Tripwire vs OSSEC

Posted by UpGuard

Effective cybersecurity is no longer relegated to deep-pocketed enterprises—a myriad of open source solutions can offer adequate protection to the most cash-strapped of organizations. That said, there are some capabilities free just won't get you, but how critical are they in the grand scheme of cyber resilience and are they worth the price tag? Tripwire and OSSEC are two popular solutions on opposite sides of this spectrum; let's see how they stack up.

To survive cyber threats in this day and age, security must be implemented using a layered approach that combines several different technologies, rather than relying solely on a monolithic, all-in-one solution. For example, vigilant enterprises will more often implement SIEM, security analytics, and resilience monitoring using products that specialize in these capabilities. Comprehensive offerings like Tripwire and OSSEC cover many bases—host-based intrusion detection (HIDS), file integrity monitoring (FIM), log analysis, and more—but will likely require integrations with other solutions to fill out an enterprise's cybersecurity toolchain. 

Tripwire

Tripwire comes in two versions: Tripwire Enterprise and Tripwire Open Source. Foundationally, both are host-based intrusion detection systems for monitoring file and configuration changes. FIM has arguably been Tripwire's longstanding forte, alongside other strong features like reporting and policy-based monitoring for regulatory compliance (e.g., PCI DSS, NERC, NIST). Other capabilities such as vulnerability management and log analysis are available through Tripwire IP360 and Tripwire Log Center, at a cost.

The Tripwire UI. Source: softwareasia.com.

Again, effective enterprise security measures are composed of many different solutions working in conjunction with each other. To this end, Tripwire's integration framework makes it possible to install components for connecting to a CMDB, integrating with a SIEM, and more. These Apps enable connectivity to leading solutions like Remedy, ServiceNow, Jira, Splunk, and ArcSight, to name a few.

OSSEC

To say that OSSEC is a popular HIDS is an understatement: the solution purportedly averages around 5,000 downloads per month. But being open source isn't the sole driver behind its widespread use. The free, battle-tested platform makes it a sensible solution to deploy, even as an extra layer of security to augment other paid-for products in the cybersecurity toolchain.

The OSSEC interface. Source: linuxlove.eu.

OSSEC supports all major operating systems including *nix, Mac OS, and Windows in agent mode. Other notable strengths include a powerful FIM and an advanced log analysis engine capable of processing log types from various sources/devices: FTP servers, databases, web servers, mail servers, firewalls, and more.

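To make concrete what the FIM capability credited to both products actually does, here is an added example (not OSSEC or Tripwire code) of the core loop: hash and stat every regular file under a root, persist that baseline, and on the next scan report additions, removals, and content or permission changes. The directory tree, the file names, and the drift the scan detects are all constructed inside demo() for illustration.

```python
"""Minimal file-integrity monitor: record a baseline of a directory tree,
then report files added, removed, or changed in content or permissions.
Added example; not code from OSSEC or Tripwire."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from typing import Any, Dict

CHUNK = 1 << 16


def hash_file(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Dict[str, Any]]:
    """Map each regular file under root (relative path) to the attributes a FIM
    typically watches: content hash, permission bits, owner, group, and size."""
    baseline: Dict[str, Dict[str, Any]] = {}
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            baseline[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline: Dict[str, Dict[str, Any]], path: str) -> None:
    # The baseline is the trust anchor: keep it off the monitored host or signed,
    # otherwise whoever alters the files can also alter the record of them.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Dict[str, Any]]:
    with open(path) as fh:
        return json.load(fh)


def compare(old: Dict[str, Dict[str, Any]], new: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Diff two baselines into the three event classes a FIM reports."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified: Dict[str, Dict[str, Any]] = {}
    for rel in sorted(set(old) & set(new)):
        changed = {k: (old[rel][k], new[rel][k]) for k in old[rel] if old[rel][k] != new[rel][k]}
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def _write(root: str, rel: str, body: str, mode: int = 0o644) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)


def demo() -> Dict[str, Any]:
    """Build a constructed tree, baseline it, introduce drift, and return the report."""
    work = tempfile.mkdtemp(prefix="fim-demo-")
    root = os.path.join(work, "tree")
    try:
        _write(root, "etc/ssh/sshd_config", "Port 22\nPermitRootLogin no\n")
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "bin/ls", "#!/bin/sh\necho stand-in for a binary\n")
        db = os.path.join(work, "baseline.json")  # stored outside the monitored tree
        save_baseline(build_baseline(root), db)
        # Simulated drift since the baseline was taken: an edit, a permission
        # change, a deleted binary and a new cron job.
        _write(root, "etc/ssh/sshd_config", "Port 22\nPermitRootLogin no\nAllowTcpForwarding yes\n")
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        os.remove(os.path.join(root, "bin/ls"))
        _write(root, "etc/cron.d/backup", "0 2 * * * root /usr/local/bin/backup.sh\n")
        return compare(load_baseline(db), build_baseline(root))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it prints one added path, one removed path, and two modified entries, the latter showing which attribute moved (hash and size for the edited config, mode for the permission change). Products like the two compared here layer ignore lists, realtime hooks, scheduling and reporting on top of exactly this comparison, and the thing to get right first is where the baseline lives.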
Side-by-Side Scoring: Tripwire vs. OSSEC

1. Capability Set

Both offerings boast a broad range of capabilities, several of which stand out. Tripwire Enterprise's FIM, configuration monitoring, and robust policies make it a strong contender for intrusion detection, threat protection, and compliance. OSSEC's FIM is also a powerful feature, in addition to its correlation and analysis engine, centralized policy enforcement, rootkit detection, and more.
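
The "correlation and analysis engine" is easier to picture with code. The following added example (not OSSEC's own decoders or rules) mirrors the decoder-plus-rules pattern in miniature: a regular expression decodes sshd failures, every failure raises a low-level event, and a frequency rule escalates when one source address exceeds a threshold within a time window. The log lines, the host name, the addresses, and the year are constructed for the example.

```python
"""Log analysis with a decoder and a frequency rule, in the style of a HIDS
correlation engine. Added example; not OSSEC's own decoders or rules.
Log lines, host name, addresses and the year are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG_YEAR = 2016  # assumption: classic syslog timestamps carry no year

# Decoder: field extraction for OpenSSH "Failed password" lines.
SSHD_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def decode(line: str) -> Optional[Dict]:
    m = SSHD_FAILED.match(line)
    if m is None:
        return None  # lines no decoder understands produce no event
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "src": m["src"]}


def analyze(lines: List[str], threshold: int = 4, timeframe: int = 60) -> List[Dict]:
    """Return alerts: a level-5 event per failure, plus a level-10 alert when one
    source accumulates `threshold` failures within `timeframe` seconds."""
    alerts: List[Dict] = []
    window = timedelta(seconds=timeframe)
    recent: Dict[str, deque] = defaultdict(deque)  # src -> failure timestamps inside the window
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        alerts.append({"level": 5, "rule": "sshd-auth-failed", **ev})
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures older than the timeframe
        if len(q) >= threshold:
            alerts.append({"level": 10, "rule": "sshd-brute-force",
                           "src": ev["src"], "count": len(q), "ts": ev["ts"]})
            q.clear()  # one burst yields one escalation, not one per extra failure
    return alerts


def escalations(lines: List[str], **kw) -> List[Dict]:
    """Only the correlated (level-10) alerts, the ones an operator would page on."""
    return [a for a in analyze(lines, **kw) if a["level"] == 10]


# Constructed sample: five failures from one address in 40 seconds, one stray
# failure from another, and one successful login the decoder ignores.
SAMPLE_LOG = """\
Nov 22 03:25:01 bastion sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Nov 22 03:25:04 bastion sshd[2313]: Failed password for invalid user oracle from 203.0.113.7 port 50130 ssh2
Nov 22 03:25:09 bastion sshd[2315]: Accepted publickey for deploy from 198.51.100.9 port 41022 ssh2
Nov 22 03:25:10 bastion sshd[2317]: Failed password for root from 203.0.113.7 port 50141 ssh2
Nov 22 03:25:12 bastion sshd[2319]: Failed password for deploy from 198.51.100.9 port 41030 ssh2
Nov 22 03:25:15 bastion sshd[2321]: Failed password for invalid user test from 203.0.113.7 port 50150 ssh2
Nov 22 03:25:40 bastion sshd[2323]: Failed password for root from 203.0.113.7 port 50162 ssh2
""".splitlines()

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"].time(), "level", a["level"], a["rule"], a["src"])
```

The threshold and timeframe are the tuning knobs the article alludes to: set too low, a user mistyping a password pages someone; set too high, a slow, patient guessing campaign stays under the radar. The single stray failure from 198.51.100.9 never escalates, which is the point of correlating by source rather than alerting on every line.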

Scores: not captured from the source images.

2. Ease of Use

OSSEC can be easily installed with deployed agents in under an hour; however, the solution is certainly not the easiest to configure and fine-tune (its web UI doesn't help much in this regard). Tripwire Enterprise's visual management console is a cut above OSSEC's, but users may nonetheless find the various interfaces for rules, tasks and reports difficult to get a handle on.

Scores: Tripwire 3 out of 5, OSSEC 4 out of 5.

3. Community Support

As a free, open source offering, OSSEC commands a sizable following in the community, despite changing hands several times over the years—first to Third Brigade in 2008, then to Trend Micro in 2009 (through its acquisition of Third Brigade). The solution is currently maintained by a large user and developer community, with a plethora of community support resources available online. In contrast, Tripwire Enterprise doesn't have any public community forums or portals to support it—only a smattering of white papers and case studies on the Tripwire website.

Scores: Tripwire 2 out of 5, OSSEC 5 out of 5.

4. Release Rate

Tripwire Enterprise is currently on version 8.5, while its open source version hasn't been updated since 2013 (a full release history is unavailable). The latest version of OSSEC is 2.8—check out details regarding the project's releases over the years on its GitHub page.

Scores: Tripwire not captured from the source image, OSSEC 4 out of 5.

5. Pricing and Support

OSSEC is completely free to download and install, but—as with most open source tools—presumes the requisite technical expertise to make it work. Trend Micro ended commercial support for the project back in 2014; today, paid-for OSSEC support is limited to a handful of third party vendors.

From a pricing perspective, Tripwire Enterprise is inaccessible to non-enterprise shops and budget-conscious organizations, especially once components and add-ons like cloud-based monitoring and compliance management are included. The company offers several options for paid support and professional services.

Scores: Tripwire 2 out of 5, OSSEC 4 out of 5.

6. API and Extensibility

Despite lacking a RESTful API for its core platform, Tripwire Enterprise does provide a SOAP API for accessing various platform capabilities such as integrity checks, change reconciliation, version promotion, and report generation; interestingly, other components like Tripwire IP360 are accessible via REST. OSSEC doesn't natively offer any APIs, but third-party vendors like Wazuh have developed REST APIs for controlling OSSEC remotely.

Scores: Tripwire 4 out of 5, OSSEC 3 out of 5.

7. 3rd Party Integrations

A myriad of security solutions have integrated OSSEC into their platforms—for example, the Splunk for OSSEC integration sends OSSEC alerts to Splunk for storing, searching, and visualizing security events. Tripwire integrates with various third-party solutions—ServiceNow, Splunk, and Lastline, to name a few—and offers Apps for enabling advanced capabilities like CMDB connectivity and service ticket automation. 

Scores: Tripwire 4 out of 5, OSSEC 4 out of 5.

8. Companies that Use It

OSSEC is used by leading enterprises, universities, non-profits, and government institutions—its corporate customers include Workday, Agilysys, and AlienVault, among others. Similarly, Tripwire's customers include many of the world's leading brands and prominent Fortune 500 companies.

Scores: not captured from the source images.

9. Learning Curve

Unfortunately, both OSSEC and Tripwire Enterprise newbies have steep learning curves in store for them. Both platforms are easy enough to get up and running—however, configuration and tuning will present users with varying levels of difficulty. 

Scores: Tripwire 3 out of 5, OSSEC 4 out of 5.

10. CSTAR

Tripwire scored an average CSTAR score of 684: website perimeter security flaws like server header information leakage and the lack of DNSSEC and DMARC leave its website prone to compromise. OSSEC's website at ossec.github.io scores an even lower 475 due to the absence of sitewide SSL, HTTP Strict Transport Security not being enabled, and the lack of SPF, DMARC, and DNSSEC records.
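
The perimeter findings behind those scores are straightforward to check for a site you operate. This added example (not UpGuard's CSTAR implementation) evaluates the items named in this section: a version-bearing Server header, missing or short HSTS, plain-HTTP serving, SPF and DMARC records, and DNSSEC. It takes the HTTP response headers and DNS TXT records as data so it runs offline; the domains example.com and example.org and their records are constructed, and the https_only and dnssec flags stand in for the redirect test and DS-record lookup a live checker would perform.

```python
"""Web-perimeter hygiene checks of the kind a CSTAR-style score aggregates:
Server header version leakage, HTTPS/HSTS, SPF, DMARC, DNSSEC.
Added example; not UpGuard's implementation. Inputs are passed as data
(headers, TXT records, flags) so the checks run offline."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (check id, explanation)

VERSION = re.compile(r"\d+\.\d+")                    # "Apache/2.4.7" discloses 2.4.7
MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.I)
PERMISSIVE_ALL = re.compile(r"(?:^|\s)[+?]?all\b")   # "+all", "?all" or a bare "all"
ONE_YEAR = 31_536_000  # seconds; the usual minimum recommended for HSTS


def assess(domain: str, headers: Dict[str, str], txt: Dict[str, List[str]],
           https_only: bool, dnssec: bool) -> List[Finding]:
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[Finding] = []

    server = h.get("server", "")
    if VERSION.search(server):
        findings.append(("server-header-leak", f"Server header discloses a version: {server!r}"))

    if not https_only:
        findings.append(("no-sitewide-tls", "content is reachable over plain HTTP with no redirect to HTTPS"))
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("hsts-missing", "no Strict-Transport-Security header"))
    else:
        m = MAX_AGE.search(hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(("hsts-short", f"HSTS max-age is below one year: {hsts!r}"))

    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("spf-missing", f"no SPF record published at {domain}"))
    elif PERMISSIVE_ALL.search(spf[0]):
        findings.append(("spf-permissive", f"SPF lets any host send as {domain}: {spf[0]!r}"))

    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(("dmarc-missing", f"no DMARC record at _dmarc.{domain}"))
    elif re.search(r"\bp=none\b", dmarc[0], re.I):
        findings.append(("dmarc-monitor-only", "DMARC policy is p=none, so spoofed mail is only reported"))

    if not dnssec:
        findings.append(("dnssec-missing", f"no DS record: DNS responses for {domain} are not signed"))
    return findings


def weak_site_findings() -> List[Finding]:
    """Constructed example of a poorly configured perimeter (example.com)."""
    return assess(
        "example.com",
        headers={"Server": "Apache/2.4.7 (Ubuntu)", "Content-Type": "text/html"},
        txt={"example.com": ["v=spf1 include:_spf.example.net ?all"]},
        https_only=False, dnssec=False)


def hardened_site_findings() -> List[Finding]:
    """Constructed example with the same items addressed (example.org)."""
    return assess(
        "example.org",
        headers={"Server": "nginx",
                 "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
        txt={"example.org": ["v=spf1 include:_spf.example.net -all"],
             "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"]},
        https_only=True, dnssec=True)


if __name__ == "__main__":
    for cid, why in weak_site_findings():
        print(f"[{cid}] {why}")
```

The weak configuration yields six findings and the hardened one none. Each fix is a one-line change on the server or in DNS, which is why these items weigh on a perimeter score: they signal whether anyone is tending the front door.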

Tripwire CSTAR report (screenshot).

OSSEC CSTAR report (screenshot).

Scoreboard and Summary

Category                Tripwire        OSSEC
Capability Set          not captured    not captured
Ease of Use             3               4
Community Support       2               5
Release Rate            not captured    4
Pricing and Support     2               4
API and Extensibility   4               3
3rd Party Integrations  4               4
Companies that Use It   not captured    not captured
Learning Curve          3               4
CSTAR                   684             475
Total                   3.3 out of 5    3.6 out of 5

(Per-category scores are those given in the sections above; "not captured" marks score images whose value did not survive in the source.)


Budget-conscious organizations with resident technical expertise will benefit from the open source power and depth of OSSEC, while deep-pocketed firms will appreciate Tripwire's enterprise-focused offering and its fleet of add-ons. At the end of the day, however, neither of these solutions alone will suffice to protect organizations against today's cyber threats. A fully realized layered security framework includes technologies like OSSEC and Tripwire, as well as solutions for monitoring overall enterprise resilience. UpGuard's platform uses both internal and external measures to ensure that your organization's cyber resilience posture is always up to par. Try it today; the first 10 nodes are on us.

Topics: vulnerabilities, continuous security