This document discusses integrating IBM i security data with security information and event management (SIEM) solutions. It covers the basics of security monitoring and key areas to monitor on IBM i systems like user access, privileged users, system values and sensitive files. Integration with SIEM solutions provides enterprise-level visibility, advanced analysis capabilities, information sharing across teams and integration with ticketing systems. Precisely solutions can help extract insights from IBM i journal data and send it directly to SIEM platforms to monitor IBM i security alongside other platforms.
1. Making Sense of Critical Security Data
IBM i Security SIEM Integration
Ian Hartley – Product Management Director
Bill Hammond – Product Marketing Director
2. Housekeeping
Webinar Audio
• Today’s webinar audio is streamed through your computer
speakers
• If you need technical assistance with the web interface or audio,
please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the presentation using
the Q&A box
Recording and slides
• This webinar is being recorded. You will receive an email following
the webinar with a link to the recording and slides
3. Today’s Agenda
• Basics of security monitoring
• Key areas to monitor
• Integration with SIEM solutions
• How Precisely solutions can help
5. Regulations Require Monitoring
General Data Protection Regulation (GDPR)
Enforcement date: 25 May 2018
• Regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA)
• Applies to all organizations doing business with EU citizens
• Aims primarily to provide protection and control over their personal data to citizens and residents, including
  • Access control
  • Sensitive data protection
  • Restricted user privileges
  • System activity logging
  • Risk assessments
New York Dept. of Financial Services Cybersecurity Regulation (NYS 23 NYCRR 500)
Enforcement date: February 15, 2018
• Requires banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program designed to protect consumers
• Ensures the safety and soundness of New York State's financial services industry
• Requirements protect the confidentiality, integrity and availability of information systems, including
  • Risk assessments
  • Restricted user privileges
  • Automatic logouts
  • Antivirus
  • Multi-factor authentication
  • System activity logging
California Consumer Protection Act (CCPA)
Enforcement date: January 1, 2020
• Requires organizations to comply with CCPA if they collect data on residents of California and have annual revenues of $25 million, collect information on over 50,000 people or have 50% of annual revenue from selling/sharing personal information
• Gives individuals the right to sue for damages should a breach expose their data and that data wasn’t encrypted or otherwise made unreadable. Key requirements include:
  • Access control
  • Restricted user privileges
  • Sensitive data protection
  • System activity logging
6. Why do we do log collection and monitoring?
Active Monitoring: Catching the cybercriminals early
Forensics: Fixing the problem after a security breach
7. Active Monitoring
Stop a Data Breach Before it Happens.
• Over 3,800 breaches in 2019
• 50% increase over last 5 years
• Billions of records every year
• Less than 1% of the breaches were
discovered through log analysis
• 69% of these breaches were detectable via log evidence
Take Away: If you are monitoring
your logs, you can detect a breach
and stop it before data is lost.
8. Forensics
How did it happen, how do I clean it up?
• What servers are infected?
• How many are infected?
• Where did it start?
• How does the malware actually work?
• How do I clean it up?
Take Away: If you do not have logs, you can’t answer these questions and you are almost certain to become re-infected with malware
10. Security Monitoring
You can’t monitor what you aren’t watching!
A strong IBM i security foundation requires solutions that draw a
perimeter around your system and its data – capturing security
data that you can monitor in log files
IBM i has powerful audit logs
• System Journal – QAUDJRN
• Database (Application) Journals – for Before and After
Images
• Other IBM Journals are available
• QHST Log Files – DSPLOG Command
• System Message Queues – QSYSOPR, QSYSMSG
Turn on auditing, save journal receivers, and take advantage of
everything the operating system can log for you
11. The State of Logging on the IBM i
The state of logging on most IBM i’s is not good
• There is a ton of valuable information stored on your IBM i
• The IBM i logs are in proprietary format
• IBM i security logs are often an enclave inside the IT
organization
• No standardized syslog communications facility
• The essence of good security is externalizing the logs
• There is a requirement to remove the risk of tampering
• Compliance regulations recognize the need to watch all users
– including the most powerful users
12. Analyze IBM i Audit Logs
Tools help you extract insight from your logs
IBM i log files are comprehensive, unalterable, and
trusted by auditors BUT they are not easy to analyze.
Monitoring and reporting tools are needed to:
• Simplify the process of analyzing complex IBM i journals
• Filter through the massive amount of information in your logs
• Detect security incidents and raise alerts
• Quickly highlight compliance deviations
• Deliver reports in multiple formats to compliance and security
auditors, partners, customers and your management team
• Relieve your team of the burden of manual analysis
13. System Log Collection and Monitoring
Core Principles
• Centralize log collection from ALL servers, devices and PCs
• Real time collection
• Event correlation for pattern recognition
• Real time monitoring and alerting
• Historical archives for forensics
• Query and reporting services
14. Enterprise-Level Visibility
Monitor IBM i security alongside all the other platforms in your enterprise
Monitoring and reporting tools can forward IBM i security data to
a Security Information and Event Management (SIEM) solution to:
• Integrate IBM i security data with data from other IT platforms
• Enable advanced analysis of security data using advanced SIEM
technology for correlation, pattern matching, and threat detection
• Support information sharing and collaboration across teams
• Facilitate integration with case management and ticketing systems
16. What is SIEM?
Security Information and Event Management
• Real-time analysis of security alerts generated by applications and network hardware
• Holistic, unified view into infrastructure, workflow, policy compliance and log management
• Monitor and manage user and service privileges as well as external threat data
SIEM capabilities:
• Log Collection
• Log Analysis
• Event Correlation
• Log Forensics
• IT Compliance
• Application Log Monitoring
• Object Access Auditing
• Real-Time Alerting
• User Activity Monitoring
• Dashboards
• Reporting
• File Integrity Monitoring
• System/Device Log Monitoring
• Log Retention
17. Enterprise Security Monitoring
• Monitoring and reporting tools can forward IBM i security
data to a Security Information and Event Management (SIEM)
solution to:
• Integrate IBM i security data with data from other IT
platforms
• Enable advanced analysis of security data using correlation,
pattern matching, and threat detection
• Share information across teams
• Integrate with case management and ticketing systems
Monitor IBM i security along with your other enterprise platforms
18. What Can Your SIEM Show You?
• Data movement – inbound/outbound FTP
• Dataset access operations
• Determine potential security threats based on unauthorized access
attempts
• Ensure only authorized users are accessing critical datasets
• Privileged/non-privileged user activity monitoring
• Unusual behavior pattern – off hours connections
• High number of invalid logon attempts
• Attack detection – intrusion, scans, floods
• Authentication anomalies – e.g. entered the building at 08:30 but
logged on from another country at 09:00
• Network Traffic Analysis – high data volumes from a device/server
• … and much more
19. What Can I Learn?
Examples that your SIEM solution can help identify
• File accesses outside business hours
• Accesses to sensitive database fields
• Changes of more than 10% to a credit limit field
• All accesses from a specific IP address
• Command line activity for powerful users (*ALLOBJ, *SECADM)
• Changes to system values, user profiles, and authorization lists
• Attempts to sign into a specific account
• Actions on a sensitive spool file, such as display or deletion of the
payroll spool file
20. Security is important – what about examples?
• Authorization Failures
• Login attempts
• Creating or deleting objects
• User profile events – special authorities
• System Value changes
• Changes to sensitive files
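As an added example (not from the webinar), here is a small Python detector that applies the categories on slides 19 and 20 to constructed, syslog-style records derived from the QAUDJRN system journal. It assumes a forwarder emits one "type=XX user=... job=... detail=..." line per journal entry and uses QAUDJRN's own two-letter entry types (PW invalid password/sign-on, AF authority failure, CP user profile change, SV system value change, CD command string); the profile names, thresholds and records are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PW_THRESHOLD = 5                   # invalid sign-ons per user before alerting
PW_WINDOW = timedelta(minutes=10)  # ... observed within this window
POWERFUL = {"QSECOFR", "SECADM1"}  # constructed: profiles holding *ALLOBJ/*SECADM

# Constructed sample records (not real journal data), one per QAUDJRN entry.
CONSTRUCTED_LOG = """\
2020-03-02T08:31:10 type=PW user=JSMITH job=QPADEV0001 detail=invalid password
2020-03-02T08:31:42 type=PW user=JSMITH job=QPADEV0001 detail=invalid password
2020-03-02T08:32:05 type=PW user=JSMITH job=QPADEV0001 detail=invalid password
2020-03-02T08:32:40 type=PW user=JSMITH job=QPADEV0001 detail=invalid password
2020-03-02T08:33:15 type=PW user=JSMITH job=QPADEV0001 detail=invalid password
2020-03-02T08:40:00 type=AF user=JSMITH job=QPADEV0001 detail=PAYROLL in PRODLIB not authorized
2020-03-02T09:02:11 type=CD user=QSECOFR job=QPADEV0002 detail=CHGUSRPRF USRPRF(JSMITH)
2020-03-02T09:02:12 type=CP user=QSECOFR job=QPADEV0002 detail=JSMITH granted *ALLOBJ
2020-03-02T09:05:30 type=SV user=QSECOFR job=QPADEV0002 detail=QSECURITY changed
"""
LINE_RE = re.compile(r"^(\S+) type=(\w{2}) user=(\S+) job=(\S+) detail=(.*)$")

def parse(line):
    m = LINE_RE.match(line)  # one forwarded record -> dict, or None if malformed
    if not m:
        return None
    ts, etype, user, job, detail = m.groups()
    return {"ts": datetime.fromisoformat(ts), "type": etype,
            "user": user, "job": job, "detail": detail}

def detect(text):
    alerts = []                      # list of (rule, user, detail) tuples
    recent_pw = defaultdict(deque)   # user -> timestamps of recent PW entries
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        t, user, detail = ev["type"], ev["user"], ev["detail"]
        if t == "PW":                           # login attempts: repeated failures
            q = recent_pw[user]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > PW_WINDOW:  # drop entries older than the window
                q.popleft()
            if len(q) == PW_THRESHOLD:
                alerts.append(("repeated_invalid_signon", user, f"{len(q)} within {PW_WINDOW}"))
        elif t == "AF":                         # authorization failures
            alerts.append(("authority_failure", user, detail))
        elif t == "CP" and ("*ALLOBJ" in detail or "*SECADM" in detail):
            alerts.append(("special_authority_granted", user, detail))
        elif t == "SV":                         # system value changes
            alerts.append(("system_value_change", user, detail))
        elif t == "CD" and user in POWERFUL:    # command line use by powerful users
            alerts.append(("powerful_user_command", user, detail))
    return alerts
```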
21. Using Message Queue or History Data
• Highlight critical events
• Look at trends, for example application errors
• Proactive analysis
• Long running jobs
• Hardware errors
• Application issues
22. Examples of application file monitoring
• Changes made to files
• Matching before/after field changes
• Anomalies in file field changes
• Powerful search capability to match and note exceptions.
Example Splunk search (SPL) over PAYROLL journal entries:
index=eview72 JournalName="TESTJRN" ObjectName="PAYROLL" (EntryType=UP OR EntryType=UB)
| rename SALARY AS "Salary"
| transaction EMPNUM maxspan=30s startswith=(EntryType=UB) endswith=(EntryType=UP)
| eval befsalary=mvindex(Salary, 0)
| eval aftsalary=mvindex(Salary, 1)
| eval pctchange = round((aftsalary/befsalary*100)-100,0)
| where pctchange > $changepct$
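As an added example (not from the webinar or from Precisely's products), the same before/after-image check in Python over constructed PAYROLL journal entries, so it can be tried without Splunk: UB/UP pairs are matched per EMPNUM within 30 seconds as the SPL transaction command does, and the percentage change is compared with the threshold. It goes a little beyond the query above by also flagging decreases and by handling a zero before-image, which the SPL division would not.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=30)  # mirrors the SPL's maxspan=30s
CHANGE_PCT = 10                  # the slide's "changes of more than 10%"

# Constructed journal entries for file PAYROLL (not real data): UB is the
# before-image and UP the after-image of one record update.
# Tuple layout: (timestamp, entry type, EMPNUM, SALARY)
CONSTRUCTED_ENTRIES = [
    ("2020-03-02T10:00:00", "UB", "E1001", 50000.0),
    ("2020-03-02T10:00:01", "UP", "E1001", 52000.0),   # +4%: normal
    ("2020-03-02T10:05:00", "UB", "E2002", 40000.0),
    ("2020-03-02T10:05:02", "UP", "E2002", 60000.0),   # +50%: flagged
    ("2020-03-02T10:09:00", "UB", "E3003", 0.0),
    ("2020-03-02T10:09:01", "UP", "E3003", 1000.0),    # before = 0: percentage undefined
    ("2020-03-02T11:00:00", "UB", "E4004", 30000.0),
    ("2020-03-02T11:01:00", "UP", "E4004", 45000.0),   # UP 60s after UB: outside maxspan
    ("2020-03-02T11:30:00", "UP", "E5005", 70000.0),   # UP with no UB: ignored
]

def pair_images(entries, maxspan=MAXSPAN):
    """Yield (empnum, before, after) for each UB followed by a UP within maxspan."""
    pending = {}  # empnum -> (timestamp, before salary) of an open UB
    for ts_str, etype, empnum, salary in sorted(entries):
        ts = datetime.fromisoformat(ts_str)
        if etype == "UB":
            pending[empnum] = (ts, salary)
        elif etype == "UP" and empnum in pending:
            ub_ts, before = pending.pop(empnum)
            if ts - ub_ts <= maxspan:
                yield empnum, before, salary

def salary_exceptions(entries, changepct=CHANGE_PCT):
    """Return [(empnum, before, after, pctchange)] for changes beyond changepct."""
    out = []
    for empnum, before, after in pair_images(entries):
        if before == 0:
            # Division would fail here; surface it for review instead of dropping it.
            out.append((empnum, before, after, None))
            continue
        pct = round(after / before * 100 - 100)
        if abs(pct) > changepct:
            out.append((empnum, before, after, pct))
    return out
```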
25. Precisely SIEM Integration
Ironstream
• Integrate mainframe and IBM i security data into leading IT analytics and operations platforms for an enterprise-wide view of your security
Assure Security
• Extract insights from IBM i journal data and send it directly to your enterprise SIEM solution, allowing IBM i security to be monitored with all other enterprise platforms.
Supported SIEM platforms include: HPE ArcSight, Splunk, LogRhythm, McAfee, AlienVault, SolarWinds, etc.
GDPR – Not only for Europe, It also addresses the export of personal data outside the EU (European Union) and EEA (European Economic Area) areas.
23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies requires banks, insurance companies, and other financial services institutions regulated by the New York Department of Financial Services.
Bill will transition to Ian for this section
Thanks Bill…so let’s now look at SIEM solutions…what they are…integrating data into them…and why you would want to do that.
This is just a general … what is a SIEM solution slide
SIEM technology aggregates and provides real-time analysis of security alerts using event data produced by security devices, network infrastructure components, systems, and applications. A primary function of SIEM is to analyze security event data in real-time for internal and external threat detection to prevent potential hacks and data loss. This typically includes user behavior analytics (UBA) – understanding user behavior and how it might impact security. SIEM technologies also collect, store, analyze and report on data needed for regulatory compliance to ensure that audit requirements are met as dictated.
SIEM stands for “Security Information and Event Management”…and it’s a software solution that gathers security-related information, events and activities into one place so that the they can be analyzed.
Data fed into a SIEM can come from many different software and hardware sources…and wherever possible the information is gathered in real-time. Let’s face it…in the context of security…a lot can happen in a short period of time…so you need to know what is happening…and where…as soon as possible…not 2 minutes after the data or system has been compromised.
A SIEM solution gives you the visibility across your infrastructure so you can ensure activities are in line with organizational policies…data regulations…and expected information management actions.
And this applies to both internal and external activities…that is activities taking place within your own community of employees…as well as threats coming from outside your organization.
Makes the point that you need to include your IBM i data alongside all the other platforms in order to have a complete and accurate picture of your security situation
One of the key aspects of any SIEM solution is to get information from across the entire enterprise. So, this means every source…including IBMi.
You need to see information side-by-side with data from other areas of your IT infrastructure and user community…and this means bringing together elements from a diverse set of sources.
Once you have this information all in one place…it needs to be examined as a whole…treated as a mass of information that works together to paint the picture of your security posture.
SIEM solutions carry out detailed analysis and correlations with this data…looking for anomalies…behavior patterns…outliers…indicators that can point to something you need to be aware of…whether that is something very obvious or something subtle…such as a behavior pattern spread over time.
By using a SIEM you are putting things like log data to work. The SIEM will process this information and identify notable items that you and the Security team may need to pay attention to.
To help with this it is also possible to integrate case management and incident ticketing workflows to ensure those that need to know are aware as soon as possible.
Examples of SIEM data
A SIEM can categorize data into many different categories…each with their own security implications.
Looking at data…perhaps your most valuable and critical information…you need to be aware of where that information is going. Do you allow FTP? Should it be secured? Is data going to an unusual endpoint?
Is someone accessing or attempting to access protected data?
And every organization has users with privileged authority…and perhaps their system access should be watched even more closely. They have access to critical system elements and should be trusted, but…
And if your system happens to be connected to the outside world…then you may also need to be more aware of external attacks…from intrusion detection to port scanning or even things like denial of service.
General system authentications and access should be routinely monitored with a SIEM. For example, someone swipes into the building at 8:30…but then their account connects from another location at 9 am. Could be perfectly normal for your organization but may be highly suspicious activity. And a privileged user connecting at 3 am on a Sunday…may be something that is suspicious.
Even the volumes of network traffic across your infrastructure can be an indicator of something unusual and should be investigated.
There are many scenarios that a SIEM can capture…either out-of-the-box or that are specific to how your organization operates. What is normal for one…is not necessarily the case for another….but a SIEM needs to be able to cater for these needs.
What I can learn from using a SIEM solution
A SIEM can distill data to a point where you have sufficient information to decide whether something is suspicious or perfectly normal.
For example…is it OK that someone is accessing data outside regular business hours? It could be…but then again…circumstances will determine what…is or is not…OK.
Who…what…where…when…how…are all questions that need to be factored into making a decision about what needs further action.
Should that user account be issuing that specific command on your production LPAR?
Someone just got some extra account privileges…is this acceptable?
Multiple logon attempts for the same user have been observed over the last 6 hours…is this suspicious?
Activities around sensitive information…perhaps specific and unique to your organization…need to be monitored.
These types of actions, scenarios and activities can be detected…and a SIEM can help determine whether this is normal…or needs immediate attention.
But the list of items you should be monitoring…is long…
The next 3 slides are just specific IBM i examples of data that can be sent to SIEM solutions
Some of the sources of information needed by a SIEM solution can be pretty unfriendly. Often this is log or machine data that may not be so usable in its native format.
But within this data can lie very useful elements of information…such as the items listed here…
Authorizations
Login attempts
Actions around objects and user profiles
Or system settings and your sensitive data
And then looking specifically at the IBMi there are specific queues…logs…and journals…that need to be examined for…
Certain events
Trends
Patterns
…and even examining how jobs are running…perhaps running at abnormal times or running too long…
Even spotting hardware errors and application issues can be indicative of a situation that needs attention.
And your data also needs to be monitored.
Who is accessing what, when and why?
What changes are being made and are they legitimate?
You need something like a SIEM solution combined with powerful search and analysis to be able to get to grips with what is happening with your data and spot those anomalies that can point to an issue.
Security comes from a combination of many factors – both internal and external…and many things can influence what you need to pay attention to and look for.
Comment on how we can even populate dashboards in products like Splunk with security data
Fortunately…with the right tools…it is easy to get log…machine…and application data from your IBMi into something like Splunk.
Here…you can search, analyze and correlate this information in many ways to reveal insights like the ones we have already spoken about.
This data can be visualized on standard dashboards or even wired into Splunk’s award-winning Enterprise Security SIEM solution where out-of-the-box correlations and security workflow can help you ensure you have a good surveillance of your infrastructure.
With that…I’ll hand back to Bill…
Ian will transition back to Bill to cover this section
Precisely has multiple solutions and the one that’s right for you will depend on your requirements, your SIEM solution choice and other factors. Talk to your Precisely account rep to learn more