While mainframes are a securable platform, organizations may want to consider adopting Security Information and Event Management (SIEM) solutions that bring mainframe data into an enterprise-wide context. IBM z/OS security relies on the use of an External Security Manager (ESM) solution, like IBM's RACF or Broadcom's CA ACF2 or CA Top Secret. These solutions maintain mainframe security by allowing or preventing user access to resources such as datasets, transactions, volumes, or programs. However, while they provide terminal-based and batch monitoring and reporting for mainframe security events and other data, they don't offer enterprise-wide perspectives with advanced graphical interfaces, real-time analytics, or integration with other such solutions for advanced real-time auditing or monitoring.[1] A SIEM can provide that real-time, enterprise-wide analysis of security alerts generated by applications and network hardware.
With typical enterprises collecting millions of monitoring records per day, Julie Bergh, lead security advisor at Rocket Software, points out that companies need the most effective way to sift through this data to determine what is most relevant. In the beginning, SIEM solutions weren't equipped to handle mainframe data, but this has changed, she says. As mainframe customers are still storing the majority of their business data on the mainframe, Bergh says, "It is critical to include this information in a SIEM solution to get an enterprise-wide view of what is happening at their organizations."
Customers from a variety of industries want to know more about Splunk products and other SIEMs and how they work with the mainframe. Generally, Bergh notes, they seek out more information about SIEMs when they need to collect data from the mainframe and send it out to another part of the enterprise.
What Do SIEMs Do?
- Gather and store security data from a wide variety of sources
- Correlate all of this data in real time, applying advanced analytics to determine when "bad things" are happening
- Generate alerts if suspicious activity is detected
- Store the data for a long time, providing rapid access when needed and supporting forensic investigations (of course, mainframe-based SMF security monitoring data as generated by RACF, CA ACF2, and CA Top Secret is often maintained on mainframe-accessible media for years or decades due to regulatory requirements)
- Aggregate and report on the information required to demonstrate compliance with many standards/regulations (e.g., the Health Insurance Portability and Accountability Act, Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act, the General Data Protection Regulation)
SIEMs can be used for correlation, or linking events with common attributes together into meaningful bundles; for data aggregation or log management in which data is pulled from multiple sources (including network devices, security, servers, databases, and applications) to consolidate monitored data and avoid missing crucial events; and for alerting recipients of immediate issues after an automated analysis of correlated events.
Bergh explains that these functions enable users, through dashboards, to turn event data into informational charts that can be used to determine patterns or identify activity that does not conform to standard patterns. SIEMs are particularly helpful with regulatory compliance in that they can produce reports from the gathered data that can be used in customers' existing governance and auditing processes. Finally, she says, SIEMs provide long-term storage of data that enables users to review trends over time and in forensic investigations.
SIEM Challenges
There are some challenges in getting mainframe information, particularly in the data conversion (e.g., EBCDIC to ASCII), according to Bergh. "Usually customers use the z/OS Systems Management Facility (SMF) as a starting point to collect data and send that information into Splunk or another SIEM," she says. "SMF collects information on performance, security, and events that are happening in z/OS and technical operations." There are products like Syncsort Ironstream and IBM Common Data Provider (CDP) that provide the capability to gather this information and put the data into a format that Splunk or another SIEM can digest.
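As an added illustration of the conversion step Bergh describes (example code written for this article, not part of Ironstream, CDP, Splunk or any Rocket product): the script builds a constructed SMF-style record, decodes the fixed 24-byte common SMF header, translates the EBCDIC text fields with Python's code page 037 codec, and emits the flat, ASCII-only JSON shape a SIEM forwarder would send. The header offsets follow IBM's documented common SMF header and should be treated as an assumption here; the record contents (system id, time, date, flag and subtype values) are constructed for the demonstration, with type 80 being the RACF record type.

```python
import codecs
import json
import struct
from datetime import datetime, timedelta

# Common SMF record header (first 24 bytes), per IBM's SMF documentation.
# Offsets below are the documented layout; treat them as an assumption here.
#   0  record length (2)       2  segment descriptor (2)
#   4  flag byte (1)           5  record type (1)
#   6  time since midnight, hundredths of a second (4)
#  10  date, packed decimal 0cyydddF (4)
#  14  system id, EBCDIC (4)   18  subsystem id, EBCDIC (4)
#  22  record subtype (2)
HEADER_LEN = 24


def ebcdic_to_ascii(raw: bytes) -> str:
    """Decode an EBCDIC (code page 037) text field and strip blank padding."""
    return codecs.decode(raw, "cp037").rstrip()


def unpack_smf_date(raw: bytes):
    """Decode the packed-decimal SMF date 0cyydddF (c = century, ddd = day of year)."""
    digits = raw.hex()  # four bytes -> eight nibbles, e.g. "0124075f"
    if len(digits) != 8 or digits[0] != "0" or digits[7] not in "cf":
        raise ValueError(f"not a packed SMF date: {digits}")
    century, yy, ddd = int(digits[1]), int(digits[2:4]), int(digits[4:7])
    year = 1900 + 100 * century + yy
    return (datetime(year, 1, 1) + timedelta(days=ddd - 1)).date()


def parse_smf_header(record: bytes) -> dict:
    """Parse the common SMF header into a flat, ASCII-only dict a SIEM can ingest."""
    if len(record) < HEADER_LEN:
        raise ValueError("record shorter than the SMF header")
    rec_len, _seg, flag, rec_type, time_hs = struct.unpack(">HHBBI", record[:10])
    # time_hs is hundredths of a second since midnight
    time_of_day = (datetime.min + timedelta(milliseconds=time_hs * 10)).time()
    date = unpack_smf_date(record[10:14])
    subtype, = struct.unpack(">H", record[22:24])
    return {
        "record_length": rec_len,
        "record_type": rec_type,
        "subtype": subtype,
        "flag": flag,
        "timestamp": datetime.combine(date, time_of_day).isoformat(timespec="milliseconds"),
        "system_id": ebcdic_to_ascii(record[14:18]),
        "subsystem_id": ebcdic_to_ascii(record[18:22]),
    }


def build_sample_record() -> bytes:
    """Constructed SMF-style header (not captured data): type 80, the RACF record type."""
    time_hs = (4 * 3600 + 30 * 60 + 12) * 100 + 34   # 04:30:12.34
    header = struct.pack(">HHBBI", HEADER_LEN, 0, 0x1E, 80, time_hs)  # flag value constructed
    header += bytes.fromhex("0124075f")              # 2024, day 075 = 2024-03-15
    header += codecs.encode("SYS1", "cp037")         # system id in EBCDIC
    header += codecs.encode("RACF", "cp037")         # subsystem id in EBCDIC
    header += struct.pack(">H", 0)                   # subtype (constructed value)
    return header


if __name__ == "__main__":
    print(json.dumps(parse_smf_header(build_sample_record()), indent=2))
```

The point to notice is that nothing past the header is touched: the record-type-specific body (where RACF places the actual event details) has its own layout per type, so a real forwarder dispatches on `record_type` before decoding further, and every EBCDIC text field needs the same explicit code-page translation or it arrives in the SIEM as unreadable bytes.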
Some customers also use their chosen SIEM solution in the Security Operations Center (SOC). This is where playbooks come into play: these guides describe how to respond to specific alerts raised by the SIEM. Customers, Bergh says, will want to develop their own playbooks on how to handle potential situations related to mainframe security event data. "SMF data is usually foreign to these people," she adds. "I usually work with them to determine how they deal with other areas and what other playbooks they have developed. I do this because the customers usually have an idea of what data they need from the mainframe, but they are not certain how or what to look for in that data." Customers simply need to understand that the mainframe is just another large server with a different log type, states Bergh.
Typical Use Cases for SIEM Monitoring, Alerting, and Reports
- Privileged user actions, i.e., actions by someone with elevated privileges, such as a z/OS systems programmer or even a bank teller who can approve a special transaction
- Security changes to the mainframe security product itself (e.g., RACF, CA ACF2, CA Top Secret)
- Changes to system software and/or configuration changes
- Access attempts to resources where any user was denied access
- Successful changes to system software and/or configuration by users that have the authority
- Attempts to elevate a user to a more privileged status
Bergh says that customers should choose one or two of the use cases to get started. She points out that privileged user actions are the most commonly selected starting point. "I work with customers to define what a privileged user is and what needs to be captured. We develop a test plan to capture this information and review how that information is being sent and consumed by the SIEM before determining what the appropriate response is," Bergh explains. "This could mean modifying their current privilege user playbook or developing one specific to the mainframe. Once they are comfortable with this scenario, we work on other ones so they understand what is required."
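To show what a first mainframe playbook can look like once the events reach the SIEM, here is an added example (written for this article, not code from Rocket Software or any SIEM vendor) that runs three of the use cases above over constructed, already-normalized events: privileged user actions outside an agreed change window, a burst of denied access attempts by one user, and any attempt to elevate a user's privileges. The event field names, the change-window hours, the denial threshold and the sample users are all assumptions made for the demonstration, not a real SMF or product schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized security events: the flat shape a forwarder
# might emit after EBCDIC conversion. Field names and values are assumptions
# made for this example, not a real SMF or product schema.
SAMPLE_EVENTS = [
    {"ts": "2024-03-15T02:05:00", "user": "SYSPROG1", "privileged": True,
     "event": "ACCESS", "result": "SUCCESS", "resource": "SYS1.PARMLIB"},
    {"ts": "2024-03-15T09:10:00", "user": "SYSPROG1", "privileged": True,
     "event": "ACCESS", "result": "SUCCESS", "resource": "SYS1.PARMLIB"},
    {"ts": "2024-03-15T09:11:00", "user": "TELLER7", "privileged": False,
     "event": "ACCESS", "result": "DENIED", "resource": "PAYROLL.MASTER"},
    {"ts": "2024-03-15T09:12:00", "user": "TELLER7", "privileged": False,
     "event": "ACCESS", "result": "DENIED", "resource": "PAYROLL.MASTER"},
    {"ts": "2024-03-15T09:13:00", "user": "TELLER7", "privileged": False,
     "event": "ACCESS", "result": "DENIED", "resource": "PAYROLL.HIST"},
    {"ts": "2024-03-15T09:40:00", "user": "TELLER7", "privileged": False,
     "event": "ACCESS", "result": "DENIED", "resource": "PAYROLL.MASTER"},
    {"ts": "2024-03-15T11:00:00", "user": "SECADM2", "privileged": True,
     "event": "PRIV_CHANGE", "result": "SUCCESS", "resource": "TELLER7"},
]

# Tunables a playbook would define per site (assumed values).
CHANGE_WINDOW_HOURS = (8, 18)          # privileged changes expected 08:00-17:59
DENIAL_THRESHOLD = 3                   # denials by one user ...
DENIAL_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def _alert(rule, ev, detail):
    return {"rule": rule, "ts": ev["ts"], "user": ev["user"], "detail": detail}


def detect(events):
    """Run the three use-case rules over events (any order); return alerts oldest first."""
    alerts = []
    recent_denials = defaultdict(list)  # user -> denial timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])

        # Use case: privileged user actions. Successful privileged activity
        # outside the change window is the first thing the playbook reviews.
        in_window = CHANGE_WINDOW_HOURS[0] <= ts.hour < CHANGE_WINDOW_HOURS[1]
        if ev["privileged"] and ev["result"] == "SUCCESS" and not in_window:
            alerts.append(_alert("PRIV_OFF_HOURS", ev,
                                 "privileged action outside change window"))

        # Use case: denied access attempts. One denial is noise; a burst from
        # the same user inside a short window is worth a ticket.
        if ev["result"] == "DENIED":
            window = [t for t in recent_denials[ev["user"]] if ts - t <= DENIAL_WINDOW]
            window.append(ts)
            recent_denials[ev["user"]] = window
            if len(window) == DENIAL_THRESHOLD:  # fire once, when the threshold is hit
                alerts.append(_alert("REPEATED_DENIAL", ev,
                                     f"{DENIAL_THRESHOLD} denials within {DENIAL_WINDOW}"))

        # Use case: attempts to elevate a user. Always alert, whatever the result.
        if ev["event"] == "PRIV_CHANGE":
            alerts.append(_alert("PRIV_ELEVATION", ev,
                                 f"privilege change targeting {ev['resource']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it produces three alerts: the 02:05 privileged action, the third denial for TELLER7 at 09:13 (the lone 09:40 denial falls outside the window and stays quiet), and the 11:00 privilege change. This mirrors the approach Bergh describes: define what "privileged" means, capture it, confirm the data really arrives in the SIEM in this shape, and only then decide the response each rule should trigger.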
Security in today's environment requires a new approach, and having insights across the entire security event timeline can help organizations bolster their security efforts. Sensitive data needs to be protected and monitored in accordance with data processing standards because about 80% of the world's critical data resides on (IBM Z) mainframes, says Bergh. The burden is on the organizations using mainframes to employ the most modern security best practices in SIEMs to protect it.
[1] https://www.planetmainframe.com/2018/03/mainframes-dont-need-siems/