This podcast episode explores the unique collaboration between LogRhythm Axon and CimTrak, two cutting-edge cybersecurity solutions. Our experts, LogRhythm's Josh King and Cimcor's Justin Chandler discuss how these technologies make security easy, providing insights into reducing security noise and enhancing decision-making capabilities within the Cloud. The podcast can be listened to in its entirety below.
Mark Allers: Welcome
We are excited to discuss the newest collaboration between Cimcor and LogRhythm. We've brought together experts from both companies to explore the synergies that can be achieved when LogRhythm’s new and exciting product, Axon, is used in conjunction with Cimcor's CimTrak Integrity Suite.
For listeners who might not be familiar with the two products, I'll do a quick little 10-second, 15-second summary of each product. LogRhythm Axon is a groundbreaking, scalable, cloud-native SIEM platform. It is optimized for the analyst experience based on 20 years of real-world security knowledge.
LogRhythm Axon eases the load to defend against and reduce the risk of cyber threats. And for those that don't know and understand CimTrak, the CimTrak Integrity Suite is a robust security and compliance tool that offers real-time integrity monitoring, assessment, remediation of IT assets that have deviated from a known and trusted and expected state of operation. Functionality delivered through its Axon integration includes system hardening, configuration management, change control, change prevention, rollback and remediation, and a number of other functions.
This enables customers to detect unknown, unwanted, and unauthorized changes, both malicious and circumvented, in real-time to restore them to previously trusted baselines of operations. So joining us today are two distinguished engineers and subject matter experts from each organization from Cimor, we have Justin Chandler, and from LogRhythm, we're pleased to welcome Josh King, both of whom have played a critical role in facilitating this collaboration. So welcome to both of you.
So Josh, what specific security challenges do LogRhythm customers face that CimTrak could help address?
Josh King: First off, thanks for having me, Mark. It's always a pleasure to speak with you, and of course, Justin. Really, that's a great question as far as the security challenges that are being faced.
Everything from compliance needs that our customers have to detecting threats in real-time. These are some of just a very small load of what our customers are facing. And there are a few ways that CimTrak can help with that. One is with your file integrity monitoring.
Which I really like, as it helps detect those unauthorized modifications or tamperings, which could potentially indicate a security breach. And then you look at different security, or I'm sorry, compliance requirements, such as, PCI, HIPAA, CMMC, GDPR, and those require organizations to implement file integrity monitoring. Then, we have insider threats. That is something that has posed big big holes, whether, they're internal, or intentional, unintentional. They certainly pose a significant risk, and by integrating CimTrak with the LogRythm Axon, we're able to detect those, as well as some advanced threats that are occurring, whether that's from malware, ransomware, ATPs, everyone's favorites right now. I think it was 234 known adversaries, plus an additional 34, according to the latest CrowdStrike report. So that's just some of the ways that CimTrak can help our LogRhythm customers when we go ahead and we integrate the two solutions together.
Mark Allers: Fantastic. Thanks, Josh. And to parlay onto the question that was posed to Josh, Justin, if you could describe the certified integration between Axon and CimTrak and what that looks like from a technical perspective?
Justin Chandler: The entire integration really revolves around getting all of CimTrak's forensic details and alerts into Axon. Axon users need all their logs from all their tools and systems aggregated in the central location to easily review, alert, identify all these critical activities occurring in the environment.
Well, CimTrak can integrate to Axon by sending all of our logs via HTTPS webhooks. Which is a big upgrade over, Syslog in terms of speed, security, and the feature sets around them. Especially people who might still be using UDP out there, right? With our webhooks, we can send full forensic details, alerts, benchmark scans, compliance scans, and all those details for Axon users to see within their console.
Mark Allers: Fantastic. And a little parlay onto that. One of the things that oftentimes the SIEM community gets bombarded with is this kind of alert fatigue mindset. With this integration, what kind of data can be pushed on over into the LogRhythm environment that can help with address this issue?
Justin Chandler: Yeah, CimTrak, will be monitoring all your critical files, applications, services, registry keys, databases, Active Directory, the list goes on. So getting these change alerts and forensic details about the change, the who, the what, the when, the where, the why, all these details can be found in Axon in raw log format, or in some of our new dashboards we created.
Mark Allers: Fantastic. Thank you. That's exactly what I was looking for. Okay, so say a bad actor slips through. Either by an XDR and antivirus or, whatever there is in place, and it slips by, and this happens far too often, and they modify some business logic, or they add a backdoor, or a malicious payload in the kind of in the mindset of ransomware.
