Need a Tripwire® Alternative?

The views and opinions expressed below are exclusively those of New Net Technologies (NNT), and are not provided or endorsed by Tripwire, Inc. This page is designed for anyone researching market options. The information on this page is provided solely for research relating to any potential purchase of NNT software. Tripwire® is a trademark of Tripwire Inc.

There’s no shortage of file integrity monitoring (FIM) products available, all aiming to provide a HIDS (host intrusion detection system) solution. With Tripwire no longer the default go-to option it once was, understanding which one is right for your environment and how the options stack up against other solutions is not always easy. To aid your selection process we have compiled a checklist of the main areas that should be catered for when looking for a FIM-based solution.

As a minimum, FIM solutions should identify who made the change (the account name and the process used to make that change) and should deliver both real-time and scheduled reports, providing details of folder, file, configuration and registry changes for all devices, such as Windows, Linux, UNIX, Network Devices, and Firewalls.

Top tips for selecting a FIM solution:

  • Real-time detection of File Changes is essential
    Time is of the essence: data theft and system damage can begin the instant malware is introduced. Real-time FIM is essential - a once-daily check on file integrity will miss interim file changes, particularly with polymorphic malware, which can change its identity or even cloak itself completely once installed. The traditional Tripwire 'once-per-day file system poll' approach could leave a breach undetected and doing damage.
  • Who Made the Change?
    ‘Who made the change’ must be recorded. Unless your FIM solution is recording who made a change, you have no straightforward means of establishing this information. Mining logs will only tell you who was logged onto a server at the time of a change and this could run to tens or hundreds of users. Knowing who made a change allows you to corroborate this with the individual - otherwise all file changes must be investigated equally and treated as serious threats.
  • FIM must operate forensically
    Plenty of solutions purport to offer File Integrity Monitoring, but close examination often reveals just a basic check on the modification date and/or size of the file (this will not cut it from a compliance standpoint). There has to be some checksum/hashing of the file system to truly guarantee system integrity and provide a HIDS function, particularly if this is to serve a compliance mandate such as PCI DSS.
  • FIM isn't just for servers
    Firewalls, routers, appliances and switches all contribute to the security of your IT estate. Real-time monitoring of rule and configuration settings for these devices may prove to be the difference in stopping a breach before damage is done. The same FIM solution should be able to cover all Windows, Linux, Unix and network devices.
  • FIM should underpin and reinforce Change Management
    FIM changes should be reported as either unplanned/unauthorized, or planned and authorized with the corresponding Change Authorization and detail available for cross reference (what actually changed and does that correlate with the planned change record?). Unplanned changes should always be investigated and reconciled with RFC details, even for emergency or unexpected changes.
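
The gap between a date/size check and a hashed check, described under "FIM must operate forensically", shown as an added example (not NNT's or Tripwire's code). The function names `snapshot`, `compare` and `demo` are hypothetical, and the monitored file is constructed sample data written to a temporary directory.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Record size, mtime and SHA-256 for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            state[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": digest.hexdigest(),
            }
    return state

def compare(baseline, current, fields):
    """Diff two snapshots, comparing only the named attributes."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common
                          if any(baseline[p][f] != current[p][f] for f in fields)),
    }

def demo():
    """Constructed case: same-size content change with the timestamp preserved,
    as happens with timestamp-preserving copy or restore tools."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "sshd_config")  # constructed sample file
        with open(cfg, "wb") as fh:
            fh.write(b"PermitRootLogin no \n")
        baseline = snapshot(root)
        st = os.stat(cfg)
        with open(cfg, "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")   # same length, different content
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))
        current = snapshot(root)
        metadata_only = compare(baseline, current, ("size", "mtime_ns"))
        with_hash = compare(baseline, current, ("size", "mtime_ns", "sha256"))
        return metadata_only["changed"], with_hash["changed"]
```

Calling `demo()` returns the changed-file list from the metadata-only comparison followed by the list from the hashed comparison; only the second contains the modified file.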

Monitoring systems for unusual or unexpected activity is vitally important if we are to properly protect sensitive data. FIM provides a perfect host intrusion detection solution because any breach will leave some kind of change to the settings or file system. To do this effectively you must first be able to define what a ‘good and compliant state’ looks like within your environment, and then capture any changes to that state with context and severity applied. That lets you quickly determine whether or not a change is really serious and what needs to be done to mitigate any consequential problems, as well as learn from the alert to prevent the same thing from happening again.
