Compliance and Event Monitoring with PowerSC Tools for IBM i

Using the PowerSC Tools for IBM i Compliance and Event Monitoring Tool

Terry Ford, Senior Managing Consultant, [email protected]

February 1, 2016

© 2016 IBM Corporation


Post on 19-Feb-2017


Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

“Some organizations will be a target regardless of what they do, but most become a TARGET because of what they do (or don’t do)”

Monitoring – Compliance and Monitoring to What?

Company Policy and/or Standards

These should define how systems should be built, maintained, monitored, and interacted with by its custodians and users. Another way of thinking about it, they are a Service Level Agreement (SLA) between Owners, Management and the people they have hired to “work” the business. Owners and Management derive a “sense of security” knowing that its employees are managing the business according to this agreement. Owners and Management must be involved in the creation and maintenance of these documents. Compliance monitoring then is simply demonstrating that the employees (and management) are doing what they have been hired to do.

Compliance and Event Monitoring – Inhibitors

Security setup inherited from the past - previous owners / application designers no longer are available

For many IBM i IT departments, security is performed by an individual with multiple responsibilities – operations, administration, programming, etc.

Security implementation “how to” is often not understood, is neglected or not monitored due to time constraints.

Security policies/standards often do not exist. If they do, monitoring of compliance to the policy is not done or understood and deviation from the policies/standards across the enterprise is unknown.

Gathering of security information is time consuming and scattered in multiple places on the system. The analysis of this data or monitoring of security changes is often dated by the time it is read.

How do you measure security? What are Key Risk Indicators (KRI)? How do I prove due diligence to security monitoring?

Compliance and Event Monitoring – Measuring Security

“If you can’t measure it, how can you improve or fix it ?”

Provide evidence that risk is being managed according to enterprise defined risk thresholds empowering Senior Management to make informed risk management decisions on where best to allocate resource.

REQUIREMENTS:

Centralized view of Security Compliance status across the enterprise

• No access to remote machines required
• Maintain segregation of duties
• Provide management visibility, meaningful reports that drive action

Customizable Control Tests

• Measurable Results
• Ability to define Key Risk Indicators (KRI’s)
• Traceability back to Security Standards and Company Policies

Dashboard Style Reporting

• Red, Yellow (Amber), Green (RAG) Metrics
• ‘Clickable’ reports – to drill down to the issue
• Trending – to measure improvements (hopefully) over time

Compliance Assessment and Event Monitoring Tool

“I just want to arrive in the morning, get a cup of coffee, and have a view of what systems are in compliance and which are not.”

Provides “out of the box” assessment of systems for security compliance and exposures

Profile Analysis: Special Authorities / Inherited Privileges

Group Profiles / Ambiguous Profiles

Default Passwords / Password Expiration

Inactive Accounts

Administration / Configuration: System Values / Audit Control Settings

Invalid Signon attempts

*PUBLICLY Authorized Profiles

Privately Authorized Profiles

Initial Programs, Menus, and Attention Programs

Command Line Access

DDM Password Requirements

Registered Exit Points / Exit Programs


Work Management Analysis

Service Tools (SST) Security

PTF Currency

Network Settings: Network attributes / Time Server

NetServer Configuration

TCP/IP servers / Autostart values

Digital Certificate Expiration

SNMP / SSH / SSL Configuration


Function Usage

Library Analysis / *ALLOBJ Inheritance

Customer Defined Items

Listening ports / Network Encryption

IP Datagram Forwarding

IP Source Routing

APPN Configuration (yes – for many it is still there)

Server Authentication Entries

High Level Architecture (diagram)

Remote systems: DAILY SUMMARY TABLE, created by the Compliance Assessment Tool Collection Agent (one for every LPAR)

ETL process to load the data mart on the central system

Data mart system (central system): DB2 for i Reporting Data Mart (DAILY, HISTORY, PROFILES), DB2 Web Query meta data, DB2 Web Query dashboards/reports

Data Mart Tables

DB2 for i Reporting Data Mart

Detailed history of system security and compliance grading

System Attributes, Security Attributes, Best Practice Policy / Policy Exception, User Profiles

How current is the data I am viewing? Logging of success or failure of scheduled ETL processes with remote systems

How do I wish to filter on and view the data? System descriptive information such as location, usage, VRM level, Template, etc.