Explain to me what would happen if I were running CimTrak and LogRhythm Axon together.
Josh King: What would happen is with the file integrity monitoring that CimTrak has, we would detect that either the business logic has been modified, there's a back door that's been there, or a payload has been installed onto critical files.
CimTrak is going to detect those and it's going to detect them in real time. Justin and I have spent a lot of time together, and seeing how fast we're actually able to monitor and see those changes is absolutely fantastic because it provides that real-time detection. And then, once we've detected that, then we're going to have, the real-time alerting, and that's where it's going to go ahead. It's going to, notify us immediately upon that unauthorized change to those critical files or those configurations. And then those alerts are sent on to LogRhythm Axon, where we're acting as the central hub for managing those security incidents.
And, from that point, we can enrich them with additional contacts that we're pulling from other security events, other data sources, and then we can go ahead and prioritize them based upon the severity of that threat. So it allows us to put into place automated workflows that we can go ahead and initiate based on what we have predetermined within the LogRhythm Axon solution.
So then, after we've gone through, we've correlated everything, we've done our analysis, we can go ahead and look at what actions can be taken. And that's something that you folks do very well, as far as rolling back changes to those known, good configurations. Then we can put procedures in place to block the malicious process, we can initialize a forensic analysis, and then pull some reporting from that point.
Mark Allers: Fantastic. Thank you for that response. You brought up a a term in there that I want to parlay into the next question is real-time. So in the industry as we exist today, we're plagued with this problem of 204 days being the average time to detect a security breach or incident.
So Justin, question for you, how can CimTrak reduce that time, number one, and number two, how does that impact LogRhythm’s, incident response processing capabilities?
Justin Chandler: Wow, 204 days, is that real? That's insane. What is it, like seven months? CimTrak detects changes in real-time, like you said.
That means right now, instantly, right? So that's a big difference between seven months to right now, which is crucial because don't you want to know about those critical files, systems, firewalls, et cetera, changing behind your back right away, or would you prefer seven months, right? CimTrak is the only true real-time monitoring product out there that can provide these alerts and forensic details in real-time right now, which is when you need to know about it, which totally impacts the LogRhythm users.
On the incident response side over there, they don't want to do it 204 days later. Finding out right now. Imagine a hacker had access to your environment for seven months without you knowing that's insane. It's 2024, guys. That's nonsense. CimTrak can clearly detect these changes right now and give you all the info you need.
Back to those dashboards I mentioned, the Integrity Dashboard we created in Axon helps you easily visualize all this data in your environment regarding integrity alerts and the popular usage making changes, top noisy files, what changed in the last hour, quick insights to really get the idea of what's going on right now? And what do I need to take action on? And on the compliance dashboard, you have another way to easily visualize, what's the hardening standpoint of all your systems. Did this GPO change a month ago, and no one noticed? We can do continuous compliance scans to see, is this system hardened? Is it secure? Are there vulnerabilities? And, does it actually meet the compliance framework requirements your company needs to meet? One of the biggest benefits here is awareness, easy to see, and find the info you need to take action on in terms of security.
Mark Allers: Great. Thank you for that. You brought up a term that probably many in the audience know and understand is this term FIM, file integrity monitoring.
So, how important is file integrity monitoring and ensuring integrity assurance and compliance in the Axon world or product?
Josh King: Oh boy. It is extremely important. Number one, integrity assurance. We need to verify the integrity of critical files and configurations and not just, verify them initially, right? But we need to continuously monitor them for changes, and this really helps to ensure that our systems remain in a known and a trusted state. And this is absolutely critical. Seven months for someone just to sit in there and mess with all your files and your configurations, and good Lord, that is just, I'm just gobsmacked with even just thinking about that. And so that's where integrity assurance really comes into play, but then, it also comes back to those compliance requirements, and we need to have that FIM in place. And we, again, continuous monitoring of all those files and then, with the integration with Axon with that reporting that really allows us to see in real-time in the dashboards what is going on. And then when we have something that requires immediate attention, having those alerts, letting us know, “Hey, this has happened, we need to handle it.” So that real-time visibility, the ability to rapidly address that threat, streamline the incident response, and then bring us back to compliance assurance is really why the file integrity monitoring there is so important.
