The Who, What, Where, When, and Why for Mainframe Security

Trevor Eddolls Trevor Eddolls
January 6, 2020 Big Data, Cloud & DevOps

For most people, security is a bit of a nuisance. No-one likes having to keep updating their password and then needing to remember the new one. And then there’s all the different passwords that need to be remembered for different things. It all just seems like an administrative nightmare. It just makes getting a day’s work done harder. That’s what most users think right up until the moment there’s a breach. And suddenly the mood has changed. Now everyone wants to know exactly what’s happened. They want to know who has done what, where they’ve done it, when it occurred, how they got in, and a million other questions. Your phone is ringing off the hook. Your e-mail is filling up faster than usual. What can you do? Where can you access the information you need? How do you respond to the incident?

Although you may have just discovered there’s been a breach, the big question is when did the breach actually occur? Was that just a few seconds ago, or did happen yesterday, or longer ago than that? A 2018 study by The Ponemon Institute on behalf of IBM ("Cost of a Data Breach Study": https://www.ibm.com/security/data-breach) reported that the average time to detect a breach is an unacceptable 197 days, with a further 69 days taken to control the breach. Plenty of time for malicious hackers to cause mayhem AND cover their tracks. And it’s not just mainframes, this can happen on open systems where there are SIEMs and other advanced tools.

This 13th annual "Cost of a Data Breach Study" also reported that the global average cost of a data breach is US$3.86 million, while the average cost for each lost or stolen record containing sensitive and confidential information now stands at $148. Plus, there’s the cost of the damage to your brand/company’s reputation. And, of course, it may cost you your job!

Appreciating just how much a breach is going to cost makes finding out all the details about the breach even more pressing. So, what are you going to do? The great thing about a mainframe is that SMF (System Management Facility) data will tell you pretty much everything that has occurred. The only problem is that there are lots and lots of records to look through. Is it only one program that has been modified? How many things are you going to end up looking for? Just how long is this going to take you? All this while, senior management are breathing down your neck and everyone wants to know whether this is a real breach or just a false alarm.

We all remember A Christmas Carol, the 1843 novel by Charles Dickens that had Scrooge visited by three ghosts. The third ghost, the Ghost of Christmas Yet to Come, shows Scrooge the future, where he is dead and unmissed. You can think of this as the view of your systems programmers pouring over pages and pages of SMF data. When Scrooge wakes up, he determines to change his future and ends up sharing Christmas with Bob Cratchit, Tiny Tim, and their family. This could be you making the most of File Integrity Management (FIM) software, which is used on Windows and Unix platforms for this very purpose, is available on mainframes. FIM software provides a way of detecting changes by comparing the current contents of components to their trusted state. That way you have a lot of answers instead of just a lot of questions. And that trusted snapshot is safely stored in an encrypted vault.

FIM software can tell you who made the changes. They do that by accessing data in SMF and searching it to see what userid changed the files during the attack interval. It can then display the information in a 3270 or GUI interface so you can see all the information required, in one place, in seconds. Since FIM data can be sent to your SIEM or enterprise security console, like Splunk or QRadar, you could also look there and get all the information as well if you want to.

FIM software can tell you what has changed. FIM tools can identify every file that was modified, added, or deleted. FIM isn’t fooled. It shows you not just where the problem started (a suspicious update) but every component that was accessed. It can also identify altered log files that would cloak a hacker’s tracks. However, if the content matches the trusted state, then you very quickly know it was just a false alarm. 

FIM software can tell you what LINE was changed. FIM tools can be instructed to keep a baseline copy of files and members. For config members, source, and text files that can be read by humans, state of the art FIM tools can automatically invoke your existing file comparison tool to show you a side-by-side picture. So not only do you know what components changed but can see the actual lines that are different.

FIM software can tell you when it changed. FIM software records every successful scan, it knows the last time each component was correct. Now it can give you the attack interval (from the last good date to incident time) so you can focus your research on the exact actions during the interval. Knowing the last good date will also be important in deciding when the recovery process should be started too.

FIM software can tell you why it changed. By querying change management products like Remedy and ServiceNow, advanced FIM products can determine whether the change was authorized or not. This can avoid many false alarms and ensure only validated alerts become an incident.

Modern tools can automate every step of this incident response process. So now, when the phone rings, you can confidently tell management when a situation started and that recovery steps are being implemented. Additionally, you know who should be on the recovery team because you already know all the systems and applications affected.

By simply knowing who, what, when where and even why changes took place, you can control an incident before things get out of hand. Clearly, with the size of a mainframe prize for would be hackers, you need to be ready to respond, to either individuals or nation states, before they attack.

  • Experfy Insights

    Top articles, research, podcasts, webinars and more delivered to you monthly.

  • Trevor Eddolls

    Tags
    Big Data & Technology
    Leave a Comment
    Next Post
    How Systemic Approaches to ITOps Impact the Business Culture?

    How Systemic Approaches to ITOps Impact the Business Culture?

    Leave a Reply Cancel reply

    Your email address will not be published. Required fields are marked *

    More in Big Data, Cloud & DevOps
    Big Data, Cloud & DevOps
    Cognitive Load Of Being On Call: 6 Tips To Address It

    If you’ve ever been on call, you’ve probably experienced the pain of being woken up at 4 a.m., unactionable alerts, alerts going to the wrong team, and other unfortunate events. But, there’s an aspect of being on call that is less talked about, but even more ubiquitous – the cognitive load. “Cognitive load” has perhaps

    5 MINUTES READ Continue Reading »
    Big Data, Cloud & DevOps
    How To Refine 360 Customer View With Next Generation Data Matching

    Knowing your customer in the digital age Want to know more about your customers? About their demographics, personal choices, and preferable buying journey? Who do you think is the best source for such insights? You’re right. The customer. But, in a fast-paced world, it is almost impossible to extract all relevant information about a customer

    4 MINUTES READ Continue Reading »
    Big Data, Cloud & DevOps
    3 Ways Businesses Can Use Cloud Computing To The Fullest

    Cloud computing is the anytime, anywhere delivery of IT services like compute, storage, networking, and application software over the internet to end-users. The underlying physical resources, as well as processes, are masked to the end-user, who accesses only the files and apps they want. Companies (usually) pay for only the cloud computing services they use,

    7 MINUTES READ Continue Reading »

    About Us

    Incubated in Harvard Innovation Lab, Experfy specializes in pipelining and deploying the world's best AI and engineering talent at breakneck speed, with exceptional focus on quality and compliance. Enterprises and governments also leverage our award-winning SaaS platform to build their own customized future of work solutions such as talent clouds.

    Join Us At

    Contact Us

    1700 West Park Drive, Suite 190
    Westborough, MA 01581

    Email: support@experfy.com

    Toll Free: (844) EXPERFY or
    (844) 397-3739

    © 2023, Experfy Inc. All rights reserved.