September 26, 2017 Cybersecurity

Three Mainframe Cybersecurity Insights Gleaned from DerbyCon 7.0 Legacy

Hackathons, live music and a memorial for a cockroach were just a few of the entertaining sideshows at last week’s DerbyCon 7.0 Legacy in Louisville, KY, in keeping with the event’s description of itself as not “just another security conference.”

More specifically, what makes DerbyCon unique is the community of security professionals from a variety of backgrounds who attend and/or speak to ideas that help push the bounds of security. Being a mainframer, I knew that this conference wasn’t going to be about mainframes. My purpose was to see where similarities in practices and methodologies might be.

It turned out attendees were there from many of the organizations that rely on mainframes. I had great conversations with some and overheard others talking about the mainframes in their organization. In the end, I was able to glean a few insights very applicable to mainframe cybersecurity. Here are three:

1. Develop Testing Methodologies

Deral Heiland gave a great talk, “Executing an Effective Security Testing Process,” on developing security principles for the Internet of Things (IoT), including developing “sound methods for identification, and mitigation of security vulnerabilities within IoT products.”

Much like the mainframe, hackers can’t easily get to the actual hardware of IoT; however, there are network protocols they can use to hack into them. Both IoT devices and the mainframe include exploitable vulnerabilities due to increased, unavoidable connectivity—it’s foundational to IoT, and when it comes to the mainframe, increased integration with web and mobile applications requiring mainframe data creates new opportunities for malicious activity.

As Deral explained, the security community needs to be developing test methodologies to go after people who exploit those vulnerabilities. For improved mainframe cybersecurity, your red team (penetration testers) must research new system vulnerabilities and identify potential hacker entryways, while your blue team (hunters) looks at log data and analytics to find potential insider threats.

2. Develop Data Hypotheses

Jared Atkinson and Robby Winchester talked about how to leverage the data you have for improved security in “Purpose Driven Hunt: What Do I Do with All This Data?” After you collect mass amounts of data, the ability to properly analyze it is essential.

It’s rather inefficient and purposeless to collect data and stare at it, waiting for patterns to emerge. Instead, Jared and Robby recommended generating hypotheses—based on an application, how would people most likely misuse it? Once you have a hypothesis, you can hunt for data and patterns that match it.

Applying this to mainframe cybersecurity, imagine you wanted to find out whether someone was looking at a higher number of credit card numbers than other users. To identify this behavior, you would build a test and analyze data comparing users in similar roles to determine whether any are viewing an abnormally high number of credit card numbers, or perhaps the same credit card number over and over, compared to colleagues.
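The hypothesis just described, turned into a small hunt, as an added example that is not code from the original post or from any Compuware product. It runs over constructed audit records (a user, a role, and a tokenized card identifier per view event, not real data) and flags a user whose count of distinct cards viewed exceeds a multiple of the median for peers in the same role, or who viewed one card more times than a repeat limit. The `ratio` and `repeat_limit` thresholds are assumptions chosen for the sample; in practice they would be tuned against each role’s baseline.

```python
"""Hypothesis-driven hunt over constructed mainframe audit records.

Hypothesis: a user in a given role views far more distinct card numbers
than peers in the same role, or views the same card number repeatedly.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample records, not real audit data: (user, role, card_token).
# card_token stands in for a tokenized or masked PAN as an audit product would log it.
SAMPLE_EVENTS = [
    ("alice", "csr", "tok-1001"), ("alice", "csr", "tok-1002"), ("alice", "csr", "tok-1003"),
    ("bob", "csr", "tok-1004"), ("bob", "csr", "tok-1005"),
    ("carol", "csr", "tok-1006"), ("carol", "csr", "tok-1007"), ("carol", "csr", "tok-1008"),
    # dave views many more distinct cards than peers in the same role
    *[("dave", "csr", f"tok-2{i:03d}") for i in range(30)],
    # erin views the same card over and over
    *[("erin", "csr", "tok-3001") for _ in range(12)],
    ("frank", "analyst", "tok-4001"), ("frank", "analyst", "tok-4002"),
    ("grace", "analyst", "tok-4003"),
]


def summarize(events):
    """Per-user role, distinct-card count, and highest view count for any single card."""
    by_user = defaultdict(Counter)
    roles = {}
    for user, role, card in events:
        by_user[user][card] += 1
        roles[user] = role
    return {
        user: {"role": roles[user],
               "distinct": len(cards),
               "max_repeat": max(cards.values())}
        for user, cards in by_user.items()
    }


def hunt(events, ratio=3.0, repeat_limit=5):
    """Flag users whose distinct-card count exceeds `ratio` times the median of
    their same-role peers, or who viewed one card more than `repeat_limit` times.
    Thresholds are assumed values for this example, not vendor defaults."""
    stats = summarize(events)
    by_role = defaultdict(list)
    for user, s in stats.items():
        by_role[s["role"]].append(user)

    findings = {}
    for users in by_role.values():
        if len(users) < 2:
            continue  # no peer group to compare against
        for user in users:
            # Baseline excludes the user under test so an outlier cannot mask itself.
            peers = [stats[u]["distinct"] for u in users if u != user]
            baseline = median(peers)
            reasons = []
            if stats[user]["distinct"] > ratio * baseline:
                reasons.append(
                    f"{stats[user]['distinct']} distinct cards vs peer median {baseline}")
            if stats[user]["max_repeat"] > repeat_limit:
                reasons.append(f"same card viewed {stats[user]['max_repeat']} times")
            if reasons:
                findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{user}: {'; '.join(reasons)}")
```

On the sample, `dave` is flagged for volume and `erin` for repetition, while the analyst role produces nothing because a two-person peer group gives no outlier. The same structure carries over to a SIEM search: aggregate per user, compute the baseline per role, and alert on the hypothesis rather than scanning raw events for patterns to emerge.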

Solutions like Compuware Application Audit exist for this purpose: to identify user behavior patterns based on criteria before sending the data you collect into a SIEM like Splunk for analysis. This is core to the hunt for malicious activity that has evaded other defenses, i.e., insider threats.

3. Strive for Progress, not Perfection

This seemed to be one of the running themes at DerbyCon, and it’s certainly something we talk about at Compuware. The accelerating pace of digitization enables innovation but also enables those who would disrupt it with malicious intent.

Security teams focused on achieving an ultimate end goal are kidding themselves and possibly preventing themselves from being nimble and adaptable in a shifting security landscape. Mainframe cybersecurity personnel are especially vulnerable here, as so many are accustomed to the platform’s defenses against hackers.

As fortified as the mainframe is, even improved system-level security through pervasive encryption with the z14 mainframe can’t change the modern reality of insider threats. Security teams must, therefore, assume anything can happen and focus on continuously improving their enterprise systems with better analysis tools and processes, such as testing and hypothesizing, for detecting behaviors.

Just as with DevOps, mainframe IT has plenty to learn from open systems when it comes to security—and vice versa. While DerbyCon is oriented towards mainstream infosec areas, it’s certainly a conference worth attending as a mainframe cybersecurity professional. Never once was I chastised about being a mainframer. This was a very friendly and open-minded group of attendees, and I would recommend that any mainframe security person attend at least one of these.