Mark Allers: Thanks for that. So I'm going to, I'm going to stay with you still, Josh here, to add on to the discussion of FIM. Axon enables security teams to defend against cyber-attacks effectively to do four things. Save time, find threats faster, gain comprehensive visibility, and execute seamlessly.
So, given those four kind of value propositions, if I was to ask you a two-sentence or an elevator pitch. How does CimTrak’s integration align and supporting those four key value propositions? What would your response be?
Josh King: By automatically detecting those unauthorized changes to those important files and configurations. And being able to see, via the integration with Axon, those events in real-time, and then correlating them with the other security events that have occurred within the environment.
Mark Allers: Perfect. Perfect. And Justin, what are your thoughts relative to those four key values? And how can CimTrak help reduce costs, increase visibility, and reduce the risk of security breaches and incidences?
Justin Chandler: Like Josh mentioned, one of the biggest priorities here is continuously monitoring your compliance standpoint.
While security is great, and everyone wants it, really it's the compliance frameworks driving these standards, thank God, right? And one of the first parts in terms of cost is, well, time. CimTrak is easy to install, deploy, configure, and integrate to Axon. Takes the man-hour cost away. You don't need to spend weeks or months configuring and getting things up and running.
And in terms of failures and disasters that CimTrak could have alerted on, remediated, or even prevented from occurring in the first place, yet again saving you cost and time. And then, in terms of the audit side, for your audit prep, CimTrak can build your audit report for you, provide evidence in the report, showing evidence for all these requirements that we support, a majority of them, which is easier for the engineer to gather the data and easier for the auditor to review the data.
Sometimes people start this audit prep very far along in the process where we can get this data right away, auditor's walking in, run the report, give them the proof, and you're on your way. I've even had some clients save hundreds of thousands of dollars in just their audit costs because the auditors say we used to spend 36 hours reviewing this.
Now it's three. Hey, we both saved time and money. CimTrak has more visibility than people even think. While we keep talking about Windows and servers and workstations, we have the largest variety of OS support and device support out there.
Windows, Linux, AIX, Solaris, Mac OS, AIX, HP UX, firewalls, routers, ESXi hosts, FreeBSD, databases, AD, Docker, Kubernetes, the list goes on. So we have huge visibility in your environment and, of course, visibility surrounding these critical changes and vulnerabilities on your systems, and most enterprises in their environment can provide visibility around these changes and compliance right from CimTrak’s console and of course, Axon’s dashboards.
Lastly, your last point was risk. With our compliance module running those benchmark scans for the hardening. It's nice to get the audit prep, but we're also helping harden your machines and securing them to prevent the most common attacks out there. Breaches, vulnerabilities,
Windows Fresh Install is not secure.
Linux fresh install is not secure.
There are a lot of settings you need to enable and configurations you need to change to make it secure. That's what we help you do, is reduce the risk and strengthen your environment and alert you when that stuff changes.
Mark Allers: Thanks for that response. Now, a couple times, both of you have brought up the word compliance, and it seems like compliance is the outcome, security is the mission.
Let's talk about compliance a little bit here. What would you say are the top three compliance mandates LogRhythm Axon is being asked to support?
Josh King: So definitely PCI, GDPR, is up there as well, and then HIPAA is also another really big one that we're being asked to support.
Mark Allers: So, can the joint solution between Axon and CimTrak provide a more comprehensive compliance auditing and reporting approach?
Josh King: Yeah. Yeah, absolutely.
Through monitoring and reporting, since we're collecting the data from all the different various sources within the environment, plus CimTrak for the file integrity monitoring, we can go ahead and consolidate those events with that other data, which provides us a more comprehensive view of all those security events that are relevant to those compliance mandates. And the integration really enables us to have the correlation and contextualization of all that data, which provides us great visibility and not just visibility, but understanding of those potential security threats, which helps us to prioritize and respond to those incidents more effectively.
Mark Allers: Fantastic. So last question on this topic for you here, but I know the audience, if they could ask, they would ask, is there any overlap relative to what you just described and the CimTrak product in the Axon framework?
Josh King: While there may be some overlap as far as some various capabilities, such as log management and incident response, the integration of the two solutions really enhances the overall compliance effort, and we do this by leveraging the various strengths that we both have.
For example, with Axon, we really provide that centralized logging monitoring and incident response capabilities, while CimTrak offers really the specialized file integrity monitoring capabilities. So with them both linked together, they provide, in my opinion, a more comprehensive approach to that compliance auditing, the reporting, as well as addressing multifacets of the security and the regulatory requirements.
