Enterprise Security in Mainframe-Connected Environments
Rich Fronheiser
Housekeeping
Webcast Audio
• Today’s webcast audio is streamed through your computer speakers.
• If you need technical assistance with the web interface or audio, please reach out to us using the chat window.
Questions Welcome
• Submit your questions at any time during the presentation using the chat window.
• We will follow up after the session.
Recording and slides
• This webcast is being recorded. You will receive an email following the webcast with a link to download both the recording and the slides.
What is SIEM?
• Security Information and Event Management
• Real-time analysis of security alerts
• Vulnerability management
• Policy compliance
• External threat data
Log Analysis
What is a Log?
• Logs are emitted by network devices, operating systems, applications and all manner of intelligent or programmable devices.
• A log is typically a stream of messages in time sequence.
• Logs may be written to files and stored on disk, or sent as a network stream to a log collector.
Organizations analyze these logs to mitigate different risks, both proactively and reactively.
Typical reasons to perform log analysis are:
• Performance and capacity issues
• Compliance with security policies
• Compliance with audit or regulation
• System Troubleshooting
Mainframe Challenges
• The mainframe is a key component of key IT services
• A huge amount of operations data is stored in logs on mainframes
• No visibility, except by expert mainframe teams
• Incomplete picture for security teams
Big Iron to Big Data Analytics Challenges
So many data sources
Mainframe: Systems Management Facility (SMF), Syslog, Log4j web and application logs, RMF, RACF, USS files and standard datasets
IBM i: QAUD Journal, QHIST, Message Queues, Operational Logs
Format of data
Mainframe:
• Complex data structures (SMF) with headers, product sections, data sections, variable length and self-describing
• EBCDIC not recognized outside of the mainframe world
• Binary flags and fields
IBM i:
• Complex data structures with unique journal entry types, headers, product sections, data sections, variable length and self-describing
• IBM i journals in DB2
• Collection Services
• IBM i information needs to be converted to workable formats such as Syslog, CEF, JSON, etc.
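The three format difficulties listed above for mainframe records (variable-length, self-describing layout; EBCDIC text; binary flags and fields) are easiest to see in code. The following Python is an added example, not Ironstream code and not the real SMF record layout: it defines a deliberately simplified, constructed record format with the same characteristics, builds a few records, and normalizes them into JSON lines, the kind of conversion the slide says off-platform tooling needs. The layout, the flag meanings, the field names and the sample values are all assumptions made for this example.

```python
import json
import struct

# Constructed, deliberately simplified record layout used for this example.
# It is NOT the real SMF layout; it only mimics the properties the slide lists:
# a length-prefixed variable-length record, EBCDIC text, and packed binary fields.
#
#   offset 0  : 2-byte big-endian total record length (includes this field)
#   offset 2  : 1-byte record type
#   offset 3  : 1-byte flag byte (0x80 = logon failed, 0x40 = privileged user)
#   offset 4  : 4-byte big-endian seconds since midnight
#   offset 8  : 8-byte user ID, EBCDIC (code page 037), blank padded
#   offset 16 : 2-byte big-endian length of the trailing EBCDIC message text
#   offset 18 : message text (variable length)
FIXED_LEN = 18
FLAG_FAILED = 0x80
FLAG_PRIV = 0x40
EBCDIC = "cp037"  # Python's built-in EBCDIC (US/Canada) codec


def build_record(rec_type, flags, seconds, user, text):
    """Encode one constructed record so the parser has realistic input."""
    user_e = user.ljust(8).encode(EBCDIC)
    text_e = text.encode(EBCDIC)
    body = (struct.pack(">BBI", rec_type, flags, seconds)
            + user_e + struct.pack(">H", len(text_e)) + text_e)
    return struct.pack(">H", len(body) + 2) + body


def parse_record(buf, offset=0):
    """Decode the record at `offset`; return (event dict, offset of next record)."""
    if offset + FIXED_LEN > len(buf):
        raise ValueError("truncated record header at offset %d" % offset)
    (length,) = struct.unpack_from(">H", buf, offset)
    if length < FIXED_LEN or offset + length > len(buf):
        raise ValueError("bad record length %d at offset %d" % (length, offset))
    rec_type, flags, seconds = struct.unpack_from(">BBI", buf, offset + 2)
    # EBCDIC text must be decoded explicitly; the raw bytes are not ASCII.
    user = buf[offset + 8:offset + 16].decode(EBCDIC).rstrip()
    (text_len,) = struct.unpack_from(">H", buf, offset + 16)
    if FIXED_LEN + text_len != length:
        raise ValueError("text length does not match record length")
    text = buf[offset + FIXED_LEN:offset + length].decode(EBCDIC)
    event = {
        "type": rec_type,
        "time": "%02d:%02d:%02d" % (seconds // 3600, seconds % 3600 // 60, seconds % 60),
        "user": user,
        "failed": bool(flags & FLAG_FAILED),      # binary flag -> JSON boolean
        "privileged": bool(flags & FLAG_PRIV),
        "message": text,
    }
    return event, offset + length


def parse_stream(buf):
    """Walk a buffer of back-to-back records; raise on a partial trailing record."""
    events, offset = [], 0
    while offset < len(buf):
        event, offset = parse_record(buf, offset)
        events.append(event)
    return events


def to_json_lines(events):
    """One JSON object per line, the shape a collector can forward downstream."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    # Constructed sample input: a failed logon and a privileged job start.
    sample = (build_record(80, FLAG_FAILED, 3661, "IBMUSER", "LOGON FAILED")
              + build_record(30, FLAG_PRIV, 0, "SYS1", ""))
    print(to_json_lines(parse_stream(sample)))
```

The parser refuses a buffer that ends mid-record rather than silently emitting a partial event, which is the behaviour you want from anything sitting between a log source and a SIEM: a dropped or truncated record should surface as an error, not as a plausible-looking event with empty fields.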
Volume of data
Millions of records generated daily
Difficulty to get the information in a timely manner
• Not real-time, typically have to wait overnight for an offload
• Typical daily FTP upload/downloads can’t get granular
What does Ironstream® provide?
• High-performance, low-cost platform for collecting critical system information in real time
• Normalization of z/OS data so it can be used by off-platform analytics engines
• Full analytics, visualization, and customization with no limitations on what can be viewed
• Ability to easily combine information from different data sources and systems
• Address the SME challenge: use by network managers, security analysts, application analysts, enterprise architects without requiring mainframe access or expertise
Ironstream® Architectural Overview
(Architecture diagram; only its labels survive extraction.) Mainframe-side data sources shown: SMF, RMF, SYSLOG, SYSLOGD, Log4j, File Load, SYSOUT live/stored spool data, Db2, USS, alerts, networks, and application data from Assembler, COBOL, C and REXX programs via the Forwarder API. Ironstream components shown: Data Collection Extension (DCE), Ironstream Data Forwarder, Ironstream Desktop (IDT), network components. Transport: TCP/IP.
Use Cases - Problems Ironstream® solves
IT Operations Analytics/ITOA
• Bigger picture of what's happening in the environment
• Make better decisions to take control of the IT infrastructure
• Problem Detection & Isolation
• Ensure SLAs Met
Security and Compliance/SIEM
• Detect and prevent security threats
• Ensure compliance
• Ensure audits pass
Mainframe Security – Data Challenges
• Data from multiple sources
• TSO logon tracking – SMF Type 30
• TSO account activity (create, update, delete, lockout) – SMF Type 80
• Port scans, DoS attacks, malformed data packets – TRMD and SyslogD
• FTP authentications and file analysis (file create, access, update, delete) – SMF Type 119 Records and IP traffic analysis information
• Network events – Ironstream® Network Monitoring Component
Ironstream® and Splunk® Enterprise Security provide…
• Total visibility into:
• Authentication and access failures
• Creation or deletion of users
• Changes to user security information, passwords, and access rights
• All log-in activity
• Excessive data transmissions
• Unusual movement of data
• Intrusion detection
Ironstream® maps the data to the Splunk ES Common Information Model (CIM), enabling Splunk ES to provide a true enterprise-wide view of security activity, threats, and intrusions.
It’s a comprehensive view of their security environment from a single pane of glass!
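The two slides above list the record sources (SMF Type 30 and Type 80 logon and account activity, SMF Type 119 FTP records) and the visibility goals (authentication failures, creation or deletion of users, unusual movement of data). The following Python is an added example, not part of the deck and not Ironstream or Splunk code: it runs two simple detections over a constructed set of already-normalized JSON events, the shape such data has once it has been forwarded off the mainframe. Field names loosely follow the Splunk CIM Authentication and Change conventions (action, user, src, app, object) as an assumption, the sourcetype values, users and addresses are made up, and the thresholds are illustrative.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (JSON lines), already normalized off the mainframe.
# Field names loosely follow Splunk CIM conventions as an assumption; every
# value (users, addresses, sourcetypes, times) is made up for this example.
SAMPLE_EVENTS = """\
{"_time":"2024-01-15T08:00:01Z","sourcetype":"smf:80","app":"TSO","action":"failure","user":"OPER01","src":"10.1.1.20"}
{"_time":"2024-01-15T08:00:09Z","sourcetype":"smf:80","app":"TSO","action":"failure","user":"OPER01","src":"10.1.1.20"}
{"_time":"2024-01-15T08:00:15Z","sourcetype":"smf:80","app":"TSO","action":"failure","user":"OPER01","src":"10.1.1.20"}
{"_time":"2024-01-15T08:00:22Z","sourcetype":"smf:80","app":"TSO","action":"failure","user":"OPER01","src":"10.1.1.20"}
{"_time":"2024-01-15T08:00:30Z","sourcetype":"smf:80","app":"TSO","action":"success","user":"OPER01","src":"10.1.1.20"}
{"_time":"2024-01-15T08:05:00Z","sourcetype":"smf:80","app":"TSO","action":"failure","user":"DBA02","src":"10.1.1.31"}
{"_time":"2024-01-15T09:05:00Z","sourcetype":"smf:80","app":"TSO","action":"failure","user":"DBA02","src":"10.1.1.31"}
{"_time":"2024-01-15T10:00:00Z","sourcetype":"smf:80","app":"RACF","action":"created","object":"TEMP99","user":"SECADM"}
{"_time":"2024-01-15T10:20:00Z","sourcetype":"smf:119","app":"FTP","action":"success","user":"TEMP99","src":"10.1.1.40"}
{"_time":"2024-01-15T10:45:00Z","sourcetype":"smf:80","app":"RACF","action":"deleted","object":"TEMP99","user":"SECADM"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with `_time` as a datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["_time"])
    return events


def detect_failed_logon_bursts(events, threshold=4, window=timedelta(seconds=60)):
    """Flag users with at least `threshold` authentication failures inside one window.

    Two-pointer sliding window per user. Each flagged user gets one alert spanning
    the first to the last failure that fell inside a triggering window, plus whether
    a success followed within one more window (failures ending in a success is the
    pattern an analyst most wants to review)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.get("action") == "failure":
            failures[ev["user"]].append(ev["_time"])
        elif ev.get("action") == "success":
            successes[ev["user"]].append(ev["_time"])
    alerts = []
    for user, times in sorted(failures.items()):   # times are already sorted
        start, first_idx, last_idx = 0, None, None
        for j, t in enumerate(times):
            while t - times[start] > window:        # slide the window forward
                start += 1
            if j - start + 1 >= threshold:
                if first_idx is None:
                    first_idx = start
                last_idx = j
        if first_idx is None:
            continue
        end = times[last_idx]
        alerts.append({
            "user": user,
            "count": last_idx - first_idx + 1,
            "first": times[first_idx].isoformat(),
            "last": end.isoformat(),
            "success_after": any(end < s <= end + window for s in successes[user]),
        })
    return alerts


def detect_short_lived_accounts(events, max_age=timedelta(hours=2)):
    """Flag accounts created and deleted within `max_age`, with what they did in between.

    Expects `events` in time order (parse_events guarantees that)."""
    created, alerts = {}, []
    for ev in events:
        if ev.get("action") == "created" and "object" in ev:
            created[ev["object"]] = ev
        elif ev.get("action") == "deleted" and ev.get("object") in created:
            c = created.pop(ev["object"])
            age = ev["_time"] - c["_time"]
            if age <= max_age:
                # Activity performed *by* the account while it existed.
                activity = [e for e in events
                            if e.get("user") == ev["object"]
                            and c["_time"] < e["_time"] < ev["_time"]]
                alerts.append({
                    "account": ev["object"],
                    "created_by": c.get("user"),
                    "deleted_by": ev.get("user"),
                    "lifetime_seconds": int(age.total_seconds()),
                    "events_while_live": len(activity),
                })
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(json.dumps(detect_failed_logon_bursts(evs), indent=2))
    print(json.dumps(detect_short_lived_accounts(evs), indent=2))
```

On the constructed sample the first detection fires once, for OPER01 (four failures in 21 seconds followed by a success), and stays quiet for DBA02, whose two failures are an hour apart. The second detection reports TEMP99: created and deleted by the same administrator within 45 minutes, with one FTP session in between. Both checks are only possible because the Type 80, Type 119 and RACF events have been normalized into one field vocabulary; the same logic expressed as SIEM correlation searches is what the CIM mapping on the slide enables.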
SIEM: z/OS Security
SIEM: Splunk® Enterprise Security