Proactive vs. Reactive Mainframe Event Monitoring

Enterprises such as healthcare companies, financial services firms and government agencies rely heavily on the mainframe to protect their most sensitive data. Although open systems are more exposed to attacks, the mainframe is not immune. In fact, the valuable data stored on the mainframe can make it an especially attractive target for hackers.

The IBM mainframe blogger Jim Porell discusses attacks on the mainframe that could have been avoided. One involved “some very old open source code…[that] had been successfully hacked on other platforms.” Other network attacks resulted in a denial of service. Porell explains the role of insiders in some of the most egregious attacks:

Not unlike Edward Snowden and WikiLeaks, insiders have released confidential information stored on mainframes. In each of these cases, better security practices and the use of additional products and monitoring could have inhibited these data thefts.[1]

Are You Securing Your Mainframe or Just Making Data Haystacks?

Just as in your open systems environment, your mainframe is logging all of the events that are occurring, 24 hours a day, seven days a week. If there is a specific event an IT professional needs to locate for security or compliance purposes, they run a report on it. But for the most part the data is logged and then left alone.

The problem with this approach is that no one is proactively managing the logged data, so no one can catch a potential threat as it’s unfolding. If there is a data breach, the IT staff won’t know about it until after the fact, if they ever discover it at all. Even if the IT lead decides to run a report, that’s just one more item on an employee’s to-do list, and it could take weeks for the report to be produced. By then, even if an anomaly is spotted, it’s too late to act on it.

Also, writing security programs for the mainframe is a very specialized skill. Creating a robust mainframe-monitoring program is not a one-and-done proposition; if you’re creating your own program, you need to be constantly maintaining and updating it.

Without real-time visibility into your mainframe log data, how can you hope to easily catch an attempted hack or, worse, a malicious insider breach? You can’t. If you want information it’s like searching for a needle in a haystack, or as one customer put it, you’re dealing with “multiple haystacks” in which you’re hoping to find that one needle.

Be Proactive with Your Mainframe Log Data

Instead of letting your mainframe log data languish in a black hole, it’s wiser to put it on a platform that lets you apply intelligence to it. With up-to-the-minute visibility into mainframe events as they happen, the right people can be alerted immediately when suspicious activity is detected. You can define rules and policies that fire a trigger when a particular security event occurs, and you can watch for password violations and other red flags. Suddenly that static log data comes alive and can be acted upon now, rather than tracked down later to do damage control.
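To make the difference between a batch report and a real-time rule concrete, here is a small added example (not code from the original post, nor from any MEAS or SIEM product) that evaluates two detection rules over a stream of constructed, simplified security events. The line format, event names, user ids and addresses below are all invented for the illustration; a real collector would parse the mainframe’s actual SMF/RACF records instead. The point it shows is that a sliding-window rule flags a burst of password failures on the third failure, while the same number of failures spread over half an hour does not trip it, and that an access denial against a sensitive resource is routed the moment it is seen.

```python
"""Rule-based alerting over a stream of mainframe-style security events.

The log format here is CONSTRUCTED for this example; it is not a real
SMF/RACF record layout. Each line carries a timestamp, an event type and
KEY=VALUE fields. Rules are evaluated per event, so an alert is raised
while the activity is unfolding instead of in a later batch report.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: a 3-failure burst against ADMIN01 in 9 seconds,
# a denied access to a payroll data set, and 3 slow failures for BOB that
# are spread over more than the rule's window.
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGON_OK      USER=JSMITH  SRC=10.1.1.5
2024-03-01T09:00:10 PASSWORD_FAIL USER=ADMIN01 SRC=10.1.1.77
2024-03-01T09:00:12 PASSWORD_FAIL USER=ADMIN01 SRC=10.1.1.77
2024-03-01T09:00:15 PASSWORD_FAIL USER=ADMIN01 SRC=10.1.1.77
2024-03-01T09:00:19 ACCESS_DENIED USER=JSMITH  RESOURCE=PAYROLL.MASTER
2024-03-01T09:20:00 PASSWORD_FAIL USER=BOB     SRC=10.1.1.9
2024-03-01T09:31:00 PASSWORD_FAIL USER=BOB     SRC=10.1.1.9
2024-03-01T09:42:00 PASSWORD_FAIL USER=BOB     SRC=10.1.1.9
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:])
    return {"ts": datetime.fromisoformat(parts[0]), "event": parts[1], **fields}


class PasswordFailRule:
    """Alert when one user id accumulates `threshold` PASSWORD_FAIL events
    inside a sliding time `window` (the classic password-violation red flag)."""

    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # user id -> timestamps of recent failures

    def evaluate(self, ev):
        if ev["event"] != "PASSWORD_FAIL":
            return None
        recent = self.history[ev["USER"]]
        recent.append(ev["ts"])
        # Drop failures that fell out of the window before counting.
        while recent and ev["ts"] - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            return (f"{ev['ts'].isoformat()} ALERT password_fail_burst "
                    f"user={ev['USER']} count={len(recent)} src={ev.get('SRC', '?')}")
        return None


class AccessDeniedRule:
    """Route every denied access to a protected resource immediately; one
    denial is already worth a human look when the data is sensitive."""

    def evaluate(self, ev):
        if ev["event"] != "ACCESS_DENIED":
            return None
        return (f"{ev['ts'].isoformat()} ALERT access_denied "
                f"user={ev['USER']} resource={ev.get('RESOURCE', '?')}")


def run_rules(log_text, rules):
    """Feed each event through every rule in order; return the alerts raised."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule in rules:
            alert = rule.evaluate(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_LOG, [PasswordFailRule(), AccessDeniedRule()]):
        print(a)
```

Running the block prints two alerts: the ADMIN01 burst, raised on the third failure at 09:00:15, and the PAYROLL.MASTER denial. BOB’s three failures never alert because each one is more than five minutes from the previous, which is exactly the kind of threshold-and-window decision that has to be tuned per site. In a real deployment the same rule objects would sit behind a collector that forwards the mainframe events to the SIEM, with the alert strings replaced by the SIEM’s own notification path.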

Companies that want to make the best use of their mainframe log data choose a technology like a Mainframe Event Acquisition System (MEAS™), which enables them to collect, store, report and take action against the event data through integration with SIEM (Security Information and Event Management) and log management technologies. Having real-time visibility into all your systems will give you peace of mind that you are doing everything you can to keep potential hackers at bay.

[1] https://jimporell.com/2015/01/27/mainframe-security-how-good-is-it/