Mark Allers: Fantastic. And Justin, I know you live and die by a lot of conversations in compliance. What are some examples of compliance mandates and requirements that CimTrak can enable Axon to provide on a continuous basis, even above and beyond PCI, GDPR, and HIPAA?
Justin Chandler: While those are three popular compliance frameworks we help with another hot one is CMMC. A lot of government contractors want to continue getting contracts, but now they can't unless they're CMMC compliant. So that's something that's really popped right now for the deadline. People want to be compliant to continue their business. Beyond that, we support, SOC 2, HIPAA, Josh mentioned, many NISTs, ISOs, the list goes on. But with CimTrak, we can scan all these systems based on the CIS benchmarks or DISA STIGs, and actually take the data from these test results of the hardening standpoint and map them to compliance frameworks.
That's how we can build these reports for you. We can make a PCI, a CMMC, a HIPAA, or whatever report with every requirement in it, fill out as much of it as we can for you, providing the evidence in the report with your system values where it belongs for the auditor to read.
Mark Allers: When you say evidence, tell me what the evidence looks like.
So let's say CimTrak runs its scan, and it comes back and some device has failed. What is inside that report that gives the auditors, or the preparation of audit, gives them that information to understand why that particular control may be failed or passed?
Justin Chandler: Yeah the benchmark is full of many tests that are checking all these settings to see is this good or bad? Is it secure or not? For example. Your passwords for Windows server, your passwords must be 14 characters or more. Real security requirement, you don't want to enforce two-character passwords, that'd be easy to brute force security. But in terms of showing the evidence of that, how do we know it's 14 characters or more and being enforced?
The test is checking GPOs and registry keys. We'll actually pull the registry value for that key and show you in the report underneath this requirement. Okay. Your value is 7. It's not 14, you fail, which makes it easy for the engineer to understand why. Yhey might be thinking, “I swore I pushed that GPO out, maybe I got to do a GP update force.” Or, “Now I know why, thanks CimTrak, for showing me.” Or for the auditor side, they say, “Pass? Says who?” It's right here in the report. You want 14 characters or more? Here you go. See, my system shows 14, back to cost. I hear people will take screenshots and write scripts to gather all these values. We're doing that, and we're putting it right in the report where it belongs. So, even more time saved.
Mark Allers: So inside that report, let's say something failed. How easy is it to rectify or to get that failed back into a state of pass?
Justin Chandler: Good point.
Mark Allers: Is this is this something that takes an hour? A day?
Justin Chandler: No, and you gotta think about, how do admins manage their environment, right? Domain controllers. You got a thousand Windows machines, how do you enable the screensaver on all of them? A GPO template, you push it out, it takes five seconds. All follows that same management perspective. Now you get an alert that this password thing failed. Characters are seven characters instead of 14. We provide the remediation steps to fix it. Maybe you don't know how. We're going to give you the exact path in the GPO editor to change, and then value it should be. And then what you're going to do is make a template and push it out across the board because they all need it. So it's very easy to understand what's wrong. how do I fix it, and push it out in bulk.
Mark Allers: And all this information sits in Axon, correct?
Justin Chandler: Yeah, another good point. While it is in our reports and our console, Axon users don't want to go to CimTrak/AV/EDR. It's a hundred tools they have to manage.
Axon brings everything into one place. So in our compliance dashboard I referenced, right away, you can log in and easily see these graphs and visualizations that, “Oh! Three systems are no longer hardened anymore. I don't know what happened yesterday. They were good. I better go take action,” or, “Wow! I logged in, and a hundred percent of my machines are healthy and hardened. I feel good. And it took me one second to see that.”
Mark Allers: Fantastic, thank you. You brought up another term that seems to hit us all here, and it's alert. And I'll tie that to alert fatigue, or as the industry calls it, noise. Does the integration between CimTrak and Axon help reduce alert fatigue and noise? And if so, what does that look like?
