IBM Security zSecure 2.4: Event correlation and (yet more) compliance automation enhancements

By Jeroen Tiggelman posted Sat May 08, 2021 07:53 AM

On April 30, 2021, a new service stream enhancement (SSE) to zSecure 2.4 became generally available, providing additional compliance automation, tape data set, and event correlation enhancements, and more.

Background

Mainframes continue to be the home for mission-critical information and essential business production applications in many organizations, due to the strong heritage of integrated security support capabilities across hardware, operating system, software, and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting IBM Z. The IBM Security zSecure suite builds on the security support in IBM Z, z/OS, and RACF to enhance mainframe security capabilities.

IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting event log records from the System Management Facilities (SMF) and by running evaluations against compliance standards such as the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). zSecure Audit also supports CA ACF2 and CA Top Secret, two alternatives to RACF. The IBM Security zSecure Adapters for SIEM provide a functional subset of zSecure Audit to send enriched SMF information to Security Information and Event Management (SIEM) solutions such as IBM QRadar SIEM. IBM Security zSecure Alert is a real-time monitor for security events. IBM Security zSecure Admin boosts productivity for RACF administrators. The Access Monitor component of zSecure Admin can also see security events that are not being logged and summarize all access requests.

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM is called the CARLa Auditing and Reporting Language (CARLa).

Benefits

The SSE for zSecure 2.4 released in April 2021 provides:
- end-to-end event correlation between IBM z/OS Connect, CICS, and Db2 events
- new out-of-the-box alerts for logons to TSO from IP addresses that have not been allow-listed
- greatly extended support for tape data sets, including recognition of sensitive tape data sets
- more STIG control automation (for all external security managers, but with a slight focus on CA ACF2)
- ability to use a Site Security Plan approach to manage started tasks for STIG compliance purposes (for RACF)
- additional reporting about Integrated Cryptographic Service Facility (ICSF) settings in the system settings report
- performance improvements for CA ACF2 reporting
- and other small enhancements and fixes

A technote has been made available to describe the details.

These enhancements primarily apply to zSecure Audit and zSecure Alert, and secondarily to zSecure Admin and zSecure Adapters for SIEM.

Prerequisites

To fully benefit from these enhancements, the following is required:
* IBM Security zSecure 2.4, or one of the zSecure Compliance solutions
* PTF UJ05461 for APAR OA61058 (this updates code shared among most zSecure components)
* PTF UJ05462 for APAR OA61059 (this updates code specific to the ACF2 features)

Migration

There are no special considerations for migrating to this code level. If you are upgrading to this level from a code level older than the previous SSE from December 2020, also review the migration considerations for the intervening levels you are passing through.

If you have any questions, please ask them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.

Comments

Thu May 27, 2021 11:13 AM

Hi Jeroen,

Thank you very much for your reply!
Yes, I have submitted an RFE for the use case I mentioned. Please go ahead with the publishing; this kind of information is helpful, and we need a channel to receive such information.
Sorry for my interruption and for any trouble I may have caused.

Thu May 27, 2021 05:27 AM

Hi Chao,

Thanks for your feedback.

This is a complex subject overall, where additional use cases might exist that are not covered by the current rules or underlying infrastructure. In general, customers can reach out to their IBM representative or contact IBM support, or directly raise a Request For Enhancement where they believe they have particular use cases that might need more attention. IBMers have some internal routes they can use.

I will, however, not generally comment on future product plans in this public forum, as we strive not to evoke the illusion of covering use cases for which we might not actually have a solution today.

Furthermore, it is my understanding that you have meanwhile been able to exchange information for your particular case of interest via another channel.

Best regards,
--Jeroen

Fri May 21, 2021 04:36 AM

Hi Jeroen,

"- new out-of-the-box alerts for logons to TSO from IP addresses that have not been allow-listed"

This is a function customers need very much! Just one more comment: so far, only direct user logons to the LPAR's IP address can be collected by this rule, while customers usually log on across LPARs and sysplexes. I hope this scenario can also be covered.

Thanks!