staying vigilant with security intelligence for mainframes
TRANSCRIPT
© 2012 IBM Corporation
IBM Security Systems
Slide 1
Staying Vigilant with Security Intelligence for Mainframes
© 2014 IBM Corporation
Slide 2
A new security reality is here
61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)
$3.5M average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)
70% of security executives have cloud and mobile security concerns (2013 IBM CISO Survey)
614% mobile malware growth in just one year (2012 - 2013 Juniper Mobile Threat Report)
85 security tools from 45 vendors (IBM client example)
83% of enterprises have difficulty finding the security skills they need (2012 ESG Research)
Slide 3
Sophisticated attackers break through safeguards every day
Attack types: SQL injection, watering hole, physical access, malware, third-party software, DDoS, spear phishing, XSS, undisclosed
Note: Size of circle estimates relative impact of incident in terms of cost to business. Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014
2011: Year of the breach
2012: 40% increase
2013: 500,000,000+ records breached
61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study)
$3.5M+ average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute)
Slide 4
Security leaders are more accountable than ever before
Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series
Loss of market share and reputation
Legal exposure
Audit failure
Fines and criminal charges
Financial loss
Loss of data confidentiality, integrity and/or availability
Violation of employee privacy
Loss of customer trust
Loss of brand reputation
Roles: CEO, CFO/COO, CIO, CHRO, CMO
Your board and CEO demand a strategy
Slide 5
Mainframe Security Landscape
Slide 6
IBM System z is a highly securable environment
Security is embedded into the System z architecture at every layer: processor, hypervisor, operating system, communications, storage, applications
System z security addresses regulatory compliance through:
Extensive security event logging and reporting capabilities
Extensive security certifications, including EAL5+ (e.g., Common Criteria and FIPS 140)
Identity and access management
Hardware and software encryption
Communication security capabilities
Slide 7
Today’s technologies have eliminated “mainframe isolation”
The mainframe is an increasingly desirable target
80% of all active code runs on the mainframe
80% of enterprise data is housed on the mainframe
Internet, Cloud, Social, Mobile, Big Data, Business Innovation
Slide 8
Security challenges specific to the mainframe
Monitoring of security events from System z is often performed by the people that implement security changes!
Poor separation of duties
Window of opportunity to commit fraud
Outdated practices
Staff unable to focus on improving security
Silo approach . . . System z isolated from the Enterprise Security Monitoring practice
Security Monitoring no longer fit for purpose, often running reports that were written 20 years ago . . . the threat and compliance landscape has changed significantly!
Existing SIEM solution does not handle events from the mainframe very well
Many events are not logged or reviewed
Too many critical events are being reported 24+ hours later
Security Monitoring does not meet compliance requirements
Slide 9
... and more challenges
The mainframe can be difficult to hack from the outside world, however it has been done!
Biggest threat to the mainframe is the insider / internal attacks
Those employees with detailed knowledge of the systems – they also know how to circumvent controls
Many Security Monitoring implementations would not detect suspicious/inappropriate activities
Attackers can avoid detection for months/years
Slide 10
Addressing those challenges with IBM Security zSecure
zSecure Admin: Enables more efficient and effective RACF administration, tracking and statistics using significantly fewer resources
zSecure Visual: Helps reduce the need for scarce, RACF-trained expertise through a Microsoft Windows–based GUI for RACF administration
zSecure CICS Toolkit: Provides access to RACF commands and APIs from a CICS environment, allowing additional administrative flexibility
zSecure Manager for RACF z/VM: Combined audit and administration for RACF in the VM environment, including auditing Linux on System z
zSecure Command Verifier: Policy enforcement solution that helps enforce compliance with company and regulatory policies by preventing erroneous commands
zSecure Alert: Real-time mainframe threat monitoring of intruders and alerting to identify misconfigurations that could hamper compliance
zSecure Adapters for QRadar: Collects, formats and sends enriched mainframe System Management Facility (SMF) audit records to IBM Security QRadar SIEM
zSecure Audit: Vulnerability analysis for the mainframe infrastructure; automatically analyzes and reports on security events and monitors compliance
Slide 11
Integrated to improve Security Intelligence
IBM Security QRadar (Embedded Intelligence): automated offense identification, real-time correlation and analytics, anomaly detection, industry and geo trending; output: prioritized incidents
Event and context sources: security devices, network and virtual activity, configuration information, users and identities, vulnerabilities and threats, global threat intelligence, servers and mainframes, data activity, application activity
Servers and mainframes: IBM Security zSecure (z/OS, RACF, ACF2, TSS, CICS, MQ)
Data activity: IBM InfoSphere Guardium (DB2, IMS, VSAM)
Application activity: IBM Security AppScan (web apps, mobile apps, web services, desktop apps)
Slide 12
The zSecure products that enable integration with QRadar
Event sources from System z . . . RACF, CA ACF2, CA Top Secret, z/OS, CICS, DB2
Slide 13
What do the enabling zSecure products deliver?
5655-N17 - IBM Security zSecure Audit for RACF or CA ACF2 or CA Top Secret *
5655-AD8 - IBM Security zSecure Adapters for QRadar SIEM *
5655-N21 - IBM Security zSecure Alert for RACF or CA ACF2 **
* Log file based (sends events collected over time . . hours or days)
** Real time (sends each event seconds after it occurs)
Slide 14
How about if you could transform this . . .
Slide 15
Into this . . .
Slide 16
Scenario # 1 – Inappropriate access to sensitive data on z/OS
Systems Programmer accesses a Payroll file on the mainframe
Slide 17
Scenario # 1 – Monitoring inappropriate access to sensitive data
Who accessed the sensitive resource
What they accessed
Resource is sensitive for read access
Slide 18
Scenario # 1 – Monitoring inappropriate access to sensitive data
Drill down into event detail
zSecure has enriched event data – assists the Security Officer to understand the user involved and what they accessed
Slide 19
Scenario # 2 – Privileged User Activities occurring on System z
Assigning powerful RACF attributes
Modifying the Trusted Computing Base
Logon with powerful emergency user IDs
Slide 20
Scenario # 2 – Monitoring Privileged User activities in QRadar
Events sent to QRadar seconds later, collected and sent to QRadar by zSecure Alert
Slide 21
Scenario # 2 – Monitoring Privileged User activities in QRadar
Drill down into event detail
Detailed information alerts us to the fact that an emergency user ID has been used – big problem for mainframe customers!
Slide 22
Scenario # 3 – Security Administrator activities occurring on System z
Executing RACF Commands
Security Administrator is creating new security definitions on the mainframe
Slide 23
Scenario # 3 – Monitoring Security Administrator activities
A view of the RACF commands that have been executed over a 24 hour period – mainframe customers typically run this type of report on a daily basis!
Event data collected by zSecure Audit
Slide 24
Scenario # 3 – Monitoring Security Administrator activities
Drill down
The actual RACF command that was executed by the Security Administrator
Slide 25
Scenario # 4 – Monitoring your Systems Programmers
Highly sensitive resource – keys to the kingdom!
Could be used to circumvent system security
Slide 26
Scenario # 4 – Monitoring your Systems Programmers
Drill down
Slide 27
Scenario # 5 – Keeping track of Security Violations
A view of security violations for sensitive application datasets
Application data is sensitive for read access
Slide 28
Scenario # 6 – Spot trends in behaviour amongst infrastructure staff
Is this normal for the user?
Slide 29
Scenario # 7 – Who used FTP to transfer sensitive data?
Slide 30
Scenario # 8 – Daily (scheduled) reporting
Customers typically run scheduled monitoring reports
Slide 31
Scenario # 8 – Daily (scheduled) reporting
Schedule a report to monitor who has been reading your sensitive files
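As an added example that is not part of this deck or of the zSecure/QRadar products, the following Python applies the monitoring logic of Scenarios 1, 2, 5, 6 and 8 (inappropriate reads of sensitive datasets, emergency user ID logons, violations, per-user trend checks and a scheduled "who read my sensitive files" report) to a handful of constructed, simplified access events. The event layout, dataset names, user IDs, roles and baseline figures are all assumptions; they are not the real SMF record or zSecure enrichment format.

```python
"""Rule logic for Scenarios 1, 2, 5, 6 and 8 over constructed events (assumed layout, not real SMF/zSecure)."""
from collections import Counter

# Constructed sample events: user, role, action, resource, outcome.
EVENTS = [
    {"user": "SYSPRG1", "role": "SYSPROG", "action": "READ", "resource": "PAYROLL.MASTER", "outcome": "SUCCESS"},
    {"user": "PAYCLK1", "role": "PAYROLL", "action": "READ", "resource": "PAYROLL.MASTER", "outcome": "SUCCESS"},
    {"user": "APPUSR2", "role": "APPDEV", "action": "READ", "resource": "HR.SALARY.DATA", "outcome": "VIOLATION"},
    {"user": "EMERG01", "role": "EMERGENCY", "action": "LOGON", "resource": "TSO", "outcome": "SUCCESS"},
    {"user": "SYSPRG1", "role": "SYSPROG", "action": "UPDATE", "resource": "SYS1.PARMLIB", "outcome": "SUCCESS"},
]
# Constructed policy: datasets that are sensitive for read access and the
# roles with a business need to read them (Scenarios 1, 5 and 8).
SENSITIVE_READ = {"PAYROLL.MASTER": {"PAYROLL"}, "HR.SALARY.DATA": {"PAYROLL", "HR"}}
# Constructed list of powerful emergency user IDs (Scenario 2).
EMERGENCY_IDS = {"EMERG01", "EMERG02"}
# Constructed per-user baseline of successful sensitive reads per day (Scenario 6).
BASELINE_READS = {"PAYCLK1": 20, "SYSPRG1": 0}

def _sensitive_read(e):
    return e["action"] == "READ" and e["resource"] in SENSITIVE_READ and e["outcome"] == "SUCCESS"

def evaluate(events):
    """Return (rule, user, resource) alerts in event order."""
    alerts = []
    for e in events:
        allowed = SENSITIVE_READ.get(e["resource"])
        if allowed is not None and e["outcome"] == "VIOLATION":
            # Scenario 5: a denied access to a sensitive dataset is always reported.
            alerts.append(("S5-violation", e["user"], e["resource"]))
        elif _sensitive_read(e) and e["role"] not in allowed:
            # Scenario 1: a successful read by a role with no business need (e.g. a systems programmer).
            alerts.append(("S1-inappropriate-read", e["user"], e["resource"]))
        if e["action"] == "LOGON" and e["user"] in EMERGENCY_IDS:
            # Scenario 2: any use of an emergency user ID is a high-priority alert.
            alerts.append(("S2-emergency-logon", e["user"], e["resource"]))
    return alerts

def readers_of_sensitive_files(events):
    """Scenario 8 style scheduled report: who read each sensitive file, and how often."""
    report = {}
    for e in filter(_sensitive_read, events):
        report.setdefault(e["resource"], Counter())[e["user"]] += 1
    return report

def unusual_readers(events, factor=3):
    """Scenario 6: users whose sensitive-read count exceeds factor x their daily baseline."""
    counts = Counter(e["user"] for e in filter(_sensitive_read, events))
    return sorted(u for u, n in counts.items() if n > factor * BASELINE_READS.get(u, 0))
```

Calling evaluate(EVENTS) flags the systems programmer's payroll read, the violation on the HR dataset and the emergency ID logon; readers_of_sensitive_files and unusual_readers give the scheduled-report and trend views for the same events.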
Slide 32
Value of zSecure integration with QRadar
Plugs a hole in the Enterprise Security Monitoring practice
Provides a holistic, centralised approach for Security Monitoring
Supports separation of duties – stop the legacy practice of self-policing!
Maximise QRadar capabilities for:
– Log management
– Security Information and Event Management
– Anomaly detection
– Incident forensics
– Configuration Management
– Vulnerability Management
– Risk management
Enhances the monitoring experience with graphical displays and user friendly reporting
Extend best practices and comply with regulatory/legal/compliance requirements
Slide 33
Visit our blog: www.securityintelligence.com
Learn more about IBM Security QRadar SIEM
Download the 2014 Gartner Magic Quadrant for SIEM: http://ibm.co/U7Syom
Visit the IBM QRadar Website: http://ibm.co/QRadar
Visit our Website
Follow us on Twitter: @ibmsecurity
Learn about IBM Security zSecure Adapters for QRadar SIEM
Slide 34
Learn more about IBM Security zSecure solutions
zSecure website
zSecure product library
zSecure information center
zSecure latest release
zSecure forum
zSecure Redbook
Slide 35
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.