Security Information & Event Management Blog | SIEM

Four Keys to Ensure your Mainframe is Included in your Enterprise and Security Compliance Strategy

Mainframe computers process some of the world’s most sensitive data. 96 of the top 100 global banks, nine out of 10 of the top global life and health insurance companies, and 355 of the global Fortune 500 companies still rely on mainframes for mission-critical applications.[1] Think you’ve never come in contact with these so-called computer dinosaurs of the past? Think again. If you’ve used an ATM or carried out any credit card transaction today, your data has been processed on a mainframe. Now, with the proliferation of cloud computing and online transactions, mainframes are as relevant as ever, and they move closer to the Internet each day. Mainframe security has received comparatively little attention from IT security administrators, but with mainframe usage only continuing to grow in the coming years, it is time to apply the same security measures to big iron that we already employ in our distributed Windows/UNIX environments.

SIEM (Security Information and Event Management) systems have long been the industry standard for enterprise network security, but the mainframe has mostly been left out of this predominantly distributed discipline. This is due, in part, to Windows/UNIX and mainframes having matured side by side since the 1980s, but in essentially separate universes. Each platform employs its own terminology, coding languages, user interfaces, human resources, and IT infrastructures. This siloed friction between the “two worlds of IT” has resulted in a lack of security cohesion across both platforms and has weakened what must be a unified front against the growing threat of cybercrime.


External security managers such as IBM RACF (Resource Access Control Facility), CA ACF2 (Access Control Facility 2) and CA Top Secret (TSS) have been in standard use for z/OS security for many years. These facilities constantly generate audit records and console messages that tell you how users and programs are accessing the system. The problem is that enterprise SIEMs (which run predominantly on Windows/UNIX) do not receive these messages in real time, so their event correlation engines cannot detect potentially fraudulent activity as it happens. They cannot account for anomalous privileged-user activity at the moment it occurs, meaning an insider could steal blindly from you and you would not be notified until a scheduled batch job dumps the log data and ships it to the SIEM, perhaps many hours later. Given today’s threat landscape, if you are not receiving mainframe event log messages in your SIEM in real time, you are putting your entire organization at risk.

Proactive steps to extend the real-time visibility of SIEM monitoring into the mainframe equip IT security admins with up-to-the-second security notifications across all systems, for faster remediation in the event of a breach of either platform. With CICS transactions and terminal emulation reachable over TCP/IP, the mainframe is closer to the Internet than ever before and is constantly being probed. By incorporating mainframe events in real time alongside distributed events, a one-world view of your enterprise for security and compliance can be realized. Below are four keys to ensure your mainframe is included in your enterprise and security compliance strategy.

  1. Visibility: Feed the audit output of your existing mainframe security managers (IBM® RACF®, CA-ACF2™, CA-Top Secret®) and subsystems (CICS, FTP, TSO, TCP/IP, IBM® Db2®, IMS, and others) into your SIEM for real-time security visibility.
  2. Event Consolidation: The collector should convert mainframe events into syslog format in real time, while still inside z/OS, for compatibility with distributed SIEMs and a 360-degree perspective on threat activity.
  3. Alerts and Service Desk Integration: Once your mainframe is connected to your SIEM or IT SOC, you can send up-to-the-second security alerts by email, SMS text, or SNMP trap, or even open help desk tickets automatically.
  4. Auditing, Archiving, and Forensics: Retaining and indexing mainframe events alongside distributed events supports the logging and review requirements of data security standards such as PCI DSS, FISMA, GDPR, HIPAA, GLBA, ISO 27001, SOX, IRS Pub. 1075, and others.
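To make keys 1 to 3 concrete, here is an added example (written for this page, not CorreLog code) of what an in-z/OS collector and a SIEM rule have to do with the RACF messages described above: parse ICH408I access-violation messages, render each one as an RFC 5424 syslog line with structured data, and raise an alert when one user accumulates repeated violations or touches a sensitive profile. The ICH408I messages, the hostname MVSPROD, the enterprise number 32473 (the RFC 5612 documentation value) and the sensitive-profile list are all constructed assumptions for the demo; the message layout follows the standard RACF ICH408I format.

```python
"""Normalise RACF ICH408I access violations to RFC 5424 syslog and correlate.
Added example for illustration; the sample messages below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: three ICH408I messages as they appear in the z/OS SYSLOG
# (multi-line, blank-padded fields). Not real audit data.
SAMPLE_RACF_MESSAGES = """\
ICH408I USER(JSMITH  ) GROUP(DEVGRP  ) NAME(JOHN SMITH          )
  PAYROLL.MASTER.DATA CL(DATASET ) VOL(PROD01)
  INSUFFICIENT ACCESS AUTHORITY
  FROM PAYROLL.* (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
ICH408I USER(JSMITH  ) GROUP(DEVGRP  ) NAME(JOHN SMITH          )
  PAYROLL.HISTORY.DATA CL(DATASET ) VOL(PROD02)
  INSUFFICIENT ACCESS AUTHORITY
  FROM PAYROLL.* (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(OPER01  ) GROUP(SYSOPS  ) NAME(NIGHT OPERATOR      )
  BPX.SUPERUSER CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

HEADER_RE = re.compile(r"^ICH408I USER\((\S+)\s*\) GROUP\((\S+)\s*\) NAME\((.*?)\s*\)")
RESOURCE_RE = re.compile(r"^\s+(\S+) CL\((\S+)\s*\)(?: VOL\((\S+)\s*\))?")
ACCESS_RE = re.compile(r"ACCESS INTENT\((\S+)\s*\)\s+ACCESS ALLOWED\((\S+)\s*\)")


def parse_ich408i(text):
    """Split SYSLOG text at each ICH408I header and extract the fields a SIEM
    correlates on. Malformed blocks are skipped rather than guessed at."""
    events = []
    for block in re.split(r"(?m)^(?=ICH408I )", text):
        lines = block.strip("\n").splitlines()
        if not lines:
            continue
        head = HEADER_RE.match(lines[0])
        res = RESOURCE_RE.match(lines[1]) if len(lines) > 1 else None
        acc = ACCESS_RE.search(block)
        if not (head and res and acc):
            continue
        events.append({
            "user": head.group(1), "group": head.group(2), "name": head.group(3),
            "resource": res.group(1), "class": res.group(2), "volume": res.group(3) or "",
            "intent": acc.group(1), "allowed": acc.group(2),
        })
    return events


def _sd_escape(value):
    """RFC 5424 PARAM-VALUE must escape backslash, double quote and ']'."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event, when, host="MVSPROD", app="racf"):
    """Render one event as an RFC 5424 line: facility 4 (auth), severity 4
    (warning), so PRI = 4*8 + 4 = 36. SD-ID racf@32473 is an assumed name."""
    params = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in event.items())
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"<36>1 {ts} {host} {app} - ICH408I [racf@32473 {params}] "
            f"{event['user']} denied {event['intent']} on {event['class']} {event['resource']}")


class ViolationCorrelator:
    """Sliding-window rule: alert when one user reaches `threshold` violations
    inside `window`, or when any violation targets a profile on the sensitive
    list (an illustrative assumption, not a RACF default)."""
    SENSITIVE = {"BPX.SUPERUSER"}

    def __init__(self, threshold=2, window=timedelta(minutes=5)):
        self.threshold, self.window = threshold, window
        self.history = defaultdict(deque)

    def observe(self, event, when):
        q = self.history[event["user"]]
        q.append(when)
        while q and when - q[0] > self.window:   # expire old entries
            q.popleft()
        if event["resource"] in self.SENSITIVE:
            return f"ALERT sensitive-profile {event['user']} -> {event['resource']}"
        if len(q) >= self.threshold:
            return f"ALERT repeated-violations {event['user']} x{len(q)} in {self.window}"
        return None


def process(text, start):
    """Parse, render as syslog and correlate; events are spaced one second
    apart from `start` because the constructed sample carries no timestamps."""
    syslog_lines, alerts = [], []
    corr = ViolationCorrelator()
    for i, ev in enumerate(parse_ich408i(text)):
        when = start + timedelta(seconds=i)
        syslog_lines.append(to_syslog(ev, when))
        alert = corr.observe(ev, when)
        if alert:
            alerts.append(alert)
    return syslog_lines, alerts


def demo():
    """Run the pipeline over the constructed sample at a fixed start time."""
    return process(SAMPLE_RACF_MESSAGES, datetime(2017, 10, 31, 12, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    lines, alerts = demo()
    print("\n".join(lines + alerts))
```

In production the `when` value comes from the SMF record or SYSLOG timestamp rather than a counter, and the syslog line is sent over TLS to the SIEM collector; the point of the example is that both the conversion and the first correlation decision can happen as each message is written, not after a nightly dump.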

To learn more about integrating the mainframe into your SIEM, download CorreLog’s whitepaper “Real-Time Mainframe SIEM 101: Increasing your SIEM footprint to your mainframe is critical for enterprise data security and compliance strategy.”

There are only a few vendors with products that bridge the security gap between mainframe and distributed computing with real-time mainframe event management. CorreLog is one such vendor, with roots in mainframe computing dating back to the 1970s. Our mainframe SIEM solutions are designed as a complement to organizations’ existing SIEM strategies and budgets. We understand z/OS as a critical business asset, and have built operationally sound, scalable, and highly functional mainframe security solutions to help maintain your enterprise security and compliance posture.

For more information on our z/OS security solutions visit


[1] Glinda Cummings, IBM Sr. Security Product Manager, “The Myth of Mainframe Security”; IBM, “Why Mainframe Servers?”
