Vous êtes sur la page 1sur 6

FISMA SI-7 Buyer’s Guide

Evaluating Your Next Compliance Solution

FOUNDATIONAL CONTROLS FOR 
SECURITY, COMPLIANCE & IT OPERATIONS
The Federal Information Security Management Act (FISMA) tasks Questions for your vendor:
government agencies with a major organizational, technological and »» Can it detect and alert on changes in
budgetary challenge. It can be hard to know how to best allocate your real-time? Periodic scans can miss
changes that are reverted back.
agency’s resources and talent to meet FISMA compliance, and a big
»» Can it filter expected, accepted and
part of that challenge is feeling confident that you’re choosing the right
routine change, so as to only alert on
cybersecurity and compliance reporting solution. changes that need to be investigated?
»» Can it target changes that have
This buyer’s guide focuses on one of »» In environments with rapid been identified by MITRE ATT&CK or
the most difficult security controls provisioning, does the solution other cybercrime frameworks, so
agencies must adhere to: NIST SP integrate with virtualization, cloud and as to proactively identify changes of
800-53 SI-7. The SI-7 (“SI” meaning DevOps tools so that it’s present when greatest concern?
“System Information and Integrity”) a new system is spun up? »» Is the system capable of tracking
control instructs agencies on software, »» Can it detect the presence of a new ownership, mission, management,
firmware and information integrity. As FISMA group and location for each
threat (like a new hash) without having
of 2017’s executive order, “Effective asset, so as to be able to report and
to rescan?
immediately, each agency head shall alert appropriately?
use The Framework for Improving
Critical Infrastructure Cybersecurity (the SI-7.2: Automated Notifications
Framework) developed by the National of Integrity Violations SI-7.5: Automated Response to
Institute of Standards and Technology, or
NIST SP 800-53 states, “The use of auto- Integrity Violations
any successor document, to manage the As identified in NIST SP 800-53,
mated tools to report integrity violations
agency’s cybersecurity risk.”1 “Organizations may define differ-
and to notify organizational personnel in
a timely matter is an essential precursor ent integrity checking and anomaly
Government systems are categorized
to effective risk response. Personnel responses: (i) by type of information
as low, moderate or high sensitivity. All
having an interest in integrity violations (e.g., firmware, software, user data);
controls are mandatory for everyone,
include, for example, mission/business (ii) by specific information (e.g., boot
but the set of mandatory controls gets
owners, information system owners, firmware, boot firmware for specific
larger for moderate- or high-sensitivity
systems administrators, software types of machines); or (iii) a combination
agencies. The subset of SI-7 controls
developers, systems integrators, and of both. Automatic implementation of
that are most relevant to the largest
information security officers.”2 specific safeguards within organizational
numbers of agencies are 1, 2, 5 and 7.
information systems includes, for exam-
While an adequately-robust security and
ple, reversing the changes, halting the
compliance solution will cover all SI-7
information system, or triggering audit
controls, these are often the subcontrols
that require the most attention:

SI-7.1: Integrity Checks


As identified in NIST SP 800-53,
“Security-relevant events include, for
example, the identification of a new
threat to which organizational informa-
tion systems are susceptible, and the
installation of new hardware, software,
or firmware. Transitional states include,
for example, system startup, restart,
shutdown, and abort.”2

Questions for your vendor:

»» Does the solution cover firmware?


