In-Depth

Configuration Management: Ecora Auditor Pro and Tripwire Enterprise

Compliance is often a matter of managing change

• By Chris DeVoney
• 03/20/2007

Change may be in the air and change may be inevitable, but change in the enterprise’s or institution’s IT environment, given today’s regulatory and performance needs, better be controlled and well documented. The need is not only to detect activity from cyberfelons and fulfill auditing mandates but to make the IT organization more productive.

Compliance is a major bedfellow in our IT lives and whether the acronym is SOX, GLBA, HIPAA, FISMA/FISCAM, Basel 2, or PCI (the payment card industry’s security standard, not the computer bus), our organizations must demonstrate conformance. In any audit, it’s not just show-and-tell of the policies, procedures, and workflow but the reports and results of running systems that count.

In a way, configuration control and management is a cousin to vulnerability scanners. One shows where our network or server configurations have visible opportunities for exploits. The other shows that our configurations are what we believe they should be, either unchanged with best practices applied or with tested and authorized changes. After all, IT is a service to our organizations and we deliver improved services though our “changes.”

As we have experienced, change isn’t necessarily good. It’s not just the “ain’t broke, don’t fix” philosophy. Changes in OS or application settings can introduce vulnerabilities or instability. Patches to operating systems, databases, and applications can inflict allergic reactions that upset working systems. Insufficiently tested internal updates can open the help-desk floodgates and reduce productivity across the enterprise.

Operationally, a history of changes can be invaluable for remediating problems and assuring best practices. Compliance-wise, that history confirms that right steps are taken, such as when a departing employee access, accounts, and files have been removed from systems.

That management/compliance inquiry led me to two of the many companies in the market: Ecora and Tripwire. Both companies have products that do the same basic thing: find the baseline of servers, network infrastructure pieces (such as firewalls and routers), and databases and report any changes. What the products do with the information distinguishes the two.

For me, Tripwire is somewhat of an old friend. The original Tripware was developed by Dr. Eugene Spafford and then-student Gene Kim at Purdue University in 1992. The software, inspired by the havoc created by the Morris Worm, was a Unix system file integrity checker that doubled as an intrusion detection system. The software made identifying and remediating changed files easier, particularly when that change was an outsider hack or goof by an insider to (formerly) working files. The freeware/open source program ran on tens of thousands of servers and is estimated at quarter-million copies in active use.

Kim founded Tripwire, Inc. in 1997 and unleashed commercial versions appropriate to medium and large enterprises and institutions and covers a broad range of operating systems (Windows, Unix, Solaris, Linux), MS Active Directory, Sun Java directory, and Novell’s eDirectory directory services, network devices from companies such as Cisco, Juniper Networks, CheckPoint, F5, HP, and Nokia, and Oracle and MS SQL databases. Given that Kim is also cofounder of non-profit Information Process Technology Institute whose membership consists of IT audit, security, and operations professionals, Tripwire has a larger slant to the operational aspects of change tracking than just compliance tracking.

Ecora, which is just as well-known for its Patch Manager software, slants its Auditor Pro product equally at operations and compliance reporting. The product doesn’t have the networking breadth (it currently monitors only Cisco equipment) but does support VMWare, tracks both MS Exchange and IBM Notes, and application tracks with Citrix and MS IIS.

Ecora emphasizes its agentless approach to discovering and monitoring; Tripwire mostly uses agents. However, Tripwire has a lower infrastructure investment using a single frontend server connecting to a backend database server. Ecora stages a polling server in each location reporting to a central frontend web and backend database servers. In both cases, the products can leverage existing database servers/farms.

Ecora provides more high-level executive dashboarding and a larger library of compliances reports, and it has better integration with help desk ticketing systems for finding, remediating, and reconciliation of problems due to errant changes.

Both products will integrate with change management databases (CMDB). Ecora has intimacy with BMC’s Attrium. Tripwire has integration with BMC and CA, HP, and IBM.

Both products can be up and running within a couple of days and you’ll have major functionality within two weeks. Expect to expend a .2 to .5 FTE for ongoing care and feeding. With pricing charged per server and device (although Ecora throws in desktops at no charge), the initial acquisition price tags for large enterprises and major institutions often has a six-figure price tag.

However, the “payday” can be intriguing. Tripwire reports how two people duplicated the compliance work performed by a 12-person group. Ecora reported how a single person in a couple of hours produced the compliance reports that previously took fifteen people and a couple of weeks. Both products can reduce trouble-ticket diagnosis and remediation times from a couple of days to several hours. With KPMG estimating that 50 to 60 percent of audit findings are IT related, these product can reduce compliance adversities.

Eric Maiwald, a senior analyst and a CISSP who covers the space at the Burton Group, wants that companies should be wary of point solutions. Maiwald notes that the space falls into the union of security/computer management products (such as CA Unicenter and Landesk) and the configuration management side (think BMC and Cambia). He also feels the product space is two to three years away from full maturity.

I’m comfortable with that thinking, but I’m also comfortable with both Tripwire and Ecora. I see enough maturity and survival instincts in the two companies for customers to get a meaningful return on the investment. Neither product is the universal panacea for all enterprises for change tracking and compliance reporting. Nor are these products meaningful in an absence of internal company controls and a culture of compliance. Even so, depending on your infrastructure and increasing regulatory needs, these products are worth more than a cursory look.