, and restores the integrity of the startup and running configuration files.

Tripwire for Routers

- Reduces network downtime by quickly detecting unauthorized changes to routers
  - Restores routers to known good state within minutes of an alert
  - Can be configured for automatic restoration
- Monitors all your routers from a single console
- Provides strong security for network administration
  - Uses encrypted pass phrases and role based user privileges
- Establishes a change audit trail
  - Provides accountability for configuration changes
The trouble with routers

What can go wrong as part of normal business operations?
- Routers are “actively managed”
- A router mis-configuration/outage can disable part or all of an organization’s network

What’s at stake?
- Lost time during troubleshooting
- Lost productivity during down time
- Lost revenue during down time
- Lost customer confidence
- Lost market valuation
- Time to investigate, isolate and restore
Exposure if the Network Goes Down (three companies, one per column)

Year 2000 Sales    $2.76 Billion   $14.6 Billion    $29 Billion
Online Sales/Day   $7.6 Million    $40 Million      $79.5 Million
Cost of            $315,000        $1,666,667       $3,312,500
How Tripwire for Routers Works

1. Establish baseline configuration.
2. Run integrity checks. When a change occurs, the check asks: changes found?
3. If changes were found: changes permitted? Examine the report.
4. If not permitted: deny the change and restore the router.
Tripwire for Routers Preview

Support and Professional Services
Solution Overview

Tripwire Professional Services

- Complete deployment and implementation services
  - Minimizes impact to your company’s resources
  - Maximizes results and return on your investment
- Comprehensive training and certification programs
  - Delivered by Tripwire and Tripwire Authorized Training Centers
  - On-site technical training available
- Standard and Premier support programs fit your needs
- Online Discussion Forums, Policy Resource Center and Knowledge Base available

Industry Recognition

- 2001 Excellence
- Best Intrusion Detection Solution, 2001
- 3rd Fastest Growing, 2001