You remember the old days, when you didn’t know what had happened on your mainframes until late at night when the batch job ran and pieced together all the bits of information. It may seem like a different age when that was acceptable, but now you not only want to know what’s going on as it happens, you also want to ensure that only authorized people are doing it!
The term Security Information and Event Management (SIEM) was coined by Mark Nicolett and Amrit Williams of Gartner in 2005. It refers to products providing real-time analysis of security alerts generated by network hardware and applications. These products can also be used to log security data and generate reports for compliance purposes. This all sounds very good, but first you need some way to get the information (log data) to the SIEM software.
One way to do that is to use SMA_RT for z/OS SIEM from SDS. SMA_RT is an acronym for Security Monitoring and Alert in Real-Time. SMA_RT agents acquire messages from your z/OS system console (Write To Operator – WTO messages) and z/OS SMF (System Management Facility), and pass the critical security information to your central enterprise SIEM tools in real time. It’s not just SIEM technology that can be used: the SMA_RT software agents convert mainframe logs to syslog format for delivery to any other software that makes use of the SYSLOG protocol.
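To make the console-to-syslog step concrete, here is an added example (not SDS code, and not how SMA_RT is implemented) that turns constructed, simplified z/OS console lines into RFC 5424 syslog messages a SIEM can ingest. The one-line "SYSNAME MSGID text" layout, the facility/severity mapping, the `smart-agent` app name and the `zos@32473` structured-data ID (32473 is the enterprise number reserved for documentation) are all assumptions of this example.

```python
"""Convert simplified z/OS console (WTO) lines to RFC 5424 syslog messages."""
import re
from datetime import datetime, timezone

# Constructed sample console lines in an assumed one-line layout
# "SYSNAME MSGID text" (real WTO output is multi-line and differs).
SAMPLE_WTO_LINES = [
    "SYSA ICH408I USER(JSMITH) GROUP(DEPT1) PAYROLL.MASTER CL(DATASET) "
    "INSUFFICIENT ACCESS AUTHORITY",
    "SYSA IEF403I PAYJOB1 - STARTED - TIME=10.15.22",
]

WTO_RE = re.compile(r"^(?P<system>\S+)\s+(?P<msgid>[A-Z]{3,4}\d{3,5}[A-Z])\s+(?P<text>.*)$")

# Assumed mapping to RFC 5424 numeric codes: facility auth=4, local0=16;
# severity warning=4, informational=6. ICH408I is RACF's access-denied message.
FACILITY_AUTH, FACILITY_LOCAL0 = 4, 16
SEV_WARNING, SEV_INFO = 4, 6
SECURITY_MSGIDS = {"ICH408I": SEV_WARNING}


def parse_wto(line):
    """Split a console line into system name, message ID and message text."""
    m = WTO_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised console line: {line!r}")
    return m.groupdict()


def syslog_priority(msgid):
    """PRI = facility * 8 + severity; RACF (ICH*) messages go to the auth facility."""
    facility = FACILITY_AUTH if msgid.startswith("ICH") else FACILITY_LOCAL0
    return facility * 8 + SECURITY_MSGIDS.get(msgid, SEV_INFO)


def escape_sd(value):
    """Escape the three characters RFC 5424 requires escaping in SD-PARAM values."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(line, lpar, timestamp):
    """Render one console line as an RFC 5424 message carrying the LPAR as structured data."""
    rec = parse_wto(line)
    sd = f'[zos@32473 lpar="{escape_sd(lpar)}" system="{escape_sd(rec["system"])}"]'
    return (f"<{syslog_priority(rec['msgid'])}>1 {timestamp.isoformat()} "
            f"{rec['system'].lower()} smart-agent - {rec['msgid']} {sd} {rec['text']}")


def convert_samples(lpar="LPAR1"):
    """Convert every constructed sample line; a fixed timestamp keeps the output reproducible."""
    ts = datetime(2024, 1, 2, 10, 15, 22, tzinfo=timezone.utc)
    return [to_syslog(line, lpar, ts) for line in SAMPLE_WTO_LINES]


if __name__ == "__main__":
    print("\n".join(convert_samples()))
```

A SIEM rule can then key on the `ICH408I` MSGID and the auth-facility PRI rather than on free text.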
What makes SMA_RT even more useful for an organization is that most companies don’t just have mainframes; they make use of a number of other platforms too. So, not only can SMA_RT agents provide intelligence from each z/OS system and LPAR in your network, they can also provide security intelligence from all the other systems, including Unix, Windows, Cisco, etc. This means that your security people get a central, enterprise-wide view of all the events they need to capture, and all the security threats they need to recognize.
And that enterprise-wide monitoring of security events is critical, not only for tracking malicious activity, but also for meeting compliance requirements. By using SMA_RT, administrators can define specific items of interest for deeper-than-normal monitoring: files that hold credit information, for example, or health care details. This makes SMA_RT an invaluable tool for SOX, PCI, and HIPAA compliance.
So let’s drill down a bit and see what we actually get with SMA_RT. The list includes:
- Monitors z/OS and Unix System Services (USS)
- Gathers intelligence from z/OS SMF and the system operator interface
- Delivers mainframe data to all widely used SIEM products: for example IBM QRadar®, McAfee ESM, Splunk, ArcSight, enVision.
- Connects with standard z/OS security products: ACF2™, RACF®, and Top Secret®.
- Uses both signature- and anomaly-based attack detection
- Provides real-time alerts that are managed, filtered, routed, and searchable via SIEM software
- Profiles TSO users, then watches for anomalies during TSO sessions
- APIs allow for defining and filtering TSO, CICS, and batch events
- Batch jobs can process SMF archives
- Easy installation does not require z/OS IPLs
- A small footprint in each LPAR, with little CPU overhead
- Simple monitoring rules easily defined through a TSO interface
By using SMA_RT software agents running on every computing platform in your organization, it becomes very easy to integrate the mainframe data (from every LPAR on every z/OS system) with data from these other platforms and, using SIEM software, ensure your security people are aware of what’s happening on these various platforms almost as soon as it happens. There’s no need to wait until the following day to see what has happened, so appropriate action can be initiated immediately. It also means that there is a record (and one that can be quite detailed) of what happened for compliance purposes. Finally, your IT staff are in a position to say that they know what’s going on.