In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, Robert E. Johnson III, Cimcor CEO/President, discusses the importance of using the right file integrity monitoring software for compliance. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is President and CEO, Robert E. Johnson, III. Robert has been a pioneer in the development of next-gen system integrity monitoring, self-healing systems, and cybersecurity software. Robert, welcome back. It's great to be speaking with you. It's been a little bit since we've recorded together.
A: That's true, but it's great to be back together with you on your show.
Q: Yeah, thank you. And so, Robert, we're here to talk about file integrity monitoring and compliance, and I know in past episodes, you've spoken of file integrity monitoring. But I think we seem to just kind of scratch the surface on how it can help companies who, you know, they need to comply with specific regulatory requirements, etc. So, to start off our conversation, I'd love for you to weigh in on, you know, are there specific compliance requirements that we should know about in tandem with these two topics? Or anything that you'd want to share.
A: That's not a straightforward question. The compliance requirements that you should know about actually vary by the industry that you're involved in. So, for instance, in organizations that process a large quantity of credit cards and perform many credit card transactions, they'll be interested in PCI-DSS. Or hospitals would be concerned more about HIPAA. In the energy vertical, they will be interested in NERC-CIP, and so many more.
So many times organizations have industry-specific compliance requirements, and oftentimes they must actually comply with multiple requirements. For instance, a hospital may have to deal with HIPAA, and they also have to deal with PCI, because not only are they helping patient and patient data, but they also are processing credit cards for their payments. However, regardless of what you have to comply with, almost all of the modern cybersecurity and compliance frameworks have this one common thread:
It's that system and file integrity is a core component to ensure that systems are operating in the expected manner.
The challenge is really how do you implement file integrity monitoring at scale, without noise, and in a manner that aligns very well with the compliance frameworks and regulatory requirements that you have to deal with on a daily basis.
Q: So from what it sounds like, you know, it's not just checking a box, and organizations need to think critically about their IT infrastructure and how it impacts compliance. Is that what you're saying?
A: That's right! Don't be that guy. Don't just check the box. There are several file integrity monitoring tools on the market. However, in practice, you will see that most of them are simply monitoring file changes. They will simply report to you all changes, whether those changes are good or whether those changes are bad. So if you simply select any file integrity monitoring tool with the objective of just checking a box, you will find that your security and engineers will rapidly become overwhelmed with alerts and noise, and unwanted information. And think about it, noisy tools either get turned off or they get ignored. That's the last thing you want because tracking and enforcing integrity is such a critical component of one's cybersecurity strategy that you need to ensure that the tool you're using is appropriate, adequate, and efficient, and easy to use for your engineers.
Furthermore, if you simply check a box and purchase most of the FIM tools that are out there, you will not only get a ton of noise, but you will also get a limited set of functionality. Most FIM tools only monitor files, and oftentimes only files under Windows. But if you think about it, think about how many assets in your infrastructure would benefit from integrity monitoring. Examples could be your configuration settings for AWS, database schema configurations, Active Directory users, network device configurations, ESXi hypervisor settings. You know, if you really are trying to secure your infrastructure and go beyond simply checking the FIM checkbox, you'll be concerned more about monitoring files for change but you'll be interested in monitoring the integrity of all of the assets in your IT infrastructure.
Q: It sounds like companies should focus on what the, you know, "file integrity monitoring requirement" must achieve and what will be effective for the organization. I guess, rather than quickly putting a check box on the FIM, you know, with an ineffective tool. If all FIMs are not created equal, I guess, Robert, you know, to start to wrap up our conversation. What should our listeners be looking for?
A: Your listeners should be looking for next-generation file integrity monitoring tools, and stay clear of any legacy-type tools. The category that these next-generation file integrity monitoring tools fall into nowadays is something called "system integrity assurance," and system integrity assurance tools more directly align with the real intent of most of those compliance requirements. It complies in a way which also simplifies how to install and create policies, all without unnecessary noise.
Infrastructure is quite complex, and so are your compliance requirements. You will find that the system integrity tools, such as our product, the CimTrak Integrity Suite, will help you comply with many of the requirements even beyond that FIM requirement. Even beyond that FIM check box. With our product, CimTrak, we've taken steps much further than any other tool on the market. You know, we feel that a strong security strategy begins with a strong security management process, and we include all of the components to manage change from end to end within your infrastructure.
CimTrak can detect changes, not just to files, but to databases, to AD, cloud infrastructures, Docker, Kubernetes, and so much more. In addition, we provide the tools to manage the process with either a built-in ticketing system or via third-party ticketing system integrations. For instance, our software can directly connect and interface with ServiceNow or BMC Remedy, and that provides this clean and consistent way to view and document unexpected changes. We believe that CimTrak, we not only help cybersecurity professionals secure the infrastructure and help them comply with critical controls, but we also provide the reports and the documentation the auditors need to actually do their work.
Q: Fantastic. Well, as always, Robert, such a pleasure speaking with you. Thank you so much, and I'm looking forward to next time.
A: I look forward to being on your show again next time as well, Hillarie. And if anyone in your audience is interested in actually trying our product, CimTrak, we'd be glad to accommodate them, either with a free demo or a free trial of our software in our own environment. Just reach out to us at www.cimcor.com.
Q: Awesome. Thank you, Robert.
A: All right, thank you, Hillarie.
October 18, 2022