Security Information & Event Management Blog | SIEM

Guest blog post, z/OS security, from Barry Schrager Part 7 of 7: Monitoring the Security of Your z/OS System

Posted by Barry Schrager on May 4, 2016 11:00:00 AM

Every day, after you get your first cup of coffee, do you scan the mainframe security system violation and logging reports looking for abnormal behavior, strange activity, etc.?  Given the size of these, do you do a thorough job of it?  How much time has elapsed from the time any activity occurred to the time you got to this?

When I first developed these reports for ACF2 (dataset and resource) we had systems that ran at a rate of a few MIPS – maybe 10-20.  The current IBM z13™ will process 110,000 MIPS.  The volume of processing has grown exponentially and so has the volume of security incidents – either loggings or violations – produced each day.  Remember that the violations and loggings are there to highlight activity which may affect sensitive data – either the organization’s sensitive data or the z/OS system itself – for, if the z/OS system is modified illicitly, this may be the vehicle for actually accessing or modifying sensitive data by bypassing the z/OS security system controls.  In case you didn’t realize this – if someone can modify the z/OS system and libraries by doing something as simple as link editing a program with the Authorized Program attribute and storing it in an Authorized Library, they can then execute that program and utilize that authorization with relatively simple code to bypass whatever controls you have in place in ACF2, RACF or Top Secret.  

Topics: insider threat, compliance standards, network security, security threat, z/OS security, mainframe security

Guest blog post, z/OS security, from Barry Schrager Part 6 of 7: Is the network connected to your mainframe secure?

Posted by Barry Schrager on Apr 20, 2016 12:00:00 PM

This segment of my series was authored by Peter Hager and Earl Rasmussen of Net’Q (www.net-q.com). I thank them for their input since the network connected to our mainframes must also be secured.

In today’s world we are all connected. There was a time that mainframe access was reserved to the datacenter. Those days are long gone….

Topics: insider threat, compliance standards, network security, security threat, z/OS security, mainframe security

Guest blog post, z/OS security, from Barry Schrager Part 5 of 7: Monitoring Access to Sensitive Data

Posted by Barry Schrager on Apr 7, 2016 11:56:03 AM

Now that you have eliminated all the z/OS system integrity vulnerabilities you could find, re-evaluated your user validation to minimize the possibility of credentials being stolen, found all your sensitive data and eliminated unneeded copies and implemented a test data management solution, and validated the users who have access to the remaining data and transactions, it is time to evaluate how accesses by authorized users are being monitored.

Remember, there are two different scenarios that can harm your organization. One is the obvious one – a trusted employee goes rogue, obtains sensitive data and uses it in a manner that either profits him and/or harms the organization – Edward Snowden of the NSA is the poster child for this type of calamity. The other is that a loyal employee has their identity stolen and the hacker misuses it. Note that even though you have gone through the steps of securing your z/OS system, nothing is perfect and there are still vulnerabilities in the network configuration and usage that allow Userids and passwords to be passed in the clear, people doing silly things like writing down their passwords on a post-it note, someone looking over a valid user’s shoulder, etc.

Topics: insider threat, compliance standards, network security, security threat, z/OS security, mainframe security

Guest blog post, z/OS security, from Barry Schrager Part 3 of 7: Where's the data?

Posted by Barry Schrager on Jul 15, 2015 3:00:00 PM

Mainframe Security: Part 3 - Where is all your sensitive data?

One vulnerability I see a lot is copies of sensitive data outside of the production environment. This sensitive data, if disclosed, can harm the organization just as much as the production versions. Examples are Social Security Numbers, medical diagnosis or treatments, credit information, and, of course, credit card numbers which should never be stored unencrypted in the first place. One example that comes to mind is an insurance company discovering a series of database query results, stored under an individual user’s high-level index, that correlated medical treatments with diagnosis, but also contained the patient’s identification. When investigated, it turns out that the employee was asked by an executive to do this analysis, but never bothered checking with the security people on where and how to temporarily store this information and never cleaned it up afterwards.

