Tripwire Enterprise now collects digital forensic data to support incident response

Tripwire Enterprise now features the ability to collect digital forensic data in the event of a data breach.

“Tripwire Enterprise monitors systems in real-time for changes that could be indicative of a breach,” said Tim Erlin, vice president of product management and strategy at Tripwire. “When a security breach is suspected, Tripwire Enterprise’s new Incident Response Rules can be used to collect in-depth data on what happened on a system to speed and support incident response.”

Tripwire Enterprise delivers forensic data from Windows-based systems, covering file, network, process, USB, and user artifacts. In each area, Tripwire Enterprise:

  • File access: Identifies files which have been opened, searched for, or executed, including trusted Microsoft Office locations which may be abused by an attacker.
  • Network artifacts: Identifies active network connections. These help in identifying whether malware is communicating with command and control servers, and in checking for active lateral movement from the endpoint.
  • Process execution: Provides evidence of processes which have been executed on an endpoint. Tripwire Enterprise can show both actively running processes and executables which have evidence of having been run in the past.
  • USB usage: Provides a list of actively installed USB drives, drives which have been installed in the past, and any mount points which may be set up on the endpoint.
  • User activity: Identifies actions the user has taken on the endpoint and what a user was searching for to help determine a malicious actor’s goal.