Making Sense of
Critical Security Data
IBM i Security SIEM Integration
Ian Hartley – Product Management Director
Bill Hammond – Product Marketing Director
Housekeeping
Webinar Audio
• Today’s webinar audio is streamed through your computer
speakers
• If you need technical assistance with the web interface or audio,
please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the presentation using
the Q&A box
Recording and slides
• This webinar is being recorded. You will receive an email following
the webinar with a link to the recording and slides
2
Today’s Agenda
• Basics of security monitoring
• Key areas to monitor
• Integration with SIEM solutions
• How Precisely solutions can help
3
Basics of
Security Monitoring
Regulations Require Monitoring
California Consumer Protection Act
(CCPA)
Enforcement date: January 1, 2020
• Requires organizations to comply with
CCPA if they collect data on residents
of California and have annual revenues
of $25 million, collect information on
over 50,000 people or have 50% of
annual revenue from selling/sharing
personal information
• Gives individuals the right to sue for
damages should a breach expose their
data and that data wasn’t encrypted or
otherwise made unreadable. Key
requirements include:
• Access control
• Restricted user privileges
• Sensitive data protection
• System activity logging
General Data Protection
Regulation
(GDPR)
Enforcement date: 25 May 2018
• Regulation in European Union law on data
protection and privacy for all individuals
within the European Union (EU) and the
European Economic Area (EEA)
• Applies to all organizations doing business
with EU citizens
• Aims primarily to give citizens and residents
protection of, and control over, their personal
data, including
• Access control
• Sensitive data protection
• Restricted user privileges
• System activity logging
• Risk assessments
New York Dept. of Financial Services
Cybersecurity Regulation
(NYS 23 NYCRR 500)
Enforcement date: February 15, 2018
• Requires banks, insurance companies,
and other financial services institutions to
establish and maintain a cybersecurity
program designed to protect consumers
• Ensures the safety and soundness of New
York State's financial services industry.
• Requirements protect the confidentiality,
integrity and availability of information
systems, including
• Risk assessments
• Restricted user privileges
• Automatic logouts
• Antivirus
• Multi-factor authentication
• System activity logging
5
Why do we do log
collection and
monitoring?
Active
Monitoring
Catching the cybercriminals early
Forensics
Fixing the problem after a
security breach
6
Active Monitoring
Stop a Data Breach Before it Happens.
• Over 3,800 breaches in 2019
• 50% increase over last 5 years
• Billions of records every year
• Less than 1% of the breaches were
discovered through log analysis
• 69% of these breaches were detectable via
log evidence
Take Away: If you are monitoring
your logs, you can detect a breach
and stop it before data is lost.
7
Forensics
How did it happen, how do I clean it up?
• What servers are infected?
• How many are infected?
• Where did it start?
• How does the malware actually work?
• How do I clean it up?
Take Away: If you do not have logs, you can’t
answer these questions, and you are almost
certain to become re-infected with malware
8
Key Areas to
Monitor
Security Monitoring
You can’t monitor what you aren’t watching!
10
A strong IBM i security foundation requires solutions that draw a
perimeter around your system and its data – capturing security
data that you can monitor in log files
IBM i has powerful audit logs
• System Journal – QAUDJRN
• Database (Application) Journals – for Before and After
Images
• Other IBM Journals are available
• QHST Log Files – DSPLOG Command
• System Message Queues – QSYSOPR, QSYSMSG
Turn on auditing, save journal receivers, and take advantage of
everything the operating system can log for you
The State of Logging on
the IBM i
The state of logging on most IBM i’s is not good
• There is a ton of valuable information stored on your IBM i
• The IBM i logs are in proprietary format
• IBM i security logs are often an enclave inside the IT
organization
• No standardized syslog communications facility
• The essence of good security is externalizing the logs
• There is a requirement to remove the risk of tampering
• Compliance regulations recognize the need to watch all users
– including the most powerful users
11
Analyze IBM i Audit Logs
Tools help you extract insight from your logs
12
IBM i log files are comprehensive, unalterable, and
trusted by auditors BUT they are not easy to analyze.
Monitoring and reporting tools are needed to:
• Simplify the process of analyzing complex IBM i journals
• Filter through the massive amount of information in your logs
• Detect security incidents and raise alerts
• Quickly highlight compliance deviations
• Deliver reports in multiple formats to compliance and security
auditors, partners, customers and your management team
• Relieve your team of the burden of manual analysis
System Log Collection and
Monitoring
Core Principles
• Centralize log collection from ALL servers, devices and PCs
• Real time collection
• Event correlation for pattern recognition
• Real time monitoring and alerting
• Historical archives for forensics
• Query and reporting services
13
Enterprise-Level Visibility
Monitor IBM i security along with all the other platforms in your enterprise
14
Monitoring and reporting tools can forward IBM i security data to
a Security Information and Event Management (SIEM) solution to:
• Integrate IBM i security data with data from other IT platforms
• Enable advanced analysis of security data using advanced SIEM
technology for correlation, pattern matching, and threat detection
• Support information sharing and collaboration across teams
• Facilitate integration with case management and ticketing systems
Integration with
Security Information
and Event Management
(SIEM) solutions
What is SIEM?
Security Information and Event
Management
• Real-time analysis of security alerts
generated by applications and network
hardware
• Holistic, unified view into infrastructure,
workflow, policy compliance and log
management
• Monitor and manage user and service
privileges as well as external threat data
Log Collection
Log Analysis
Event Correlation
Log Forensics
IT Compliance
Application Log Monitoring
Object Access Auditing
Real-Time Alerting
User Activity Monitoring
Dashboards
Reporting
File Integrity Monitoring
System/Device Log Monitoring
Log Retention
SIEM
16
Enterprise Security Monitoring
• Monitoring and reporting tools can forward IBM i security
data to a Security Information and Event Management (SIEM)
solution to:
• Integrate IBM i security data with data from other IT
platforms
• Enable advanced analysis of security data using correlation,
pattern matching, and threat detection
• Share information across teams
• Integrate with case management and ticketing systems
Monitor IBM i security along with your other enterprise platforms
17
What Can Your SIEM Show You?
• Data movement – inbound/outbound FTP
• Dataset access operations
• Determine potential security threats based on unauthorized access
attempts
• Ensure only authorized users are accessing critical datasets
• Privileged/non-privileged user activity monitoring
• Unusual behavior pattern – off hours connections
• High number of invalid logon attempts
• Attack detection – intrusion, scans, floods
• Authentication anomalies – e.g. entered the building at 08:30 but
logged on from another country at 09:00
• Network Traffic Analysis – high data volumes from a device/server
• … and much more
18
What Can I Learn?
Examples that your SIEM solution can help identify
19
• File accesses outside business hours
• Accesses to sensitive database fields
• Changes of more than 10% to a credit limit field
• All accesses from a specific IP address
• Command line activity for powerful users (*ALLOBJ, *SECADM)
• Changes to system values, user profiles, and authorization lists
• Attempts to sign into a specific account
• Actions on a sensitive spool file, such as display or deletion of the
payroll spool file
Security is important – what about examples?
• Authorization Failures
• Login attempts
• Creating or deleting objects
• User profile events –
special authorities
• System Value changes
• Changes to sensitive files
20
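The two slides above list the kinds of events a SIEM should surface from IBM i audit data (file access outside business hours, command-line activity by users holding *ALLOBJ or *SECADM, bursts of invalid sign-on attempts, system value changes). The following is an added example, not code from the deck or from Precisely's products, showing those four checks as plain detection rules run over a small constructed set of simplified QAUDJRN-style events. The event layout, the business-hours window, the list of powerful users and the sign-on threshold are all assumptions made for the example; the entry-type codes (ZR/ZC, CD, PW, SV) are the IBM i audit journal codes for object read/change, command string, invalid sign-on and system value change.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (written for this example, not taken from the deck).
# type: ZR/ZC = object read/change, CD = command string, PW = invalid sign-on,
# SV = system value change. "object" carries the object, command or system value.
SAMPLE_EVENTS = [
    {"ts": "2020-03-02T03:12:07", "type": "ZR", "user": "BATCHOP", "object": "PAYROLL"},
    {"ts": "2020-03-02T09:15:00", "type": "ZR", "user": "CLERK1",  "object": "PAYROLL"},
    {"ts": "2020-03-02T09:16:30", "type": "CD", "user": "SECOFF",  "object": "CHGUSRPRF CLERK1 SPCAUT(*ALLOBJ)"},
    {"ts": "2020-03-02T09:17:00", "type": "CD", "user": "CLERK1",  "object": "WRKSPLF"},
    {"ts": "2020-03-02T09:20:01", "type": "PW", "user": "QSECOFR", "object": ""},
    {"ts": "2020-03-02T09:20:05", "type": "PW", "user": "QSECOFR", "object": ""},
    {"ts": "2020-03-02T09:20:09", "type": "PW", "user": "QSECOFR", "object": ""},
    {"ts": "2020-03-02T09:20:14", "type": "PW", "user": "QSECOFR", "object": ""},
    {"ts": "2020-03-02T09:20:20", "type": "PW", "user": "QSECOFR", "object": ""},
    {"ts": "2020-03-02T14:00:00", "type": "SV", "user": "SECOFF",  "object": "QAUDLVL"},
    {"ts": "2020-03-02T20:45:00", "type": "ZC", "user": "CLERK2",  "object": "PAYROLL"},
]

# Assumed inputs: the users holding *ALLOBJ/*SECADM (as listed from user profile
# data), the local business-hours window, and the objects treated as sensitive.
POWERFUL_USERS = {"QSECOFR", "SECOFF"}
BUSINESS_HOURS = (8, 18)          # 08:00 to 18:00 local time, assumed
SENSITIVE_OBJECTS = {"PAYROLL"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def off_hours_access(events, hours=BUSINESS_HOURS, sensitive=SENSITIVE_OBJECTS):
    """Reads or changes of sensitive objects outside the business-hours window."""
    start, end = hours
    return [e for e in events
            if e["type"] in ("ZR", "ZC") and e["object"] in sensitive
            and not (start <= _ts(e).hour < end)]


def powerful_user_commands(events, powerful=POWERFUL_USERS):
    """Command-line activity (CD entries) by users holding *ALLOBJ or *SECADM."""
    return [e for e in events if e["type"] == "CD" and e["user"] in powerful]


def signon_failure_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Users with at least `threshold` invalid sign-on attempts inside a sliding window.
    One finding per user: the window start and the count that tripped the rule."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "PW":
            by_user[e["user"]].append(_ts(e))
    hits = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append({"user": user, "first": times[i].isoformat(), "count": threshold})
                break
    return hits


def system_value_changes(events):
    """Every system value change is worth a look; QAUDLVL changes alter what gets logged."""
    return [e for e in events if e["type"] == "SV"]


def run_rules(events):
    """Apply all rules and return the findings keyed by rule name."""
    return {
        "off_hours_access": off_hours_access(events),
        "powerful_user_commands": powerful_user_commands(events),
        "signon_failure_bursts": signon_failure_bursts(events),
        "system_value_changes": system_value_changes(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample data the off-hours rule fires twice (03:12 and 20:45 access to PAYROLL), the powerful-user rule once (the SECOFF command that grants *ALLOBJ), the sign-on rule once (five QSECOFR failures in 19 seconds) and the system value rule once. Whether you keep the rules in the SIEM's own query language or in a forwarder-side script, the inputs that matter are the same: who counts as a powerful user, which objects are sensitive, and what "normal hours" are for each system.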
Using Message Queue or History Data
• Highlight critical events
• Look at trends, for example application errors
• Proactive analysis
• Long running jobs
• Hardware errors
• Application issues
21
Examples of application file monitoring
• Changes made to files
• Matching before/after field
changes
• Anomalies in file field changes
• Powerful search capability to
match and note exceptions.
index=eview72 JournalName="TESTJRN" ObjectName="PAYROLL" (EntryType=UP OR EntryType=UB)
| rename SALARY AS "Salary"
| transaction EMPNUM maxspan=30s startswith=(EntryType=UB) endswith=(EntryType=UP)
| eval befsalary=mvindex(Salary, 0)
| eval aftsalary=mvindex(Salary, 1)
| eval pctchange = round((aftsalary/befsalary*100)-100,0)
| where pctchange > $changepct$
22
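The Splunk search above pairs each before-image (UB) with the after-image (UP) of the same EMPNUM that arrives within 30 seconds, then computes the percentage change in SALARY. As an added example (not code from the deck or from any Precisely product), here is the same before/after pairing and threshold check written as a standalone Python routine over constructed journal entries, so the logic can be read and tested without a SIEM. The entry layout, the employee numbers and the salary values are all constructed for the example; it also handles two cases the one-line SPL does not address, a UB with no UP inside the window (no transaction) and a zero before-image (percentage undefined).

```python
from datetime import datetime, timedelta

# Constructed sample journal entries for the PAYROLL file (example data, not
# from the deck). UB = before image, UP = after image of an update.
SAMPLE_ENTRIES = [
    {"ts": "2020-03-02T09:00:01", "EntryType": "UB", "EMPNUM": "1001", "SALARY": 50000},
    {"ts": "2020-03-02T09:00:02", "EntryType": "UP", "EMPNUM": "1001", "SALARY": 51000},  # +2%: routine
    {"ts": "2020-03-02T09:05:10", "EntryType": "UB", "EMPNUM": "1002", "SALARY": 40000},
    {"ts": "2020-03-02T09:05:11", "EntryType": "UP", "EMPNUM": "1002", "SALARY": 80000},  # +100%: anomaly
    {"ts": "2020-03-02T10:00:00", "EntryType": "UB", "EMPNUM": "1003", "SALARY": 60000},
    {"ts": "2020-03-02T10:01:00", "EntryType": "UP", "EMPNUM": "1003", "SALARY": 90000},  # 60 s apart: outside maxspan
    {"ts": "2020-03-02T11:00:00", "EntryType": "UB", "EMPNUM": "1004", "SALARY": 0},
    {"ts": "2020-03-02T11:00:01", "EntryType": "UP", "EMPNUM": "1004", "SALARY": 30000},  # before = 0: pct undefined
]


def pair_before_after(entries, maxspan=timedelta(seconds=30)):
    """Pair each UB with the next UP for the same EMPNUM that lands within maxspan.
    This mirrors `transaction EMPNUM maxspan=30s startswith=(EntryType=UB)
    endswith=(EntryType=UP)`; a UB whose UP arrives later than maxspan is dropped."""
    pending = {}   # EMPNUM -> (timestamp, UB entry) waiting for its UP
    pairs = []
    for e in sorted(entries, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        key = e["EMPNUM"]
        if e["EntryType"] == "UB":
            pending[key] = (t, e)
        elif e["EntryType"] == "UP" and key in pending:
            t0, before = pending.pop(key)
            if t - t0 <= maxspan:
                pairs.append((before, e))
    return pairs


def flag_salary_changes(entries, threshold_pct):
    """One finding per transaction whose SALARY rose by more than threshold_pct.
    Same arithmetic as the SPL: round((after/before*100)-100). A zero before-image
    cannot produce a percentage, so it is reported explicitly instead of dropped."""
    findings = []
    for before, after in pair_before_after(entries):
        b, a = before["SALARY"], after["SALARY"]
        if b == 0:
            findings.append({"EMPNUM": after["EMPNUM"], "before": b, "after": a,
                             "pctchange": None, "reason": "zero before-image"})
            continue
        pct = round((a / b * 100) - 100)
        if pct > threshold_pct:
            findings.append({"EMPNUM": after["EMPNUM"], "before": b, "after": a,
                             "pctchange": pct, "reason": "threshold exceeded"})
    return findings


if __name__ == "__main__":
    for f in flag_salary_changes(SAMPLE_ENTRIES, threshold_pct=10):
        print(f)
```

Two points carry over to the SPL version. First, `where pctchange > $changepct$` only catches increases; a large cut to a salary or credit limit is also worth an alert, so compare the absolute value if that matters to you. Second, a transaction window that is too short silently loses pairs (the 1003 update above), so check how far apart the before and after images of one update actually land in your journal before fixing maxspan.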
SIEM Dashboards
23
How Precisely
Can Help
24
Precisely SIEM Integration
Ironstream
• Integrate mainframe and IBM i
security data into leading IT
analytics and operations
platforms for an enterprise-
wide view of your security
Assure Security
• Extract insights from IBM i
journal data and send that data
directly to your enterprise SIEM
solution, allowing IBM i security
to be monitored alongside all other
enterprise platforms.
HPE ArcSight
Splunk
LogRhythm
McAfee
AlienVault
SolarWinds
Etc…
25
Q & A
IBM i Security SIEM Integration

Editor's Notes

  • #4: Bill
  • #6: Bill GDPR – Not only for Europe, It also addresses the export of personal data outside the EU (European Union) and EEA (European Economic Area) areas. 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies requires banks, insurance companies, and other financial services institutions regulated by the New York Department of Financial Services.
  • #7: Patrick
  • #8: Patrick
  • #9: Patrick
  • #11: Bill
  • #12: Patrick
  • #13: Bill
  • #14: Patrick
  • #16: Bill will transition to Ian for this section Thanks Bill…so let’s now look at SIEM solutions…what they are…integrating data into them…and why you would want to do that.
  • #17: This is just a general … what is a SIEM solution slide SIEM technology aggregates and provides real-time analysis of security alerts using event data produced by security devices, network infrastructure components, systems, and applications. A primary function of SIEM is to analyze security event data in real-time for internal and external threat detection to prevent potential hacks and data loss. This typically includes user behavior analytics (UBA) – understanding user behavior and how it might impact security. SIEM technologies also collect, store, analyze and report on data needed for regulatory compliance to ensure that audit requirements are met as dictated. SIEM stands for “Security Information and Event Management”…and it’s a software solution that gathers security-related information, events and activities into one place so that they can be analyzed. Data fed into a SIEM can come from many different software and hardware sources…and wherever possible the information is gathered in real-time. Let’s face it…in the context of security…a lot can happen in a short period of time…so you need to know what is happening…and where…as soon as possible…not 2 minutes after the data or system has been compromised. A SIEM solution gives you the visibility across your infrastructure so you can ensure activities are in line with organizational policies…data regulations…and expected information management actions. And this applies to both internal and external activities…that is activities taking place within your own community of employees…as well as threats coming from outside your organization.
  • #18: Makes the point that you need to include your IBM i data alongside all the other platforms in order to have a complete and accurate picture of your security situation One of the key aspects of any SIEM solution is to get information from across the entire enterprise. So, this means every source…including IBMi. You need to see information side-by-side with data from other areas of your IT infrastructure and user community…and this means bringing together elements from a diverse set of sources. Once you have this information all in one place…it needs to be examined as a whole…treated as a mass of information that works together to paint the picture of your security posture. SIEM solutions carry out detailed analysis and correlations with this data…looking for anomalies…behavior patterns…outliers…indicators that can point to something you need to be aware of…whether that is something very obvious or something subtle…such as a behavior pattern spread over time. By using a SIEM you are putting things like log data to work. The SIEM will process this information and identify notable items that you and the Security team may need to pay attention to. To help with this it is also possible to integrate case management and incident ticketing workflows to ensure those that need to know are aware as soon as possible.
  • #19: Examples of SIEM data A SIEM can categorize data into many different categories…each with their own security implications. Looking at data…perhaps your most valuable and critical information…you need to be aware of where that information is going. Do you allow FTP? Should it be secured? Is data going to an unusual endpoint? Is someone accessing or attempting to access protected data? And every organization has users with privileged authority…and perhaps their system access should be watched even more closely. They have access to critical system elements and should be trusted, but… And if your system happens to be connected to the outside world…then you may also need to be more aware of external attacks…from intrusion detection to port scanning or even things like denial of service. General system authentications and access should be routinely monitored with a SIEM. For example, someone swipes into the building at 8:30…but then their account connects from another location at 9 am. Could be perfectly normal for your organization but may be highly suspicious activity. And a privileged user connecting at 3 am on a Sunday…may be something that is suspicious. Even the volumes of network traffic across your infrastructure can be an indicator of something unusual and should be investigated. There are many scenarios that a SIEM can capture…either out-of-the-box or that are specific to how your organization operates. What is normal for one…is not necessarily the case for another…but a SIEM needs to be able to cater for these needs.
  • #20: What I can learn from using a SIEM solution A SIEM can distill data to a point where you have sufficient information to decide whether something is suspicious or perfectly normal. For example…is it OK that someone is accessing data outside regular business hours? It could be…but then again…circumstances will determine what…is or is not…OK. Who…what…where…when…how…are all questions that need to be factored into making a decision about what needs further action. Should that user account be issuing that specific command on your production LPAR? Someone just got some extra account privileges…is this acceptable? Multiple logon attempts for the same user have been observed over the last 6 hours…is this suspicious? Activities around sensitive information…perhaps specific and unique to your organization…need to be monitored. These types of actions, scenarios and activities can be detected…and a SIEM can help determine whether this is normal…or needs immediate attention. But the list of items you should be monitoring…is long…
  • #21: The next 3 slides are just specific IBM i examples of data that can be sent to SIEM solutions Some of the sources of information needed by a SIEM solution can be pretty unfriendly. Often this is log or machine data that may not be so usable in its native format. But within this data can lie very useful elements of information…such as the items listed here… Authorizations Login attempts Actions around objects and user profiles Or system settings and your sensitive data
  • #22: And then looking specifically at the IBMi there are specific queues…logs…and journals…that need to be examined for… Certain events Trends Patterns …and even examining how jobs are running…perhaps running at abnormal times or running too long… Even spotting hardware errors and application issues can be indicative of a situation that needs attention.
  • #23: And your data also needs to be monitored. Who is accessing what, when and why? What changes are being made and are they legitimate? You need something like a SIEM solution combined with powerful search and analysis to be able to get to grips with what is happening with your data and spot those anomalies that can point to an issue. Security comes from a combination of many factors – both internal and external…and many things can influence what you need to pay attention to and look for.
  • #24: Comment on how we can even populate dashboards in products like Splunk with security data Fortunately…with the right tools…it is easy to get log…machine…and application data from your IBMi into something like Splunk. Here…you can search, analyze and correlate this information in many ways to reveal insights like the ones we have already spoken about. This data can be visualized on standard dashboards or even wired into Splunk’s award-winning Enterprise Security SIEM solution where out-of-the-box correlations and security workflow can help you ensure you have a good surveillance of your infrastructure. With that…I’ll hand back to Bill…
  • #25: Ian will transition back to Bill to cover this section
  • #26: Precisely has multiple solutions and the one that’s right for you will depend on your requirements, your SIEM solution choice and other factors. Talk to your Precisely account rep to learn more