Not so fast…what about MFIM.
File Integrity Monitoring (FIM) has been part of the distributed landscape for years, generally as a component of an enterprise anti-malware strategy. But as attacks become more sophisticated and nearly undetectable, FIM needs to be a key component across the entire network, mainframe included.
Considering the potential of non-compliance with big fines attached, FIM needs to be front and center with your enterprise security strategy. The most recent version of the Payment Card Industry Data Security Standard, v. 3.1, requires you to “implement audit trails to link all access to system components to each individual user” (Req. 10.2) and "use file integrity monitoring or change detection software…." (Req. 10.5). What this means is that you must make sure you are monitoring the secure state of your system-wide operating systems for any signs of tampering; PCI DSS is not just talking about Windows/UNIX. You must do this for all systems or face the potential of fines for PCI DSS noncompliance that can go as high as $100,000 per month. True, PCI DSS fines are few and far between but in at least one instance a U.S. retailer sued Visa for PCI compliance fines, levied by the credit card processor. Whatever the fine potential, chances are you don't even want to risk the publicity and potential brand damage.
On the distributed side of your datacenter, automated FIM is sometimes provided by a Security Information and Event Management (SIEM) system. It's a pretty straightforward process. When an operating system and applications are procured and the server and workstations are confirmed to a secure working state, a FIM program takes a “snapshot” of the secure state of the operating system.
In a distributed environment, a file integrity checker calculates MD5 hashes or checksums of the files loaded and stores them in a database. This becomes a digital fingerprint, and any change in any of the files will cause the MD5 hash to change, indicating that a file has been accessed or altered.
Effectively, there is little evidence across our market of a z/OS program that can facilitate FIM on a mainframe, and link the event data to a distributed SIEM as traditional FIM solutions do. But it is possible to facilitate FIM on your mainframe and we have a few instances of this in the field. We call this complementary SIEM process mainframe file integrity monitoring, or simply MFIM.
The key to MFIM is to look at the mainframe counterparts to the Microsoft Windows install folder. One of these, SYS1.PARMLIB, or the PARMLIB concatenation, is the most important set of datasets in your organization, listing system parameter values used by nearly every component of z/OS. You can't just take a checksum "snapshot" of these mainframe files, as a distributed FIM solution would do, because the files in a mainframe environment are simply too big to scan and system performance would suffer.
The details of tracking mainframe event messages are far too many to get into a blog post. Essentially, you need a way of getting the mainframe events that indicate file access (and access attempts) to your distributed SIEM system, and you need to do this from the mainframe in real time. But you also need a software tool that will convert these mainframe events to a distributed event log format in real time, so your SIEM system admins can use the data for actionable information.
Learn more from this complementary whitepaper "InfoSec Myths Debunked: FIM is only for Windows/UNIX." | Download PDF here.
This is all made possible with CorreLog’s agent-based software solution, SIEM Agent for z/OS:
- SIEM Agent converts mainframe system management facilities (SMF records) to distributed SIEM-type Syslogs in real time, from within the LPAR.
- SIEM Agent forwards the data to the enterprise SIEM, ready formatted. No additional formatting required once it leaves the LPAR.
- z/OS event message types include all RACF, ACF2, Top Secret, and DB2 database activity monitoring
- Other event message types include address space, file accesses, TCP/IP, FTP, CICS and other security event message types.
- The conversion and transmission to the enterprise SIEM system takes place in real time, and the data is encrypted for security.
For more information on the CorreLog SIEM Agent for z/OS, please click here.