
The Anatomy of a Mainframe Breach - z/OS Security Threats are Real


People have been talking about the demise of mainframes for years, yet they are storing, managing, and processing more information today than ever. Mainframes process approximately 80 percent of the world’s corporate and government data [1], are used by 71 percent of the Fortune 500 [2], and, according to IBM, handle 29 billion ATM transactions per year, worth nearly five billion dollars per day [3]. It is rare to find a computer architecture more than 50 years old still in use for the same purpose it served at its introduction, but the mainframe is not only still going strong, it is adapting to changing technologies and solidifying its position as the most reliable data platform since its inception.

IBM’s development reveals an emphasis on big data processing with an eye towards ultra-reliable support for mobile platforms. In 2015 the hardware giant’s partnership with Apple proved the mainframe isn’t going anywhere. With more online transactions going mobile, the alliance was a win-win for both enterprises: Apple needed an infrastructure to secure interactions between its products and back-end data on mainframes, and IBM jumped on the opportunity to expand into the growing mobile industry. The partnership has created business applications for iPhone and iPad and has since targeted specific industries whose transactions are going increasingly mobile, such as retail, financial institutions, telecommunications services, insurance companies, airlines, and government. As these industries come to rely on the ease of the cloud, mainframes continue to be the powerhouse for back-end data that rests in the shadows, out of sight and out of mind. One could argue that such heavy reliance on a “forgotten” and scarcely applauded platform is itself a security vulnerability.


Though mainframes have a well-established reputation for high security and data integrity, they are not un-hackable. Mainframes are increasingly exposed to the Internet and mobile platforms, and this has made them more vulnerable to outside threats. Hackers are constantly testing enterprises’ network perimeters, looking for vulnerabilities, and without the proper security measures in place, organizations may not know they have been breached until it is too late. In 2017, the average time to detect and contain a breach was 191 days, according to the Ponemon Institute [4]. IBM continues to release new versions of its mainframe operating system; the latest, z/OS® V2R3, adds security enhancements that protect z/OS data sets, giving users the ability to encrypt data to strengthen compliance and audit responsiveness and to protect mission-critical data. The mainframe is still a vulnerable IT asset, however, because much of its security processing and reporting happens in nightly batches. Without real-time alerts for all event messages from z/OS, data remains open to threats between those batch runs.

One would think the inherent value of the data on mainframes in our data-driven lives would put z/OS high on the list of things to protect in any given Fortune 500 company, and it is. However, many companies barely acknowledge mainframe vulnerabilities: many do not monitor z/OS events in real time, and many lack the mechanisms their distributed platforms have for validating compliance with data security standards and regulations such as PCI DSS, FISMA, HIPAA, and GDPR. Distributed platforms rely on Security Information and Event Management (SIEM) for real-time log management and correlation, but mainframes often lack a security equivalent. This can leave dark periods on the mainframe in which hackers could have hours to exfiltrate data before logs are analyzed by IT security teams. Real-time event message monitoring can give organizations continuous updates on breaches or file integrity disruptions as they happen, providing the quickest path to remediation.

Without real-time monitoring of all privileged user activity, your SIEM could be leaving valuable mainframe data outside the scope of security visibility and open to threats, leaving your most valuable data vulnerable. Protecting the mainframe should be priority number one for every enterprise. With all the information stored on mainframes, it is unlikely we will see the end of them anytime soon, but a serious mainframe breach the size of Target or Equifax could be the end of your organization’s good brand reputation and its leaders’ careers. Transforming real-time mainframe visibility into security events is attainable; with secure storage for audit trails that can tip the spear in your organization’s compliance programs, you can have cross-platform visibility of all user activity. For more information on obtaining more mainframe visibility, download CorreLog’s whitepaper titled “The Anatomy of a Mainframe Data Breach and How to Fight Back,” available here.
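The two preceding paragraphs argue that z/OS event messages should be normalized into a SIEM in real time and correlated rather than reviewed in nightly batches. The following added example (not CorreLog’s product code, and not from the original post) sketches that pipeline in Python over constructed sample messages: it parses access-violation messages loosely modeled on RACF’s ICH408I (simplified to one line each, not a real z/OS capture), renders them as RFC 5424 syslog records for a SIEM, and flags a privileged user who accumulates several violations inside a short window. The hostname `ZOSPROD`, the user IDs, and the data set names are all invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample console messages, loosely modeled on the RACF ICH408I
# access-violation message but flattened to one line each; not a z/OS capture.
SAMPLE_EVENTS = [
    "2024-05-01T02:10:05Z ICH408I USER(OPER01) GROUP(SYS1) PROD.PAYROLL.MASTER CL(DATASET) INSUFFICIENT ACCESS AUTHORITY",
    "2024-05-01T02:10:09Z ICH408I USER(OPER01) GROUP(SYS1) PROD.CARDS.PAN CL(DATASET) INSUFFICIENT ACCESS AUTHORITY",
    "2024-05-01T02:10:40Z IEF403I PAYBATCH STARTED - TIME=02.10.40",
    "2024-05-01T02:10:51Z ICH408I USER(OPER01) GROUP(SYS1) PROD.HR.SALARY CL(DATASET) INSUFFICIENT ACCESS AUTHORITY",
    "2024-05-01T03:45:00Z ICH408I USER(DEV07) GROUP(DEV) TEST.APP.DATA CL(DATASET) INSUFFICIENT ACCESS AUTHORITY",
]

ICH408I_RE = re.compile(
    r"^(?P<ts>\S+) ICH408I USER\((?P<user>\w+)\) GROUP\((?P<group>\w+)\) "
    r"(?P<resource>\S+) CL\((?P<cls>\w+)\) (?P<reason>.+)$"
)

def parse_event(line):
    """Return a dict for an ICH408I line, or None for any other message."""
    m = ICH408I_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def to_syslog(ev, host="ZOSPROD"):
    """Render an event as an RFC 5424 line: facility 10 (authpriv), severity 4 (warning)."""
    pri = 10 * 8 + 4
    ts = ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"<{pri}>1 {ts} {host} RACF - ICH408I - "
            f"user={ev['user']} group={ev['group']} class={ev['cls']} "
            f"resource={ev['resource']} reason=\"{ev['reason']}\"")

def detect_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Users with at least `threshold` violations inside any sliding `window`."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev["ts"])
    flagged = []
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return flagged

def run(lines=SAMPLE_EVENTS):
    """Forward every violation as syslog and return the users that tripped the burst rule."""
    events = [ev for ev in map(parse_event, lines) if ev]
    return [to_syslog(ev) for ev in events], detect_bursts(events)
```

In the sample, OPER01 triggers the burst rule with three violations in 46 seconds, while DEV07’s single violation is only forwarded.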

Since 2008, CorreLog has been bridging the security and compliance gap between distributed (WIN/UNIX) and mainframe computing environments. Our industry-leading solutions deliver real-time z/OS security inclusion in WIN- and UNIX-based SIEM systems for complete, cross-platform IT security and compliance strategies.

For more information on CorreLog’s industry-leading security solutions, contact us here.


[1] IBM Systems Magazine, "Data Virtualization on z/OS"

[2] Forbes, "From Shopping to Space Travel, How the Mainframe Changed Our World."

[3] IBM, "IBM Mainframe Ushers in New Era of Data Protection"

[4] Ponemon Institute, "2017 Cost of a Data Breach Study"
