Get Mainframe Visibility to Enhance SIEM Efforts in Splunk
Bill Hammond, Product Marketing
Sid Isted, Product Management
Agenda
• Why is Mainframe Security Data Important?
• What Are Customers Looking For?
• Introduction to Ironstream
• Visualizing & Reporting Security Data in Splunk
• Customer Stories
Traditional mainframes continue to adapt and deliver increasing value with each new technology wave.
• 91% of executives predict long-term viability of the mainframe as the platform continues evolving to meet digital business demands
• Up to 80% of the world’s enterprise data and transactions reside on or pass through IBM z Systems
• 2.5 B: that’s 2,500,000,000 business transactions per mainframe per day
• 2000+ organizations overall
Sources: BMC 12th Annual Mainframe Research Results, Nov. 2017; Syncsort 2018 State of Resilience: The New IT Landscape for Executives: Threats, Opportunities and Best Practices, Jan. 2018.
Big Iron to Big Data Analytics Challenges
So many data sources
• Mainframe: Systems Management Facility (SMF), Syslog, Log4j web and application logs, RMF, RACF, USS files and standard datasets
Format of data
• Mainframe: complex data structures (SMF) with headers, product sections, data sections, variable length and self-describing
• EBCDIC not recognized outside of the mainframe world
• Binary flags and fields
Volume of data
• Millions of log records generated daily
• 9.7TB average daily mainframe log data
Difficulty to get the information in a timely manner
• Not real-time, typically have to wait overnight for an offload
• Typical daily FTP upload/downloads can’t get granular
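The SMF format points on this slide (binary fields, packed-decimal dates, EBCDIC text, variable-length self-describing records) as a parser for the SMF standard record header and the offset/length/count section triplets that follow it; this is an added example, not Ironstream code, and the sample record is constructed, with cp037 as the assumed code page and a made-up section payload.

```python
import codecs
import struct
from datetime import date, time, timedelta

EBCDIC = "cp037"                    # assumption: US EBCDIC code page for the constructed record
BASE = struct.Struct(">HHBBI4s4s")  # SMFxLEN SMFxSEG SMFxFLG SMFxRTY SMFxTME SMFxDTE SMFxSID (18 bytes)
EXT = struct.Struct(">4sH")         # SMFxSSI SMFxSTY, present only when subtypes are used (6 bytes)
TRIPLET = struct.Struct(">IHH")     # section offset, section length, section count (8 bytes)
FLG_SUBTYPES = 0x40                 # SMFxFLG bit 1: record carries a subtype field


def ebcdic_text(raw: bytes) -> str:
    """Decode an EBCDIC text field and drop its blank padding."""
    return codecs.decode(raw, EBCDIC).rstrip()


def _packed_date(raw: bytes) -> date:
    """Decode SMFxDTE, packed decimal 0cyydddF: century flag, year, Julian day, sign nibble."""
    digits = raw.hex()
    if len(raw) != 4 or digits[7] != "f":
        raise ValueError("bad SMF packed date")
    century, yy, ddd = int(digits[1]), int(digits[2:4]), int(digits[4:7])
    return date(1900 + 100 * century + yy, 1, 1) + timedelta(days=ddd - 1)


def _time_of_day(hundredths: int) -> time:
    """Decode SMFxTME, hundredths of a second since midnight (big-endian binary)."""
    seconds, cs = divmod(hundredths, 100)
    hh, rem = divmod(seconds, 3600)
    mm, ss = divmod(rem, 60)
    return time(hh, mm, ss, cs * 10_000)


def parse_smf_header(record: bytes) -> dict:
    """Parse the standard header; returns decoded fields plus where the header ends."""
    if len(record) < BASE.size:
        raise ValueError("record shorter than the SMF base header")
    length, _seg, flg, rty, tme, dte, sid = BASE.unpack_from(record)
    if length != len(record):
        raise ValueError(f"RDW length {length} does not match buffer length {len(record)}")
    hdr = {
        "record_type": rty,
        "time": _time_of_day(tme),
        "date": _packed_date(dte),
        "system_id": ebcdic_text(sid),
        "subsystem_id": None,
        "subtype": None,
        "header_length": BASE.size,
    }
    if flg & FLG_SUBTYPES:
        ssi, sty = EXT.unpack_from(record, BASE.size)
        hdr["subsystem_id"] = ebcdic_text(ssi)
        hdr["subtype"] = sty
        hdr["header_length"] = BASE.size + EXT.size
    return hdr


def read_sections(record: bytes, n_triplets: int) -> list:
    """Follow n_triplets (offset, length, count) triplets after the header to their sections.
    Every offset is bounds-checked so a corrupt or hostile record cannot read past the buffer."""
    hdr = parse_smf_header(record)
    pos = hdr["header_length"]
    out = []
    for _ in range(n_triplets):
        if pos + TRIPLET.size > len(record):
            raise ValueError("triplet beyond end of record")
        off, ln, n = TRIPLET.unpack_from(record, pos)
        pos += TRIPLET.size
        if n and (off < hdr["header_length"] or off + ln * n > len(record)):
            raise ValueError(f"section triplet ({off},{ln},{n}) points outside the record")
        out.extend(record[off + i * ln: off + (i + 1) * ln] for i in range(n))
    return out


def build_sample_record() -> bytes:
    """Constructed SMF type 30 subtype 1 style record: header, one triplet, one EBCDIC section.
    Only the standard header layout is real; the section content is made up for this example."""
    section = codecs.encode("TSO LOGON ALICE ", EBCDIC)      # 16 bytes of EBCDIC text
    header_len = BASE.size + EXT.size
    section_off = header_len + TRIPLET.size
    total = section_off + len(section)
    base = BASE.pack(total, 0, FLG_SUBTYPES, 30, 3_621_000,  # 10:03:30.00
                     bytes.fromhex("0118064f"),              # 2018, day 064 = 5 March
                     codecs.encode("SYS1", EBCDIC))
    ext = EXT.pack(codecs.encode("TSO ", EBCDIC), 1)
    return base + ext + TRIPLET.pack(section_off, len(section), 1) + section


if __name__ == "__main__":
    rec = build_sample_record()
    print(parse_smf_header(rec))
    print([ebcdic_text(s) for s in read_sections(rec, 1)])
```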
Security and Compliance Focus
• Detect and prevent security threats
• Privileged activity
• Ensure compliance
• Ensure audits pass
• Enterprise Security (Splunk ES)
Top Security Challenges
• Incorrect definition of User IDs: weak passwords, default passwords with no expiration, incorrect or too high a security privilege for the user
• Weak access controls and security administration for critical databases, datasets, files, and resources
• Network intrusion including unwanted port scans, Denial of Service (DoS) attacks, network flood attacks, malformed network packets, and other intrusions
• Data vulnerability exposures including incorrect/invalid data, including viruses, coming into the IBM system or secure data leaving the system
• Privileged and non-privileged users neglecting basic security precautions mandated by the organization
• Aggregating data from multiple sources in a way that helps drive faster, better decisions
What is SIEM?
Security Information and Event Management
• Real-time analysis of security alerts generated by applications and network hardware
• Holistic, unified view into infrastructure, workflow, policy compliance and log management
• Monitor and manage user and service privileges as well as external threat data
Customer Needs
Example Multi-Tiered System – e.g. Online Banking (diagram of tiers: Users, Firewall, Load Balancers, Web Servers, Middleware, Supporting Servers, Mainframe, Db2)
What Customers are Looking For...
• High-performance, low-cost platform for collecting critical system information in real-time from the mainframe
• Normalization of the z/OS data so it can be used by off-platform analytics engines
• Full analytics, visualization, and customization with no limitations on what can be viewed
• Ability to easily combine information from different data sources and systems
• Address the SME challenge: use by network managers, security analysts, application analysts, enterprise architects without requiring mainframe access or expertise
What Can Mainframe Data Tell You?
Detect Data Movements
• Inbound/Outbound FTP
Dataset access operations
• Determine potential security threats based on unauthorized access attempts
• Ensure only authorized users are accessing critical datasets
Privileged/non-privileged User Activity Monitoring
• Unusual behavior pattern – off hours connections
• High number of invalid logon attempts
Attack Detection
• Intrusion, Scans, Floods
Authentication Anomalies
• Entered the building at 08:30 but logged on from another country at 09:00
Network Traffic Analysis
• High data volumes from a device/server
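Detection logic for three of the patterns on this slide (a burst of invalid logon attempts, off-hours connections, and the building-entry-versus-logon location mismatch), written as an added example for this page rather than Ironstream or Splunk code; the events are constructed, and their field names are assumptions standing in for logon records already normalized from SMF type 30/80 data.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample events in one flat, already-normalized shape (what a forwarder
# would deliver to Splunk after decoding SMF records). Field names are assumptions.
SAMPLE_EVENTS = [
    # ALICE badges into the US office at 08:30, then a TSO logon arrives from DE at 09:00
    {"ts": "2018-03-05T08:30:00", "user": "ALICE", "kind": "badge", "result": "success", "country": "US"},
    {"ts": "2018-03-05T09:00:00", "user": "ALICE", "kind": "tso_logon", "result": "success", "country": "DE"},
    # BOB: six failed TSO logons inside four minutes
    {"ts": "2018-03-05T10:00:00", "user": "BOB", "kind": "tso_logon", "result": "failure", "country": "US"},
    {"ts": "2018-03-05T10:00:40", "user": "BOB", "kind": "tso_logon", "result": "failure", "country": "US"},
    {"ts": "2018-03-05T10:01:20", "user": "BOB", "kind": "tso_logon", "result": "failure", "country": "US"},
    {"ts": "2018-03-05T10:02:00", "user": "BOB", "kind": "tso_logon", "result": "failure", "country": "US"},
    {"ts": "2018-03-05T10:02:45", "user": "BOB", "kind": "tso_logon", "result": "failure", "country": "US"},
    {"ts": "2018-03-05T10:03:30", "user": "BOB", "kind": "tso_logon", "result": "failure", "country": "US"},
    # DAVE: two typos hours apart, then success; normal behaviour that must not alert
    {"ts": "2018-03-05T11:00:00", "user": "DAVE", "kind": "tso_logon", "result": "failure", "country": "US"},
    {"ts": "2018-03-05T15:00:00", "user": "DAVE", "kind": "tso_logon", "result": "failure", "country": "US"},
    {"ts": "2018-03-05T15:00:30", "user": "DAVE", "kind": "tso_logon", "result": "success", "country": "US"},
    # CAROL: a successful logon at 02:15, outside the business window
    {"ts": "2018-03-06T02:15:00", "user": "CAROL", "kind": "tso_logon", "result": "success", "country": "US"},
]


def _parse(events):
    """Return a time-ordered copy of the events with ts parsed to datetime."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def invalid_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logons inside any span of length `window`.
    Returns {user: peak failure count seen in one window}."""
    failures = defaultdict(list)
    for e in _parse(events):
        if e["kind"] == "tso_logon" and e["result"] == "failure":
            failures[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def off_hours_logons(events, day_start=time(7, 0), day_end=time(19, 0)):
    """Successful logons outside [day_start, day_end); returns [(user, ISO timestamp)]."""
    return [(e["user"], e["ts"].isoformat()) for e in _parse(events)
            if e["kind"] == "tso_logon" and e["result"] == "success"
            and not day_start <= e["ts"].time() < day_end]


def badge_logon_mismatches(events, max_gap=timedelta(hours=1)):
    """Building entry in one country followed within max_gap by a logon from another.
    Returns [(user, badge country, logon country)]."""
    last_badge = {}
    hits = []
    for e in _parse(events):
        if e["kind"] == "badge" and e["result"] == "success":
            last_badge[e["user"]] = e
        elif e["kind"] == "tso_logon" and e["result"] == "success":
            badge = last_badge.get(e["user"])
            if badge and e["ts"] - badge["ts"] <= max_gap and badge["country"] != e["country"]:
                hits.append((e["user"], badge["country"], e["country"]))
    return hits


if __name__ == "__main__":
    print("invalid logon bursts:", invalid_logon_bursts(SAMPLE_EVENTS))
    print("off-hours logons:", off_hours_logons(SAMPLE_EVENTS))
    print("badge/logon mismatches:", badge_logon_mismatches(SAMPLE_EVENTS))
```

The thresholds and business-hours window are parameters because the right values depend on the site; tune them against a baseline of normal TSO activity before alerting on them.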
Introduction to Ironstream
Ironstream® Architectural Considerations
(Diagram: Ironstream feeds data from the IBM z Mainframe and IBM i System alongside other enterprise sources: online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom apps, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, smartphones and devices, RFID, call detail records; deployments shown as on-premises, private cloud and public cloud.)
Ultra Light Weight
• Minimal CPU impact even for billions of SMF records
Non-intrusive
• Collect data from critical system
• Zero impact to throughput
Fast
• Collect data in real-time
Secure and Reliable
• Error recovery
• Data loss prevention
• Security
• Load balancing
Ironstream® for z/OS (Mainframe)
(Diagram labels: z/OS; Ironstream Data Forwarder with real-time collection; TCP/IP; Ironstream Desktop (IDT); Data Collection Extension (DCE); SYSOUT live/stored SPOOL data; Db2; USS; IMS; alerts; network components; Forwarder API and application data from Assembler, COBOL, C and REXX; SYSLOG; SYSLOGD; SMF; RMF; file load; Log4j.)
Ironstream® provides…
Real-time Visibility into Mainframe Security Event Data:
• Authentication and access failures
• Creation or deletion of users
• Changes to user security information, passwords, and access rights
• Log-in activity
• Excessive data transmissions
• Unusual movement of data
• Intrusion detection, Denial of Service
Ironstream & Splunk for Security and Compliance (SIEM)
Easier to identify unauthorized mainframe access or other security risks and ability to meet increasing compliance requirements
Challenges Addressed
• Tracking security related issues including password changes, login success and failures, account lock outs, dataset access, FTP activity
• Identify changes in access patterns to detect potential security threats
• Move from post event forensics to real-time monitoring of the security environment
• Fulfillment of mandatory security and compliance audits to meet corporate and regulatory requirements
• Eliminate manual reporting along with the delay required to get the information, by accessing it in real-time
Visualizing & Reporting Security Data in Splunk
Ironstream z/OS Security Specific Data Collection
• Intrusion Detection (port scans, floods/DoS attacks, malformed data packets) – z/OS Traffic Regulation Management Daemon (TRMD) + SYSLOGD + Base network management component
• TSO logon tracking – SMF30
• TSO account activity (create, update, delete, lockout) – SMF80
• FTP authentications – SYSLOGD + Base network management component
• FTP change analysis (file create, read, update, delete) – SMF119
• IP traffic analysis – SMF119
• Network events (pre-defined + user-defined) – Base network management component
Syncsort z/OS Security Dashboard
(Dashboard panels: Job Initiations, TSO Account Activity, TSO Lockouts, FTP Session Activity, FTP Transfer Activity)
Syncsort z/OS Security Dashboard
(Dashboard panels: TCP/IP Network Traffic; Intrusion Detection showing Port Scans and Denial of Service Attacks)
Ironstream Splunk Integrations
Integrates with Splunk Enterprise Security (SIEM)
• Splunk Enterprise Security is a premium app that provides an enterprise-wide view of security across all platforms
Integrates with Splunk IT Service Intelligence (ITOA)
• Splunk IT Service Intelligence (ITSI) is a premium app that delivers a unique “service-centric” view of critical internal and customer-facing business services
Ironstream Data Model for Mainframe
• The Syncsort Ironstream Data Model for Mainframe provides a structured and logical view of mainframe log data elements in Splunk for faster searching, analysis and Splunk development
Ironstream z/OS Security & Splunk Enterprise Security
All collected data sources can also be mapped to the Splunk CIM for Enterprise Security and automatically exposed in ES dashboards along with security information from other platforms
• This requires Ironstream for Splunk Enterprise Security to be installed
• This provides an enterprise-wide, integrated view of security across all platforms via ES dashboards provided by Splunk
Syncsort Confidential and Proprietary - do not copy or distribute
Sample: Splunk Enterprise Security™ Security Posture Dashboard
Now shows z/OS® intrusions and anomalies along with events from other platforms
Customer Stories
Federal law-enforcement agency
The combination of Splunk and Ironstream® delivered the ability to obtain full visibility—in real time—into the most sensitive authentication procedures and data across its IT environment, ultimately enabling it to fulfill its audit obligations with ease.
OBJECTIVE
• Ability to respond to ever-changing reporting requests from its auditors in order to prove compliance with information-security requirements
• Visibility into history as well as the current status of enterprise security information
CHALLENGE
• While they were using Splunk Enterprise, they were missing critical mainframe data
• Mainframe logs had sensitive authentication information on password changes, log-in successes and failures and locked accounts
SOLUTION
• Syncsort Ironstream was chosen to provide access to necessary log data
• Data is forwarded automatically and in real-time
BENEFIT
• The customer for the first time now has full visibility into the most sensitive authentication procedures and data
• Ironstream and Splunk combine to give them the ability to respond to reporting and compliance needs
U.S.-based Loan Service Provider
Ironstream provided access to previously inaccessible data to help support one of their most critical monitoring efforts.
“If you’re asking us what the easier solution is to install and configure, it’s Ironstream”
OBJECTIVE
• To monitor mainframe IT operations to track health of service delivery for Loan Service Providers
• Capture mainframe business data in support of system and application monitoring in Splunk
CHALLENGE
• Required several data feeds including SMF, SYSLOG and SYSOUT for batch job monitoring
• Filtering the log data to selected jobs
• Required the ability to load business data from sequential files
SOLUTION
• Syncsort Ironstream was chosen over IBM CDP, particularly for its ease of installation and configuration
• Now able to forward the required log data and filter it to specific messages and jobs
BENEFIT
• Able to monitor Loan Service IT Operations via Splunk
• Partnered with Winward, who were familiar with Syncsort Ironstream, for Splunk development
Ironstream Security and Compliance Benefits
• Quickly detect fraudulent activity, enabling faster remediation
• Successfully comply with regulatory requirements and address security auditing and control policies
• Integrate IBM system security events into Splunk’s SIEM solution for centralized analysis
• Monitor and detect incorrect security definitions, weak access controls, as well as valid and invalid access to critical resources and data
• Monitor data vulnerability issues including the movement of data onto and off IBM systems
• Monitor, detect, and prevent network intrusions
Why Ironstream
Less Complexity
• Collect mainframe and IBM i data; correlate with data from other platforms; no legacy system expertise required
Clearer Security Information
• Identify unauthorized mainframe and IBM i server access and other security risks; prepares and visualizes key data for compliance audits
Healthier IT Operations
• Real-time alerts identify problems in all key environments; view latency, transactions per second, exceptions, etc.
Effective Problem-Resolution Management
• Real-time views to identify real or potential failures earlier; view related 'surrounding' information to support triage, repair or prevention
Higher Operational Efficiency
• Enhanced event correlation across systems; staff resolves problems faster; “do more with less”
Eliminate Your Mainframe “Blind-Spots”
• Splunk/Elastic + Ironstream = Your 360ᵒ Enterprise View
Q & A
Mainframe Security – Data Challenges
• Data from multiple sources
• TSO logon tracking – SMF Type 30
• TSO account activity (create, update, delete, lockout) – SMF Type 80
• Port scans, DoS attacks, malformed data packets – TRMD and SyslogD
• FTP authentications and file analysis (file create, access, update, delete) – SMF Type 119 Records and IP traffic analysis information
• Network events – Ironstream® Network Monitoring Component
Gartner Magic Quadrant for SIEM
• During the past year, demand for SIEM technology has remained strong. The SIEM market grew from $1.999 billion in 2016 to $2.180 billion in 2017
• Threat management is the primary driver, and general monitoring & compliance remains secondary
• The SIEM market continues to be dominated by relatively few large vendors. Splunk, Micro Focus (including the ArcSight and Sentinel SIEMs), IBM, LogRhythm and McAfee command a significant share of market revenue.