Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe

Big Iron to Big Data Analytics for Security,
Compliance, and the Mainframe
Ed Hallock
Director of Product Marketing and
Management

Today’s Presenter
Syncsort Confidential and Proprietary - do not copy or distribute
Ed Hallock is a highly experienced Information Technology Professional
with a broad experience base in software product development, support,
product management, marketing, and business development. In his
diverse career Ed has benefited from working for some of the largest
independent software vendors, in a variety of roles, providing enterprise
solutions to Global 1000 corporations. Ed has extensive experience in
performance and availability management for systems and applications.
He holds a bachelor’s degree in Computer Science from Montclair State
University in Upper Montclair, New Jersey and has presented at numerous
industry events as well as corporate related conferences and seminars.

Agenda
Security Landscape
IBM z/OS Mainframe and Security
SIEM and Big Data Analytics
z/OS Security, Big Data Analytics, and SIEM
Wrap-up/Q&A

The Reality of Security
The number of detected security incidents in 2015 soared by 107% over the year before.
Financial losses from security breaches rose 33% from 2014 to 2015.
68% of organizations worldwide purchased cybersecurity insurance in 2015, an increase of
15% over the year before.
Average information security spending per organization jumped 51% in 2015.
Information provided by PricewaterhouseCoopers (PwC) Global State of Information Security®
Survey
5

Equifax Raided!
Impact is wide-spread and significant
Millions of people effected – SSN’s, credit card info, drivers license numbers
Effects could be felt for years
CIO and CSO forced to resign
6

What is a Breach?
In 2015, there were 781 breaches in the U.S., which exposed more than 169
million records.
– Leading sector for number of records exposed was in healthcare-
medical services
Of all classes of data breach, it’s widely believed that less than half are ever
publicly disclosed.
Among mainframe security experts, the consensus seems to be that the
number of mainframe breaches is substantially higher than the number of
mainframe breaches disclosed.
7
Identity Theft Resource Center (ITRC) defines a data
breach as an incident in which an individual name –
together with a Social Security number or driver’s
license number or medical record or financial record --
is potentially put at risk because of exposure.

Insiders: The Weakest Link
1/3 of all data breaches have been attributed to
insiders
– Employees, contractors, vendors, business
partners, or others who have been granted
privileged access to systems within the
organization
Employees come in many forms:
– employee who has privileged access but
neglects basic precautions
– disgruntled or misguided
– ex-employee that still has credentials
– employee who is duped by an outsider
8

Breach Detection
In 2015, Mandiant, a division of FireEye, in its annual trends report found the average number
of days between a breach and discovery of the breach was 204 days.
– Only 31% of breached enterprises discovered the breach themselves. The rest were all
discovered by outside third parties when it was noticed that the breached data was being
used outside the enterprise.
9

Breach Detection
In 2015, Mandiant, a division of FireEye, in its annual trends report found the average number
of days between a breach and discovery of the breach was 204 days.
– Only 31% of breached enterprises discovered the breach themselves. The rest were all
discovered by outside third parties when it was noticed that the breached data was being
used outside the enterprise.
10

C-Suite Has Taken Notice
Risk of non-compliance with the growing mass of
governmental regulations and industry standards is
causing loss of sleep
C-suite face more rigorous levels of responsibility for
the integrity of enterprise data than did their
predecessors
Potential penalties for failure of oversight are greater
– fines and potentially jail sentences
Not to mention the damage to the corporate brand
when a breach becomes public
11

Organizations Are Investing
J.P. Morgan Chase reported that it was planning to spend half a billion dollars on cybersecurity
in 2016 and 2017
» “The Firm and several other U.S. financial institutions have experienced significant distributed
denial-of-service attacks from technically sophisticated and well-resourced unauthorized parties
which are intended to disrupt online banking services. The Firm and its clients are also regularly
targeted by unauthorized parties using malicious code and viruses.”
Source: J.P. Morgan Chase & Co. 10-Q Quarterly Report
U.S. financial services -- cybersecurity market reached $9.5 billion in 2015, making it the
largest non-governmental cybersecurity market
Source: Homeland Security Research Corp. Banking & Financial Services Cybersecurity: U.S. Market
2015-2020 Report
12

Organizations Are Investing
IDG Security Priorities for 2017
– 46% of organizations will invest in new security needs related to
evolving business models over the next 12 months
– Organizations say that SIEM technology is critical/very important (76%)
when facing threats and attacks, with enterprise organizations
reporting a greater degree of importance (84%)
13

IBM z/OS Mainframe and Security
14

The IBM z/OS Mainframe
For high-volume transactional processing, the mainframe
is the platform favored by large enterprises
Up to 80% of the world’s enterprise data and transactions
reside on or pass through IBM z Systems
MIPS has been on a sharply upward trajectory while the
processing capacity of each individual mainframe keeps
growing…
But the number of actual mainframes within the IT
infrastructure is declining and with it so are the SMEs
Z/OS security has been taken for granted in a lot of cases
15

