How to Mainstream Mainframe Cybersecurity with Active Monitoring
There’s a growing gap in mainframe cybersecurity. Most companies use conventional infosec processes like collecting SMF records, scanning logs or relying on security systems like RACF, CA ACF2 and CA Top Secret. Too few leverage active monitoring solutions that provide the ability to see into various processes occurring on the mainframe in real time to help identify suspicious activity.
In “Cybersecurity: Mainstreaming the Mainframe,” a webcast in Compuware’s monthly “Did You Know?” series, we discussed how an active monitoring solution like Compuware Application Audit fills that mainframe cybersecurity gap. You can watch the webcast replay or keep reading to learn more.
The State of Mainframe Cybersecurity
IBM X-Force tracked one billion leaked records in 2014. It dropped to 600 million in 2015, but in 2016, the number more than doubled to four billion. Meanwhile, the average time to detection of these activities is 146 days. That’s plenty of time for an intruder or a malicious insider to access and exploit sensitive customer data your company has sworn to protect, which could result in heavy fines for failing to comply with increasingly austere mandates like the GDPR.
This is big for mainframe teams. Most sensitive data and business-critical systems sit on the mainframe because it’s the most securable platform, yet security teams lack visibility into mainframe application user behavior. They’re also reliant on insiders or outsourcers who may be the ones committing the crimes.
How Application Audit Improves Mainframe Cybersecurity
Application Audit transforms mainframe cybersecurity and compliance through the real-time capture of user behavior, dramatically improving visibility to help you stop insider threats against your core enterprise systems of record. To get that done, it packs a range of intuitive, modern features and capabilities that literally change the face of mainframe cybersecurity.
The people who do things they shouldn’t be doing often have elevated privileges, so auditors pay special attention to their behavior and ask for information regarding their activities. There’s always the potential that a user could doctor the data to hide their tracks.
Application Audit’s browser-based UI allows auditors to determine who they want to monitor or what data they want to capture without having to ask privileged users for that information. An auditor can simply click record to access another screen that lets them determine what they want to capture.
On another screen, auditors can capture a particular user ID and choose to exclude it when they’re on a particular terminal or include it only when they’re in a specific application. They can capture 3270 traffic, TCP/IP or MQ and simply give the record request a name.
Auditors can then establish a schedule for when information they’re capturing should be sent down to a security information and event management (SIEM) engine such as Splunk®.
Auditors can then tell Application Audit that the collected information should go to a SIEM, and who to notify if there’s a problem with the transmission of that data.
SIEM Integrations Dashboard
When data is made available to a SIEM like Splunk, you can view trends such as the number of distinct users:
- On different LPARs
- Getting invalid transaction messages
- Logged onto a system longer than normal
Each of these is an indicator of suspicious behavior. Being able to see that data allows you to detect and drill down into potential malicious activity to stop insider threats before they occur.
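As an added illustration (not part of the original post, and not Compuware's or Splunk's code), the Python below computes the three trends listed above over constructed events. The event schema, the LOGON/LOGOFF/INVALID_TXN type names and the "3x the median session" rule for "longer than normal" are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (timestamp, LPAR, user ID, event type). The schema
# is an assumption for illustration, not Application Audit's actual output.
EVENTS = [
    ("2017-08-21T07:00:00", "LPAR2", "DAVE", "LOGON"),
    ("2017-08-21T07:05:00", "LPAR2", "DAVE", "INVALID_TXN"),
    ("2017-08-21T07:06:00", "LPAR2", "DAVE", "INVALID_TXN"),
    ("2017-08-21T08:00:00", "LPAR1", "ALICE", "LOGON"),
    ("2017-08-21T08:05:00", "LPAR1", "ALICE", "INVALID_TXN"),
    ("2017-08-21T09:00:00", "LPAR1", "ALICE", "LOGOFF"),
    ("2017-08-21T18:30:00", "LPAR1", "ERIN", "LOGON"),
    ("2017-08-21T19:00:00", "LPAR2", "DAVE", "LOGOFF"),
]

def parse(events):
    # Sort by time so LOGON/LOGOFF pairing does not depend on input order.
    return sorted((datetime.fromisoformat(t), l, u, k) for t, l, u, k in events)

def distinct_users_per_lpar(events):
    seen = defaultdict(set)
    for _, lpar, user, _ in parse(events):
        seen[lpar].add(user)
    return {lpar: len(users) for lpar, users in seen.items()}

def users_with_invalid_txn(events, min_count=1):
    counts = defaultdict(int)
    for _, _, user, kind in parse(events):
        counts[user] += kind == "INVALID_TXN"
    return {u for u, n in counts.items() if n >= min_count}

def session_minutes(events):
    # Pair each LOGON with its LOGOFF; sessions still open run to the last event.
    rows, open_at, out = parse(events), {}, []
    for ts, lpar, user, kind in rows:
        if kind == "LOGON":
            open_at.setdefault((user, lpar), ts)
        elif kind == "LOGOFF" and (user, lpar) in open_at:
            out.append((user, (ts - open_at.pop((user, lpar))).total_seconds() / 60))
    out += [(u, (rows[-1][0] - ts).total_seconds() / 60) for (u, _), ts in open_at.items()]
    return out

def long_session_users(events, factor=3.0):
    # "Longer than normal" is assumed to mean > factor x the median session.
    sessions = session_minutes(events)
    limit = factor * median(m for _, m in sessions) if sessions else 0
    return {u for u, m in sessions if m > limit}
```

In a real deployment the "normal" baseline would come from each user's or role's history rather than a single day's median.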
Finally, auditors can select the “Recordings” menu choice to look at active, inactive and scheduled recordings.
Application Audit can help you focus on detecting insider threats by capturing the data you need and making it available in an easy-to-consume format for security teams that may be inexperienced with mainframe data. In this way, you can mainstream mainframe cybersecurity by keeping it on the same level as other infosec operations. To learn more, watch the webcast replay of “Cybersecurity: Mainstreaming the Mainframe.”
John Crossno and Mike Bassett - August 22, 2017