To survive and thrive in the current state of persistent threats to IT systems, the chief IT security officer requires more innovative and integrated approaches and products. That's where security intelligence (SI) comes in.
This article explains IBM's concept of security intelligence, describes the security challenges of the mainframe environment and where mainframes intersect with SI, and details four steps to enabling mainframe SI. Part 2 will detail the IBM approach to enabling security intelligence in a mainframe environment and offer some tools to help with that implementation.
The topics in this article are more fully explained in the IBM whitepaper "Get actionable insight with security intelligence for mainframe environments" (see Resources).
What is security intelligence?
IBM defines security intelligence as:
- Threat analysis, real-time alerts, audit consolidation, and compliance reporting integrated into a single view of the risks affecting both mainframe and distributed systems
- Automated analysis and reporting that handles the complexity of event monitoring (involving people, data, apps, and infrastructure) without requiring analysts to work through raw log data
- Increased depth of insight and real-time anomaly detection
What are the security challenges in mainframe environments?
This set of security challenges, and therefore security intelligence, intersects the mainframe in the following areas:
- Complexity: The mainframe is an integral component of multiple, often large and complex, business services, which tends to make it difficult to identify and analyze threats.
- Visibility: Mainframe processes, procedures, and reports are often executed in silos; many roles, tasks, and responsibilities in mainframe administration are often highly compartmentalized. This can impede cross-enterprise information sharing that is necessary to combat threats.
- Compliance: Verification of compliance is frequently a manual task; problem alerts are often received only after the problem has occurred.
- Security change control: Change control procedures for security administration often are not followed or not even in place; this can threaten system availability.
The convergence of threat information, the analytics-assisted capabilities to deliver meaningful insights, and the automation of many complex security compliance and analytics tasks are the IT intersection points of security intelligence and the mainframe. There is a cost-oriented business advantage to mainframe security intelligence too: mainframe security management requires highly skilled administrators who may be in high demand and short supply. Automation, a single view of incoming event data, and analytics encode the patterns an expert administrator would recognize, supplementing your staff.
How do I enable mainframe security intelligence?
These initial considerations are key to helping you plan how to enable mainframe security intelligence:
- Provide rich context that enables meaningful insights
- Reduce the complexities of mainframe security management
- Employ best practices to detect and prevent exposures
- Put security intelligence task-oriented operations into place
Figure 1 outlines a comprehensive approach based on security best practices that can help detect and prevent security and compliance exposures.
Figure 1. Security best practices approach
Enable meaningful insights
There aren't many security solutions that are broad and integrated enough to deliver insights that can make a difference. For example, information provided by log management and security information and event management (SIEM) solutions typically includes lots of data with limited context; the limited context limits the insight value of the data.
The goal (and the purpose of security intelligence) is to be able to identify who did what and when, recognize what's abnormal, and uncover the subtle connections between millions (maybe even billions) of data points. Integration (and the increased visibility it affords) helps you better uncover and respond to external, internal, and accidental threats. Integrated SI employs centralized logging, intelligent normalization of security data, visibility into network segments where logging may be problematic, and visibility into asset communication patterns.
Challenge complexities of mainframe security
In a large, cutting-edge, mainframe-based enterprise, it may be impossible for humans to keep up with the complexity and dynamic nature of the infrastructure. SI helps compensate for an incomplete understanding of these complexities (mentioned previously) through automated monitoring, auditing, and reporting that can distinguish between normal or baseline activities and suspicious events.
Detect and prevent exposures
Best practices are a useful part of the SI toolbox when it comes to detecting and preventing security exposures. Through advanced data collection, normalization, and analysis, activity outside of normal behavior ranges is flagged as an offense and is presented in a context that makes it easier to understand the incident so you can effect timely remediation.
You will generally try to apply these tools to achieve these three goals:
Accountability: Proving who did what and when comes from the ability to manage security-related information from networks, hosts, and applications across the IT infrastructure. Accountability correlates this information with an accurate picture of activity to achieve the forensic granularity necessary to investigate violations.
Transparency: Insight into business and IT assets that must be protected comes from visibility into security controls. Transparency enables the organization to assess its adherence to policies by extending visibility into network and application traffic and into the sensitive resources events governed by security rules.
Measurability: An understanding of your organization's security risk comes from the ability to assess and measure both compliance and threats. Measurability supports real-time awareness and responsiveness through interactive dashboards and reporting.
Put task operations into place
So how do you implement that accountability, transparency, and measurability triad? The operational tasks that many organizations perform to initially implement SI into their mainframe systems include the following:
- Collect and monitor data from initial data sources such as authentication events, operating system logs, anti-malware logs, firewalls, configurations, and file and directory auditing.
- Define use cases by examining key business challenges.
- Provide the security team and others with role-based access and customizable views into real-time analysis, incident management, and reporting so they can drill down into raw data and summarized security incidents.
- Provide management tools to summarize and analyze access control, remove unused access authorizations, and simulate the effect of new security rules before they are deployed.
- Roll out additional data sources (like IDS/IPS data, database security logs, app logs, and physical security system logs) for a higher level of context and potential intelligence.
- Build activity baselines for key metrics and monitoring for meaningful anomalies.
- Deploy a risk management solution to analyze network and device vulnerabilities; this will help you shift your management style from reactive to proactive.
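The normalization, offense flagging, and baselining steps described above (centralized logging with normalized security data, activity outside normal ranges flagged as an offense, and activity baselines for key metrics) are illustrated by the following added example. It is not code from the article or from any IBM product; both log line layouts, the host names, the user IDs, and the `Event` schema are constructed for the example and do not reproduce a real RACF, SMF, or syslog record format. It normalizes logon events from a mainframe-style and a distributed-style source into one schema, builds a per-user baseline of logon hours and sources from a training set, and then flags off-hours logons, logons from unseen sources, failed-logon bursts, and successful logons by users with no baseline.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample events. Both line layouts are invented for this example
# and do not reproduce any real mainframe (RACF/SMF) or syslog record format.
BASELINE_LINES = [
    "2024-03-04T08:02:11Z MF01 LOGON user=OPER1 term=TCP10 rc=0",
    "2024-03-05T08:10:30Z MF01 LOGON user=OPER1 term=TCP10 rc=0",
    "2024-03-05T09:15:00Z MF01 LOGON user=AUDIT2 term=TCP12 rc=0",
    "2024-03-04T08:05:42Z srv-app1 sshd: Accepted password for oper1 from 10.1.1.5",
    "2024-03-05T09:20:10Z srv-app1 sshd: Accepted password for oper1 from 10.1.1.5",
]
NEW_LINES = [
    "2024-03-06T08:01:05Z MF01 LOGON user=OPER1 term=TCP10 rc=0",
    "2024-03-06T02:17:44Z MF01 LOGON user=AUDIT2 term=TCP41 rc=0",
    "2024-03-06T02:20:01Z srv-app1 sshd: Failed password for oper1 from 203.0.113.9",
    "2024-03-06T02:20:03Z srv-app1 sshd: Failed password for oper1 from 203.0.113.9",
    "2024-03-06T02:20:05Z srv-app1 sshd: Failed password for oper1 from 203.0.113.9",
    "2024-03-06T02:21:30Z srv-app1 sshd: Accepted password for oper1 from 203.0.113.9",
    "2024-03-06T10:00:00Z MF01 LOGON user=NEWID9 term=TCP10 rc=0",
    "this line is noise and must be dropped by the normalizer",
]

MF_RE = re.compile(r"^(\S+) (\S+) LOGON user=(\S+) term=(\S+) rc=(\d+)$")
DIST_RE = re.compile(r"^(\S+) (\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$")


@dataclass(frozen=True)
class Event:
    """Common schema both platforms are normalized into."""
    ts: datetime
    host: str
    user: str      # lower-cased so OPER1 (mainframe) and oper1 (Linux) are one identity
    success: bool
    source: str    # terminal id or source IP, whichever the platform reports
    origin: str    # "mainframe" or "distributed"


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line: str) -> Optional[Event]:
    """Map a raw line from either platform onto the Event schema; None if unparsed."""
    m = MF_RE.match(line)
    if m:
        ts, host, user, term, rc = m.groups()
        return Event(_parse_ts(ts), host, user.lower(), rc == "0", term, "mainframe")
    m = DIST_RE.match(line)
    if m:
        ts, host, verb, user, src = m.groups()
        return Event(_parse_ts(ts), host, user.lower(), verb == "Accepted", src, "distributed")
    return None  # a production pipeline would count unparsed lines rather than silently drop them


def build_baseline(events: List[Event]) -> Dict[str, Dict[str, set]]:
    """Per-user set of logon hours (UTC) and sources observed in successful logons."""
    base: Dict[str, Dict[str, set]] = defaultdict(lambda: {"hours": set(), "sources": set()})
    for e in events:
        if e.success:
            base[e.user]["hours"].add(e.ts.hour)
            base[e.user]["sources"].add(e.source)
    return dict(base)


def detect_offenses(events: List[Event], baseline: Dict[str, Dict[str, set]],
                    fail_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (user, reason, host) offenses for activity outside the baseline."""
    offenses: List[Tuple[str, str, str]] = []
    failures: Counter = Counter()
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.success:
            failures[e.user] += 1
            if failures[e.user] == fail_threshold:   # raise once, when the burst threshold is hit
                offenses.append((e.user, "failed-login burst", e.host))
            continue
        profile = baseline.get(e.user)
        if profile is None:
            offenses.append((e.user, "success with no baseline", e.host))
            continue
        if e.ts.hour not in profile["hours"]:
            offenses.append((e.user, "login outside baseline hours", e.host))
        if e.source not in profile["sources"]:
            offenses.append((e.user, "login from unseen source", e.host))
    return offenses


def run_example() -> List[Tuple[str, str, str]]:
    baseline = build_baseline([ev for ev in map(normalize, BASELINE_LINES) if ev])
    new_events = [ev for ev in map(normalize, NEW_LINES) if ev]
    return detect_offenses(new_events, baseline)


if __name__ == "__main__":
    for user, reason, host in run_example():
        print(f"OFFENSE {user:8} {reason:30} on {host}")
```

Flagging the failed-logon burst once, at the threshold, keeps the offense list to one entry per incident rather than one per retry; the same batch then shows the subsequent off-hours success from the unseen source as two further offenses against the same user, which is the kind of correlated context the article says raw log data lacks.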
Resources
- The topics in this article are more fully explained in the IBM whitepaper "Get actionable insight with security intelligence for mainframe environments."
- The IBM Redbook Introduction to the New Mainframe: Security provides a wealth of security fundamentals for the latest generation of mainframe hardware and software.
- Explore the IBM Security Framework for cutting-edge knowledge on IT security issues.
- Visit the IBM Security QRadar SIEM site to learn more about the technology. Learn more at the developerWorks QRadar community.
- Visit the IBM Security zSecure site to learn more about the technology. Learn more at the developerWorks zSecure community.
- Visit the IBM Security Guardium site to learn more about the technology. Learn more at the developerWorks Guardium community.
- Start your journey to implement IT security through pragmatic, intelligent, and risk-based practices at Security on developerWorks.