The Problems with Monitoring Mainframe Events Using Programs Written In-House

There are some situations in life when do-it-yourself (DIY) is appropriate, even preferable, to calling in a professional. You have a clogged drain so you borrow your friend’s plumbing snake and spend an hour clearing it. But if that drain keeps getting clogged it might be a structural problem with your pipes. Maybe you live in an old house with antiquated pipes. What then? Trying to DIY your way out of hiring a professional might be tempting, but if you’re not a plumber, doing so could result in a much costlier problem.

In the past, companies using a mainframe would have some nuts-and-bolts process in place to monitor their mainframe events. They might run a report, browse through that report looking for any anomalies, and then act based on that rudimentary information. As data breaches began to emerge as a real threat, these companies may have raised the bar a bit. The IT department might have tasked someone to write a program to search for certain criteria automatically.

The problem with these in-house approaches is that they just aren’t as thorough or comprehensive as they need to be. Creating a robust mainframe-monitoring program is not a one-and-done proposition; if you create your own program, you need to constantly maintain and update it.

How Well-Intentioned Companies Become Data Security Cautionary Tales

When your security is at stake, it’s important to recognize when you may be in over your head. Your attempts to DIY the problem might end up costing your company—and your clients—dearly if a data breach occurs.

Writing security programs is a specialized skill. If that’s not in your company’s wheelhouse, it makes more sense to hire someone than to try to do it in-house. If your IT professionals DIY it, your company could end up as the next cautionary tale about a preventable data breach. It’s like how some IT folks think they can write their own cryptographic algorithms. If you think you can write a good cryptographic algorithm, you’re probably wrong. Only experts who have studied it and who have their code reviewed by others are successful. Similarly, a poor implementation of a mainframe-monitoring program won’t provide anything more than security theater.

There’s also the issue of cost in manpower to consistently update these programs. In addition to not having the expertise, your IT department typically doesn’t have the time to be as thorough or as comprehensive as they need to be to protect your mainframe data.

Longtime security expert Bruce Schneier has blogged about the case for outsourcing security. He argues,

The primary argument for outsourcing is financial: a company can get the security expertise it needs much more cheaply by hiring someone else to provide it. Take monitoring, for example. The key to successful security monitoring is vigilance: attacks can happen at any time of the day, any day of the year. While it is possible for companies to build detection and response services for their own networks, it’s rarely cost-effective.

And then there’s the question of what happens when the employee who wrote the program for your mainframe leaves the company. If your enterprise is relying on that program written in-house to meet its security and compliance challenges and the author of that program is no longer an employee, you run the risk of not having anyone else on board who can adequately monitor or update your main source of security. That’s when hacks happen.

The Alternative: Automated Mainframe Monitoring

The next phase in mainframe event monitoring is automation. Automation includes real-time monitoring of all log files and activities that are taking place on your mainframe, 24/7. The IT professional with automated mainframe monitoring capability can send as much or as little information as they deem necessary to a security information and event management (SIEM) platform for storage, reporting, and real-time alerting.

With these filtering options at their fingertips, IT can work smarter and more efficiently than ever before. Now real-time visibility is possible, and in real time you can send out alerts to prevent cyber threats from taking place or wreaking serious damage. Automated event monitoring provides the kind of comprehensive program that is necessary to be truly proactive in the security space.