Strengths: Very strong monitoring, remediation and reporting capabilities.
Weaknesses: We are not sure how a large number of endpoints would affect pricing, but we suspect in a large enterprise – hundreds of thousands of endpoints, widely distributed – it could get quite expensive, even with the discounts Tripwire offers for volume.
Verdict: If you are looking at technology-driven solutions to GRC challenges, this one deserves very close attention.
Tripwire is one of those companies that has evolved over the years, adding a depth of experience that adds to its credibility. The company traditionally monitored critical files for changes and, when one occurred, notified the administrator of a potential breach, on the premise that the change was unauthorised and signalled an attempt to compromise the file. But that was then and this is now. There is a lot more to Tripwire today and Tripwire Enterprise is a good example.
For all of that, Tripwire Enterprise is a security configuration and change management tool. So it approaches risk management from the perspective of device configuration and integrates with more than 100 third-party offerings. Additionally, there is a lot of automation in Tripwire Enterprise that enables workflows, as well as investigation of indicators of compromise. Like other products of this type, Tripwire Enterprise wraps its technology in policy and standards. The system recognises more than 600 combinations of supported devices and policies. All of these can be tested against, and Tripwire keeps them current with monthly updates.
Tripwire Enterprise focuses on policy management, integrity management (the deepest part of its DNA), incident investigation, inspection and response, and integration. To get started we dropped into the Tripwire Enterprise Console. This is a straightforward dashboard that is a portal to a lot of drill-downs that take users deep into what the tool actually is doing: namely, reporting and policy/device management. The system can be deployed physically on-premises or it can be virtualised. There are agents on the endpoints being monitored, but the tool can be agentless, as well.
We watched as the system detected an attack with obfuscation and defeated it. This is Tripwire Enterprise's meat and potatoes: it compares the running processes it knows and is supposed to see with those actually running. A discrepancy means remediation is needed: Tripwire Enterprise identifies the fix and deploys it, stopping the attack and returning the target to its known-good state. The tool ingests threat feeds and knows about current malware. It can also consume STIX and TAXII indicators of compromise.
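The two mechanisms described above (baseline critical files and alert on unauthorised change; compare the processes a host is expected to run with those actually running) are the core of any integrity-monitoring tool. The following is an added illustration written for this review, not Tripwire's code: it hashes a directory tree into a baseline, rescans after a constructed set of tampering events, and reports added, removed and modified files, plus a simple process-allowlist diff. Everything in it (the temporary directory layout, file contents and process names) is constructed sample data.

```python
"""Minimal file-integrity and process-allowlist checker.
Added illustration of the technique; not Tripwire Enterprise code."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: relpath -> (sha256, size, permission bits).
    This is the 'known good' state an integrity tool records when a host is onboarded."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            rel = p.relative_to(root).as_posix()
            baseline[rel] = (hash_file(p), st.st_size, st.st_mode & 0o7777)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into sorted lists of added, removed and modified paths.
    A change in hash, size or mode all count as 'modified'."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def check_processes(expected: set, running: set) -> dict:
    """Process-level analogue: an allowlist of process names the host should be running
    versus what is actually running. 'unexpected' entries are alert candidates;
    'missing' entries may indicate a killed security service."""
    return {
        "unexpected": sorted(running - expected),
        "missing": sorted(expected - running),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF original")
        baseline = build_baseline(root)

        # Constructed unauthorised changes: a config edit, a new binary, a deleted file.
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "newbin").write_bytes(b"\x7fELF unexpected")
        (root / "etc" / "hosts").unlink()
        findings = compare(baseline, build_baseline(root))

    # Constructed process lists (names are sample values, not real hosts).
    findings["processes"] = check_processes(
        expected={"sshd", "cron", "syslogd"},
        running={"sshd", "cron", "syslogd", "unexpected-proc"},
    )
    return findings


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

In a real deployment the baseline would be stored off-host (or signed) so that an attacker who alters a file cannot also alter the record it is compared against, and the scan would be scheduled or event-driven rather than run once as here.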
All of this is communicated to the various reports and dashboards and, since it is completely standards-based, those reports show not only compliance, but system risk posture. This is a clear case where being in compliance does not necessarily mean that one is secure, but being secure will get a system into compliance.
This technology-centric tool focuses on the state of the network and the communications devices on it. It is concerned with reducing risk through careful monitoring for threats and vulnerabilities, and then reporting in a risk- and compliance-centred format. However, Tripwire Enterprise takes the position that protecting the network and reporting in context with standards and regulatory requirements will get you where you need to go. For small to mid-sized organisations, this is enough. For very large organisations, this is an excellent addition to a traditional GRC tool.
Pricing is attractive, although it could get expensive with lots of endpoints to cover. The website is excellent. We have always liked Tripwire and this offering is a typical example of well-thought-out application of technical change monitoring and how it enables GRC.