»» Does it cover the full scope and range
of assets, including Windows, Unix,
Linux, routers, switches, firewalls and
storage devices? Fig. 1 Examples of actionable integrity check results.
alerts when unauthorized modifications
to critical security files occur.”2
SI-7 Control Description and
Questions for your vendor:
Supplemental Guidance from NIST
»» Does the solution have the ability to
take action on the endpoint? According to NIST SP 800-53, “The organization employs
»» Can the solution create a ticket in integrity verification tools to detect unauthorized changes to
an ITSM system (like Remedy or
organization-defined software, firmware, and information.
ServiceNow) when required?
»» Can the solution be instructed to Unauthorized changes to software, firmware, and information
act completely automatically—to can occur due to errors or malicious activity (e.g., tampering).
quarantine or otherwise disable
Software includes, for example, operating systems (with key
a system—in the case of serious
anomalies (such as the appearance of internal components such as kernels, drivers), middleware,
a new executable)? and applications. Firmware includes, for example, the Basic
»» Can the solution integrate with Input Output System (BIOS). Information includes metadata
multiple sources of threat intelligence such as security attributes associated with information. State-
datastreams to detect and identify
of-the-practice integrity-checking mechanisms (e.g., parity
malware and act accordingly?
checks, cyclical redundancy checks, cryptographic hashes)
and associated tools can automatically monitor the integrity of
SI-7.7: Integration of information systems and hosted applications.”
Detection and Response
NIST SP 800-53 states, “This control ——National Institute of Standards and Technology2
enhancement helps to ensure that
detected events are tracked, monitored,
corrected and available for historical »» Does the system present the »» Real-time alerts on file and
purposes. Maintaining historical records information in a way that readily configuration changes (SI-7.2)
is important both for being able to supports documentation for further
identify and discern adversary actions
»» Actionable event workflows that can
security review or legal action? isolate or shut down non-compliant
over an extended period of time and
for possible legal actions. Security- systems (SI-7.5)
relevant changes include, for example, Tools and Solutions for SI-7 »» A suite of event collection, correlation
unauthorized changes to established To comply with SI-7, agencies must find and normalization techniques (SI-7.7)
configuration settings or unautho- a tool that not only does integrity moni-
rized elevation of information system toring, but also automates notifications The table below offers a more granular
privileges.”2 and responses to violations and then look at the types of change data your
keeps track of those violations. That’s a FIM solution should provide, and the
Questions for your vendor: lot to ask of a single solution, although benefit to tracking each type.

»» Does the solution create an initial possible if it has a robust enough integ-
baseline of each asset? Are all rity monitoring toolkit. 5 More Key Questions for
monitored changes kept so that it’s Each and every data breach can be Your Vendor
possible to review the history of tracked to a file or configuration change. Not all FIM solutions run the gamut of
changes over time? So if you can detect each new unex- what you need to meet and maintain
»» Can it compare the state of an element pected change as it occurs, you can continuous SI-7 compliance. When
at one time to its state at an earlier or remediate it and return your system speaking to your compliance vendor,
later time? back to a secure, hardened baseline. these essential questions will help you
»» Can it present changes in a side-by- This FIM solution should provide you determine the quality of the solution in
side format that readily enables the with: question:
viewer to see insertions, deletions and »» Visibility into any change—authorized 1. Does it monitor firmware integrity,
modifications from one point in time or unauthorized—that introduces risk covering the full scope and range
to another? to your system (SI-7.1) of my assets?
2. Does it generate automatic alerts
as soon as a change occurs on my
files or configurations?
Examples of Change Details and the Benefits Gained from Them
3. Does it walk you through Change Feature Benefit
remediation instructions to bring Monitor for changes with over 65 attributes of a Deep understanding drives more accurate
my systems back into compliance? file or configuration to consider with attributes remediation
like file hash values (MD5, SHAH-1, etc.)
4. Does it integrate with ITSM
processes and other tools in my IT Version tracking to view each version of a Historical understanding provides better deci-
file/configuration over a period of time. sion making and delivers audit-ready evidence
ecosystem?
Ability to detect users making changes, Removes complexity of detecting changes
5. How does this tool help streamline without requiring native OS auditing.
and optimize proof of compliance
Ability to monitor any device with Not complex and cumbersome since it’s agent-
in the audit process? SSH or Telnet capabilities less and discovers difficult protocols
Scales to cover the entire IT stack (virtualization, Comprehensive coverage assures broad and
Tripwire Enterprise and cloud, physical/virtual servers/desktops, deep security
SI-7 Compliance applications (databases, directory services,
web applications, Exchange), network
As a leading compliance solution devices (routers, switches, firewalls and
provider, Tripwire’s experts and engi- any other device that can utilize SSH).
neers have ensured that implementing Reconciles with patch manifests. Quickly zero in on changes that aren’t associated
Tripwire® Enterprise will align your with patch activity during the patch window
agency with audit-ready SI-7 compli- Understand good vs bad changes based on Minimize false positives, focus on the true
ance. Tripwire is the inventor of FIM, context from the change management process problems
so integrity monitoring is at the core and their potential impact on security.
of what we’ve been perfecting about Automatically monitor changes on Gain real-time change insights
Tripwire Enterprise since its initial newly installed applications
launch over a decade ago. Whitelist users, ports, services and Comprehensive and fast detection of potential
applications to detect unauthorized users, threats
Over the past twenty years, Tripwire has ports, services and napplications
helped government customers baseline Kill unauthorized processes and Enforce integrity requirements and enhances
the key configurations of their critical uninstall unapproved applications security
systems (including file attributes and Easily view side-by-side comparisons Quick assessment of changes delivering faster
hashes), detect changes to those files remediation
and configurations in real-time and
Offers key insight into change Gain better intelligence to make better decisions
near real-time, and most importantly, to events over a period of time
rapidly identify which of the thousands/
Offers key insight into the Better and faster risk assessments
millions of changes taking place each vulnerability risks on assets
day need to be investigated and/or
remediated.

