Mainframes come with plenty of security – why should they use a Security Information and Event Management (SIEM), when it doesn’t even run on the mainframe? This is pretty much the opening argument from most mainframers when talking about SIEMs, and, at first glance, it seems pretty reasonable, but is it?
SIEM software products and services combine Security Information Management (SIM) and Security Event Management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. SIEM products that you may have come across include: ArcSight and IBM QRadar, Splunk, LogRhythm, McAfee Enterprise Security Manager, Dell RSA Security Analytics, or Dell SecureWorks.
So, it’s a fairly busy marketplace, but why should a mainframer worry about it? After all, z/OS security relies on the use of an External Security Manager (ESM) solutions such as IBM RACF (Resource Access Control Facility) or Computer Associates ACF2 (Access Control Facility 2) and TSS (Top Secret Security). Basically, RACF, ACF2, and TSS maintain mainframe security by allowing or preventing access by, for example, a user or a program to a resource, such as a dataset. The downside to these products is that they don’t provide any form of real-time auditing or monitoring. At most mainframe sites, this is usually carried out by running a batch job overnight or, if required, a special job investigating a specific event, after the event has occurred.
In many ways, mainframes have avoided hacking because of security by obscurity. They are just too hard for outsiders to get their head round. And this complexity can lead to another problem area. Someone who doesn’t quite have the right authority and definitely doesn’t have the right training starts to make changes. No-one is quite sure what was done, but no-one is alerted to these changes until a batch job was run over night!
Or what about the disgruntled person with administrator level authority who accesses confidential information and sends it off site. And they have the authority to cover their tracks so that it’s hard to tell what’s been done. This is referred to as the fox guarding the hen house because those organizations rely on their z/OS security administrator to run the necessary batch jobs to identify any security-related events or breaches.
Clearly what’s needed is a SIEM product that can work in near real time and can monitor security logs and events by receiving those security logs. This means that your security team has a central, enterprise-wide view of all the events they need to capture and all the security threats they need to recognize. And they need a way to separate those critical security incidents from the run-of-the-mill business-as-usual events. It’s just not good enough to depend on batch jobs running long after any incident. Events need to be tracked and uncovered in real time, from all corners of the business.
And these days, that’s only part of the picture. Not only do you need to make sure that your data is secure and not subject to unauthorized access, you need to make sure that it is seen to be secure – that it complies with all the appropriate regulations. These include regulations such as FISMA, GLBA, HIPAA, PCI, SOX, etc, as well the new EU regulation, GDPR (General Data Protection Regulation). GDPR applies to any company storing information about an EU citizen, so that will include airlines, car companies, and anyone else that swipes an EU resident’s credit card.
Loss of data or loss of confidential, business-critical plans could lead to loss of earning, and a loss of business confidence. Contravening regulations will lead to massive fines – the maximum fine for contravening GDPR is 4 percent of turnover or €20m. This makes the argument that sites use saying that they can’t afford a SIEM to seem rather ridiculous because, with fines that size, you can’t afford not to have a SIEM!
Various software agents are available that can forward z/OS system console and SMF messages in the proper format, as well as messages from RACF, ACF2, Top Secret, DB2, CICS, and FTP, to a central SIEM system. Once the data is in the SIEM, it can then be indexed, searched, analysed, and visualized. Administrators can define specific items of interest for extra levels of monitoring: for example, files that contain credit information, or health care details. The real-time alerts from the mainframe can be managed, filtered, routed, and searched using the SIEM’s GUI interface.
And that way, your mainframe-based data stays secure and your company is compliant with the appropriate regulations.