Why Behavioral Analytics Top SMF Data for Mainframe Security
IT security breach attempts are becoming more ominous, having risen five percent from 2014 to 2015 according to IBM’s X-Force Research: 2016 Cyber Security Intelligence Index. A report from Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911) shows U.S. data breaches tracked in 2016 hit an all-time record high of 1,093, up 40 percent over the near record high of 780 reported in 2015. Security administrators are struggling to keep up, with the global average time to detection being 146 days, further research shows.
For the mainframe, this could pose serious problems. Even as the most securable enterprise platform for hosting business-critical applications and data, insider breaches are becoming a major concern. Much of what will determine mainframe security improvements is how organizations decide to monitor and track users moving forward.
Today, many mainframe teams still leverage SMF data to perform system-level activity monitoring. However, this level of visibility is inadequate for truly understanding user behavior, information security analysts need to discover patterns and prevent breaches.
“To address the volume sifting and time-to-identify-breaches problem, security software providers are increasingly integrating analytics software with their respective security management products. Analytics software can read massive amounts of data quickly, searching for patterns, identifying policy violations and tracking user behavior,” Joe Clabby of Clabby Analytics writes in the new report, “Compuware: Real-time Capture of Mainframe User Behavior for Cybersecurity and Compliance.”
The report discusses differences between system-level activity monitoring, accomplished with resources like SMF data, and application-level activity monitoring, accomplished using a tool like Application Audit, Compuware’s new cybersecurity and compliance solution, which provides security analysts with an end-user perspective to see which applications and data users access, as well as when, where, how and why, making it easier to detect and prevent insider threats.
SMF Data vs. Behavioral Analytics
So, what’s wrong with using system-level activity monitoring via SMF data?
“To date, enterprise security administrators have manually sifted through SMF data, scanned through mountains of disparate log data, and used security integration and event management tools to examine user behavior by tracking application usage and data access. However, these approaches and tools put far too much pressure on security administrators to locate needle-in-a-haystack breach behavior,” Clabby writes.
He goes on to say: “Security administrators don’t have time to monitor huge amounts of data as timeframes become shorter and things move faster. “[SMF] data stores are so vast, it takes too much time for humans to analyze data, find patterns and identify threats to data security.
“Using a tool like Application Audit provides mainframe user behavior intelligence to SIEM engines like Splunk via Syncsort Ironstream or CorreLog enabling security administrators to “streamline user behavior analysis—helping enterprises protect data more efficiently.
“Application Audit collects information on who is accessing which applications and databases. It organizes that information and presents it to an analytics program that can quickly evaluate vast amounts of data, looking for suspicious behavior, helping organizations overcome data volume overload and improve time to detection.”
Read the report from Clabby Analytics to learn more about the differences of leveraging SMF data and other disparate logs for system-level activity monitoring versus leveraging Application Audit and its integrations for deeper visibility through application-level activity monitoring.