Tripwire Enterprise covers more than »» SI-7.2: In support of SI-07 (2), Tripwire and hardware with real-time agent-
just the SI-7 subcontrols covered in this Enterprise and Tripwire Log Center™ based file integrity management
guide. Here is a look at how Tripwire provide a full suite of alerting and and critical change control. Tripwire
Enterprise maps to the subcontrols actionable event workflows should Enterprise offers cybercrime and
described above: integrity violations occur. Mitre ATT&CK dashboards that
»» SI-7.1: Tripwire directly provides can monitor both security-relevant
»» SI-7.5: In support of SI-07 (5), Tripwire changes of interest to the agency,
SI-07 (1) controls for software and
Enterprise and Tripwire Log Center regardless of whether or not those
hardware with real-time agent-
provide a full suite of alerting and changes trigger a change to policy
based file integrity management
actionable event workflows should compliance. Tripwire products
and critical change control. Tripwire
integrity violations occur. Actionable also provide monitoring rules and
Enterprise provides monitoring
workflows can be set to isolate or hardening policy that cover all aspects
rules and hardening policies that
shut systems down in the event of a of the file system—including services,
cover all aspects of the file system
violation. ports, firmware and command-based
including services, ports, firmware
and command-based configurations to configurations—to keep your systems
»» SI-7.7: Tripwire products directly
keep your systems secure. secure. We also provide a full suite
provide SI-07 (7) controls for software
of event collection, normalization,
correlation and reporting techniques.
Our monitoring includes a full set
of response alerting and actionable
workflows which can isolate systems
should the need arise.

Request a Demo
Let us take you through a demo of
Tripwire’s security and vulnerability
management products and services
customized to your specific IT security
and compliance needs. Visit us at
tripwire.com/contact/request-demo to
schedule your demo today.

References
1 https://www.dhs.gov/executive-or-
der-strengthening-cybersecurity-feder-
al-networks-and-critical-infrastructure
2 https://nvd.nist.gov/800-53/Rev4/control/
SI-7
Tripwire is the trusted leader for establishing a strong cybersecurity foundation. Partnering with
Fortune 500 enterprises, industrial organizations and government agencies, Tripwire protects the inte­
grity of mission-critical systems spanning physical, virtual, cloud and DevOps environments. Tripwire’s
award-winning portfolio delivers top critical security controls, including asset discovery, secure config-
uration management, vulnerability management and log management. As the pioneers of file integrity
monitoring (FIM), Tripwire’s expertise is built on a 20+ year history of innovation helping organizations
discover, minimize and monitor their attack surfaces. Learn more at tripwire.com

The State of Security: Security news, trends and insights at tripwire.com/blog


Connect with us on LinkedIn, Twitter and Facebook

©2018 Tripwire, Inc. Tripwire, Log Center/LogCenter, IP360 and Tripwire Axon are trademarks or registered trademarks of Tripwire, Inc.
All other product and company names are property of their respective owners. All rights reserved. BRFSI7BG1a 1901