How is Red, Yellow (Amber), and Green defined? User defined thresholds for aggregate security attribute grading.

Compliance Assessment and Event Monitoring Tool – Typical Use

Demonstrating to auditors that control measures are in place

Observing and highlighting deviation from corporate security standards and policies

Demonstrating when observed deviations have occurred

Reporting defined security standards upon request by system or for the entire estate of systems

Quickly observing and assessing a broad range of security attributes (commonly known and unknown to administrators)

Quickly looking across the corporate estate for consistency in administration

Adding customer-defined items for monitoring inventory, auditing, status, etc. with incorporated scoring mechanisms provided by the tool

Deploying fixes, enhancements or changes to individual LPARs or all LPARs for compliance or alignment with standards

Monitoring PTF currency

Help is always just an email or call away!

Terry Ford, Team Lead
Senior Managing Consultant
Security Services Delivery
IBM Systems Lab Services

Office: 1-507-253-7241
Mobile: [email protected]

3605 Highway 52 N
Bldg. 025-3 C113
Rochester, MN 55901
USA

Examples and Backup


Enterprise Dashboard
- Summary of Overall System Status of all systems in the enterprise by various system attributes.
- Information is based on last successful collection for each system.

Regional Review (Drill down to overall grading and details)

System Dashboard
Key System and data collection information
- Status of last collection attempt (Success or Fail)
- Key System attributes – VRM, Location, etc.
- Overall and detailed system grading based upon last successful collection.

Cross System Analysis
Horizontal or vertical presentation of risk indicators across LPARs

Cross System Analysis
PTF Inventory…

Cross System Analysis
PTF Currency…

Cross System Analysis
Certificate Stores …

Monitoring Vulnerabilities

Profile Analysis
Horizontal or vertical presentation of user profiles across LPARs

Profile Analysis
Aggregation of user profiles across LPARs

Profile Analysis
Drill down into user profiles as configured across LPARs

Event Monitoring
Early Detection of Administrative Mistakes or Malicious Activity

Performance and Availability Analysis
Understand Risk of Outage due to Performance or Availability constraints

Our Mission and Profile

IBM Systems Lab Services and Training

Support the IBM Systems Agenda and accelerate the adoption of new products and solutions

Maximize performance of our clients’ existing IBM systems

Deliver technical training, conferences, and other services tailored to meet client needs

Team with IBM Service Providers to optimize the deployment of IBM solutions (GTS, GBS, SWG Lab Services and our IBM Business Partners)

Our Competitive Advantage

Leverage relationships with the IBM development labs to build deep technical skills and exploit the expertise of our developers

Combined expertise of Lab Services and the Training for Systems team

Skills can be deployed worldwide to assure client requests can be met

Successful Worldwide History

18 years in Americas

10 years in Europe/Middle East/Africa

6 years in Asia Pacific

Mainframe Systems

Power Systems

System Storage

IT Infrastructure Optimization

Data Center Services

Training Services

www.ibm.com/systems/services/[email protected]

IBM Systems Lab Services and Training

Leverage the skills and expertise of IBM's technical consultants to implement projects that achieve faster business value

Ensure a smooth upgrade

Improve your availability

Design for efficient virtualization

Reduce management complexity

Assess your system security

Optimize database performance

Modernize applications for iPad

Deliver training classes & conferences

How to contact us

email us at [email protected]

Follow us at @IBMSLST

Learn more ibm.com/systems/services/labservices


THANK YOU

www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.