Tripwire Enterprise now features the ability to collect digital forensic data in the event of a data breach.
“Tripwire Enterprise monitors systems in real-time for changes that could be indicative of a breach,” said Tim Erlin, vice president of product management and strategy at Tripwire. “When a security breach is suspected, Tripwire Enterprise’s new Incident Response Rules can be used to collect in-depth data on what happened on a system to speed and support incident response.”
Tripwire Enterprise delivers forensic data from Windows-based systems file, network, process, USB, and USB artifacts. In each area, Tripwire Enterprise:
- File access: Identifies files which have been opened, searched for, or executed, including trusted Microsoft Office locations which may be abused by an attacker.
- Network artifacts: Identifies active network connections. These help in identifying whether malware is communicating with command and control servers, and check for active lateral movement from the endpoint.
- Process execution: Provides evidence of processes which have been executed on an endpoint. Tripwire Enterprise can show both actively running and executables which have evidence of having been run in the past.
- USB usage: Provides a list of actively installed USB drives, drives which have been installed in the past, and any mount points which may be set up on the endpoint.
- User activity: Identifies actions the user has taken on the endpoint and what a user was searching for to help determine a malicious actor’s goal.