The mainframe continues to power critical operations in enterprise IT, which makes it a target for external threats and attacks.
With Syncsort Ironstream, Splunk users can monitor and resolve application, security and network problems on the mainframe by opening up real-time operational data in Splunk Enterprise.
View this 15-minute on-demand webinar, in which we describe the security and compliance challenges organizations face and how Ironstream® works with Splunk to eliminate those security blind spots.
2. Housekeeping
Webcast Audio
• Today's webcast audio is streamed through your computer speakers.
• If you need technical assistance with the web interface or audio, please reach out to us using the chat window.
Questions Welcome
• Submit your questions at any time during the presentation using the chat window.
• We will follow up after the session.
Recording and slides
• This webcast is being recorded. You will receive an email following the webcast with a link to download both the recording and the slides.
3. What is SIEM?
• Security Information and Event Management
• Real-time analysis of security alerts
• Vulnerability management
• Policy compliance
• External threat data
4. Log Analysis
What is a Log?
• Logs are emitted by network devices, operating systems, applications and all manner of intelligent or programmable devices.
• A log is typically a time-sequenced stream of messages.
• Logs may be directed to files and stored on disk, or sent as a network stream to a log collector.
Organizations analyze these logs to proactively and reactively mitigate different risks.
Typical reasons to perform log analysis are:
• Performance and capacity issues
• Compliance with security policies
• Compliance with audit or regulation
• System troubleshooting
5. Mainframe Challenges
• The mainframe is a key component of critical IT services
• Huge amounts of operational data are stored in logs on mainframes
• No visibility, except for expert mainframe teams
• Incomplete picture for security teams
6. Big Iron to Big Data Analytics Challenges
So many data sources
Mainframe: Systems Management Facility (SMF), Syslog, Log4j web and application logs, RMF, RACF, USS files and standard datasets
IBM i: QAUD Journal, QHIST, Message Queues, Operational Logs
Format of data
Mainframe:
• Complex data structures (SMF) with headers, product sections, data sections, variable length and self-describing
• EBCDIC is not recognized outside of the mainframe world
• Binary flags and fields
IBM i:
• Complex data structures with unique journal entry types, headers, product sections, data sections, variable length and self-describing
• IBM i journals in DB2
• Collection Services
• IBM i information needs to be converted to workable formats such as Syslog, CEF, JSON, etc.
Volume of data
Millions of records generated daily
Difficulty getting the information in a timely manner
• Not real-time; typically have to wait overnight for an offload
• Typical daily FTP uploads/downloads offer no granularity
7. What does Ironstream® provide?
• High-performance, low-cost platform for collecting critical system information in real time
• Normalization of z/OS data so it can be used by off-platform analytics engines
• Full analytics, visualization, and customization with no limitations on what can be viewed
• Ability to easily combine information from different data sources and systems
• Addresses the SME challenge: usable by network managers, security analysts, application analysts and enterprise architects without requiring mainframe access or expertise
8. Ironstream® Architectural Overview
[Architecture diagram: mainframe data sources (SMF, RMF, SYSLOG, SYSLOGD, Log4j, File Load, Db2, USS, Alerts, Networks, live and stored SYSOUT/SPOOL data, and application data sent through the Forwarder API from Assembler, COBOL, C and REXX programs) feed the Ironstream Data Forwarder, which delivers them over TCP/IP to the Ironstream Desktop; the Data Collection Extension (DCE) and IDT components are also shown.]
9. Use Cases - Problems Ironstream® solves
IT Operations Analytics/ITOA
• Bigger picture of what's happening in the environment
• Make better decisions to take control of the IT infrastructure
• Problem Detection & Isolation
• Ensure SLAs Met
Security and Compliance/SIEM
• Detect and prevent security threats
• Ensure compliance
• Ensure audits pass
10. Mainframe Security – Data Challenges
• Data from multiple sources
• TSO logon tracking – SMF Type 30
• TSO account activity (create, update, delete, lockout) – SMF Type 80
• Port scans, DoS attacks, malformed data packets – TRMD and SyslogD
• FTP authentications and file analysis (file create, access, update, delete) – SMF Type 119 records and IP traffic analysis information
• Network events – Ironstream® Network Monitoring Component
11. Ironstream® and Splunk® Enterprise Security provide…
• Total visibility into:
• Authentication and access failures
• Creation or deletion of users
• Changes to user security information, passwords, and access rights
• All log-in activity
• Excessive data transmissions
• Unusual movement of data
• Intrusion detection
Ironstream® maps the data to the Splunk ES Common Information Model (CIM), enabling Splunk ES to provide a true enterprise-wide view of security activity, threats, and intrusions.
It is a comprehensive view of the security environment from a single pane of glass.
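As an added illustration (not Ironstream or Splunk code), the normalisation step the slides describe: constructed EBCDIC-encoded events stand in for the SMF Type 30 (TSO logon) and Type 80 (account activity) records named on slide 10, are decoded, mapped to Splunk CIM Authentication and Change field names, and then checked for the excessive-failure and account-change conditions listed above. The pipe-delimited record layout, the `tso` app value and the outcome-to-action mapping are assumptions made for this example.

```python
import codecs
from collections import Counter

# Constructed sample input (not real SMF data): pipe-delimited text records,
# one per event, encoded in EBCDIC code page 037 as a mainframe would emit them.
# The layout "type|user|src|outcome" is an assumption for this example; real
# SMF Type 30/80 records are binary, with headers and variable-length sections.
RAW_EBCDIC_RECORDS = [codecs.encode(line, "cp037") for line in (
    "30|TSOUSR1|10.1.2.3|OK",
    "30|TSOUSR2|10.1.2.9|FAIL",
    "30|TSOUSR2|10.1.2.9|FAIL",
    "30|TSOUSR2|10.1.2.9|FAIL",
    "80|TSOUSR2|10.1.2.9|LOCKOUT",
    "80|ADMIN01|10.1.2.3|CREATE",
)]

# Assumed mapping of Type 80 account-activity outcomes to CIM Change actions.
CHANGE_ACTIONS = {"CREATE": "created", "UPDATE": "modified",
                  "DELETE": "deleted", "LOCKOUT": "lockout"}

def to_cim(raw: bytes) -> dict:
    """Decode one EBCDIC record and express it in Splunk CIM field names.

    SMF Type 30 (TSO logon)        -> Authentication model: action, user, src, app
    SMF Type 80 (account activity) -> Change model: action, object, src
    """
    smf_type, user, src, outcome = codecs.decode(raw, "cp037").split("|")
    if smf_type == "30":
        return {"datamodel": "Authentication", "app": "tso", "user": user,
                "src": src, "action": "success" if outcome == "OK" else "failure"}
    if smf_type == "80":
        return {"datamodel": "Change", "object_category": "user", "object": user,
                "src": src, "action": CHANGE_ACTIONS.get(outcome, outcome.lower())}
    raise ValueError(f"unhandled SMF record type {smf_type}")

def excessive_failures(events, threshold=3):
    """Users with at least `threshold` authentication failures (slide 11 use case)."""
    fails = Counter(e["user"] for e in events
                    if e["datamodel"] == "Authentication" and e["action"] == "failure")
    return sorted(u for u, n in fails.items() if n >= threshold)

def account_changes(events):
    """(action, account) pairs from Change-model events: creates, deletes, lockouts."""
    return [(e["action"], e["object"]) for e in events if e["datamodel"] == "Change"]

if __name__ == "__main__":
    normalised = [to_cim(r) for r in RAW_EBCDIC_RECORDS]
    print("excessive failures:", excessive_failures(normalised))
    print("account changes:", account_changes(normalised))
```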