Podcast: PCI DSS And Continuous Monitoring
DATA SECURITY PODCAST
In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, Robert E. Johnson III, Cimcor CEO/President, discusses the latest views on PCI DSS compliance and the concept of continuous monitoring and security. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Rob, welcome back. Great to have you on the show again.
A: You know, it's great to be back on with you, Hillarie.
Q: So Rob, later in 2021 it is expected that PCI DSS version 4.0 will be released with updated requirements. And even though the finalized requirements and, you know, the standards have not been released, we know one of the high-level goals includes promoting security as a continuous process. So can you elaborate on security as a continuous process for us?
A: Sure. You're hearing more about that nowadays, but you know, the concept of continuous monitoring and continuous security really isn't new. However, amazing tools that can be proactive and help you accomplish that continuous security as a process and continuous compliance as a process - those are new. And they're becoming more mature by the day. In fact, on the federal side, there's been a significant push to adopt something called CDM, and that stands for Continuous Diagnostics and Mitigation. And you know, their tenet is to understand what's on your network, who's in your network, what's changed on your network, and if it does, what are you going to do about it.
So CDM really embraces this continuous security as it implements those four big questions that I just threw out there. So it's great to see that on the federal side of things, but PCI DSS, I think, is the compliance standard that will help drive that philosophy in the commercial space. So I find that very encouraging and I look forward to that.
One of the things that we've seen is that, you know, this traditional cycle of periodic audits - say twice a year, or whatever interval you have in mind - creates this mentality where there's this big push to prepare for this audit event, and to pass that audit event.
But in between those audit events there are these gaps, Hillarie. Really it’s a gap in tenaciousness, a gap in preparedness, and a gap in measurement. Continuous monitoring and security helps ensure organizations always understand their security posture, and I think that really encourages them to adjust throughout the year, based on this dynamic data.
Q: And so, now that we've defined security as a continuous process, what are some ways we can implement continuous security or continuous monitoring and security?
A: Right, that's a really good question. Many of you have probably heard the quote “If you can't measure it, you can't improve it”, and that quote is usually attributed to Peter Drucker, the father of modern management. But in truth, it was actually said by Lord Kelvin, and that was the physicist who defined the temperature of absolute zero. So I think that same philosophy actually applies to security. Imagine that thermometer as Lord Kelvin perhaps imagined it, but it actually measures the security posture of your environment. Every day. Whenever you decide to check to understand the temperature of your security posture. Continuous security begins, in my opinion, with continuous measurement.
And you have to have the right tools in place right from the beginning to understand where you are in this continuum. So it's important to continuously assess where your servers stand in terms of the security posture.
For example, if you have a hardened server in your infrastructure, say you hardened it last month. Is that server in the same hardened state today? Have users altered some of the local security policies or settings in that server that somehow decreased it from that originally hardened state?
Imagine you're doing that across your infrastructure. How would you really measure that? Doing that manually is almost untenable, and perhaps impossible, especially over a large number of servers.
So that's where some of these new, modern tools really make a difference, such as our CimTrak Integrity Suite. The CimTrak Integrity Suite can continuously assess your servers to ensure that they're in that expected hardened state. This provides security engineers with the feedback that they need, so that they can quickly identify changes and fix them incrementally.
Not that mad dash right before an audit — but incrementally throughout the year as issues arise. Furthermore, it also provides the feedback that they need to actually improve over time, and to measure and prove that your security posture has improved over time.
So that CimTrak Integrity Suite tool that I mentioned earlier, our tool actually measures more than just the hardened state of a server, but we can also help you understand if your state of integrity has changed in any way, and measure it. Have any files been modified in an unexpected manner — and measure it. What about new users being added or removed? What about privileges? It is measuring all of it, understanding it, having insight, and knowing what's changed over time in a continuous, real-time fashion.
On top of it all, we also help you measure where you stand in terms of various compliances, such as PCI DSS, the topic of this podcast, or NERC CIP, NIST, and many others. You know — kind of seeing where you stand for all the servers and systems in your infrastructure against these compliances can just be invaluable. Especially when you can measure it and understand if you're doing better or not in the end. This makes the security engineer's job much easier because, by implementing continuous security and compliance, what that actually means is that you're continuously ready for an audit.
Q: Great, Rob. Thank you so much for joining us and telling us about continuous monitoring and security. Really, really appreciate it.
A: No problem. Glad to be on your station again, and I look forward to meeting all of you again.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".