Josh King: Yes. That is a big one that a lot of teams face is having all of those alerts that are coming in and really not knowing what's a false positive, what's a false negative, where do we go from here? How do we trim all this out? We're spending hours and hours just trying to get through it on a daily basis. And then on top of it, most of these folks are wearing other hats. They have additional responsibilities within their environments and they don't have the time to be able to even go through all of them in a day. And, we can definitely help reduce that alert fatigue and the noise, and we can do that in a couple of different ways. With our focused alerts, whenever we have the unauthorized changes that occur, that's only when we're going to see those alerts be generated from CimTrak and sent into Axon. And again, we always correlate that security data in the indicators with everything else that is occurring within the environment, and that correlation ensures that only those relevant alerts are then escalated from that point for further investigations, which is going to reduce the overall volume of alerts that we are seeing, and it's going to give those teams back that time that they really need to be able to prioritize the rest of their responsibilities within their environment.
Then we prioritize those threats, and we do that again with that integration between CimTrak and Axon. So by taking in the correlation from other security incidents, we can go ahead and prioritize that if we see that, it's something that is occurring often, then we know that okay, yeah, this is not just a one-off here, we need to go ahead and really dig into this. Let's go ahead and raise this from a P3 to a P1.
Justin Chandler: That's cool stuff. I actually didn't know about the correlation piece there. I'm learning something every day. But I want to jump in and another thing that can happen in terms of reducing noise is CimTrak can actually reduce noise before sending logs to Axon. Kind of already giving them a minimized approach on what they already need to reduce. Because they already have every other app that's coming inbound as well that they're reducing noise for. We can actually help them out a little bit while we have our Trusted File Registry that helps reduce known good patch changes because why bother the SOC team with 100,000 alerts for Windows updates that you knew were going to happen and were supposed to happen on Patch Tuesday? So even before it gets to Axon, CimTrak can reduce noise before, and then on top of that, Axon's capabilities to reduce yet again. Really helps highlight those critical alerts that people really want to see and need to.
Mark Allers: Thank you for that comment. One last question I'm going to pose to you as we tie everything right back to the topic of today's podcast, which is navigating known and unknown threats. I think we all know and understand what known threats are relative to a CVE that gets populated into a National Vulnerability Database, but unknown threats.
Just an open question relative to closing out the podcast. Justin, what are your thoughts? How does CimTrak help identify unknown threats and be able to give that information and provide that information and link it into Axon? What would be your elevator pitch on that?
Justin Chandler: We all have antivirus, right?
And what does it help us with? Known malicious threat files. But what about that one config file that got changed that brought down your production web server or production app? AV wouldn't help you there. It's not a bad file, but it ruined your production. What about a zero-day attack on your system right now? The definition of that is it's unknown.
Yet again, your AD will not help you. However, while CimTrak maintains the baseline history of all these files and their hashes over time, while we may not know on day zero, and nor would anybody, we can actually identify that you had a zero-day attack at some point on your system. Maybe it was removed by now. It did its payload and destroyed itself. Guess who would have caught that file ad? By which user, in which process, and in what path? CimTrak. And, of course it would have been sent over to Axon. But, 30 days later? Now everyone knows this is some threat, we all figured it out. It's not a zero-day anymore. AVs get their updates, now they know, but it's not on your system. Yet again, they wouldn't help you or tell you. CimTrak gets that knowledge, now we alert and say, “Hey, we know this bad file was there at some point. And we're letting you know, in case you want to investigate, rollback, or rebuild because who knows what damage it did because no one knew about it back then. But at least we're here to tell you after the fact, as nobody else would.”
Mark Allers: Thanks, Justin. And if Josh, if you have anything to add onto that, relative to how that value proposition gets kicked over from CimTrak over to the Axon product.
Josh King: From personal experience with actually seeing different files and configurations being changed, and then, seeing the alerts come in, and then seeing the speed that, CimTrak was able to revert them back to their baseline, I was very pleased with the whole entire process because it's seamless and it doesn't take any special skills. It takes the ability to see the alert, press the button, and then it's reverted back. And it's reverted back quickly. And I just absolutely love that. And having, again, seeing that in person, in environments it's amazing. It's just, it's a thing of beauty. It's like looking at a painting that you just want to just stare at and just, you notice all the various brushstrokes and the textures and the different shadings, and you just, you appreciate it so much. At least personally, for me, that's what that, whole entire process is.
Mark Allers: I appreciate it, Josh. And for this podcast, we're going to close out. I'd like to thank both Josh and Justin for their time, energy, and effort set aside for today. We're going to close out the podcast again, appreciate both of you being here and look forward to doing one of these in the future.
If anyone wants any additional information, this podcast will be posted on both sides. Again, thank you, everyone, for listening, and we will be in touch soon.