Topics: insider threat, compliance standards, collect log data, Log Management, enterprise SIEM system

Guest blog post, z/OS security, from Barry Schrager Part 2 of 7: User Authentication

Posted by Barry Schrager on Jun 30, 2015 12:10:00 PM

Mainframe Security Part 2: User Authentication

How can a system accurately determine whether access to data should be allowed when it is not certain who the user is? We have seen this in the NSA - Edward Snowden case – he borrowed other administrators’ User IDs and passwords in order to gain access to data that he was not authorized for. Also, people working together sometimes share this information for convenience. But, what does that do for security and accountability? It destroys it. This is a critical situation for any user with access to some segment of an organization’s sensitive data, which is almost everyone these days.

I raised the idea of two-factor identification in my 1974 papers, but the world was different then. 

Topics: insider threat, automated threat detection, event log management, Log Management, enterprise SIEM system, indexing and storing data

10 Step FIM Approach for Reliability, Data Security and Compliance

Posted by Tony Perri on Sep 26, 2012 2:14:00 PM

One area that you shouldn’t overlook that can derail your ability to hit IT service level agreements (SLAs) is file integrity monitoring (FIM). Your inability to uphold file integrity compromises your ability to deliver critical applications/services and also puts your organization’s security and compliance at risk. Why is FIM so important to SLAs and compliance?
  • FIM ensures file compliance by scanning files in configuration-specified directories and then checking for unauthorized changes.
  • FIM creates a baseline file configuration to be compared to any future configuration state. If there are any deviations from the baseline, an alert of a potential threat can be issued.
  • Good FIM practice allows for archiving to compliance standards - PCI DSS, FISMA, SOX, HIPAA, NERC, GLBA, etc. - in the event you need the data for forensics.

Topics: insider threat, compliance standards, automated threat detection, Log Management, enterprise SIEM system

Log Management Language Barrier Pt. 3: Where to Find Mainframe Events

Posted by Charles Mills on Jun 22, 2012 3:32:00 PM

Over the last few weeks I have written that mainframe people and enterprise security people use “Syslog” to mean two different things and that z/OS SYSLOG is not a good source for the kinds of security incident and event data that enterprise security people need. So when a large retailer came to us and wanted their mainframe security events forwarded to a Managed Security Service Provider (MSSP) for PCI DSS compliance, where did we go for that mainframe security event data? What data is in a mainframe that is a good source of security events?

Topics: insider threat, automated threat detection, PCI DSS compliance, Log Management

Locking Down your Files Systems? – 10 File Integrity Rules to Live By

Posted by Tony Perri on Jan 13, 2012 11:48:00 AM

We hear every day of different viruses and attacks almost as if they were coming off an assembly line. They come in all shapes, sizes and forms, and they are becoming more sophisticated and harder to detect. The source of the attacks often comes EXTERNALLY but vulnerability can also be exposed from INTERNAL activities, for instance a disgruntled employee or stolen passwords.

Topics: insider threat, compliance standards, automated threat detection

Utilizing Self-aware, Neural Network Technology for Threat Detection

Posted by Tony Perri on Dec 19, 2011 3:00:00 PM

The key to enabling actionable intelligence in your SIEM strategy is to have recurrent neural network capability to help manage events. Take this example for instance: If I react to an event, is that reaction sufficient? If the same event occurs again, I can react in the same way I did the first time. Is that enough?

Topics: insider threat, automated threat detection, collect log data, Log Management

5 Security Policies to Help Counter Insider Threat

Posted by Jeff Davison on Aug 25, 2011 6:24:00 PM

All of our customers have policies in place to counter insider threats. Some are better than others. Below is a quick and dirty list of five techniques that I have seen customers use to keep it honest and secure in their corporate environments.

Topics: insider threat, network security
