Tripwire Enterprise is a policy compliance/risk management, IT operations and security tool. Its purpose, among other things, is to add context to changes. Given that Tripwire has been known for over a decade as being able to spot changes in critical files in Microsoft operating systems, it is not surprising that Tripwire Enterprise has strong capabilities along those lines as well.
Consisting of vulnerability management, security configuration management and log management, Enterprise can interface with 100 third-party devices. Based on the security model of prevent, detect, analyze and respond, this is a sort of SOC in a box with a bit of the NOC thrown in as well. Its policy management functionality automates configuration assessment and compliance. Integrity management monitors file integrity in real time while forensics and inspection does deep data collection and manages historical change and audit information.
Finally, remediation and integration functionality provides automated and guided remediation and system integrations. Enterprise is agent-driven. The Axon agent is lightweight. However, there is an agentless option.
The architecture is composed of rules that ask questions of the agents. The agent then responds to the enterprise server looking for changes from the baseline - not just files but applications, devices, etc. Only changes move across the network so there is a very low network footprint.
We dropped into the integrity monitoring dashboard. You can create your own dashboard using the available widgets. This one was set up to show a bar graph of changes by date and approval, and bar graphs of suspicious changes by asset and by platform. The standard in use was NIST 800-53, High Security.
Once we saw the top level we were able to drill down into the widget. This took us to individual changed elements. Drilling down to the level of an individual asset you can get detailed test results. The same is true if you look at the test itself. This will tell you what devices passed or failed (or passed part and failed part) of the test.
Enterprise integrates directly with Service Now and can generate tickets to perform closed loop remediation. The product comes with 750 policies out of the box. That translates to over 25,000 individual tests. For critical event response, a specific and detailed flow chart is generated allowing the analyst to see the event in good detail. Because of the closed loop remediation work flows, users either can do remediation of the event yourself or let the system do it for them.
Enterprise interfaces with threat feeds so, when the tool's internal capabilities are factored in, malware infections, including unknown malware and ransomware, can be halted before damage is done.
Further, there is an extensive policy library that ships with the product but you can build your own policies if you wish. The website has a support portal that requires sign-in. It includes a knowledge base and all content, such as policies, is available for download.
There is no included support. All options are fee-based and the costs are dependent on a number of factors, such as location, scope of support, on-site or remote, etc. Enterprise is an on-premises product and supports several databases, including MySQL, MS-SQL and Oracle.
This is a feature-rich security and risk management tool That can get pricey in large implementations. However, Tripwire has a track record that all but ensures that the product will behave as expected. We were impressed overall and there is a lot of functionality to offset the cost of the tool. Given its capabilities, cost of ownership is quite reasonable. We would have liked to see a minimum no-cost standard support package. Documentation is solid.