Security and compliance are often tightly intertwined. They differ in that security measures can sometimes outpace compliance efforts. While it is easy to infer that a more secure system exceeds a compliance requirement, an auditor should not be expected to deduce the state of a system; the evidence must be clear.
There are many factors that can cause compliance shifts. Configurations change constantly: infrastructure is updated, patches are applied, and applications are upgraded. Each of these changes alters the system and will most likely change the compliance state of the affected asset.
Most security tools run scans, usually as part of vulnerability management tools, and those scans have to be scheduled. Typically they are run once a year or close to an audit date; the organization then works through its remediation steps to reach a compliant state before the audit. This is a very static approach.
Continuous Compliance is Possible
The trend is toward continuous compliance monitoring. That can only be achieved with a tool that couples compliance monitoring with File Integrity Monitoring (FIM). This is where Tripwire shines, providing secure configuration assessment and policy management in connection with FIM. Once a baseline is established, you are notified immediately whenever a change occurs on your system. This level of monitoring provides visibility into a continuous compliance state.
As an example, suppose someone needs to test a product that requires an authorized change to a system, but does not return the system to its original configuration after the test concludes. Tripwire will detect this change in the state of the asset: from an FIM perspective, the change is revealed, and it also ties in with the policy rule, showing that the system was not returned to a compliant state. This gives the security team the ability to promptly apply the appropriate remediation measures.
More Than Just Compliance
Compliance is usually managed for the purpose of adhering to a mandated regulation. However, more companies are coming to see compliance as more than a burden. The goal of most compliance standards and regulations is to create a more secure environment, and organizations are gaining a better understanding that compliance can provide more than just the ability to pass an audit. The ability to perform a risk-based configuration assessment equips an organization with a proactive security posture, reducing vulnerabilities.
Integration With Automated Tools
If Tripwire identifies an asset that falls out of compliance for a particular policy or for a particular policy test, it can trigger a workflow where an automated tool, such as Chef or Puppet, can bring the asset back into compliance. The integration with an automated process can remediate the problem, bringing the organization back to a compliant state and reducing the time in which the organization is non-compliant.
Pick Your Policy
Tripwire provides multiple policy rules that can be used to test compliance. Whether the source is guidance, such as that offered by NIST or CIS, or a regulation, such as PCI DSS or HIPAA, policy rules are provided for each. The policies can also be customized: for example, if you are testing against a regulation that requires a minimum 12-character passphrase but your organization's internal policy calls for a longer one, the rule can be customized accordingly.
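The following is an added illustration, not Tripwire's own code, of the three ideas above: a hashed FIM baseline that reveals an unreverted test change, a policy test whose regulatory minimum (12 characters) can be tightened by an internal minimum, and a remediation step standing in for the Chef/Puppet workflow. The file contents, paths and function names (`snapshot`, `drift`, `assess`, `remediate`) are constructed for the example; a real deployment would read actual files from disk.

```python
import hashlib

# Constructed sample "filesystem": path -> content, standing in for real monitored files.
APPROVED_FS = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/security/pwquality.conf": b"minlen = 16\n",
}
PWQUALITY = "/etc/security/pwquality.conf"

def snapshot(fs):
    """Hash every monitored file: this is the FIM baseline, or a later rescan."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in fs.items()}

def drift(baseline, current):
    """Paths whose hash differs from the baseline (added, removed or modified files)."""
    return sorted(p for p in set(baseline) | set(current) if baseline.get(p) != current.get(p))

def min_passphrase_policy(fs, regulatory_min=12, org_min=None):
    """Policy test: configured minlen must meet the stricter of the regulatory and internal minimums."""
    required = max(regulatory_min, org_min or 0)
    lines = fs[PWQUALITY].decode().splitlines()
    minlen = int(next(l.split("=")[1] for l in lines if l.strip().startswith("minlen")))
    return {"required": required, "actual": minlen, "compliant": minlen >= required}

def assess(baseline, fs, org_min=None):
    """Continuous check: report changed files and policy status, and alert on either."""
    changed = drift(baseline, snapshot(fs))
    policy = min_passphrase_policy(fs, org_min=org_min)
    return {"changed_files": changed, "policy": policy, "alert": bool(changed) or not policy["compliant"]}

def remediate(fs, approved_fs, changed):
    """Stand-in for the automated workflow: restore changed files to their approved content."""
    fixed = dict(fs)
    for path in changed:
        if path in approved_fs:
            fixed[path] = approved_fs[path]
        else:
            fixed.pop(path, None)  # file absent from the golden configuration: remove it
    return fixed

if __name__ == "__main__":
    baseline = snapshot(APPROVED_FS)
    tested = dict(APPROVED_FS)
    tested[PWQUALITY] = b"minlen = 8\n"  # authorized test change that was never reverted
    result = assess(baseline, tested)
    print(result)  # changed file listed, policy non-compliant, alert raised
    restored = remediate(tested, APPROVED_FS, result["changed_files"])
    print(drift(baseline, snapshot(restored)))  # [] once the asset is back at baseline
```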
The Tripwire Difference
Tripwire can provide continuous compliance monitoring because it is directly intertwined with FIM. Many other compliance products are tied to vulnerability management, but they lack the real-time ability to alert on an immediate change. Tripwire enables the creation of a custom policy against which an application can be checked; if it falls out of compliance with your golden configuration, it will issue an alert. This, along with the customizable rules, offers incredible flexibility.
The ability to achieve compliance can be difficult for many organizations. Once the goal is met, many companies find that they have slipped out of compliance for various reasons. The continuous monitoring capabilities offered by Tripwire and FIM can help to ease the compliance challenge. To find out more, contact us here.