Security Information & Event Management Blog | SIEM

Guest blog post, z/OS security, from Barry Schrager Part 1 of 7: System Integrity

Posted by Barry Schrager on Jun 22, 2015 7:29:00 PM

Mainframe Security Part 1: System Integrity

I’m often asked about what installations can do to maximize their data security in an IBM mainframe environment. For those that do not know me, I was one of the people who started the data security initiative in the mainframe environment when I was asked to form the SHARE Security Project in 1972. We worked together to create a series of requirements to be presented to IBM and I did that in 1974. For more details on this, see

When IBM delivered RACF in 1976, it did not meet two of the crucial requirements – protection by default and what we called algorithmic grouping of resources. 

Topics: compliance standards, Log Management, z/OS security, system integrity, mainframe security

8 PCI DSS Guidelines for Better Mainframe Compliance

Posted by Tony Perri on Nov 18, 2014 2:10:00 PM

What to do when your mainframe catches a virus

8 Guidelines for monitoring mainframe security controls per PCI DSS Requirements

Now that we have your attention, allow us to expound on the thought. This is a somewhat valid question if you are in banking/finance, retail, healthcare, government or other environment that processes credit cards on a massive scale and requires the computing horsepower of a mainframe.

Why? Because these industries all have to adhere to the malware/anti-virus clause from the Payment Card Industry Data Security Standard (PCI DSS). At a high level, the PCI DSS provides a baseline of requirements for these industries to adhere to for the protection of cardholder data. Even if they have just one credit card transaction over the course of a fiscal year, PCI DSS applies and the penalties are significant. From the PCI Security Standards Council website FAQ page:


Don’t expect to move your cyber-security gauge towards 'safe' until..

Posted by Charles Mills on Apr 1, 2014 1:00:00 PM

Your network is vulnerable because your log management practice fails to include real-time mainframe data.

The InfoSec World show is upon us. For those of you unfamiliar with InfoSec World, it is an educational conference organized by the MIS Training Institute, an international organization that specializes in audit and information security training. According to its website, it has trained more than 200,000 IT professionals over the course of its existence.


Topics: PCI DSS compliance, Log Management, security threat, enterprise SIEM system

DAM that HACK! 7 ways your z/OS DB2 can alert you to cyber threat

Posted by Tony Perri on Mar 18, 2013 12:45:00 PM

Database Activity Monitoring (DAM) is defined by Gartner as “… tools that can be used to support the ability to identify and report on fraudulent, illegal or other undesirable behavior, with minimal impact on user operations and productivity(1)…” If you know what to look for in z/OS DB2 audit trails, you have an excellent window into your mainframe database security health.


Topics: compliance standards, automated threat detection, event log management, collect log data, PCI DSS compliance, Log Management

Event Data vs. Syslog Data: 4 points of distinction for the CISO

Posted by Tony Perri on Jan 17, 2013 9:00:00 AM

It should come as no surprise that security information and event management, or SIEM, has been fueled by industry standards groups and government agencies. Leading the charge in how data and security policies are drawn up are organizations with acronym-laden names like PCI SSC, FISMA, FERC, NERC, SOX, HIPAA and many others. The Payment Card Industry Security Standards Council, issuer of the PCI data security standard (PCI DSS), was founded by payment card giants MasterCard, American Express, Discover and several others. In 2006 they issued requirements and offered certifications for merchants, vendors and security consulting companies with the intent to “mitigate data breaches and prevent payment cardholder data fraud.”


Topics: compliance standards, automated threat detection, event log management, Log Management

10 Step FIM Approach for Reliability, Data Security and Compliance

Posted by Tony Perri on Sep 26, 2012 2:14:00 PM

One area that you shouldn’t overlook that can derail your ability to hit IT service level agreements (SLAs) is file integrity monitoring (FIM). Your inability to uphold file integrity compromises your ability to deliver critical applications/services and also puts your organization’s security and compliance at risk. Why is FIM so important to SLAs and compliance?
  • FIM ensures file compliance by scanning files in configuration-specified directories and then checking them for unauthorized changes.
  • FIM creates a baseline file configuration to be compared to any future configuration state. If there are any deviations from the baseline, an alert of potential threat can be issued.
  • Good FIM practice allows for archiving to compliance standards - PCI DSS, FISMA, SOX, HIPAA, NERC, GLBA, etc... - in the event you need the data for forensics.

Topics: insider threat, compliance standards, automated threat detection, Log Management, enterprise SIEM system

Mainframe SIEM Log Management in a Distributed IT Security World

Posted by Tony Perri on Aug 9, 2012 2:31:00 PM

Seems like every day we see news headlines about yet another cyber-breach. Government agencies, local municipalities, online gaming and social platforms, financial institutions, even high-school records have been exposed in recent attacks. Scour the web and you will be hard-pressed to find the percentage of breaches occurring on mainframe versus distributed. The data just doesn’t seem to be there. Mainframe gurus will say that it is rare for a mainframe to be compromised, but the reality is that the data to confirm or dismiss this is just too hard to come by. Unless you are an insider and know the details of the breach, all we know publicly is that there was a breach, the number of records compromised and maybe the dollars affected.


Topics: automated threat detection, collect log data, Log Management, enterprise SIEM system

Log Management Language Barrier Pt. 3: Where to Find Mainframe Events

Posted by Charles Mills on Jun 22, 2012 3:32:00 PM

Over the last few weeks I have written that mainframe people and enterprise security people use “Syslog” to mean two different things and that z/OS SYSLOG is not a good source for the kinds of security incident and event data that enterprise security people need. So when a large retailer came to us and wanted their mainframe security events forwarded to a Managed Security Service Provider (MSSP) for PCI DSS compliance, where did we go for that mainframe security event data? What data is in a mainframe that is a good source of security events?


Topics: insider threat, automated threat detection, PCI DSS compliance, Log Management

Log Management Language Barrier Pt. 2, Just what is Mainframe SYSLOG?

Posted by Charles Mills on May 29, 2012 4:00:00 PM

Two weeks ago, I wrote that one obstacle to getting your mainframe to “speak” to your security information and event management (SIEM) console was that mainframe people and enterprise security people speak a different language. They both use the same word, “Syslog,” to mean two different things. SIEM people of course use the word Syslog – as they write it – to mean the RFC 3164 Syslog messages that are at the heart of SIEM processing. Mainframe people use the word SYSLOG – as they usually write it – to refer to a voluminous stream of messages which, for the most part, have little to do with enterprise IT security, log management or network availability. Why?


Topics: PCI DSS compliance, Log Management, enterprise SIEM system

Log Management Language Barrier: Is it Syslog or SYSLOG?

Posted by Charles Mills on May 10, 2012 9:30:00 AM

Does your mainframe speak Syslog or SYSLOG?

Does your mainframe speak SIEM (security information and event management)? Do your mainframe people speak SIEM? If you are typical, your mainframe is where about 70% of your enterprise data is stored. If you are performing mission-critical processing on your mainframe – and why else would you have one? – then it is critically important that your mainframe can “speak” to your SIEM tool, and can tell the SIEM system when the mainframe detects a potential intrusion or “hack.” But how can your mainframe speak SIEM when your mainframe people don’t even speak the same language as your SIEM people?


Topics: automated threat detection, PCI DSS compliance, Log Management
