Mainframe cyber breaches are now a reality; the recent Luxottica and Swedish Nordea Bank breaches are evidence of that. The myth that mainframes are unhackable is harmful: today big iron is closer to the Internet than ever, processing millions of online transactions per minute. However, security measures have not kept pace with the growing threat of cyber-attacks against the mainframe, despite it being the machine that likely stores your most sensitive data. In our most recent CorreLog blog post, we discussed the threat to the mainframe given the amount of highly valuable data it stores for governments, banks, and other large organizations. Here, we will highlight how to achieve a best-practice approach to mainframe security.
Many companies are now hiring “white hat” penetration testers to help them discover vulnerabilities before a malicious hacker can. Today, hackers constantly probe your enterprise network perimeter and will find network vulnerabilities if you don’t find them first. However, while proactively testing and patching your network with white hat pen testing and bug bounties is an essential step towards protecting data, it’s only part of the solution. To create a more holistic network defense strategy, you need real-time monitoring for all user activity across your entire IT infrastructure (including the mainframe), with event correlation to detect anomalous activity from vulnerabilities your pen testing crews might miss.
Penetration testing is an excellent way to protect against outside threats, but insider threats may be more dangerous. A recent Insider Threat Spotlight Report from the LinkedIn Information Security Community Group, which comprises more than 300,000 members, found that 60 percent consider privileged IT users and administrators their largest security risk. This is due, in part, to a privileged user’s ability to wipe audit trails of malicious activity. Without a notification from auditing, a privileged user can leak or steal enormous amounts of highly sensitive data before you even know they’re there. This puts PII (Personally Identifiable Information), ePHI (Electronic Protected Healthcare Information), corporate/government intellectual property, military schematics, manufacturing systems data, and more at serious risk if this audited activity isn’t flagged in real time in a Security Operations Center (SOC). And you must do this across all systems, mainframe and distributed alike.
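The two paragraphs above make a detection argument: correlate audit events from every platform in one place, and treat a privileged user's access to sensitive data followed by tampering with (or silencing of) the audit trail as the signal. The following is an added example, not CorreLog's or zDefender's code, of what such a correlation rule set looks like in Python. The event format, host names, user IDs, dataset names and thresholds are all constructed for illustration and are not real RACF, ACF2, Top Secret or SMF record layouts; the four rules (privileged access to sensitive data, audit-trail tampering, tampering shortly after sensitive access, and a log source that goes quiet while others keep reporting) are the ones the text implies a SOC would want.

```python
"""Toy cross-platform audit correlation, replaying constructed mainframe-style events.

Added example (not CorreLog/zDefender code). Record layout and all names are
constructed for illustration and do not correspond to real z/OS identifiers.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example data: 'ts key=value ...' lines from two hypothetical LPARs.
SAMPLE_LOG = """\
2023-05-01T09:00:00 host=MVS1 user=BATCH01 action=READ resource=PROD.BILLING.RUN result=SUCCESS
2023-05-01T09:00:30 host=MVS2 user=BATCH02 action=READ resource=PROD.BILLING.RUN result=SUCCESS
2023-05-01T09:01:00 host=MVS1 user=SYSADM1 action=READ resource=PROD.CUST.PII result=SUCCESS
2023-05-01T09:03:00 host=MVS1 user=SYSADM1 action=DELETE resource=SYS1.MANA result=SUCCESS
2023-05-01T09:05:00 host=MVS1 user=CLERK07 action=READ resource=PROD.HR.PAYROLL result=FAIL
2023-05-01T09:15:00 host=MVS1 user=BATCH01 action=READ resource=PROD.BILLING.RUN result=SUCCESS
"""

# Hypothetical policy inputs a SOC would maintain (constructed names).
PRIVILEGED_USERS = {"SYSADM1", "STCOPER"}
AUDIT_DATASETS = {"SYS1.MANA", "SYS1.MANB"}        # stand-ins for audit-trail datasets
SENSITIVE_PREFIXES = ("PROD.CUST.", "PROD.HR.")    # PII / HR data, constructed
TAMPER_ACTIONS = {"DELETE", "ALTER", "UPDATE"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    resource: str
    result: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts key=value ...' record into an Event."""
    ts, rest = line.split(" ", 1)
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return Event(datetime.fromisoformat(ts), kv["host"], kv["user"],
                 kv["action"], kv["resource"], kv["result"])


def correlate(events, cover_window=timedelta(minutes=30),
              silence=timedelta(minutes=10)):
    """Replay events in time order and return alerts in the order they fire."""
    alerts = []
    last_seen = {}                      # host -> timestamp of its latest event
    silent = set()                      # hosts already flagged as quiet
    sensitive_hits = defaultdict(list)  # user -> timestamps of sensitive accesses

    def alert(severity, rule, ts, host, user, detail):
        alerts.append({"severity": severity, "rule": rule, "ts": ts.isoformat(),
                       "host": host, "user": user, "detail": detail})

    for ev in sorted(events, key=lambda e: e.ts):
        # Rule 4: another feed has gone quiet while this one keeps reporting.
        # A disabled or diverted audit feed looks exactly like this.
        for host, seen in last_seen.items():
            if host != ev.host and host not in silent and ev.ts - seen > silence:
                silent.add(host)
                alert("HIGH", "SOURCE_SILENT", ev.ts, host, "-",
                      f"no events since {seen.isoformat()}")
        last_seen[ev.host] = ev.ts
        silent.discard(ev.host)

        if ev.result != "SUCCESS":
            continue  # single failures are noise here; a burst rule would go elsewhere

        # Rule 1: privileged user touching sensitive data is always recorded.
        if ev.resource.startswith(SENSITIVE_PREFIXES):
            sensitive_hits[ev.user].append(ev.ts)
            if ev.user in PRIVILEGED_USERS:
                alert("MEDIUM", "PRIV_SENSITIVE_ACCESS", ev.ts, ev.host, ev.user,
                      f"{ev.action} {ev.resource}")

        # Rule 2: any modification of the audit trail itself.
        if ev.resource in AUDIT_DATASETS and ev.action in TAMPER_ACTIONS:
            alert("HIGH", "AUDIT_TAMPER", ev.ts, ev.host, ev.user,
                  f"{ev.action} {ev.resource}")
            # Rule 3: the same user read sensitive data shortly before wiping logs.
            recent = [t for t in sensitive_hits[ev.user] if ev.ts - t <= cover_window]
            if recent:
                alert("CRITICAL", "COVER_TRACKS", ev.ts, ev.host, ev.user,
                      f"audit tamper after {len(recent)} sensitive access(es)")
    return alerts


def run_sample():
    """Run the rules over the constructed sample log."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return correlate(events)


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"], a["rule"], a["ts"], a["host"], a["user"], a["detail"])
```

The rules are deliberately stateful: Rule 3 only fires because Rule 1 remembered the earlier read, and Rule 4 only fires because events from a second host kept arriving. That is the point of feeding mainframe events into the same console as the distributed estate, since a single-host view sees neither the sequence nor the silence.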
For many large organizations, one or more IBM z/OS mainframes constitute a strategic capital investment for the most mission-critical applications, processes and data. Of these organizations, only a small percentage acknowledge mainframe vulnerability and employ the appropriate tools to monitor z/OS in real time the same way their distributed counterparts do with Windows/UNIX and open source assets attached to their SOC. This leaves significant amounts of time where mainframe data is outside the scope of up-to-the-second security visibility and immediate remediation upon threat discovery. With Security Information and Event Management (SIEM) software platforms existing predominantly in distributed environments, CorreLog zDefender™ for z/OS allows organizations to include mainframe event log data in their SOC for a unified, multi-platform view of enterprise security event data in a single console.
CorreLog zDefender™ for z/OS expands the role of your corporate distributed IT security system – whether CorreLog SIEM Correlation Server or other distributed SIEM collector – to include real-time mainframe messages from RACF, ACF2, Top Secret, Db2 accesses, and other important user activity data relevant to data security. Complete your SIEM strategy leveraging this powerful and unique real-time mainframe security management component.
Anatomy of a Mainframe Breach

A comprehensive mainframe security strategy requires a multipronged approach that incorporates both pen testing and real-time visibility. In 2017, the average time to detect and secure a breach was 191 days, according to the Ponemon Institute, but with GDPR on the horizon and the high cost of data breaches, your company cannot afford to become a data breach statistic. Heed the advice of cyber-security professionals and start taking mainframe security seriously now. We have researched and written about mainframe breaches in an informative whitepaper titled “Anatomy of a Mainframe Breach.” You may download this whitepaper here.