Enabling security intelligence in mainframes, Part 2: Leverage the IBM approach

Explore an approach and tools to help implement mainframe security intelligence

Discover the approach and tools that IBM® provides to enable security intelligence in a mainframe environment. This article is part 2 of a two-part series.


developerWorks security editors, IBM staff, IBM

This article is brought to you by the editors of the developerWorks Security site.

09 August 2013

To survive and thrive in the current state of persistent threats to IT systems, the chief IT security officer requires more innovative and integrated approaches and products. That's where security intelligence (SI) comes in.

This article details the IBM approach to enabling security intelligence in a mainframe environment and offers some tools to help with that implementation. (Part 1 explained IBM's concept of security intelligence, the security challenges of the mainframe environment, where mainframes intersect with SI, and four steps to enabling mainframe SI.)

The topics in this article are more fully explained in the IBM whitepaper "Get actionable insight with security intelligence for mainframe environments" (see Resources).

The path to security intelligence in mainframes

The IBM Security Framework has security intelligence as a central concept. The framework is a comprehensive approach that addresses the key areas of security and compliance risk — people, data, applications, and infrastructure. The IBM approach ties the framework's capabilities to other common capabilities for security intelligence and analytics, delivering a structure that lets you implement the policy management, event handling, and reporting you need to build an enterprise mainframe security program.

The goal of IBM security intelligence is to integrate the disparate security tasks that, traditionally, have been handled separately on the mainframe. Two examples of how IBM supports this concept in its products, taken from the original whitepaper, are QRadar® SIEM and the combination of IBM zSecure™ and Guardium®.

Consolidate security intelligence with QRadar SIEM

QRadar SIEM provides enterprise security intelligence through full visibility and actionable insight; it lets you collect security events from the mainframe, but expands your reach by enabling you to collect from hundreds of other log and flow sources such as security devices, network devices, firewalls, operating systems, and applications.

QRadar provides a unified view of security and compliance risks. It delivers integrated log and threat management, configuration monitoring, vulnerability management, and compliance reporting using sophisticated correlation and anomaly detection analytics. QRadar SIEM can analyze events, network flows, vulnerabilities, user identities, and threat intelligence in a unified way. That way it can provide you with an exceptional level of context and insight into threats and compliance risks.

QRadar SIEM's real-time activity correlation of both events and network flows enables it to help reduce potential breaches by rapidly detecting suspicious activity that might otherwise be missed.

zSecure and Guardium database security provide insights

Tools in the IBM Security zSecure Suite feed real-time data to QRadar SIEM or other SIEM solutions to strengthen mainframe security and more easily comply with regulations — they do this by simplifying audit and reporting efforts. The zSecure consolidated view supports easier identification of and more effective reaction to threats; a forensically secure database stores event data.

The Guardium components support continuous, policy-based, real-time monitoring of database activity, including actions by privileged users, and also scan the database infrastructure for missing patches, misconfigured privileges, and other vulnerabilities.


