Today’s world of complex regulatory requirements and evolving security threats requires you to find simple ways to monitor all IBM i system and database activity, identify security threats and compliance issues in real time, produce clear and concise reports, and maintain an audit trail to satisfy security officers and auditors.
IBM i log files and journals are rich sources of system and database activity. However, they are in their own proprietary format, and they are not easy to manually analyze for security events. View this webinar on-demand to learn more about:
• Key IBM i log files and static data sources that must be monitored
• Automating real-time analysis of log files to identify threats to system and data security
• Integrating IBM i security data into SIEM solutions for a clear view of security across multiple platforms
2. Housekeeping
Webcast Audio
• Today’s webcast audio is streamed through your computer speakers.
• If you need technical assistance with the web interface or audio,
please reach out to us using the chat window.
Questions Welcome
• Submit your questions at any time during the presentation
using the chat window.
• We will answer them during our Q&A session following the
presentation.
Recording and slides
• This webcast is being recorded. You will receive an
email following the webcast with a link to download
both the recording and the slides.
Jeff Uehling
3. Agenda
• Why monitoring and reporting is critical
• Key IBM i data sources that must be monitored
• Automating real-time analysis of log files with Assure Security
• Integrating IBM i security data into SIEM solutions
• Next-level monitoring of Db2 data views
• Q&A
5. Monitoring IBM i Security is Essential to Compliance
Monitoring changes to systems and data is necessary to
• Identify security incidents
• Identify deviations from compliance and security policies
Auditing and monitoring is best practice
• It gives you visibility into activity on your system – a great place to start
• It is a line of defense against an undetected breach
Regulations require that you track changes to your system and its data
• PCI DSS
• HIPAA
• GDPR
• SOX
• 23 NYCRR 500
• And more
6. Regulations Require Monitoring
General Data Protection Regulation (GDPR)
Enforcement date: 25 May 2018
Regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA)
Applies to all organizations doing business with EU citizens
Aims primarily to give citizens and residents protection of, and control over, their personal data, including
• Access control
• Sensitive data protection
• Restricted user privileges
• System activity logging
• Risk assessments
New York Dept. of Financial Services Cybersecurity Regulation (NYS 23 NYCRR 500)
Enforcement date: February 15, 2018
Requires banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program designed to protect consumers and to ensure the safety and soundness of New York State's financial services industry.
Requirements protect the confidentiality, integrity and availability of information systems, including
• Risk assessments
• Restricted user privileges
• Automatic logouts
• Antivirus
• Multi-factor authentication
• System activity logging
Sarbanes–Oxley Act (SOX)
Enacted July 30, 2002
United States federal law that sets requirements for U.S. public companies; certain provisions apply to private companies
Requires companies to assess the effectiveness of internal controls and report this assessment annually to the SEC.
Any review of internal controls would not be complete without addressing controls around information security, including
• Security policy
• Security standards
• Access and authentication
• Network security
• Monitoring
• Segregation of duties
8. IBM i OS Audit Foundation
IBM i has powerful audit logs
• System (security audit) journal – QAUDJRN
• Database (application) journals – for before and after images of changed records
• QHST log files – DSPLOG command
• System message queues – QSYSOPR, QSYSMSG
Turn on auditing (the CHGSECAUD command creates QAUDJRN and its receiver and sets the QAUDCTL and QAUDLVL system values), save journal receivers before you detach and delete them, and take advantage of everything the operating system can log for you
Reporting capabilities in the OS are limited
9. QSYSOPR, QHST and QSYSMSG
QSYSOPR and QHST
• Message queue and history files
• DSPMSG and DSPLOG commands to view data
• Monitor on your own, without a lot of detailed query capabilities
• Lots of information in the data
• Info on jobs, system configuration changes, system limits, system status
QSYSMSG
• Optional message queue (create a message queue named QSYSMSG in library QSYS and the system routes critical messages to it)
• DSPMSG to view data
• Monitor on your own, without a lot of detailed query capabilities
• Important system status messages
• Critical conditions, warnings and failure messages
Vendor products can monitor and alert on critical conditions
10. QAUDJRN – Security Audit Journal
System wide (applies to all users; selected by the QAUDLVL system value)
• Object create and delete (CO and DO entries)
• Security/system functions (for example SV for system value changes, CP for user profile changes)
• Sign-on failures (PW entries) and authority failures (AF entries)
• Job auditing
• Network auditing
• Many, many more audit record types…
Object specific auditing (CHGOBJAUD)
• Object read and write (open of a *FILE, call of a *PGM, etc.) – ZR and ZC entries
User specific auditing (CHGUSRAUD)
• Security/system functions performed by the audited user
• Command auditing (CD entries)
• Object read and write
12. DSPJRN to an Outfile – Viewing QAUDJRN Audit Entries
IBM i has a model outfile in QSYS for each audit journal entry type
• QASYxxJy where
• xx = the two-letter audit journal entry type
• y = the file format (use value 5, which matches OUTFILFMT(*TYPE5) on DSPJRN)
Duplicate the model file for the entry type you want (AF, authority failure, in this example) and then dump the journal entries into it:

    CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
              TOLIB(QTEMP)
    DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
           FROMTIME('08/18/2019' '08:00:00') JRNCDE((T)) ENTTYP(AF) +
           OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYAFJ5)

JRNCDE((T)) selects audit entries (journal code T) and ENTTYP(AF) the authority-failure entry type; the same pattern works for any other type by substituting its model file and ENTTYP value. Writing the outfile to QTEMP keeps the extract job-scoped; use a permanent library if the file must be kept as evidence.
CL Command – CPYAUDJRNE
• Performs the CRTDUPOBJ of the QSYS/QASYxxJ5 model outfile and the subsequent DSPJRN to the outfile in one simplified step
• Names each output file by appending the entry type to the OUTFILE name you give it (for example OUTFILE(QTEMP/QAUDIT) with ENTTYP(AF) produces QTEMP/QAUDITAF)
See the Security Reference, appendix F, in the Knowledge Center for the layout of all security audit records.
13. View Audit Journal Data in an OUTFILE
Quick View of the Audit Data
    RUNQRY QRY(*NONE) QRYFILE(QTEMP/QAUDITAF)
QAUDITAF is the file CPYAUDJRNE produces from OUTFILE(QTEMP/QAUDIT) with ENTTYP(AF); if you ran DSPJRN yourself, query the OUTFILE you named (QTEMP/QASYAFJ5 in the previous example). The file name must match whichever command you used.
Detailed Analysis of the Audit Data
• SQL or STRQRY against the outfile
• Newer releases also provide SQL table functions that read QAUDJRN directly without an outfile (QSYS2.DISPLAY_JOURNAL, and the per-entry-type SYSTOOLS.AUDIT_JOURNAL_xx functions such as AUDIT_JOURNAL_AF), which is usually the simplest route for ad hoc analysis
17. New
Assure Security
A comprehensive solution that addresses all
aspects of IBM i security and helps to ensure
compliance with cybersecurity regulations.
Whether your business needs to implement a
full set of security capabilities, or you need to
address a specific vulnerability, Assure
Security is the solution.
18. Data Privacy
Protect the privacy of data at-rest
or in-motion to prevent data
breaches
Access Control
Ensure comprehensive control of
unauthorized access and the
ability to trace any activity,
suspicious or otherwise
Compliance Monitoring
Gain visibility into all security activity
on your IBM i and optionally
feed it to an enterprise console
Security Risk Assessment
Assess your security threats
and vulnerabilities
Assure Security
addresses the issues on every
security officer and IBM i
administrator’s radar screen
19. Assure Security
Assure Data Privacy
• Assure Encryption
• Assure Secure File Transfer
Assure Compliance Monitoring
• Assure Monitoring and Reporting
• Assure Db2 Data Monitor
Assure Access Control
• Assure System Access Manager
• Assure Elevated Authority Manager
• Assure Multi-Factor Authentication
Security Risk Assessment
Assure Monitoring and Reporting monitors IBM i system and database activity and produces clear, concise alerts and reports that identify compliance deviations and security incidents
20. Two modules are sold separately or together
• Assure Monitoring and Reporting – Database Module
• Assure Monitoring and Reporting – System Module
SIEM option
• Assure Monitoring and Reporting SIEM Add-on forwards security data
to a variety of Security Information and Event Management solutions
Assure Monitoring and
Reporting Modules
21. Assure Monitoring & Reporting
Comprehensive monitoring of system and database activity
• Powerful query engine with extensive filtering
• Includes out-of-the-box, customizable models for ERP applications or GDPR compliance
• Provides security and compliance event alerts via e-mail, popup or syslog
• Produces easy-to-read reports continuously, on a schedule or on demand
• Supports multiple report formats including PDF, XLS, CSV and IBM i physical file (PF)
• Distributes reports via SMTP, FTP or the IFS
• Optionally forwards security data to Security Information and Event Management (SIEM) consoles such as IBM QRadar, ArcSight, LogRhythm, LogPoint, and Netwrix
• No application modifications required
22. Expand Your Visibility
Assure Security will create a complete audit trail of security events on
your system, such as:
• System and data access attempts
• Actions of powerful user profiles
• Failed login attempts
• Data decryption
• And more
Plus, Monitor and report on static security information
• Users, Groups, System values, Security Configuration, etc.
Extract data from the security logs for better defense against breach
23. Analyzing IBM i Audit Logs
IBM i log files are comprehensive, tamper-resistant (journal entries cannot be edited once written, although a sufficiently authorized user can delete receivers, so save them and forward copies off the system) and trusted by auditors, BUT they are not easy to analyze
Monitoring and reporting tools are needed to:
• Simplify the process of analyzing complex IBM i journals
• Filter through the massive amount of information in your logs
• Detect security incidents and raise alerts
• Quickly highlight compliance deviations
• Deliver reports in multiple formats to compliance and security auditors, partners, customers and your management team
• Relieve your team of the burden of manual analysis
Assure Security will help you extract insight from your logs
24. Benefits of Assure
Monitoring and Reporting
• Comprehensively monitors system and database activity
• Enables quick identification of security incidents and
compliance deviations when they occur
• Monitors the security best practices you have implemented
• Enables you to meet regulatory requirements for GDPR, SOX,
PCI DSS, HIPAA and others
• Satisfies requirements for a journal-based audit trail
• Simplifies the process of analyzing complex journals
• Provides real segregation of duties and enforces the
independence of auditors
25. Assure Monitoring and Reporting Advantages
IBM i security monitoring is a mature discipline with many products that offer:
• Detailed audit journal (QAUDJRN) monitoring and reporting
• Monitoring of unusual changes made to files outside the normal application flow
• Detailed filtering to eliminate "noise" from the journal data
• Complete reporting capabilities
Assure Monitoring and Reporting has unique strengths in:
• Dynamic mapping capabilities that make it easy to reformat and manipulate values in reports
• Choices for reporting frequency (yearly, monthly, daily, hourly, by the minute or second, on demand, or any combination)
• SIEM integration, including IBM QRadar certification
26. Sample Reports
These are just a handful of the reports you could create with Assure Monitoring and Reporting
• File accesses outside business hours
• Accesses to sensitive database fields
• Changes of more than 10% to a credit limit field
• All accesses from a specific IP address
• Command line activity for powerful users (*ALLOBJ, *SECADM)
• Changes to system values, user profiles, and authorization lists
• Attempts to sign into a specific account
• Actions on a sensitive spool file, such as display or deletion of the payroll spool file
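The sample reports above, like the outfile produced by DSPJRN or CPYAUDJRNE on the earlier slides, come down to filter rules over audit journal rows. The following added example, which is not code from the webinar or from Assure Security, shows such rules in Python over a constructed CSV export of QAUDJRN entries: a sign-on attempt against a monitored account, a burst of invalid passwords from one job, off-hours reads of a sensitive file, command-line activity by powerful users, security configuration changes and authority failures. The column names, the policy sets (POWERFUL_USERS, SENSITIVE_FILES, MONITORED_ACCOUNTS), the thresholds and the sample rows are assumptions constructed for the example; the real QASYxxJ5 field names are in the Security Reference, appendix F.

```python
"""Rule-based triage of exported QAUDJRN entries.

Added example: not code from the webinar or from Assure Security.
SAMPLE_CSV is constructed to resemble a CSV export of audit journal
entries (for example CPYAUDJRNE followed by CPYTOIMPF). The column
names are simplified assumptions, not the real QASYxxJ5 field names
(those are in the Security Reference, appendix F). The entry types
are real QAUDJRN types: PW invalid password, ZR read of object,
CD command string, SV system value change, AF authority failure.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, time

SAMPLE_CSV = """\
entry_type,timestamp,user,job,program,object,library,detail
PW,2019-08-19 02:11:03,QSECOFR,QZDASOINIT,QZDASOINIT,,,invalid password
PW,2019-08-19 02:11:09,QSECOFR,QZDASOINIT,QZDASOINIT,,,invalid password
PW,2019-08-19 02:11:15,QSECOFR,QZDASOINIT,QZDASOINIT,,,invalid password
PW,2019-08-19 09:30:00,BOB,QPADEV0001,QSIGNON,,,invalid password
ZR,2019-08-19 03:05:44,JOEUSER,QPADEV0002,QDBOPEN,PAYROLL,PRODDATA,open for read
ZR,2019-08-19 10:15:00,JOEUSER,QPADEV0002,QDBOPEN,PAYROLL,PRODDATA,open for read
CD,2019-08-19 11:00:01,ALICE,QPADEV0003,QCMD,,,CHGUSRPRF USRPRF(BOB) SPCAUT(*ALLOBJ)
CD,2019-08-19 11:02:10,BOB,QPADEV0001,QCMD,,,DSPLIB QGPL
SV,2019-08-19 11:05:00,ALICE,QPADEV0003,QCMD,QAUDLVL,QSYS,*AUDLVL2 removed
AF,2019-08-19 11:06:00,BOB,QPADEV0001,QDBOPEN,PAYROLL,PRODDATA,not authorized
"""

# Policy inputs (assumptions for the example). On a real system the set of
# powerful users would come from DSPUSRPRF or QSYS2.USER_INFO.
POWERFUL_USERS = {"ALICE", "QSECOFR"}           # hold *ALLOBJ / *SECADM
SENSITIVE_FILES = {("PRODDATA", "PAYROLL")}     # (library, file)
MONITORED_ACCOUNTS = {"QSECOFR"}                # sign-on attempts always reported
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # weekdays only
PW_BURST_THRESHOLD = 3                          # PW entries per (user, job) ...
PW_BURST_WINDOW_SEC = 60                        # ... within this many seconds


def parse_rows(text):
    """Parse the export; the timestamp column becomes a datetime in 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def outside_business_hours(ts):
    """True on weekends or outside 08:00-18:00 on a weekday."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def analyze(rows):
    """Apply the report rules; return a list of (rule, detail) findings."""
    findings = []
    pw_stamps = defaultdict(list)
    for row in rows:
        et = row["entry_type"]
        if et == "PW":
            if row["user"] in MONITORED_ACCOUNTS:
                findings.append(("PW_MONITORED_ACCOUNT", row))
            pw_stamps[(row["user"], row["job"])].append(row["ts"])
        elif et in ("ZR", "ZC") and (row["library"], row["object"]) in SENSITIVE_FILES:
            if outside_business_hours(row["ts"]):
                findings.append(("SENSITIVE_ACCESS_OFF_HOURS", row))
        elif et == "CD" and row["user"] in POWERFUL_USERS:
            findings.append(("POWERFUL_USER_COMMAND", row))
        elif et in ("SV", "CP"):
            findings.append(("SECURITY_CONFIG_CHANGE", row))
        elif et == "AF":
            findings.append(("AUTHORITY_FAILURE", row))
    # Sliding window: threshold or more PW entries for one (user, job) inside the window.
    for (user, job), stamps in pw_stamps.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while (j + 1 < len(stamps)
                   and (stamps[j + 1] - stamps[i]).total_seconds() <= PW_BURST_WINDOW_SEC):
                j += 1
            if j - i + 1 >= PW_BURST_THRESHOLD:
                findings.append(("PW_BURST", {"user": user, "job": job, "count": j - i + 1,
                                              "first": stamps[i], "last": stamps[j]}))
                break
    return findings


def summarize(findings):
    """Count findings per rule, the shape a daily compliance report needs."""
    return Counter(rule for rule, _ in findings)


def run(text=SAMPLE_CSV):
    return analyze(parse_rows(text))


if __name__ == "__main__":
    for rule, detail in run():
        print(rule, detail.get("user"), detail.get("ts") or detail.get("first"))
```

Run as a script it prints one line per finding. The business-hours window and the burst threshold are deliberately parameters: on a live system most of the "noise" the next slide talks about comes from tuning them, not from the rules themselves. A real feed would replace SAMPLE_CSV with the CPYTOIMPF output of the QAUDITxx files, or with the result set of an SQL query over the outfile.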
35. What is SIEM?
Security Information and Event Management
• Real-time analysis of security alerts generated by applications and network hardware
• Holistic, unified view into infrastructure, workflow, policy compliance and log management
• Monitor and manage user and service privileges as well as external threat data
36. Enterprise Security Monitoring
Monitoring and reporting tools can forward IBM i security data to a Security Information and Event Management (SIEM) solution to:
• Integrate IBM i security data with data from other IT platforms
• Enable advanced analysis of security data using correlation, pattern matching, and threat detection
• Share information across teams
• Integrate with case management and ticketing systems
Monitor IBM i security along with the other platforms in your enterprise
37. What Can You Detect with a SIEM?
• Data movement – inbound/outbound FTP
• Dataset access operations
• Potential security threats, based on unauthorized access attempts
• Whether only authorized users are accessing critical datasets
• Privileged/non-privileged user activity
• Unusual behavior patterns – off-hours connections
• High numbers of invalid logon attempts
• Attack detection – intrusion, scans, floods
• Authentication anomalies – e.g. entered the building at 08:30 but logged on from another country at 09:00
• Network traffic analysis – high data volumes from a device/server
• And much more
38. Assure Security Gateway – Sources, Processing and SIEM Targets
Sources (Assure Security for IBM i):
• Assure System Access Manager – exit point control
• Assure Monitoring and Reporting – system and database activity and static data sources
• Assure Elevated Authority Manager – privileged access management
• Assure Multi-Factor Authentication – reinforced login management
Assure Security Gateway processing:
• Connects to the different log sources
• Filters the events
• Categorizes the message
• Enriches the message
• Builds the message
• Selects the message format: *LEEF, *CEF, *RFC3164, *RFC5424 or user-defined
• Optimizes
• Secures and encrypts the transport with SSL/TLS
• Sends as syslog, to a Db2 file, or to a stream file
• Sends a heartbeat to the SIEM
SIEM targets (with the DSM and event properties defined on the SIEM side):
• HPE ArcSight
• Splunk
• LogRhythm
• McAfee
• AlienVault
• SolarWinds
• Etc.
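The gateway's "selects the message format" step (*LEEF, *CEF, *RFC3164, *RFC5424) is the part of the pipeline where mistakes are cheapest to make and hardest to notice: an unescaped pipe in a CEF header or an unescaped equals sign in an extension value silently shifts every field the SIEM parses after it. The following added Python example, which is not the Assure Security Gateway's code and not from the webinar, builds CEF and LEEF 1.0 payloads for a constructed AF (authority failure) event and frames them as RFC 5424 syslog; the vendor/product strings, the field mapping and the sample event are assumptions made for the example.

```python
"""Encode one IBM i audit event for a SIEM as CEF or LEEF, framed as an
RFC 5424 syslog record.

Added example: not the Assure Security Gateway's code and not from the
webinar. It applies the public CEF, LEEF 1.0 and RFC 5424 rules to a
constructed AF (authority failure) event; the vendor/product strings
and the field mapping are assumptions.
"""
from datetime import datetime, timezone

FACILITY_LOG_AUDIT = 13   # RFC 5424 facility "log audit"
SEVERITY_WARNING = 4      # RFC 5424 severity "warning"

SAMPLE_EVENT = {          # constructed, not real data
    "entry_type": "AF", "name": "Authority failure", "severity": 6,
    "time": datetime(2019, 8, 19, 11, 6, 0, tzinfo=timezone.utc),
    "system": "IBMIPROD", "user": "BOB", "program": "QDBOPEN",
    "library": "PRODDATA", "object": "PAYROLL",
    # '|' and '=' are included on purpose to exercise the escaping rules
    "detail": "Not authorized to object | type=*FILE, key=value",
}


def cef_escape(value, header=False):
    """CEF: backslash and pipe are escaped in header fields; backslash,
    equals sign and line breaks in extension values."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return (s.replace("=", "\\=").replace("\r\n", "\\n")
             .replace("\n", "\\n").replace("\r", "\\n"))


def to_cef(event, vendor="ExampleVendor", product="IBMi-Audit", version="1.0"):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = [vendor, product, version, event["entry_type"], event["name"], event["severity"]]
    ext = {
        "rt": event["time"].strftime("%b %d %Y %H:%M:%S"),   # CEF's MMM dd yyyy HH:mm:ss
        "suser": event["user"],
        "dhost": event["system"],
        "sproc": event["program"],
        "fname": f'{event["library"]}/{event["object"]}',
        "msg": event["detail"],
    }
    head = "|".join(cef_escape(h, header=True) for h in header)
    body = " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())
    return f"CEF:0|{head}|{body}"


def to_leef(event, vendor="ExampleVendor", product="IBMi-Audit", version="1.0"):
    """LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value ..."""
    head = "|".join(str(h).replace("|", " ")
                    for h in (vendor, product, version, event["entry_type"]))
    attrs = {
        "devTime": event["time"].strftime("%b %d %Y %H:%M:%S"),
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",
        "usrName": event["user"],
        "identHostName": event["system"],
        "resource": f'{event["library"]}/{event["object"]}',
        "sev": event["severity"],
        "msg": event["detail"],
    }
    # LEEF 1.0 attributes are tab separated, so a tab inside a value would split it.
    body = "\t".join(f"{k}={str(v).replace(chr(9), ' ')}" for k, v in attrs.items())
    return f"LEEF:1.0|{head}|{body}"


def rfc5424(msg, hostname, app_name, facility=FACILITY_LOG_AUDIT,
            severity=SEVERITY_WARNING, when=None):
    """<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG"""
    pri = facility * 8 + severity
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:                     # treat naive times as UTC
        when = when.replace(tzinfo=timezone.utc)
    ts = (when.astimezone(timezone.utc).isoformat(timespec="milliseconds")
              .replace("+00:00", "Z"))
    # PROCID, MSGID and STRUCTURED-DATA are the NILVALUE "-"; the RFC caps
    # HOSTNAME at 255 and APP-NAME at 48 characters.
    return f"<{pri}>1 {ts} {hostname[:255]} {app_name[:48]} - - - {msg}"


if __name__ == "__main__":
    print(rfc5424(to_cef(SAMPLE_EVENT), "IBMIPROD", "assure-gw", when=SAMPLE_EVENT["time"]))
    print(rfc5424(to_leef(SAMPLE_EVENT), "IBMIPROD", "assure-gw", when=SAMPLE_EVENT["time"]))
```

Escaping is the thing to check: cef_escape handles the pipe in header fields and the equals sign in the extension, and because the LEEF 1.0 attribute separator is a tab, tabs inside values are replaced. The RFC 5424 line uses facility 13 (log audit) and severity 4, which gives PRI 108. Line breaks inside MSG are legal in RFC 5424 but many collectors split records on them, so keep them escaped (CEF already does). Plain UDP syslog offers no integrity or confidentiality for audit data leaving the system; the gateway's SSL/TLS option corresponds to syslog over TLS (RFC 5425), which is the transport to use.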
40. Assure Security
(Product map as on slide 19: Assure Data Privacy, Assure Compliance Monitoring, Assure Access Control, Security Risk Assessment)
Assure Db2 Data Monitor audits views of sensitive records in Db2 databases and optionally blocks data from view
41. Why Monitor Data Access?
The latest regulations require that "read" access to sensitive data is monitored
• GDPR
• New regulations may follow GDPR's lead
Other regulations suggest the benefits of tracking access to data without specifically requiring it:
• PCI DSS
• HIPAA
Monitoring exactly who read highly confidential corporate data is best practice, for example:
• Executive compensation
• Employee payroll information
• Customer lists
42. Bank Customer Story
A bank's databases contain highly confidential financial information. When a user viewed a very critical file, to which they should not have had access, the bank was very concerned. The user claimed to have exited without viewing the data, but there was no proof.
Assure Db2 Data Monitor gives the bank confidence that they will be alerted to views of critical data and that a log will be maintained that they can show to auditors.
44. Assure Db2 Data Monitor
Enables highly confidential data to be blocked from view
• Administrators configure what users are authorized to view
• Only the records that a user is allowed to see are visible to them
Prevents accidental disclosure of highly confidential data, data theft
and abuse of administrative power
• The owner of the file can always see its data
• Those granted the right to view can see their specific records
• Everyone else, including administrators, sees no records in the file
Blocks data views at the record/row level, not by field/column
45. Powerful Configuration Options
The Assure Db2 Data Monitor administrator has powerful configuration
options for:
• The owner(s) of the file – who will always have access
• The field(s) in records that flag it as a sensitive record
• The field(s) in a record that uniquely identify it when access is logged
Additional criteria are available to grant users the ability to view records
based on:
• IP address
• Day of the week
• Time of day
• Program stack
• And more
46. Example
Before Assure Db2 Data Monitor,
the user could see all the financial
data in the file for all companies
in the database
After Assure Db2 Data Monitor,
the user only sees the financial
transaction information for
company 405, the only company
they are authorized to see
47. Logging and Alerting
Assure Db2 Data Monitor logs views of sensitive data rows
• Information is logged to identify the data read, including:
  • The file that was read
  • The unique identifier of the row
  • The field that flagged the row as sensitive
  • The user's name and the program they were running
  • Other basic system information
• The sensitive data itself is not placed in the log (other than the value of the field that flags the record as sensitive)
Alerts can also be sent via popup or email, for example:
    Object: CustomerDB
    User: JoeUser
    Job: TEST001
    Time: 9:45:39
49. Recap
• Regulations and security best practice require that you monitor the activity on your IBM i
• IBM i offers rich sources of audit data, but the information is voluminous and cryptic
• Tools are available to help you automate the analysis of IBM i audit data and generate alerts or reports on security and compliance incidents
• Integrating IBM i security data into SIEM solutions gives you visibility into security across your entire enterprise
• Beyond monitoring database changes, monitoring views of highly sensitive Db2 data is now possible
• Syncsort is here to help with your IBM i security and compliance needs
50. Helpful Resources
To read more about IBM i security monitoring and
reporting, download our ebook!
Learn more about IBM i Security in
“The Essential Layers of IBM i Security”