Is the z/OS Mainframe Secure?
For a long time the platform was viewed as “inherently”
secure
Implied the platform is secure by virtue of its
foundational design
Led organizations to believe that hardly anything needs to
be done to augment it
The assumption that the mainframe is “bullet proof”
tends to make some compliance audits relatively lax
Slow but steady decline in mainframe-specific security
expertise
16

RSA Security Conference in 2016: 30,000 security specialists at RSA versus
80 at SHARE in San Antonio in 2016
500 vendors at RSA offering security and compliance solutions for the
networked and distributed systems versus fewer than 10 vendors at SHARE
Striking differences given the criticality of protecting mainframe systems
17

Most enterprise security monitoring tools do not natively
read mainframe log records.
Blind to security events that occur on the mainframe.
Compliance status of the mainframe at the enterprise
level is “unknown”.
“Security by obscurity” -- breaches of the mainframe
simply are not published very often.
Mainframe breaches are often attributed to a “network
security” failure.
18

The mainframe is not “inherently” secure!
The mainframe is the most “securable” commercially
available computing platform!
Requires sufficiently skilled personnel to implement
effective security controls.
Need efficient monitoring software that enables the
enterprise to receive real-time or near-real-time alerts on
the security and compliance posture of the mainframe.
19

SIEM & Big Data Analytics
20

What is SIEM?
21

What is SIEM?
Security Information and Event Management (SIEM) technology aggregates and provides real-
time analysis of security alerts.
– Event data is produced by security devices, network infrastructures, systems and
applications. The primary source is log data (i.e., SMF RACF records).
Analyze security event data in real time for internal and external threat detection and
management.
– Every organization fears potential hacks and data loss.
Collect, store, analyze and report on log data for incident response, forensics and regulatory
compliance.
– Meeting audit requirements is a key initiative in many vertical industries
SIEM products are gaining additional analytics capabilities around user behavior analytics (UBA)
– understanding user behavior and how it might impact security
22

Big Iron Trends: Increased interest for real-time access to mainframe
machine data (SMF, RMF, log data, etc.) for business analytics
23

Big Iron to Big Data Analytics Challenge
So many data sources
– SMF, Syslog, Log4j web and application logs, RMF,
RACF, USS files and standard datasets
Volume of data
– Millions of SMF records generated daily
Format of data
– Complex data structures (SMF) with headers, product
sections, data sections, variable length and self-
describing
– EBCDIC not recognized outside of the mainframe world
– Binary flags and fields
Difficult to get the information in a timely manner
– Not real-time, typically have to wait overnight for an
offload

z/OS Security, Big Data Analytics, and SIEM
25

Examples of SIEM Use Cases on z/OS
Detect Data Movements
– Inbound/Outbound FTP
Dataset access operations
– Determine potential security threats based on
unauthorized access attempts
– Ensure only authorized users are accessing critical
datasets
Privileged/non-privileged User Activity Monitoring
– Unusual behavior pattern – off hours connections
– High number of invalid logon attempts
Attack Detection
– Intrusion, Scans, Floods
Authentication Anomalies
– Entered the building at 08:30 but logged on from
another country at 09:00
Network Traffic Analysis
– High data volumes from a device/server
26

SIEM: TSO Account & FTP Activity
27
Job Initiations
TSO Account Activity
TSO Lockouts
FTP Session Activity
FTP Transfer Activity

SIEM: Intrusion Detection & TCP/IP Traffic
28
Intrusion Detection showing Port Scans and
Denial of Service Attacks
TCP/IP Network Traffic

SIEM: Dataset Access Analysis
29
Access by type for critical datasets by
user name

SIEM: RACF Violations and Message Trends
30
RACF Violations by type RACF Violations by user
Trend message volumes today vs. same time last week and 2 weeks ago

Integration of z/OS Security with an Enterprise SIEM
Map z/OS security data sources to a common data model within
the SIEM
z/OS security information correlated with security information
from other platforms
Provides an enterprise-wide, integrated view of security across
all platforms
31

Sample Intrusion Center Dashboard With Splunk Enterprise Security™
32
Now shows z/OS® intrusions
and anomalies along with
events from other platforms

Sample Security Posture Dashboard With Splunk Enterprise Security™
33
Now shows z/OS® intrusions
and anomalies along with
events from other platforms

Critical Mainframe Data 
Normalized and Streamed to Splunk with Ironstream®
Log4jFile
Load
SYSLOG
SYSLOGD
logs
security
SMF
50+
types
RMF
Up to
50,000
values
DB2SYSOUT
Live/Stored
SPOOL Data
Alerts
Network
Components
Ironstream
API
Application Data
Assembler
C
COBOL
REXX
USS

Get Ironstream® for SYSLOG for free
35
http://www.syncsort.com/en/TestDrive/Ironstream-Starter-Edition

Industry Leader in Mainframe
Software Products

Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe

Similar to Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe (20)

More from Precisely

More from Precisely (20)

Recently uploaded

Recently uploaded (20)

Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe