IBM Destination Z

What Is SIEM and Why Should I Care?

By Destination Z posted Mon December 23, 2019 03:41 PM


Let’s answer the first question quickly and simply: Security Information and Event Management (SIEM) software products and services combine Security Information Management (SIM) and Security Event Management (SEM). SIEM software provides real-time analysis of security alerts generated by applications and network hardware. Some SIEM products that you may have already encountered include ArcSight, IBM QRadar, Splunk, LogRhythm, McAfee Enterprise Security Manager, Dell RSA Security Analytics or Dell SecureWorks.

But, I hear you saying under your breath, none of those run on a mainframe. And besides, mainframes are super secure, with RACF (and similar external security managers) controlling who can access what from where, along with what they can do to the things they can access.

Security by Obscurity

Let’s unpack that a little. Mainframes are secure—it’s often referred to as security by obscurity because most hackers understand Linux and Windows, but not z/OS. But that logic ignores the hackers who happen to be mainframers.

You might also argue that mainframes create so many messages that it’s easy to see who has done what, and when—making mainframes pretty much unhackable. Again, that’s true, but when do you run any kind of analytics against all those messages? Is it A) Sometime during the night; or B) All the time? If your answer is A), it’s like leaving the door to the safe open all day and just running through the video feed early the following morning to see who walked out with handfuls of cash.

But what about situations where the systems programmer who looks after security is also the person who is accessing data they shouldn’t? What if a list of your best customers, their names and email addresses is now on its way to your main competitor, and your trusted systems programmer deletes all records of their activity? How would you ever know what happened?

Or what about the employee who isn’t quite sure what he’s doing, and does something that alters or deletes important data—and again, any alerts don’t come up until the batch run checks through those messages early the next day?

You can imagine how any of the scenarios above could cost your organization plenty in terms of lost customers or lost revenue. But there’s an even worse situation that might emerge. Your company could break whatever regulations apply to your industry. These regulations might be FISMA, GLBA, HIPAA, PCI, SOX or the new E.U. regulation, General Data Protection Regulation (GDPR). GDPR applies to any company storing information about an E.U. citizen, so that includes airlines, car companies and anyone else that swipes an E.U. resident's credit card.

You Can’t Afford Not to Have SIEM Software

Once a regulator is involved, the whole world knows what’s been going on. At that point, you’re in a situation where, in addition to losing data or confidential business-critical plans, you’re probably losing earnings along with business confidence. You’re also contravening regulations, which will lead to massive fines—and the maximum fine for contravening GDPR is 4 percent of turnover, or 20 million euro. This makes the argument that SIEM software is unaffordable seem rather ridiculous because with fines that size, you can’t afford not to have SIEM software!

SIEM products work in near real time and can monitor security logs and events. Administrators can define specific items of interest for extra levels of monitoring—for example, for files that contain credit information or health care details. Messages from z/OS and subsystems such as CICS and Db2 can be sent to SIEM software, and anomalous actions can be identified and alerts sent out straight away, rather than very early the following morning.

As well as gathering security intelligence from all z/OS systems and LPARs in the network, SIEM software can consolidate that mainframe data with security intelligence from other systems in the enterprise, such as Unix, Windows and Cisco, giving total visibility into the z/OS environment as well as distributed and open-systems environments.

This wasn’t so important when the mainframe was pretty much an island of activity that didn’t link to other platforms, but now CICS and IMS transactions can be started from a browser running on a phone or tablet, or even from an Internet of Things (IoT) device. Similarly, changes to Db2 data can be initiated from off the mainframe. Using SIEM software allows all these activities to be put together so that the whole picture can be seen.
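To make the last two ideas concrete (administrator-defined items of interest, near-real-time alerting, and correlating mainframe events with events from other platforms), here is a small added example of the kind of rule logic a SIEM runs as events arrive. It is not code from the article or from any SIEM product. The event records, dataset names (PROD.CUST.MASTER, SYS1.MAN1), user IDs and host names are all constructed for the example, and the flat field layout is a hypothetical normalised form, not the real SMF or RACF record format. The rules themselves (off-hours access to a watched dataset, a denied access to it, a change to an audit dataset, and a mainframe read followed shortly by an outbound transfer from another platform by the same user) are the ones the article's scenarios describe.

```python
from datetime import datetime, timedelta

# Constructed sample feed, already normalised by a hypothetical collector.
# Field names and values are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2019-12-23T02:14:05", "source": "zos:LPAR1", "user": "SYSPRG1",
     "action": "READ", "resource": "PROD.CUST.MASTER", "outcome": "SUCCESS"},
    {"ts": "2019-12-23T02:16:40", "source": "linux:gw01", "user": "SYSPRG1",
     "action": "UPLOAD", "resource": "ext-host:/drop/cust.csv", "outcome": "SUCCESS"},
    {"ts": "2019-12-23T02:20:02", "source": "zos:LPAR1", "user": "SYSPRG1",
     "action": "DELETE", "resource": "SYS1.MAN1", "outcome": "SUCCESS"},
    {"ts": "2019-12-23T09:03:11", "source": "zos:LPAR2", "user": "CLERK07",
     "action": "READ", "resource": "PROD.CUST.MASTER", "outcome": "FAILURE"},
    {"ts": "2019-12-23T10:30:00", "source": "zos:LPAR2", "user": "CLERK07",
     "action": "READ", "resource": "PROD.ORDERS", "outcome": "SUCCESS"},
]

# Administrator-defined "items of interest" (e.g. datasets holding credit
# or health-care details). Prefixes are constructed for the example.
WATCHED_PREFIXES = ("PROD.CUST.", "PROD.HEALTH.")
AUDIT_PREFIXES = ("SYS1.MAN",)      # hypothetical names for audit-log datasets
BUSINESS_HOURS = range(8, 18)       # 08:00 to 17:59 local time
EXFIL_WINDOW = timedelta(minutes=15)


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


class Correlator:
    """Stateful rules evaluated per event as it arrives, so an alert fires
    within seconds rather than after a nightly batch pass over the logs."""

    def __init__(self):
        self.recent_reads = {}  # user -> time of last successful watched read
        self.alerts = []

    def _alert(self, rule, ev, detail):
        self.alerts.append({"rule": rule, "ts": ev["ts"], "user": ev["user"],
                            "source": ev["source"], "detail": detail})

    def ingest(self, ev):
        """Apply every rule to one event; return the alerts it produced."""
        before = len(self.alerts)
        t = _ts(ev)
        res, act, out = ev["resource"], ev["action"], ev["outcome"]

        # Rule 1/2: any touch of a watched dataset gets extra scrutiny.
        if res.startswith(WATCHED_PREFIXES):
            if out == "FAILURE":
                self._alert("watched-access-denied", ev, res)
            elif t.hour not in BUSINESS_HOURS:
                self._alert("watched-access-off-hours", ev, res)
            if out == "SUCCESS" and act == "READ":
                self.recent_reads[ev["user"]] = t

        # Rule 3: changes to the audit trail itself are always suspicious.
        if res.startswith(AUDIT_PREFIXES) and act in ("DELETE", "UPDATE"):
            self._alert("audit-trail-tampering", ev, f"{act} {res}")

        # Rule 4 (cross-platform): a mainframe read of a watched dataset
        # followed shortly by an outbound transfer from a non-z/OS host by
        # the same user. Only visible once both feeds land in one place.
        if act == "UPLOAD" and not ev["source"].startswith("zos:"):
            last = self.recent_reads.get(ev["user"])
            if last is not None and t - last <= EXFIL_WINDOW:
                self._alert("possible-exfiltration", ev, res)

        return self.alerts[before:]


def run(events):
    """Replay a list of events in time order and return all alerts raised."""
    c = Correlator()
    for ev in sorted(events, key=_ts):
        c.ingest(ev)
    return c.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["rule"]:26} {a["user"]:8} {a["source"]:11} {a["detail"]}')
```

Run as a script, it prints four alerts for the constructed feed: the 02:14 off-hours read, the upload two minutes later (raised only because the Linux gateway's events sit beside the z/OS events), the deletion of the audit dataset, and the denied read at 09:03. The plain read of PROD.ORDERS raises nothing. A real deployment would replace the in-memory `recent_reads` dictionary with the SIEM's own correlation window and feed the alerts to its case or notification pipeline.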

Enterprise-wide monitoring of security events is critical, not only for tracking malicious activity, but also for meeting stringent compliance requirements. Once the data is in the SIEM software, it can then be indexed, searched, analyzed and visualized across the spectrum. That means organizations no longer need multiple security teams to guard their enterprise’s multiple platforms.

That’s what SIEM is, and that’s why you should care!