Staying Vigilant with Security Intelligence for Mainframes


Page 1: Staying Vigilant with Security Intelligence for Mainframes

© 2014 IBM Corporation

IBM Security Systems

Staying Vigilant with Security Intelligence for Mainframes

Page 2: Staying Vigilant with Security Intelligence for Mainframes

A new security reality is here

61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)

$3.5M average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)

70% of security executives have cloud and mobile security concerns (2013 IBM CISO Survey)

614% mobile malware growth in just one year (2012-2013 Juniper Mobile Threat Report)

85 security tools from 45 vendors (IBM client example)

83% of enterprises have difficulty finding the security skills they need (2012 ESG Research)

Page 3: Staying Vigilant with Security Intelligence for Mainframes

Sophisticated attackers break through safeguards every day

Attack types shown on the original chart (circle size estimates the relative impact of each incident in terms of cost to business; source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014): SQL injection, watering hole, physical access, malware, third-party software, DDoS, spear phishing, XSS, undisclosed.

2011: year of the breach
2012: 40% increase
2013: 500,000,000+ records breached

61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)

$3.5M+ average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)

Page 4: Staying Vigilant with Security Intelligence for Mainframes

Security leaders are more accountable than ever before

Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series

Consequences raised across the C-suite (CEO, CFO/COO, CIO, CHRO, CMO):

– Loss of market share and reputation
– Legal exposure
– Audit failure
– Fines and criminal charges
– Financial loss
– Loss of data confidentiality, integrity and/or availability
– Violation of employee privacy
– Loss of customer trust
– Loss of brand reputation

Your board and CEO demand a strategy

Page 5: Staying Vigilant with Security Intelligence for Mainframes

Mainframe Security Landscape

Page 6: Staying Vigilant with Security Intelligence for Mainframes

IBM System z is a highly securable environment

Security is embedded into the System z architecture

Processor

Hypervisor

Operating system

Communications

Storage

Applications

System z security addresses regulatory compliance with:

– Extensive security event logging and reporting capabilities
– Extensive security certifications, including Common Criteria (up to EAL5+) and FIPS 140 cryptographic module validation
– Identity and access management
– Hardware and software encryption
– Communication security capabilities

Page 7: Staying Vigilant with Security Intelligence for Mainframes

Today’s technologies have eliminated “mainframe isolation”

The increasingly desirable target of the mainframe

80% of all active code runs on the mainframe

80% of enterprise data is housed on the mainframe

Internet

Cloud

Social

Mobile

Big Data

Business Innovation

Page 8: Staying Vigilant with Security Intelligence for Mainframes

Security challenges specific to the mainframe

Monitoring of security events from System z is often performed by the same people who implement the security changes:

– Poor separation of duties
– A window of opportunity to commit fraud
– Outdated practices
– Staff unable to focus on improving security

Silo approach: System z is isolated from the enterprise security monitoring practice.

Security monitoring is no longer fit for purpose, often running reports that were written 20 years ago; the threat and compliance landscape has changed significantly since then.

The existing SIEM solution does not handle events from the mainframe well:

– Many events are not logged or reviewed
– Too many critical events are reported 24+ hours later
– Security monitoring does not meet compliance requirements

Page 9: Staying Vigilant with Security Intelligence for Mainframes

and more challenges …..

The mainframe can be difficult to hack from the outside world; however, it has been done.

The biggest threat to the mainframe is the insider: employees with detailed knowledge of the systems also know how to circumvent controls.

Many security monitoring implementations would not detect suspicious or inappropriate activities, so attackers can avoid detection for months or years.

Page 10: Staying Vigilant with Security Intelligence for Mainframes

Addressing those challenges with IBM Security zSecure

zSecure Admin: enables more efficient and effective RACF administration, tracking and statistics using significantly fewer resources

zSecure Visual: helps reduce the need for scarce, RACF-trained expertise through a Microsoft Windows–based GUI for RACF administration

zSecure CICS Toolkit: provides access to RACF commands and APIs from a CICS environment, allowing additional administrative flexibility

zSecure Manager for RACF z/VM: combined audit and administration for RACF in the VM environment, including auditing Linux on System z

zSecure Command Verifier: policy enforcement solution that helps enforce compliance with company and regulatory policies by preventing erroneous commands

zSecure Alert: real-time mainframe threat monitoring of intruders, and alerting to identify misconfigurations that could hamper compliance

zSecure Adapters for QRadar: collects, formats and sends enriched mainframe System Management Facility (SMF) audit records to IBM Security QRadar SIEM

zSecure Audit: vulnerability analysis for the mainframe infrastructure; automatically analyze and report on security events and monitor compliance

Page 11: Staying Vigilant with Security Intelligence for Mainframes

Integrated to improve Security Intelligence

IBM Security QRadar, embedded intelligence:

– Automated offense identification
– Real-time correlation and analytics
– Anomaly detection
– Industry and geo trending

Output: prioritized incidents

Event and context sources feeding QRadar:

– Security devices
– Network and virtual activity
– Configuration information
– Users and identities
– Vulnerabilities and threats
– Global threat intelligence
– Servers and mainframes, via IBM Security zSecure: z/OS, RACF, ACF2, TSS, CICS, MQ
– Data activity, via IBM InfoSphere Guardium: DB2, IMS, VSAM
– Application activity, via IBM Security AppScan: web apps, mobile apps, web services, desktop apps

Page 12: Staying Vigilant with Security Intelligence for Mainframes

The zSecure products that enable integration with QRadar

Event sources from System z: RACF, CA ACF2, CA Top Secret, z/OS, CICS, DB2

Page 13: Staying Vigilant with Security Intelligence for Mainframes

What do the enabling zSecure products deliver?

5655-N17 - IBM Security zSecure Audit for RACF or CA ACF2 or CA Top Secret (log file based)

5655-AD8 - IBM Security zSecure Adapters for QRadar SIEM (log file based)

5655-N21 - IBM Security zSecure Alert for RACF or CA ACF2 (real time)

Log file based: events collected over time (hours or days) are sent in batch.

Real time: each event is sent seconds after it occurs.

Page 14: Staying Vigilant with Security Intelligence for Mainframes

How about if you could transform this . . .

Page 15: Staying Vigilant with Security Intelligence for Mainframes

Into this . . .

Page 16: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 1 – Inappropriate access to sensitive data on z/OS

A Systems Programmer accesses a Payroll file on the mainframe.

Page 17: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 1 – Monitoring inappropriate access to sensitive data

Who accessed the sensitive resource

What they accessed

Resource is sensitive for read access

Page 18: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 1 – Monitoring inappropriate access to sensitive data

Drill down into event detail

zSecure has enriched the event data, which helps the Security Officer understand the user involved and what they accessed.

Page 19: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 2 – Privileged User Activities occurring on System z

Assigning powerful RACF attributes

Modifying the Trusted Computing Base

Logon with powerful emergency user IDs

Page 20: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 2 – Monitoring Privileged User activities in QRadar

Events are collected and sent to QRadar by zSecure Alert, seconds after they occur.

Page 21: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 2 – Monitoring Privileged User activities in QRadar

Drill down into event detail

Detailed information alerts us to the fact that an emergency user ID has been used: a big problem for mainframe customers!

Page 22: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 3 – Security Administrator activities occurring on System z

Executing RACF Commands

A Security Administrator is creating new security definitions on the mainframe.

Page 23: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 3 – Monitoring Security Administrator activities

A view of the RACF commands that have been executed over a 24 hour period; mainframe customers typically run this type of report on a daily basis! Event data collected by zSecure Audit.

Page 24: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 3 – Monitoring Security Administrator activities

Drill down

The actual RACF command that was executed by the Security Administrator.
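The checks behind scenarios 1, 2, 3 and 5 (a read of a sensitive dataset by someone outside the owning group, a logon with an emergency ID, a RACF command that grants a powerful attribute, a violation on a sensitive dataset, plus the daily list of all RACF commands) as an added example in Python. This is not code from the deck, from zSecure or from QRadar. The event lines are a constructed, simplified key=value form, not the SMF record layout and not the LEEF that zSecure Adapters emit; the field names, user IDs, dataset names and the policy tables are assumptions made for the example. SPECIAL, OPERATIONS and AUDITOR are real RACF user attributes and ADDUSER/ALTUSER are real RACF commands; the dataset patterns use fnmatch wildcards, not RACF generic-profile syntax.

```python
# Added example: rule-based detection over constructed mainframe events
# (scenarios 1, 2, 3 and 5). Not zSecure/QRadar code; event format, names
# and policy below are assumptions made for the example.
import shlex
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set, Tuple

# --- Policy (assumed; a real site keeps this in RACF profiles / QRadar rules) ---
# Sensitive dataset patterns (fnmatch-style, NOT RACF generic-profile syntax)
# mapped to the RACF groups expected to read them.
SENSITIVE_DATASETS: Dict[str, Set[str]] = {
    "PROD.PAYROLL.*": {"PAYROLL"},
    "PROD.HR.*": {"HR"},
}
EMERGENCY_USERS: Set[str] = {"FIRECALL1", "FIRECALL2"}      # every logon is reportable
POWERFUL_ATTRIBUTES: Set[str] = {"SPECIAL", "OPERATIONS", "AUDITOR"}  # real RACF attributes

# Constructed sample events: space-separated key=value, quoted values may contain spaces.
SAMPLE_EVENTS = """\
type=ACCESS user=SYSPROG1 group=SYSPROG resource=PROD.PAYROLL.MASTER class=DATASET intent=READ result=SUCCESS
type=ACCESS user=PAYCLERK group=PAYROLL resource=PROD.PAYROLL.MASTER class=DATASET intent=READ result=SUCCESS
type=ACCESS user=DEVUSER1 group=DEV resource=PROD.PAYROLL.MASTER class=DATASET intent=READ result=VIOLATION
type=ACCESS user=DEVUSER1 group=DEV resource=DEV.TEST.DATA class=DATASET intent=UPDATE result=SUCCESS
type=LOGON user=FIRECALL1 group=SYSPROG terminal=TCP00017 result=SUCCESS
type=COMMAND user=SECADM1 group=SECADMIN command="ALTUSER JSMITH SPECIAL OPERATIONS"
type=COMMAND user=SECADM1 group=SECADMIN command="ADDUSER NEWHIRE OWNER(HR) DFLTGRP(HR)"
"""


@dataclass
class Alert:
    rule: str
    user: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value line; shlex keeps the quoted command intact."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def sensitive_readers(resource: str) -> Optional[Set[str]]:
    """Groups expected to read `resource`, or None if it is not a sensitive dataset."""
    for pattern, groups in SENSITIVE_DATASETS.items():
        if fnmatch(resource, pattern):
            return groups
    return None


def check_event(ev: Dict[str, str]) -> List[Alert]:
    """Apply the scenario rules to one parsed event."""
    alerts: List[Alert] = []
    kind, user = ev.get("type"), ev.get("user", "?")
    if kind == "ACCESS":
        expected = sensitive_readers(ev.get("resource", ""))
        if expected is None:
            return alerts  # not sensitive: nothing to flag here
        if ev.get("result") == "VIOLATION":
            # Scenario 5: RACF denied it, but the attempt itself is worth reviewing.
            alerts.append(Alert("sensitive-access-violation", user,
                                f"{ev.get('intent')} on {ev['resource']} denied"))
        elif ev.get("group") not in expected:
            # Scenario 1: RACF allowed it (broad sysprog access), yet the reader is
            # outside the groups that own the data: authorised but inappropriate.
            alerts.append(Alert("sensitive-read-outside-owner", user,
                                f"{ev.get('intent')} on {ev['resource']} by group "
                                f"{ev.get('group')}, expected {sorted(expected)}"))
    elif kind == "LOGON" and user in EMERGENCY_USERS:
        # Scenario 2: any use of an emergency ID is reportable.
        alerts.append(Alert("emergency-id-logon", user,
                            f"logon from terminal {ev.get('terminal', '?')}"))
    elif kind == "COMMAND":
        words = ev.get("command", "").upper().split()
        if words and words[0] in {"ADDUSER", "ALTUSER"}:
            granted = sorted(POWERFUL_ATTRIBUTES & set(words[1:]))
            if granted:  # Scenario 2/3: powerful attribute assigned by command
                alerts.append(Alert("powerful-attribute-granted", user,
                                    f"{words[0]} {words[1]} -> {' '.join(granted)}"))
    return alerts


def detect(lines: List[str]) -> List[Alert]:
    """Run every rule over every non-empty event line, preserving order."""
    return [a for line in lines if line.strip() for a in check_event(parse_event(line))]


def racf_commands(lines: List[str]) -> List[Tuple[str, str]]:
    """Scenario 3 daily report: every RACF command and the user who issued it."""
    events = (parse_event(line) for line in lines if line.strip())
    return [(ev["user"], ev["command"]) for ev in events if ev.get("type") == "COMMAND"]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{alert.rule:30} {alert.user:10} {alert.detail}")
    for user, cmd in racf_commands(SAMPLE_EVENTS.splitlines()):
        print(f"RACF command by {user}: {cmd}")
```

The point of the second ACCESS rule is the one the deck makes for scenario 1: a successful read is not the same as an appropriate read. RACF said yes, so a violations-only report stays silent; only a rule that knows which groups should be touching payroll data catches the systems programmer.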

Page 25: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 4 – Monitoring your Systems Programmers

Highly sensitive resource: keys to the kingdom! It could be used to circumvent system security.

Page 26: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 4 – Monitoring your System Programmers

Drill down

Page 27: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 5 – Keeping track of Security Violations

A view of security violations for sensitive application datasets

Application data is sensitive for read access

Page 28: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 6 – Spot trends in behaviour amongst infrastructure staff

Is this normal for the user?
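One way to answer "is this normal for the user?" in code, as an added example that is not part of the deck and not how zSecure or QRadar implement anomaly detection: build a per-user baseline from the daily count of sensitive-dataset reads and flag a day that sits far above it. All counts, user IDs and thresholds below are constructed assumptions; the floor on the standard deviation and the minimum-history rule are the two details that stop the simplest version from crying wolf.

```python
# Added example: per-user activity baseline for scenario 6. Constructed data and
# thresholds; not zSecure/QRadar code.
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history: user -> sensitive-dataset reads per day, oldest first.
HISTORY: Dict[str, List[int]] = {
    "SYSPROG1": [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0],
    "PAYCLERK": [40, 38, 45, 41, 39, 44, 42, 40, 43, 41, 39, 42, 44, 40],
    "NEWHIRE": [3],
}
# Constructed counts for the day under review.
TODAY: Dict[str, int] = {"SYSPROG1": 9, "PAYCLERK": 46, "NEWHIRE": 12, "UNKNOWN1": 2}

MIN_HISTORY_DAYS = 7   # assumption: fewer days than this is not a baseline
Z_THRESHOLD = 3.0      # assumption: flag when more than 3 sigma above the mean
MIN_ABSOLUTE = 5       # assumption: never flag fewer than 5 reads in a day


def assess(today: int, history: List[int]) -> Tuple[str, float]:
    """Return (verdict, z) with verdict one of no-baseline, normal, anomalous."""
    if len(history) < MIN_HISTORY_DAYS:
        return "no-baseline", 0.0
    mu, sigma = mean(history), pstdev(history)
    # A near-flat history (a sysprog who almost never reads payroll data) gives
    # sigma close to 0; floor it at 1 so a single stray read is not an anomaly.
    z = (today - mu) / max(sigma, 1.0)
    if z > Z_THRESHOLD and today >= MIN_ABSOLUTE:
        return "anomalous", z
    return "normal", z


def assess_all(today: Dict[str, int], history: Dict[str, List[int]]) -> Dict[str, str]:
    """Verdict for every user seen today; users with no history get no-baseline."""
    return {user: assess(count, history.get(user, []))[0] for user, count in today.items()}


if __name__ == "__main__":
    for user, verdict in assess_all(TODAY, HISTORY).items():
        print(f"{user:10} today={TODAY[user]:3}  {verdict}")
```

With these inputs the payroll clerk's 46 reads are normal, because that is what the clerk does every day, while the systems programmer's 9 reads are anomalous against a baseline of almost none. Users with no baseline (new hires, IDs never seen before) should fall back to the rule-based checks rather than being silently treated as normal.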

Page 29: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 7 – Who used FTP to transfer sensitive data?

Page 30: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 8 – Daily (scheduled) reporting

Customers typically run scheduled monitoring reports.

Page 31: Staying Vigilant with Security Intelligence for Mainframes

Scenario # 8 – Daily (scheduled) reporting

Schedule a report to monitor who has been reading your sensitive files.

Page 32: Staying Vigilant with Security Intelligence for Mainframes

Value of zSecure integration with QRadar

Plugs a hole in the Enterprise Security Monitoring practice

Provides a holistic, centralised approach for Security Monitoring

Supports separation of duties – stop the legacy practice of self-policing!

Maximise QRadar capabilities for:

– Log management

– Security Information and Event Management

– Anomaly detection

– Incident forensics

– Configuration Management

– Vulnerability Management

– Risk management

Enhances the monitoring experience with graphical displays and user friendly reporting

Extend best practices and comply with regulatory/legal/compliance requirements

Page 33: Staying Vigilant with Security Intelligence for Mainframes

Visit our blog: www.securityintelligence.com

Learn more about IBM Security QRadar SIEM

Download the 2014 Gartner Magic Quadrant for SIEM : http://ibm.co/U7Syom

Visit the IBM QRadar Website: http://ibm.co/QRadar

Visit our Website

Follow us on Twitter: @ibmsecurity

Learn about IBM Security zSecure Adapters for QRadar SIEM: LINK

Page 35: Staying Vigilant with Security Intelligence for Mainframes

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY