Copyright 2015 and 2016 (©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak
All Rights Reserved Worldwide.
An Introduction to a z/OS Real-time Infrastructure and Security Practices
Introduction:
Today’s world of state-sponsored computer crime has greatly increased both the sophistication and the volume of unauthorized attacks and the theft of highly sensitive information from both government and private corporations. Government officials have reported that annual losses to U.S. firms attributed to hacking-related attacks alone amount to billions. This malevolent hacking behavior amounts to cyber war. In this world the CSO cannot assume that individual departments processing key company assets such as credit card, health or customer account records are safe unless the whole corporate enterprise has the proper protections in place. The cyber-criminal will look for weaknesses throughout the whole IT enterprise as points of entry, and z/OS systems are very large, enticing targets.
An equal, if not greater, challenge to the CSO is malicious activity by internal company employees. Many security practices and technologies have been designed to detect external cybersecurity threats to network security. However, they may not be sufficient to detect an employee with authorized access to sensitive corporate data conducting unauthorized activities. Employees with Sys/ID access, if left unchecked, may have the opportunity to divert company funds to their own accounts, alter data, download confidential data and more.
IBM mainframes running zSeries/Operating System (z/OS) play an important role within most
corporations and government agencies. Web connections to data residing on the z/OS mainframe
platform through z/OS Web Services, CICS and TSO have added functionality to legacy
processing and brought transaction processing to new levels. It has also introduced a new
perception of vulnerability. Mainframe z/OS Security Administrators sometimes view it as
opening up the mainframe to “intruders.”
Protecting z/OS systems and their data is just as important as protecting all client operating systems, servers and firewalls.
But regardless of the industry or the regulatory mandate, every organization is at risk of losing information. (I know first-hand after receiving a letter from the US Office of Personnel Management on the status of my own personal information.) Information security breaches may go beyond organizational boundaries and expose organizations to unwanted legal action. Security exposures derived from the theft of data have led to three class-action lawsuits against the former Secretary of Veterans Affairs. That security breach affected 26.5 million records, with a VA estimate of between $100 million and $500 million to prevent and cover possible losses from data theft.
Unfortunately, security is not always the highest priority in an organization until it is named in the lead story on the evening news or in the Wall Street Journal and you are requested to testify before Congress.
Organizations must focus on ways to monitor z/OS security by thinking outside the box, and must develop an efficient security framework to monitor security settings and protect confidential data from ‘bad guys’ in an effective and economical manner. They must explore the tools that are available for developing such a security framework.
The Problem:
There are three security products available on the IBM z/OS mainframe platform: IBM’s RACF (Resource Access Control Facility), Computer Associates’ ACF2 (Access Control Facility 2) and TSS (Top Secret Security, not to be confused with Department of Defense top secret security clearances). RACF, ACF2 and TSS simply either allow or disallow access to a resource. They only provide auditing and monitoring by running a batch process the following day, or by special request if a specific event is being investigated (after the fact).
It is common practice for corporations and federal agencies to license Security Information Event Monitoring (SIEM) products like HP Arcsight and security log collection software like Splunk. Some organizations have SIEM software but are not sending their z/OS security logs to the SIEM product. Instead they remain dependent on a z/OS security administrator to run batch jobs to monitor security events or breaches. This is what we refer to as the “fox guarding the hen house” scenario. It violates good security practices and federal mandates for separation of duties.
SIEM products allow for the monitoring of security logs and events by receiving client, server and firewall security logs in Real-Time¹. However, the software vendors have failed to provide the same Real-Time capabilities from z/OS. Instead they mostly use an interval-scheduled batch process followed by an FTP to move the data across the network to the security log collector. This design often overloads the network and prolongs the analysis of a possible security breach. All of these examples violate a host of regulations and demonstrate bad continuous z/OS security monitoring practice.
Hardening Your Organization’s z/OS Real-Time Infrastructure
An attack, especially one on DB2 z/OS to obtain the privilege settings of the DB2 System Administrator, allows for a stealthy security breach. Therefore, it is no longer efficient or safe to rely solely on batch reporting and on mainframe security systems that work strictly inside the mainframe, recording only incidents where security has been violated. It is now possible to use products to monitor z/OS mainframe security from outside the mainframe itself and to track events EVEN IF THE USER HAS THE PROPER AUTHORITIES.
Companies should not wait for an incident to happen and make newspaper headlines before they consider their own security issues. Although the cost of protecting data effectively is high, the cost of a security breach is even higher considering the new laws governing the compromise of data. Companies can breathe a sigh of relief now that cost-effective and comprehensive mainframe software is available in the market.
Some products meet the current needs of corporations in the area of securing the confidential records of their own businesses as well as those of their clients, and have all the qualities that are required to counter today’s security threats. They work efficiently with existing z/OS security products and make use of SMF and console messages in appropriate ways. They are capable of tracking audited events and several types of insider threats, delivering mainframe alerts in Real-Time, and integrating easily with other existing security monitors.
¹ Definition of Real-Time Computing: of or relating to a system in which input data is processed within milliseconds so that it is available
Here are some criteria that you may consider when evaluating a z/OS security monitoring
product for your organization:
• Scalable
• Ease of use
• Real-Time 24/7 access to resources and other event monitoring
• Eliminates unwanted events by employing customer-defined filters
• Promotes true audit independence and analysis, with decimal data presented in a clear-text format so it may be interpreted by non-technical personnel within the IT organization
• Facilitates spot security checks ‘anytime’ outside of the standard quarterly security audit
• Ease of configuration and installation
• Small footprint of mainframe processing and minimum performance impact on mainframe systems
So, don’t let data breaches derail your career, or more importantly, your boss’s. Proactive companies with a track record of monitoring security logs from outside the box are at the forefront of Government requirements and have a solid framework in place to manage z/OS data and its associated risks. Doing so puts you, regardless of your industry, in a better competitive position, with an ideal security posture that will allow you to participate in the very important data-sharing evolution taking place.
The Solution:
Type80 Security Software, Inc. (Type80) develops and markets proprietary Real-Time event
notification software for insider threats and intrusion detection against IBM mainframe
computers running on z/OS. Type80’s primary software product is called Security Monitor
Alerts in Real-Time (SMA_RT).
SMA_RT enhances the collection and analysis of the insider and foreign threat to organizations and our national infrastructure by:
• Detecting malicious activity, including an insider’s actions that have been authorized by existing security settings
• Protecting against insider threats unlike any other commercial mainframe software available
• Identifying internal patterns of abuse
• Meeting Government Security Requirements and Mandates for continuous monitoring of computer systems, separation of duties, and file integrity monitoring
• Working in tandem with all other client, server and firewall security monitoring products already deployed to provide complete Real-Time enterprise-wide threat management coverage
• Saving hundreds of hours searching through batch reports when investigating a security breach
The delivery of security events in Real-Time is an important aspect of any robust security program, and may be required to maintain compliance with the various continuous monitoring initiatives within your organization. Type80’s SMA_RT software does exactly that: it enables the Security Operations Center (SOC) to know the true state of mainframe security moment by moment and, when working in concert with a SIEM product, allows authorized SOC personnel to take the actions appropriate to the severity of the security breach.
SMA_RT does this by capturing, in Real-Time, system management function (SMF) log data, operating system messages, application program messages, database messages, TSO (time-sharing option) messages and customer-specific events generated through our API (an application programming interface for customized event monitoring within an application program running on the mainframe). These input streams are used to determine possible security attacks or customer-defined event violations on the mainframe by using a combination of configurable security rules and basic anomaly detection.
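The rules-plus-anomaly approach described above, as an added example (illustrative Python written for this page, not Type80’s proprietary SMA_RT code): a small monitor consumes a stream of constructed z/OS-style access events, raises alerts both for denied access and for access the security product already allowed (a privileged user touching sensitive data, a resource outside the user’s learned baseline, a burst of sensitive reads), and renders each alert as an ArcSight CEF line ready for a SIEM. The event layout, dataset names, user IDs, thresholds and vendor/product strings are assumptions; real SMF records are binary and laid out differently.

```python
"""Added example: a minimal Real-Time rule + anomaly engine over constructed z/OS-style
access events, emitting SIEM-ready CEF alerts.  Not Type80's SMA_RT.  The AccessEvent
layout is a simplified stand-in for an SMF access record; real SMF records are binary
and their field layouts differ.  All names, IDs and thresholds below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    ts: int            # seconds since epoch (constructed)
    user: str          # z/OS user ID
    resource: str      # dataset or resource name
    access: str        # READ / UPDATE / ALTER
    allowed: bool      # the decision RACF/ACF2/TSS already made
    source: str        # TSO / BATCH / CICS / FTP


SENSITIVE_PREFIXES = ("PROD.PAYROLL.", "PROD.CARD.")   # assumed sensitive datasets
PRIVILEGED_USERS = {"SYSPROG1", "DBADMIN"}             # assumed privileged IDs
BULK_WINDOW_SECS = 300     # sliding window for the bulk-read rule
BULK_THRESHOLD = 3         # allowed sensitive reads per window that raise an alert


def is_sensitive(resource: str) -> bool:
    return resource.startswith(SENSITIVE_PREFIXES)


def _cef_header(field: str) -> str:
    # CEF header fields must escape backslash and the pipe delimiter
    return field.replace("\\", "\\\\").replace("|", "\\|")


def to_cef(ev: AccessEvent, sig_id: str, severity: int) -> str:
    """Render an alert as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    name = sig_id.replace("_", " ").title()
    header = "|".join(_cef_header(x) for x in
                      ("ExampleVendor", "zOS-Monitor", "0.1", sig_id, name, str(severity)))
    outcome = "allowed" if ev.allowed else "denied"
    ext = (f"rt={ev.ts}000 suser={ev.user} fname={ev.resource} act={ev.access} "
           f"outcome={outcome} cs1Label=source cs1={ev.source}")
    return f"CEF:0|{header}|{ext}"


class Monitor:
    def __init__(self, baseline=None):
        # baseline: user -> resources seen during a learning period (e.g. prior weeks of SMF)
        self.baseline = defaultdict(set, {u: set(r) for u, r in (baseline or {}).items()})
        self.recent_reads = defaultdict(deque)   # user -> timestamps of allowed sensitive reads
        self.alerts = []                         # CEF lines, in the order raised

    def process(self, ev: AccessEvent) -> list:
        """Apply the rules to one event; return the signature IDs raised for it."""
        hits = []
        if is_sensitive(ev.resource):
            if not ev.allowed:
                # the classic violation that batch reports also show, just a day later
                hits.append(("DENIED_SENSITIVE_ACCESS", 5))
            elif ev.user in PRIVILEGED_USERS:
                # the security product said yes; report it anyway (authorized != expected)
                hits.append(("PRIVILEGED_USER_SENSITIVE_ACCESS", 7))
            if ev.allowed and ev.access == "READ":
                window = self.recent_reads[ev.user]
                window.append(ev.ts)
                while window and ev.ts - window[0] > BULK_WINDOW_SECS:
                    window.popleft()
                if len(window) >= BULK_THRESHOLD:
                    hits.append(("BULK_SENSITIVE_READ", 8))   # possible bulk download
                    window.clear()                             # re-arm the rule
        # Anomaly: an allowed access to something this user has never touched before.
        # A user with no baseline at all is still learning, so nothing is raised for them.
        if ev.allowed and self.baseline[ev.user] and ev.resource not in self.baseline[ev.user]:
            hits.append(("RESOURCE_OUTSIDE_BASELINE", 4))
        if ev.allowed:
            self.baseline[ev.user].add(ev.resource)   # learn; a repeat is no longer novel
        for sig_id, severity in hits:
            self.alerts.append(to_cef(ev, sig_id, severity))
        return [sig_id for sig_id, _ in hits]


def run_demo() -> list:
    """Replay a constructed event stream; return the signatures raised per event."""
    mon = Monitor(baseline={"PAYCLERK": {"PROD.PAYROLL.MASTER"},
                            "SYSPROG1": {"SYS1.PARMLIB"}})
    stream = [
        AccessEvent(1000, "PAYCLERK", "PROD.PAYROLL.MASTER", "READ", True, "CICS"),  # routine
        AccessEvent(1010, "INTRUDER", "PROD.CARD.PAN", "READ", False, "TSO"),        # denied
        AccessEvent(1020, "SYSPROG1", "PROD.PAYROLL.MASTER", "ALTER", True, "TSO"),  # allowed, yet odd
        AccessEvent(1030, "PAYCLERK", "PROD.CARD.PAN", "READ", True, "FTP"),         # 2nd read in window
        AccessEvent(1040, "PAYCLERK", "PROD.CARD.TRANS", "READ", True, "FTP"),       # 3rd read: bulk
        AccessEvent(1050, "SYSPROG1", "SYS1.PARMLIB", "READ", True, "TSO"),          # routine
    ]
    return [mon.process(ev) for ev in stream]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```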
It is possible to have organizations running multiple z/OS mainframes using different security
products (RACF, ACF2 or TSS) along with different SIEM and security log collection products
(HP Arcsight, Splunk, Dell SecureWorks, LogRhythm, etc.). How would one central Cyber
Security Center be able to oversee and monitor mainframe logs from all of the various products?
The SMA_RT software runs independently of each corporation’s or federal agency’s z/OS mainframe security product and its choice of SIEM and security log collection software, and sends mainframe logs and event notifications to multiple locations. This transparency allows the local mainframe Security Administrators to perform their normal duties, the local SOC to perform theirs, and permits a Managed Services Cyber Security Center to monitor mainframe logs and events from several customers in Real-Time.
DB2®, CICS®, SMF®, and z/OS® are registered trademarks of International Business Machines. All
references to them and field names remain the property of International Business Machines Corporation.
All trademarks, trade names, service marks and logos referenced herein belong to their respective
companies.
While we take every care to ensure the accuracy of the information contained in this material, the facts, estimates and opinions stated are based on information and sources which, while we believe them to be reliable, are not guaranteed. In particular, it should not be relied upon as the sole source of reference in relation to the subject matter. No liability can be accepted by the authors for any loss occasioned to any person or entity acting or failing to act as a result of anything contained in or omitted from the content of this material, or our conclusions as stated.
About the Authors
Stephen D. Rubin
Stephen D. Rubin is the founder and president of MMI. Under his leadership MMI has a track
record of 20 years of financial success in creating business markets for information technology
services (IT) across North America. Areas of business include training, consulting services, and
software. MMI has trained over 3,000 IT students representing over 400 corporations in
database design, information security, capacity planning and distributed application
development. Professional service engagements have included information security, server
consolidation, and the auditing of capacity planning and chargeback methodologies for both
public and private sectors. Stephen has authored white papers to drive market recognition and
helped create the United States marketplace for a European software start-up client.
William Buriak
William Buriak has over 25 years of information technology experience with an extensive
background in financial services, healthcare, and technical and management consulting. Bill is a
Senior Executive with demonstrated experience in planning, developing, and implementing cost
effective, innovative solutions to address complex business problems. He has broad recognized
experience in managing mainframe systems, Web based, and distributed systems. He has
extensive qualifications including vendor management, consensus building, and strategic planning skills. Currently working in the Security Engineering area of a major world bank, Mr.
Buriak is responsible for compliance and control of a large number of global products.
Jerry Harding
Jerry Harding is CEO of Type80 Security Software, Inc. He has over 25 years of mainframe
Systems Programming experience, providing professional services to commercial clients and
government agencies. He also has over 15 years of security experience including providing
training to NATO’s Counterintelligence Agency (ACE CI), the Supreme Headquarters Allied
Powers Europe (SHAPE), as well as other public and private organizations.
About Type80:
Type80 Security Software is an IBM Business Partner in software development and was founded
by experts in the areas of mainframe z/OS Systems Programming and Information Security. The
company draws from a diverse background, from providing cybersecurity training to NATO
counter intelligence, conducting enterprise-wide security assessments for companies maintaining
the nation's critical infrastructure, and developing high-level mainframe applications for major
financial institutions.
Our primary software product is called SMA_RT (Security Monitor Alerts in Real-Time). Our
SMA_RT software development began in 1998, the product availability was announced in 2002,
and awarded a US Patent in 2007, making it the first Real-Time mainframe intrusion detection,
z/OS SIEM agent and log event processing software of its kind.
SMA_RT has been deployed across four continents with commercial customers in the Financial,
Banking, Payment Card Processing, Automobile Importers, Retail Sales, International
Hotel/Travel, Corporate Management, HealthCare, Insurance, Educational, Telecommunications
and Home Security industries.
Please visit our website at www.type80.com and contact us or one of our preferred reseller
partners for additional information or if you have any questions on our software.