The keys to effective security information and event management (SIEM) for IT environments are early detection, rapid response, and correlation across all the platforms in your IT infrastructure. Yet many organizations struggle to integrate their mainframe security data with the rest of their SIEM.
With Syncsort Ironstream®, Splunk users can monitor and resolve security issues on the mainframe by forwarding real-time operational data into Splunk Enterprise Security. View this webinar on-demand for a discussion of the common security and compliance challenges organizations face and how Ironstream® works with Splunk to eliminate those mainframe security blind spots.
Key topics include:
• Proactive reporting to identify and solve problems before they happen
• Providing appropriate visibility to ensure management support
• Best practices for report types and presentation style
Get Mainframe Visibility to Enhance SIEM Efforts in Splunk
1. Get Mainframe Visibility to Enhance SIEM Efforts in Splunk
Bill Hammond, Product Marketing
Sid Isted, Product Management
2. Agenda
• Why is Mainframe Security Data Important?
• What Are Customers Looking For?
• Introduction to Ironstream
• Visualizing & Reporting Security Data in Splunk
• Customer Stories
3. Traditional mainframes continue to adapt and deliver increasing value with each new technology wave
• 91% of executives predict long-term viability of the mainframe as the platform continues evolving to meet digital business demands
• Up to 80% of the world’s enterprise data and transactions reside on or pass through IBM z Systems
• 2.5 B: that’s 2,500,000,000 business transactions per mainframe per day
• 2000+ organizations overall
Sources: BMC 12th Annual Mainframe Research Results, Nov. 2017; Syncsort, “2018 State of Resilience: The New IT Landscape for Executives: Threats, Opportunities and Best Practices,” Jan. 2018
4. Big Iron to Big Data Analytics Challenges
So many data sources
• Mainframe: Systems Management Facility (SMF), Syslog, Log4j web and application logs, RMF, RACF, USS files and standard datasets
Format of data
• Mainframe: complex data structures (SMF) with headers, product sections and data sections; variable length and self-describing
• EBCDIC not recognized outside of the mainframe world
• Binary flags and fields
Volume of data
• Millions of log records generated daily
• 9.7TB average daily mainframe log data
Difficulty getting the information in a timely manner
• Not real-time; typically have to wait overnight for an offload
• Typical daily FTP uploads/downloads can’t get granular
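The “format of data” bullets above are concrete enough to show in code. The following is an added example written for this page, not Ironstream code: it decodes the standard z/OS SMF record header from raw bytes the way any off-platform collector must, covering the big-endian binary length and time fields, the packed-decimal date, the EBCDIC (code page 037) system and subsystem IDs, and the bit-flag byte. The 24-byte layout is the standard header for record types that carry a subtype; the sample record (type 30, subtype 1, system ID ZOS1, subsystem TSO) and its eight-byte body are constructed here, and the two flag-bit names are taken from the standard SMF header definition and should be checked against the SMF manual for your release.

```python
"""Decode the standard z/OS SMF record header (added example, not Ironstream code)."""
import struct
from dataclasses import dataclass
from datetime import date, timedelta

HEADER_LEN = 24  # standard header for record types that carry a subtype (30, 80, 119, ...)

# SMFxFLG system-indicator byte, IBM bit numbering (bit 0 = 0x80).
# Assumed from the standard header definition; check the SMF manual for your release.
FLG_SUBTYPES_USED = 0x40    # bit 1: the subtype field is utilised
FLG_MVS_SP_V4_PLUS = 0x10   # bit 3: written by MVS/SP Version 4 or later


@dataclass
class SmfHeader:
    length: int            # SMFxLEN: total record length, including this header
    segment: int           # SMFxSEG: segment descriptor (0 when not spanned)
    flags: int             # SMFxFLG
    record_type: int       # SMFxRTY
    time_hundredths: int   # SMFxTME: hundredths of a second since midnight
    record_date: date      # SMFxDTE
    system_id: str         # SMFxSID, EBCDIC
    subsystem_id: str      # SMFxSSI, EBCDIC
    subtype: int           # SMFxSTY

    @property
    def subtypes_used(self) -> bool:
        return bool(self.flags & FLG_SUBTYPES_USED)

    @property
    def timestamp(self) -> str:
        """ISO-style local timestamp built from the date and hundredths fields."""
        secs, hund = divmod(self.time_hundredths, 100)
        h, rem = divmod(secs, 3600)
        m, s = divmod(rem, 60)
        return f"{self.record_date.isoformat()}T{h:02d}:{m:02d}:{s:02d}.{hund:02d}"


def decode_smf_date(raw: bytes) -> date:
    """Packed decimal 0cyydddF: c is the century (0 = 19xx, 1 = 20xx), ddd the day of year."""
    digits = raw.hex()  # BCD nibbles, so the hex string is the digit string
    if len(digits) != 8 or digits[0] != "0" or digits[-1] != "f" or not digits[1:7].isdigit():
        raise ValueError(f"malformed SMF packed date {digits!r}")
    century, yy, ddd = int(digits[1]), int(digits[2:4]), int(digits[4:7])
    return date(1900 + 100 * century + yy, 1, 1) + timedelta(days=ddd - 1)


def parse_smf_header(record: bytes) -> SmfHeader:
    """Parse one complete SMF record; the length field must match the buffer."""
    if len(record) < HEADER_LEN:
        raise ValueError("buffer shorter than an SMF header")
    length, segment, flags, rtype, tme = struct.unpack(">HHBBI", record[:10])
    if length != len(record):
        raise ValueError(f"SMFxLEN {length} does not match buffer length {len(record)}")
    return SmfHeader(
        length=length,
        segment=segment,
        flags=flags,
        record_type=rtype,
        time_hundredths=tme,
        record_date=decode_smf_date(record[10:14]),
        system_id=record[14:18].decode("cp037").rstrip(),    # EBCDIC -> str
        subsystem_id=record[18:22].decode("cp037").rstrip(),
        subtype=struct.unpack(">H", record[22:24])[0],
    )


def build_sample_record() -> bytes:
    """Constructed sample: a type 30 subtype 1 (job/session start) header with a dummy body."""
    body = b"\x00" * 8          # placeholder; a real type 30 carries section triplets here
    header = struct.pack(">HHBBI", HEADER_LEN + len(body), 0, 0x5E, 30, 9 * 3600 * 100)
    header += bytes.fromhex("0118045F")                     # 0cyydddF -> 2018, day 45
    header += "ZOS1".encode("cp037") + "TSO ".encode("cp037")
    header += struct.pack(">H", 1)
    return header + body


if __name__ == "__main__":
    print(parse_smf_header(build_sample_record()))
```

Run it as a script to print the decoded header. The length check is not cosmetic: SMF records are variable length, and SMFxLEN is the only reliable way to walk a buffer of concatenated records. The triplets that locate the product and data sections follow the header and are record-type specific, which is the “self-describing” part the slide refers to.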
6. Top Security Challenges
• Incorrect definition of user IDs: weak passwords, default passwords with no expiration, incorrect or excessive security privileges for the user
• Weak access controls and security administration for critical databases, datasets, files, and resources
• Network intrusion, including unwanted port scans, Denial of Service (DoS) attacks, network flood attacks, malformed network packets, and other intrusions
• Data vulnerability exposures, including incorrect/invalid data (including viruses) coming into the IBM system or secure data leaving the system
• Privileged and non-privileged users neglecting basic security precautions mandated by the organization
• Aggregating data from multiple sources in a way that helps drive faster, better decisions
7. What is SIEM? Security Information and Event Management
• Real-time analysis of security alerts generated by applications and network hardware
• Holistic, unified view into infrastructure, workflow, policy compliance and log management
• Monitor and manage user and service privileges as well as external threat data
10. What Customers Are Looking For...
• High-performance, low-cost platform for collecting critical system information in real time from the mainframe
• Normalization of the z/OS data so it can be used by off-platform analytics engines
• Full analytics, visualization, and customization with no limitations on what can be viewed
• Ability to easily combine information from different data sources and systems
• Address the SME challenge: use by network managers, security analysts, application analysts and enterprise architects without requiring mainframe access or expertise
11. What Can Mainframe Data Tell You?
Detect data movements
• Inbound/outbound FTP
Dataset access operations
• Determine potential security threats based on unauthorized access attempts
• Ensure only authorized users are accessing critical datasets
Privileged/non-privileged user activity monitoring
• Unusual behavior pattern: off-hours connections
• High number of invalid logon attempts
Attack detection
• Intrusion, scans, floods
Authentication anomalies
• Entered the building at 08:30 but logged on from another country at 09:00
Network traffic analysis
• High data volumes from a device/server
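Three of the detections this slide lists, run over constructed sample data, as an added example written for this page (it is not Ironstream or Splunk code). The events mimic the shape of the Splunk CIM Authentication model that a mainframe feed would populate (user, src, action, app, a timestamp); `src_country` is assumed to come from an enrichment such as `iplocation`, and the badge records are assumed to come from a physical-access system. Every user, address and time here is made up, and the thresholds (five failures in five minutes, 07:00 to 19:59 as business hours, a two-hour travel window) are example policy values, not anything the page specifies.

```python
"""Mainframe logon detections over constructed CIM-style events (added example, not Ironstream code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Example policy values (assumed, not from the page)
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59 local time
FAIL_THRESHOLD = 5                         # failures ...
FAIL_WINDOW = timedelta(minutes=5)         # ... inside this sliding window
TRAVEL_WINDOW = timedelta(hours=2)         # badge-in to logon from a different country

# Constructed sample events: (user, time, action, src, src_country, app).
# user/src/action/app follow the Splunk CIM Authentication field names; src_country
# is an assumed enrichment (e.g. iplocation); the addresses are documentation ranges.
LOGONS = [
    ("ALICE", "2019-03-04T08:55:00", "success", "10.1.5.20", "US", "TSO"),
    ("ALICE", "2019-03-04T09:00:00", "success", "203.0.113.7", "BR", "TSO"),
    ("BOB",   "2019-03-04T02:10:00", "success", "10.1.5.31", "US", "TSO"),
    ("CAROL", "2019-03-04T11:00:00", "success", "10.1.5.40", "US", "FTP"),
] + [
    ("DAVE", f"2019-03-04T10:00:{s:02d}", "failure", "198.51.100.9", "US", "TSO")
    for s in range(0, 60, 10)              # six failures in one minute
]
# Constructed physical-access records: (user, badge-in time, site country)
BADGE_IN = [("ALICE", "2019-03-04T08:30:00", "US")]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def failed_logon_bursts(events):
    """Users with >= FAIL_THRESHOLD failures inside any FAIL_WINDOW, with the peak count."""
    by_user = defaultdict(list)
    for user, t, action, *_ in events:
        if action == "failure":
            by_user[user].append(ts(t))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):        # two-pointer sliding window
            while t_end - times[start] > FAIL_WINDOW:
                start += 1
            count = end - start + 1
            if count >= FAIL_THRESHOLD:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def off_hours_logons(events):
    """Successful logons outside BUSINESS_HOURS."""
    return [(user, t) for user, t, action, *_ in events
            if action == "success" and ts(t).hour not in BUSINESS_HOURS]


def impossible_travel(events, badge_events):
    """Badge-in in one country followed within TRAVEL_WINDOW by a logon from another."""
    last_badge = {user: (ts(t), country) for user, t, country in badge_events}
    alerts = []
    for user, t, action, src, country, _app in events:
        if action != "success" or user not in last_badge:
            continue
        badge_time, badge_country = last_badge[user]
        if country != badge_country and timedelta(0) <= ts(t) - badge_time <= TRAVEL_WINDOW:
            alerts.append((user, src, country, badge_country))
    return alerts


def run_all(events=LOGONS, badge_events=BADGE_IN):
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "off_hours_logons": off_hours_logons(events),
        "impossible_travel": impossible_travel(events, badge_events),
    }


if __name__ == "__main__":
    for rule, result in run_all().items():
        print(f"{rule}: {result}")
```

In Splunk the same rules become searches over the CIM fields. One detail worth carrying over: a fixed bucket (`bin _time span=5m` followed by `stats count by user`) can split a burst of failures across two buckets, whereas the sliding window above (or `streamstats time_window=5m` in SPL) counts it wherever it falls.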
13. Ironstream® Architectural Considerations
[Figure: the IBM z mainframe and IBM i system feed Ironstream, which forwards their data alongside the enterprise’s other sources (online and web services, servers, security, GPS location, storage, desktops, networks, packaged and custom applications, messaging, telecoms, online shopping carts, web clickstreams, databases, energy meters, smartphones and devices, RFID, call detail records) across on-premises, private cloud and public cloud.]
Ultra light weight
• Minimal CPU impact even for billions of SMF records
Non-intrusive
• Collect data from critical systems
• Zero impact to throughput
Fast
• Collect data in real time
Secure and reliable
• Error recovery
• Data loss prevention
• Security
• Load balancing
14. Ironstream® for z/OS (Mainframe)
[Figure: z/OS data sources (SMF, RMF, SYSLOG, SYSLOGD, Log4j, file load, SYSOUT live/stored SPOOL data, Db2, USS, IMS, alerts, network components, and application data written from Assembler, COBOL, C or REXX through the Forwarder API) are collected in real time by the Ironstream Data Collection Extension (DCE) and sent by the Ironstream Data Forwarder over TCP/IP; the diagram also shows the Ironstream Desktop (IDT).]
15. Ironstream® provides…
• Real-time visibility into mainframe security event data:
  • Authentication and access failures
  • Creation or deletion of users
  • Changes to user security information, passwords, and access rights
  • Log-in activity
  • Excessive data transmissions
  • Unusual movement of data
  • Intrusion detection, Denial of Service
16. Ironstream & Splunk for Security and Compliance (SIEM)
Easier to identify unauthorized mainframe access or other security risks, and ability to meet increasing compliance requirements
Challenges addressed
• Tracking security-related issues including password changes, login successes and failures, account lockouts, dataset access, FTP activity
• Identify changes in access patterns to detect potential security threats
• Move from post-event forensics to real-time monitoring of the security environment
• Fulfillment of mandatory security and compliance audits to meet corporate and regulatory requirements
• Eliminate manual reporting, along with the delay required to get the information, by accessing it in real time
20. Syncsort z/OS Security Dashboard
[Dashboard panels: TCP/IP Network Traffic; Intrusion Detection showing Port Scans and Denial of Service Attacks]
21. Ironstream Splunk Integrations
Integrates with Splunk Enterprise Security (SIEM)
• Splunk Enterprise Security is a premium app that provides an enterprise-wide view of security across all platforms
Integrates with Splunk IT Service Intelligence (ITOA)
• Splunk IT Service Intelligence (ITSI) is a premium app that delivers a unique “service-centric” view of critical internal and customer-facing business services
Ironstream Data Model for Mainframe
• The Syncsort Ironstream Data Model for Mainframe provides a structured and logical view of mainframe log data elements in Splunk for faster searching, analysis and Splunk development
22. Ironstream z/OS Security & Splunk Enterprise Security
All collected data sources can also be mapped to the Splunk Common Information Model (CIM) for Enterprise Security and automatically exposed in ES dashboards along with security information from other platforms
• This requires the Ironstream for Splunk Enterprise Security integration to be installed
• This provides an enterprise-wide, integrated view of security across all platforms via the ES dashboards provided by Splunk
23. Sample: Splunk Enterprise Security™ Security Posture Dashboard
Now shows z/OS® intrusions and anomalies along with events from other platforms
25. Federal law-enforcement agency
The combination of Splunk and Ironstream® delivered the ability to obtain full visibility, in real time, into the most sensitive authentication procedures and data across its IT environment, ultimately enabling it to fulfill its audit obligations with ease.
Objective
• Ability to respond to ever-changing reporting requests from its auditors in order to prove compliance with information-security requirements
• Visibility into history as well as the current status of enterprise security information
Challenge
• While they were using Splunk Enterprise, they were missing critical mainframe data
• Mainframe logs had sensitive authentication information on password changes, log-in successes and failures and locked accounts
Solution
• Syncsort Ironstream was chosen to provide access to the necessary log data
• Data is forwarded automatically and in real time
Benefit
• The customer now has, for the first time, full visibility into the most sensitive authentication procedures and data
• Ironstream and Splunk combine to give them the ability to respond to reporting and compliance needs
26. U.S.-based Loan Service Provider
Ironstream provided access to previously inaccessible data to help support one of their most critical monitoring efforts
“If you’re asking us what the easier solution is to install and configure, it’s Ironstream”
Objective
• To monitor mainframe IT operations to track health of service delivery for Loan Service Providers
• Capture mainframe business data in support of system and application monitoring in Splunk
Challenge
• Required several data feeds including SMF, SYSLOG and SYSOUT for batch job monitoring
• Filtering the log data to selected jobs
• Required the ability to load business data from sequential files
Solution
• Syncsort Ironstream was chosen over IBM CDP, particularly for its ease of installation and configuration
• Now able to forward the required log data and filter it to specific messages and jobs
Benefit
• Able to monitor Loan Service IT Operations via Splunk
• Partnered with Winward for Splunk development, who were familiar with Syncsort Ironstream
27. Ironstream Security and Compliance Benefits
• Quickly detect fraudulent activity, enabling faster remediation
• Comply with regulatory requirements and address security auditing and control policies
• Integrate IBM system security events into Splunk’s SIEM solution for centralized analysis
• Monitor and detect incorrect security definitions, weak access controls, and valid and invalid access to critical resources and data
• Monitor data vulnerability issues, including the movement of data onto and off IBM systems
• Monitor, detect, and prevent network intrusions
28. Why Ironstream
Less Complexity
Collect mainframe and IBM i data; correlate with data from other platforms; no legacy system expertise required
Clearer Security Information
Identify unauthorized mainframe and IBM i server access and other security risks; prepares and visualizes key data for compliance audits
Healthier IT Operations
Real-time alerts identify problems in all key environments. View latency, transactions per second, exceptions, etc.
Effective Problem-Resolution Management
Real-time views to identify real or potential failures earlier; view related ‘surrounding’ information to support triage, repair or prevention
Higher Operational Efficiency
Enhanced event correlation across systems; staff resolves problems faster; “do more with less”
Eliminate Your Mainframe “Blind-Spots”
Splunk/Elastic + Ironstream = Your 360° Enterprise View
31. Mainframe Security – Data Challenges
• Data from multiple sources
  • TSO logon tracking – SMF Type 30
  • TSO account activity (create, update, delete, lockout) – SMF Type 80
  • Port scans, DoS attacks, malformed data packets – TRMD and SyslogD
  • FTP authentications and file analysis (file create, access, update, delete) – SMF Type 119 records and IP traffic analysis information
  • Network events – Ironstream® Network Monitoring Component
32. Gartner Magic Quadrant for SIEM
• During the past year, demand for SIEM technology has remained strong. The SIEM market grew from $1.999 billion in 2016 to $2.180 billion in 2017
• Threat management is the primary driver, and general monitoring & compliance remains secondary
• The SIEM market continues to be dominated by relatively few large vendors. Splunk, Micro Focus (including the ArcSight and Sentinel SIEMs), IBM, LogRhythm and McAfee command a significant share of market revenue.