Heavy hitters FireEye and Tripwire are unique contenders in the security offering lineup– both were the first to develop novel approaches to IT security that have since been emulated industry-wide: FireEye was an early innovator of virtualization and sandboxing technologies as applied to security, while Tripwire was the first to bring a commercial host-based intrusion detection system to market. We’ll take a closer look at the two and compare/contrast each respective solution’s strengths and weaknesses.
FireEye Threat Intelligence
It’s been estimated that close to 1 million new malware threats are born every day, making them next to impossible to detect and remediate using conventional methods. To address this, contemporary security tools have taken to creating isolated environments for analyzing, identifying, and protecting environments from new threats. FireEye pioneered this approach with its Multi-Vector Virtual Execution (MVX): a virtual machine-based technology that enables the detonation of suspicious files, Web objects, and email attachments inside an isolated environment. Once detonated, the suspected malware’s behavior is monitored closely– file locations, new registry keys, corrupted DLLs– as well as any outbound call destinations– are tracked and analyzed.
The FireEye Multi-Vector Virtual Execution (MVX) and Dynamic Threat Intelligence Cloud. Source: FireEye.
Along with the MVX engine, FireEye has also created the FireEye Dynamic Threat Intelligence cloud: a global network of interconnected FireEye sensors deployed throughout its customer networks, technology partner networks, and service providers globally. These sensors perform over 50 billion analyses of over 400,000 unique malware samples daily, and work in conjunction with the MVX engine to both source and identify/disseminate new threat information.
The MVX engine and Dynamic Threat Intelligence cloud augment a wide range of FireEye’s security products, including various endpoint, network, and security appliances. Subscription-based, threat intelligence services and professional incident response and security assessment services are also available through Mandiant, which was acquired by FireEye in late 2013. Mandiant’s security consulting services are frequently sought out following high-profile data breaches, the more recent cases being the Target and Anthem hacks. For more about the Anthem attack, check out Don’t Make An Anthem Out Of Compliance.
Tripwire has been an IT mainstay for years, having created the industry’s first commercial host-based intrusion detection and protection systems (IDPS). In essence, by capturing a baseline image of system configurations in known good states, Tripwire is able to perform ongoing integrity checks that in turn enable a wide variety of intrusion detection, compliance monitoring, and configuration management capabilities. Tripwire Enterprise is the firm’s flagship intrusion detection and prevention system (IDPS), and can secure and monitor servers (virtual and physical), desktops, databases, applications, network devices, and more.
Under the hood, Tripwire’s offering is a host-based IDPS: by checking a host machine’s integrity by running ongoing state comparisons, the technology can validate a system’s integrity and determine if unauthorized changes have occurred. It accomplishes this scanning and storing the information of each known good file as cryptographic hash in a database. A security breach would result in certain file size and content changes, so if differences are detected between the file hashes, an intrusion flag is raised and the appropriate IT staff are notified. This methodology is the underlying mechanism powering Tripwire’s ability to detect intrusions.
Tripwire Enterprise security controls. Source: Tripwire, Inc.
Both enterprise and open-source versions of Tripwire exist, though the latter only supports *Nix platforms. For more information regarding host-based/network-based IDS tools and Tripwire’s commercial and free offering, please take a look at our Tripwire Enterprise vs. Tripwire Open-Source comparison.
Comparing The Two
Both offerings are geared towards large organizations with sizeable IT infrastructures in place, and are priced as such. Ongoing professional services and support are required for implementing and maintaining solutions from both vendors, albeit various standalone and subscription-based services can be had. For example, FireEye’s granular subscription-based services like Threat Intelligence and FireEye-as-a-service can be purchased in the absence of its comprehensive security solutions. Similarly, Tripwire’s FIM and Policy Manager can be purchased as standalone components. Both are uniquely competent in their respective areas: FireEye with its MVX engine and its Dynamic Threat Intelligence cloud, and Tripwire with its strong policy management and compliance monitoring capabilities.
Regardless of which solution is more suited for your organization, keep in mind that no one offering is capable of providing comprehensive protection in today’s threat landscape. Contemporary cloud environments and continuous delivery/integration pipelines require a layered approach to security that need validation at all phases– not just in production. To this end, UpGuard provides comprehensive security monitoring and testing to ensure that all your servers and devices– including security solutions– are themselves safe from cyber attacks and working as expected.
Find out how security solutions Tripwire Enterprise and Tanium stack up against each other in this comparison.
Read Article >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >