Are all FIMs Created Equal?
DATA SECURITY PODCAST
In a recent podcast interview with Steve Morgan, editor-in-chief of Cybercrime Magazine, Robert E. Johnson, III, Cimcor CEO/President, discusses the latest views on data security, the importance of system integrity monitoring, and best practices for businesses regarding file integrity monitoring. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is President and CEO Robert Johnson, III. Robert has been a pioneer in the development of next-gen system integrity monitoring, self-healing systems, and cybersecurity software. Rob, great to have you back with us again today.
A: Great to be back with you, Steve.
Q: So today, we're going to talk about file integrity monitoring. I don't think there's anybody I know in the industry who knows as much about this topic as you do. I have to kick off by asking you - are all FIMs created equal? Explain to me the difference between FIM - file integrity monitoring - and next-generation FIM. Is that something the industry understands or is it something that Cimcor coined the phrase, and now people are just starting to understand it?
A: I think you pretty much nailed it there, Steve. There is a difference between FIM and next-gen FIM. And you are correct. Next-gen FIM is something that Cimcor has been coining and trying to push into the industry to help differentiate between what needs to be done and what folks have been doing in the past.
So for traditional FIM, and FIM stands for file integrity monitoring, it was generally poll-based. You would set it to perhaps monitor something once a day, say every day at 2 AM. And it would only look at files. When a file had changed, it would provide a notification to you - in a log file - and it may email you.
Now let's think about that. If it's polling once a day at 2 AM and something happens at 3 AM, well, that means it will be 24 hours before you even realize something has happened. So say you receive that email 23 hours later, we just don't feel that's good enough.
So the goal of traditional FIM is to let you know, or inform you of what files have changed - eventually.
In contrast, we're pushing a different model and we're calling it next-gen FIM, kind of playing off of file integrity monitoring, but to be honest, it is really next-gen system integrity monitoring. It is much broader. So in this new paradigm of an integrity monitoring product, everything is real-time. So if a file changes or a registry item changes, you're notified about it instantly in real-time.
And then there is broader monitoring. We extend far beyond just files to monitoring Registry, Active Directory, Network Devices, Docker Configurations, Kubernetes, AWS Configurations, other cloud platform-as-a-service configurations, or infrastructure-as-a-service configurations.
So we're extending beyond files into so much more. But all these items - if anything's changed in some way that you don't expect - can have a material impact on your business. So that's what we're looking for. Those things that can change and alter system behavior.
So there are some other things that we do that go beyond just integrity monitoring. Next-gen FIM is also about proactive responses beyond logging. What about self-healing capabilities? When something's changed, and it should have changed, next-gen FIM should have self-healing capabilities to be able to change those things right back and accelerate your remediation or response to events.
It also means that we're thinking about things like "how do you even block unauthorized changes that deviate outside of what the expected baseline should be of a system?".
And I also think a core component of next-gen integrity monitoring is about the integration with ITSM ticketing systems, like ServiceNow or BMC Remedy. Because that allows you to really integrate into a complete change management and security and vulnerability management workflow. Those two together are a powerful combination.
So the goal is completely different. Unlike traditional FIM “tell me what files to change eventually”, next-gen integrity monitoring is about “what has changed right now in your infrastructure and mapping out a clear strategy on how to deal with it, remediate it, and move forward”.
Q: So, Rob. Very interesting. You know, the concept of, you know, file integrity monitoring to system integrity monitoring, self-healing, a lot of what you talked about. So, I get it. I'm intrigued. What are you hearing back from CISOs and security practitioners when you explain this to them for the first time? Are they wrapping their head around this, you know, is that where they want to go?
A: You know, I believe that there is a growing awareness now, that this is the next logical step. I think that people are starting to see and understand the limitations of the traditional file integrity monitoring tools, including a lot of noise.
And I think that's one of the key aspects that really affected the adoption of traditional file integrity monitoring: there was a lot of noise. You can almost think of it as change monitoring, just monitoring changes to files and providing you with a lot of alerts.
Well, next-gen integrity monitoring is about whittling out the noise as well, and really providing you only with information that matters. Changes to the integrity of a system that really matter.
So I believe a couple of things. One, you asked, do people get it. They realize that they want more than traditional file integrity monitoring. One of the things I've noticed, time after time, presentation after presentation, Steve, is that many of the things that I just spoke about, people don't even realize are possible. It is not on their radar as something that's within the grasp of a security engineer.
So there's a bit of an education process and an enlightenment process where as we go through our sales process or demonstrate our product, that their eyes open and realize, you know, there's more to life than just events. There's that remediation piece that can be tremendously accelerated when you have enough information to go straight to the core problem, remediate it and fix it, or use our tool like CimTrak, to fix it automatically.
So, it's so fun Steve to sit in on our presentation. You can see folks enter into this new paradigm and the shift in what they believe is actually possible, to something new that is possible and that they never expected.
Q: Rob, that's great feedback. Thank you so much for joining us today. We'll be back with you shortly.
A: Sounds great. Can't wait to be back with you, Steve.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".