Effective cybersecurity is no longer relegated to deep-pocketed enterprises—a myriad of open source solutions can offer adequate protection to the most cash-strapped of organizations. That said, there are some capabilities free just won't get you, but how critical are they in the grand scheme of cyber resilience and are they worth the price tag? Tripwire and OSSEC are two popular solutions on opposite sides of this spectrum; let's see how they stack up.
To survive cyber threats in this day and age, security must be implemented using a layered approach that combines several different technologies, rather than relying solely on a monolithic, all-in-one solution. For example, vigilant enterprises will more often implement SIEM, security analytics, and resilience monitoring using products that specialize in these capabilities. Comprehensive offerings like Tripwire and OSSEC cover many bases—host-based intrusion detection (HIDS), file integrity monitoring (FIM), log analysis, and more—but will likely require integrations with other solutions to fill out an enterprise's cybersecurity toolchain.
Tripwire comes in two versions: Tripwire Enterprise and Tripwire Open Source. Foundationally, both are host-based intrusion detection systems for monitoring file/configuration changes. FIM has arguably been Tripwire's longstanding forte, with other strong features like reporting and policy-based monitoring for regulatory compliance (e.g., PCI DSS, NERC, NIST). Other capabilities such as vulnerability management and log analysis are available with Tripwire IP360 and Tripwire Log Center, at a cost.
The Tripwire UI. Source: softwareasia.com.
Again, effective enterprise security measures are composed of many different solutions working in conjunction with each other. To this end, Tripwire's integration framework makes it possible to install components for connecting to a CMDB, integrating with a SIEM, and more. These Apps enable connectivity to leading solutions like Remedy, ServiceNow, Jira, Splunk, and ArcSight, to name a few.
To say that OSSEC is a popular HIDS is an understatement: the solution purportedly averages around 5,000 downloads per month. But being open source isn't the sole driver behind its widespread use. The free, battle-tested platform makes it a sensible solution to deploy, even as an extra layer of security to augment other paid-for products in the cybersecurity toolchain.
The OSSEC interface. Source: linuxlove.eu.
OSSEC supports all major operating systems including *nix, Mac OS, and Windows in agent mode. Other notable strengths include a powerful FIM and an advanced log analysis engine capable of processing log types from various sources/devices: FTP servers, databases, web servers, mail servers, firewalls, and more.
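The FIM capability that both OSSEC (syscheck) and Tripwire are built around boils down to recording a baseline of file hashes and permissions and later reporting what deviates from it. The following is an added illustration of that cycle, not code from either project; `snapshot`, `compare` and the constructed sample tree in `demo()` are this example's own.

```python
"""Minimal file-integrity baseline/compare in the spirit of OSSEC syscheck or
Tripwire FIM. Added illustration only; it is not code from either project."""
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record sha256, permission bits and size of every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # directories and symlinks are out of scope for this sketch
        st = path.lstat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
        }
    return baseline


def compare(baseline, current):
    """Return (relative path, event) pairs for every deviation from the baseline."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append((rel, "added"))
        elif new is None:
            events.append((rel, "deleted"))
        elif old["sha256"] != new["sha256"]:
            events.append((rel, "content modified"))
        elif old["mode"] != new["mode"]:
            events.append((rel, "permissions changed %o -> %o" % (old["mode"], new["mode"])))
    return events


def demo():
    """Constructed sample tree (hypothetical paths): baseline it, then apply four change types."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "bin").mkdir()
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
    (root / "bin" / "ls").write_bytes(b"\x7fELF")
    (root / "bin" / "ls").chmod(0o755)
    baseline = snapshot(root)
    (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # config drift
    (root / "bin" / "ls").chmod(0o777)                                  # mode change
    (root / "etc" / "hosts").unlink()                                   # deletion
    (root / "etc" / "motd").write_text("welcome\n")                     # new file
    return compare(baseline, snapshot(root))
```

Real agents add ownership, inode and timestamp attributes and schedule the scan, but the classification above is the part an analyst reads in the alert.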
Side-by-Side Scoring: Tripwire vs. OSSEC
1. Capability Set
Both offerings boast a broad range of capabilities, several of which stand out among the others. Tripwire Enterprise's FIM, configuration monitoring, and robust policies make it a strong contender for intrusion detection/threat protection and compliance. OSSEC's FIM is also a powerful feature, in addition to its correlation and analysis engine, centralized policy enforcement, rootkit detection, and others.
2. Ease of Use
OSSEC can be easily installed with deployed agents in under an hour; however, the solution is certainly not the easiest to configure and fine-tune (its web UI doesn't help much in this regard). Tripwire Enterprise's visual management console is a cut above OSSEC's, but users may nonetheless find the various interfaces for rules, tasks and reports difficult to get a handle on.
3. Community Support
As a free, open source offering, OSSEC commands a sizable following in the community, despite changing hands several times over the years—first to Third Brigade in 2008, then to Trend Micro in 2009 (through its acquisition of Third Brigade). The solution is currently maintained by a large user and developer community, with a plethora of community support resources available online. In contrast, Tripwire Enterprise doesn't have any public community forums or portals to support it—only a smattering of white papers and case studies on the Tripwire website.
4. Release Rate
Tripwire Enterprise is currently on version 8.5, while its open source version hasn't been updated since 2013 (a full release history is unavailable). The latest version of OSSEC is 2.8—check out details regarding the project's releases over the years on its GitHub page.
5. Pricing and Support
OSSEC is completely free to download and install, but—as with most open source tools—presumes the requisite technical expertise to make it work. Trend Micro ended commercial support for the project back in 2014; today, paid-for OSSEC support is limited to a handful of third party vendors.
From a pricing perspective, Tripwire Enterprise is inaccessible to non-enterprise shops and budget-conscious organizations, especially if components and add-ons like cloud-based monitoring and compliance management are included. The company offers several options for paid support and professional services.
6. API and Extensibility
Despite lacking a RESTful API for its core platform, Tripwire Enterprise does provide a SOAP API for accessing various platform capabilities such as integrity checks, change reconciliation, version promotion, and report generation; interestingly, other components like Tripwire IP360 are accessible via REST. OSSEC doesn't natively offer any APIs, but third-party vendors like Wazuh have developed REST APIs for controlling OSSEC remotely.
7. 3rd Party Integrations
A myriad of security solutions have integrated OSSEC into their platforms—for example, the Splunk for OSSEC integration sends OSSEC alerts to Splunk for storing, searching, and visualizing security events. Tripwire integrates with various third-party solutions—ServiceNow, Splunk, and Lastline, to name a few—and offers Apps for enabling advanced capabilities like CMDB connectivity and service ticket automation.
8. Companies that Use It
OSSEC is used by leading enterprises, universities, non-profits, and government institutions—some of its corporate customers include Workday, Agilysys, and AlienVault, among others. Similarly, Tripwire's customers include many of the world's leading brands and prominent Fortune 500s.
9. Learning Curve
Unfortunately, both OSSEC and Tripwire Enterprise newbies have steep learning curves in store for them. Both platforms are easy enough to get up and running—however, configuration and tuning will present users with varying levels of difficulty.
Tripwire scored an average CSTAR Score of 684—website perimeter security flaws like server header information leakage and lack of DNSSEC/DMARC make its website prone to compromises. OSSEC's website on ossec.github.io scores an even lower 475 CSTAR score due to the absence of sitewide SSL, disabled HTTP strict transport security, and lack of SPF/DMARC/DNSSEC.
Scoreboard and Summary
| | Tripwire | OSSEC |
|---|---|---|
| Ease of Use | | |
| Pricing and Support | | |
| API and Extensibility | | |
| 3rd Party Integrations | | |
| Companies that Use It | | |
| Total | 3.3 out of 5 | 3.6 out of 5 |
Budget-conscious organizations with resident technical expertise will benefit from the open source power and depth of OSSEC, while deep-pocketed firms will appreciate Tripwire's enterprise-focused offering and its fleet of add-ons. At the end of the day, however, neither of these solutions alone will suffice in protecting organizations against today's cyber threats. A fully-realized layered security framework includes technologies like OSSEC and Tripwire, as well as solutions for monitoring overall enterprise resilience. UpGuard's platform uses both internal and external measures to ensure that your organization's cyber resilience posture is always up-to-par.