Security Information & Event Management Blog | SIEM

Guest blog post, z/OS security, from Barry Schrager Part 7 of 7: Monitoring the Security of Your z/OS System

Posted by Barry Schrager on May 4, 2016 11:00:00 AM

Every day, after you get your first cup of coffee, do you scan the mainframe security system violation and logging reports looking for abnormal behavior, strange activity, etc.?  Given the size of these, do you do a thorough job of it?  How much time has elapsed from the time any activity occurred to the time you got to this?

When I first developed these reports for ACF2 (dataset and resource) we had systems that ran at a rate of a few MIPS – maybe 10-20.  The current IBM z13™ will process 110,000 MIPS.  The volume of processing has grown exponentially and so has the volume of security incidents – either loggings or violations – produced each day.  Remember that the violations and loggings are there to highlight activity which may affect sensitive data – either the organization’s sensitive data or the z/OS system itself – for, if the z/OS system is modified illicitly, this may be the vehicle for actually accessing or modifying sensitive data by bypassing the z/OS security system controls.  In case you didn’t realize this – if someone can modify the z/OS system and libraries by doing something as simple as link editing a program with the Authorized Program attribute and storing it in an Authorized Library, they can then execute that program and utilize that authorization with relatively simple code to bypass whatever controls you have in place in ACF2, RACF or Top Secret.  

Read More

Topics: insider threat, compliance standards, network security, security threat, z/OS security, mainframe security

Guest blog post, z/OS security, from Barry Schrager Part 6 of 7: Is the network connected to your mainframe secure?

Posted by Barry Schrager on Apr 20, 2016 12:00:00 PM

This segment of my series was authored by Peter Hager and Earl Rasmussen of Net’Q (www.net-q.com). I thank them for their input since the network connected to our mainframes must also be secured.

In today’s world we are all connected. There was a time that mainframe access was reserved to the datacenter. Those days are long gone….

Read More

Topics: insider threat, compliance standards, network security, security threat, z/OS security, mainframe security

Guest blog post, z/OS security, from Barry Schrager Part 5 of 7: Monitoring Access to Sensitive Data

Posted by Barry Schrager on Apr 7, 2016 11:56:03 AM

Now that you have eliminated all the z/OS system integrity vulnerabilities you could find, re-evaluated your user validation to minimize the possibility of credentials being stolen, found all your sensitive data and eliminated unneeded copies and implemented a test data management solution, and validated the users who have access to the remaining data and transactions, it is time to evaluate how accesses by authorized users are being monitored.

Remember, there are two different scenarios that can harm your organization. One is the obvious one – a trusted employee goes rogue, obtains sensitive data and uses it in a manner that either profits him and/or harms the organization – Edward Snowden of the NSA is the poster child for this type of calamity. The other is that a loyal employee has their identity stolen and the hacker misuses it. Note that even though you have gone through the steps of securing your z/OS system, nothing is perfect and there are still vulnerabilities in the network configuration and usage that allow Userids and passwords to be passed in the clear, people doing silly things like writing down their passwords on a post-it note, someone looking over a valid user’s shoulder, etc.

Read More

Topics: insider threat, compliance standards, network security, security threat, z/OS security, mainframe security

Mainframe Myth-Busting: File Integrity Monitoring is only for Windows/UNIX security systems.

Posted by Tony Perri on Feb 8, 2016 2:00:00 PM

That’s the thing about myths: they’re only partly true.

Yes, File Integrity Monitoring (FIM) has been part of the distributed computing landscape for a few years now. And yes, real-time enterprise security monitoring is harder to accomplish in a mainframe environment. But as attacks become more sophisticated, FIM needs to be a key component of the entire network, including your mainframe.

There’s a well-known software vendor that has an antivirus “sandbox” that is used to explode viruses in much like a police bomb squad would do with a suspicious package at a crime scene.

Read More

Topics: network security, PCI DSS compliance, Log Management, managing corporate IT security and compliance, z/OS security, mainframe security

Guest blog post, z/OS security, from Barry Schrager Part 4 of 7: Who has access to your sensitive data?

Posted by Barry Schrager on Nov 19, 2015 11:00:00 AM


Now that we’ve gone through verifying that your system has no known integrity vulnerabilities, users are validated in a manner that will minimize the chance of someone stealing their identity and located all the sensitive data on your systems, remediating the copies that should not have been there in the first place, it is time to focus on who has access to your organization’s sensitive data.

Read More

Topics: compliance standards, network security, security threat, z/OS security, mainframe security

PCI DSS Myth-Busting: When PCI DSS references File Integrity Monitoring, they are just talking about Windows/UNIX.

Posted by Tony Perri on Oct 14, 2015 2:00:00 PM


Not so fast…what about MFIM.

File Integrity Monitoring (FIM) has been part of the distributed landscape for years, generally as a component of an enterprise anti-malware strategy. But as attacks become more sophisticated and nearly undetectable, FIM needs to be a key component across the entire network, mainframe included.

Read More

Topics: network security, PCI DSS compliance, Log Management, z/OS security, mainframe security

The Crux of Cybercrime Event Logging... from a car alarm???

Posted by Tony Perri on Mar 23, 2012 11:00:00 AM

Five things you should be thinking about before someone tries to “break in” to your IT systems

It was 3:49 a.m. last Thursday. Car alarm was going nuts and my dog was wildly barking out on the lanai right next to my bedroom window. Just waking from a real deep sleep, I was unsure if it was my car or a neighbor’s then the familiar sound of my 2001 Ford Ranger horn had me up and out the door with dog leading the way as fast as my arthritic bones would let me.

Read More

Topics: network security, automated threat detection; event log management;

Log Management Lesson: Confessions of a Security Systems Admin

Posted by Tony Perri on Feb 29, 2012 3:30:00 PM

“We thought we could handle all of the user’s problems without analyzing every single log message. Now I'm a news headline!”

Read More

Topics: automated threat detection, network security, PCI DSS compliance, Log Management

5 Security Policies to Help Counter Insider Threat

Posted by Jeff Davison on Aug 25, 2011 6:24:00 PM

All of our customers have policies in place to counter insider threats. Some are better than others. Below is a quick and dirty list of five techniques that I have seen customers use to keep it honest and secure in their corporate environments.

Read More

Topics: insider threat, network security

Subscribe via Email

Connect with CorreLog