Enabling security intelligence in mainframes, Part 1: Understanding the challenge

Mainframes have complex security requirements; discover the key considerations

Discover the challenges of implementing security intelligence in a mainframe environment, then follow the additional references to explore the details of how to complete the tasks. This article is Part 1 of a two-part series.


developerWorks security editors, IBM staff, IBM

This article is brought to you by the editors of the developerWorks Security site.

06 August 2013

To survive and thrive in the current state of persistent threats to IT systems, the chief IT security officer requires more innovative and integrated approaches and products. That's where security intelligence (SI) comes in.

This article explains IBM's concept of security intelligence, describes the security challenges of the mainframe environment and where mainframes intersect with SI, and details four steps to enabling mainframe SI. Part 2 will detail the IBM approach to enabling security intelligence in a mainframe environment and offer some tools to help with that implementation.

The topics in this article are more fully explained in the IBM whitepaper "Get actionable insight with security intelligence for mainframe environments" (see Resources).

What is security intelligence?

IBM defines security intelligence as:

  • Threat analysis, real-time alerts, audit consolidation, and compliance reporting integrated into a single view of the risks affecting both mainframe and distributed systems
  • Automated analysis and reporting that deals with the complexity of event monitoring (involving people, data, apps, and infrastructure) without requiring administrators to work through raw log data
  • Increased depth of insight and real-time anomaly detection

What are the security challenges in mainframe environments?

The set of security challenges, and therefore security intelligence, intersects the mainframe in the following areas:

  • Complexity: The mainframe is an integral component of multiple, often large and complex, business services, which tends to make it difficult to identify and analyze threats.
  • Visibility: Mainframe processes, procedures, and reports are often executed in silos; many roles, tasks, and responsibilities in mainframe administration are often highly compartmentalized. This can impede cross-enterprise information sharing that is necessary to combat threats.
  • Compliance: Verification of compliance is frequently a manual task; problem alerts are often received only after the problem has occurred.
  • Security change control: Change control procedures for security administration often are not followed or not even in place; this can threaten system availability.

The convergence of threat information, the analytics-assisted capabilities to deliver meaningful insights, and the automation of many complex security compliance and analytics tasks are the IT intersection points of security intelligence and the mainframe. There is a cost-oriented business advantage to mainframe security intelligence too; mainframe security management requires highly skilled administrators who may be in high demand and short supply. Automation, a single view of incoming event data, and analytics can act much like an administrator in expert pattern form, supplementing your staff.

How do I enable mainframe security intelligence?

These initial considerations are key to helping you plan how to enable mainframe security intelligence:

  • Provide rich context that enables meaningful insights
  • Reduce the complexities of mainframe security management
  • Employ best practices to detect and prevent exposures
  • Put security intelligence task-oriented operations into place

Figure 1 outlines a comprehensive approach based on security best practices that can help detect and prevent security and compliance exposures.

Figure 1. Security best practices approach

Enable meaningful insights

There aren't many security solutions that are broad and integrated enough to deliver insights that can make a difference. For example, information provided by log management and security information and event management (SIEM) solutions typically includes lots of data with limited context; the limited context limits the insight value of the data.

The goal (and the purpose of security intelligence) is to be able to identify who did what and when, recognize what's abnormal, and uncover the subtle connections between millions (maybe even billions) of data points. Integration (and the increased visibility it affords) helps you better uncover and respond to external, internal, and accidental threats. Integrated SI employs centralized logging, intelligent normalization of security data, visibility into network segments where logging may be problematic, and visibility into asset communication patterns.

Challenge complexities of mainframe security

In a large, cutting-edge, mainframe-based enterprise, it may be impossible for humans to keep up with the complexity and dynamic nature of the infrastructure. SI helps you compensate for the limited understanding of these complexities (mentioned previously) through automated monitoring, auditing, and reporting that can help distinguish between normal or baseline activities and suspicious events.

Detect and prevent exposures

Best practices are a useful part of the SI toolbox when it comes to detecting and preventing security exposures. Through advanced data collection, normalization, and analysis, activity outside of normal behavior ranges is flagged as an offense and is presented in a context that makes it easier to understand the incident so you can effect timely remediation.

You will generally try to apply these tools to achieve these three goals:

  • Accountability
  • Transparency
  • Measurability

Accountability: Proving who did what and when comes from the ability to manage security-related information from networks, hosts, and applications across the IT infrastructure. Accountability correlates this information with an accurate picture of activity to achieve the forensic granularity necessary to investigate violations.

Transparency: Insight into the business and IT assets that must be protected comes from visibility into security controls. Transparency enables the organization to assess its adherence to policies by extending visibility into network and application traffic and into events involving the sensitive resources governed by security rules.

Measurability: An understanding of your organization's security risk comes from the ability to assess and measure both compliance and threats. Measurability supports real-time awareness and responsiveness through interactive dashboards and reporting.

Put task operations into place

So how do you implement that accountability, transparency, and measurability triad? The operational tasks that many organizations perform to initially implement SI into their mainframe systems include the following:

  • Collect and monitor data from initial data sources such as authentication events, operating system logs, anti-malware logs, firewalls, configurations, and file and directory auditing.
  • Define use cases by examining key business challenges.
  • Provide the security team and others with role-based access and customizable views into real-time analysis, incident management, and reporting so they can drill down into raw data and summarized security incidents.
  • Provide management tools to summarize and analyze access control, remove unused access authorizations, and simulate the effect of new security rules before they are deployed.
  • Roll out additional data sources (such as IDS/IPS data, database security logs, application logs, and physical security system logs) for a higher level of context and potential intelligence.
  • Build activity baselines for key metrics and monitor for meaningful anomalies.
  • Deploy a risk management solution to analyze network and device vulnerabilities; this will help you shift your management style from reactive to proactive.
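As an added illustration of the collect-normalize-baseline-flag sequence in the steps above (example code written for this summary, not code from the original article or from any IBM product), the following Python normalizes a few constructed authentication events, builds a per-user logon-hour baseline, and flags consecutive failures and off-baseline logons as offenses that carry who/what/when context. The key=value line format and the host and user names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample events in a simple key=value form (not real RACF/SMF output).
BASELINE = [
    "2013-08-01T09:02:11Z host=MF01 user=OPER1 event=LOGON result=OK",
    "2013-08-01T09:40:52Z host=MF01 user=OPER1 event=LOGON result=OK",
    "2013-08-02T08:55:03Z host=MF01 user=OPER1 event=LOGON result=OK",
    "2013-08-02T17:10:45Z host=MF01 user=AUDIT2 event=LOGON result=OK",
]
LIVE = [
    "2013-08-06T03:14:05Z host=MF01 user=OPER1 event=LOGON result=FAIL",
    "2013-08-06T03:14:20Z host=MF01 user=OPER1 event=LOGON result=FAIL",
    "2013-08-06T03:14:41Z host=MF01 user=OPER1 event=LOGON result=FAIL",
    "2013-08-06T03:15:02Z host=MF01 user=OPER1 event=LOGON result=OK",
    "2013-08-06T17:05:00Z host=MF01 user=AUDIT2 event=LOGON result=OK",
]
LINE = re.compile(r"^(\S+)\s+(.*)$")

def normalize(line):
    """Turn one raw line into a dict with a parsed timestamp and hour-of-day."""
    ts, rest = LINE.match(line).groups()
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["hour"] = ev["time"].hour
    return ev

def build_baseline(lines):
    """Per-user set of hours in which successful logons were observed."""
    hours = defaultdict(set)
    for ev in map(normalize, lines):
        if ev["event"] == "LOGON" and ev["result"] == "OK":
            hours[ev["user"]].add(ev["hour"])
    return hours

def find_offenses(lines, baseline, fail_threshold=3):
    """Flag failure bursts and off-baseline logons, with who/what/when context."""
    offenses, failures = [], Counter()
    for ev in map(normalize, lines):
        who, when = ev["user"], ev["time"].isoformat()
        if ev["result"] == "FAIL":
            failures[who] += 1
            if failures[who] == fail_threshold:
                offenses.append((who, when, "%d consecutive logon failures" % fail_threshold))
        else:
            failures[who] = 0  # a success ends the failure run
            if ev["hour"] not in baseline.get(who, set()):
                offenses.append((who, when, "logon at hour %02d outside baseline" % ev["hour"]))
    return offenses
```

Running find_offenses(LIVE, build_baseline(BASELINE)) yields two offenses for OPER1 (a failure burst, then a 03:00 logon outside the 08:00-09:00 baseline) and none for AUDIT2.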
