two colleagues using mainframe siem security solutionA typical enterprise can collect millions of monitoring data points every day. Sifting through all that information and determining what may pose a security threat is where a SIEM (security information and event management) solution comes into play.

In the early days SIEM solutions were not equipped to handle mainframe data, but that has changed. With many enterprise clients storing the majority of their business data on the mainframe, it is critical to include this information in a SIEM solution in order to get an enterprisewide view of anomalies and potential security threats.

As a cybersecurity architect for mainframe solutions, I work with clients from all industries who are faced with the challenge of sending information from their mainframe to a SIEM, and the one they are using most frequently is Splunk. While there are other SIEM solutions in the marketplace, this blog will focus on Splunk.

The question I usually get from mainframers is, what does a SIEM do and why do I need to one? Briefly, a SIEM does the following:

  • Gathers and stores security data from many, many sources (often more than thousands) and correlates it all in real-time, applying advanced analytics to determine when “bad things” are happening.
  • Generates alerts if suspicious activity is detected.
  • Stores the data for a long time, providing rapid access when needed and supporting forensic investigations.
  • Satisfies a requirement to prove compliance with many standards and regulations such as HIPAA, PCI DSS and SOX.

When talking about SIEMs you may hear some of the following terms used:

  • Correlation: Looking for common attributes, and linking events together into meaningful bundles.
  • Data aggregation: This is log management that aggregates data from many sources, including network, security, servers, databases and applications, providing the ability to consolidate monitored data to help avoid missing critical events.
  • Alerting: Automated analysis of correlated events, and notifying recipients of immediate issues.
  • Dashboards: Tools that take this event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
  • Compliance: Producing reports from the gathered data that can be used in clients’ existing governance and auditing processes.
  • Retention: Long-term storage of data to provide trending over a long period of time as well as being used for forensic investigation.
  • Forensic analysis or security/threat intelligence: The ability to search across all these different logs based on specific criteria.

One of the challenges in getting mainframe information into a SIEM is the data conversion (e.g., EBCDIC to ASCII). Usually, clients use z/OS system management facilities (SMF) as a starting point to collect data and send that information into Splunk. SMF collects information on performance, security, events that are happening in z/OS, and technical operations. There are other log types that can be collected, but I’m going to focus on z/OS SMF data. There are products like Syncsort Ironstream and IBM CDP (Common Data Provider) that provide the capability to gather this information and format the data that Splunk can digest.

My clients’ SIEM solutions are typically also used in their security operations center (SOC). Clients usually have playbooks that describe how to respond to certain alerts that may be identified through their SIEM, but they also want to develop playbooks for handling potential situations from their mainframe data. SMF data is foreign to these people, so I usually ask them how they deal with other areas and what other playbooks they have developed. They have a general idea of what is needed from the mainframe but are not certain how or what to look for in that data, so I work with them to understand that the mainframe is just another large server with a different log type.

Typical use cases I help them develop are:

  • Privileged user actions. Privileged users can be someone with elevated privileges such as a z/OS systems programmer, or even a bank teller that can approve a special transaction.
  • Security changes to their mainframe security product (e.g., RACF, CA ACF2, CA Top Secret).
  • Changes to system software and/or configuration changes.
  • Access attempts to resources where any user was denied that access.
  • Successful changes to system software and/or configuration by users that have the authority.
  • Attempts to elevate a privilege.

I usually pick one or two of the above to get the client started. Privileged user actions is a very common example; I work with the client to understand their definition of a privileged user and what kinds of events need to be captured. We develop a test plan to capture this information, review how that information is being sent and consumed by the SIEM, and then determine the appropriate response. This may mean modifying their current privileged user playbook, or developing one specific to the mainframe. Once they are comfortable with this scenario, we will work on other ones to help them understand what specific elements are required for each case.

Securing today’s businesses requires a holistic approach that includes gaining insights across the entire security event timeline from every possible point of compromise. This sensitive data must be protected and monitored in accordance with data processing standards, and because approximately 80% of the world’s critical data resides on IBM Z, the burden is on the organizations using them to employ the most modern security best practices in SIEM to protect it.

With both a dedicated IBM Z practice and an $800-million security practice, Sirius is uniquely positioned to help clients implement the most security solutions on their mainframes, their distributed systems, their storage and networks, across their endpoints and into the cloud.

Interested in learning more? Join Sirius Cyber Security Architect Julie Bergh and IBM Distinguished Engineer Michael Jordan for a live webinar on October 5, where they’ll discuss multiple elements of IBM’s strategy for making the IBM Z platform more secure and more resilient against the onslaught of cyberthreats, and its central role in enterprise security and resiliency.