This dire need for innovation in the security space is giving upstarts like Tanium ample traction, even as stalwarts like Tripwire augment and retrofit their solutions to address a new era of threats.
The Portland-based security behemoth needs little introduction—its products and approach to security have been an IT mainstay for years. Though Tripwire Enterprise is the firm’s flagship intrusion detection and prevention system (IDPS), the basic underlying method for intrusion detection is common across all of Tripwire’s offerings, and indeed—many competing IDPS offerings have adopted the same or similar approach to security. Both enterprise and open-source versions of Tripwire exist, and are based on code originally contributed by the company back in 2000. For more information regarding host-based/network-based IDS tools and Tripwire’s commercial and free offering, please take a look at our Tripwire Enterprise vs. Tripwire Open-Source comparison.
Tripwire Enterprise is a host-based IDPS: it checks the host machine’s integrity by comparing the current state with a previous state and reports its findings to the user. Tripwire first scans and stores initial information on each file as cryptographic hashes in a database (thereby eliminating the need to load the actual file contents). A security breach would ostensibly result in local files changing in size and contents—so if a difference in the stored hash value is detected upon scanning the files, an intrusion flag is raised and the user is notified. This methodology forms the basis of the tool’s ability to detects intrusions; subsequent actions such as the alerting IT staff and blocking or inoculating the threat are then carried out.
As its name implies, Tripwire Enterprise is geared towards large organizations with sizeable IT infrastructures in place. Available for Windows, Linux, and other Unix variants such as Solaris and AIX, the solution features various enterprise-centric capabilities: centralized management and reporting of multiple Tripwire installations, out-of-the-box compliance policies for PCI and NIST adherence, and more. Technical support is available via phone or email, with professional services available on-call to assist with custom installations.
Founded in 2007, Tanium has been experiencing significant momentum as of late. Fueled by recent funding announcements, platform/product enhancements, and ever-heightening public concerns around security, the firm’s approach to securing IT infrastructures has been met with much fervor and excitement. Many have been awaiting a much-needed disruption in the security space, but only time will tell if Tanium’s security model will hold up in the continuum of ongoing, evolving threats.
Tanium is an endpoint security and management solution. Two attributes of the offering in particular are heavily marketed: natural language search and its 15-second visibility and control. The firm asserts that its platform can navigate, interrogate, and act on problematic issues in 15 seconds, regardless of infrastructure size or complexity. In terms of security, this means that Tanium can detect and remediate threats in 15 seconds with its endpoint detection and response capabilities. That said, it’s not readily clear how these performance metrics were benchmarked, even as speed continues to be the solution’s defining characteristic and main selling point.
The platform’s wow factor comes primarily from its natural language search feature. Tanium’s web-based management console contains a prominent search box at the top for entering in natural language queries. For example, typing in the following would retrieve a list of all servers in the environment with OpenSSL 1.0.1:
“show all servers with a package called OpenSSL 1.0.1.”
The platform uses a peer-to-peer model for threat response and remediation. Once installed on the network, the Tanium server communicates with a few select endpoints on which agents are installed. These agent-installed endpoints in turn communicate with their adjacent peers and relay collective information to the next agent-installed endpoint down the line. The final agent-installed endpoint then sends the aggregated responses back to the Tanium server. Because of this peer-to-peer architecture and streamlined interrogation/communications flow, the platform is able to deliver significant performance and scalability benefits over competing security solutions.
Both solutions take different approaches to security and can make for somewhat of an apples-to-oranges comparison. Tripwire is a centralized, host-based IDPS solution—like other tools in this category, its architecture is client-server based and relies heavily on the use of agents for security monitoring and validation (agentless mode is possible but limited in its capabilities). Tanium also requires the installation of agents, but only on selected endpoints to facilitate its peer-to-peer security model. For a breakdown of agent/agentless pros and cons, please check out our post on Agent vs Agentless architectures.
Tripwire has been an effective enterprise security solution for well over a decade, but its competence is arguably waning in the face of new threats. Not only is the original codebase getting long in the tooth—it’s also shared with the open-source version of the product. Furthermore, Tripwire is known to generate an abundance of false positives and must be configured and/or tuned-down to minimize noise. On the other hand, Tanium’s new approach to enterprise security is promising, but the verdict is still out on whether its model for IT security will be effective against the large scale enterprise attacks of tomorrow. And while it’s convenient to say that only time will tell which approach to infosec-- or combination of thereof-- will ultimately prove most effective, the truth of the matter is that security will always be a moving target.