www.correlog.com
Whitepaper
Mainframe SIEM Log Management in a Distributed IT Security World
The mainframe might very well be less vulnerable to attack
but one thing is certain: There are a host of government,
financial services and health care organizations that use
mainframe technology to store highly sensitive data – PCI,
HIPAA, FISMA, NERC, GLBA, etc... If you are an insider, and
want to steal data, money or generally throw a huge monkey
wrench in an organization’s compliance, you’d look for a way
to compromise mainframe data.
The mainframe is here to stay: What are you doing with its event log data?
Mainframes have the greatest computing capacity, as
evidenced in how we measure the instructions they process –
by millions per second (MIPS). With such capacity to compute
and store information, it is no wonder mainframes are
employed by some of the largest corporate and government
entities across the globe. The bottom line is clear; mainframe
technology is not going away any time soon. It will continue to
co-exist with distributed systems in IT shops for many years to
come.
What is important to grasp here is the concept that your most
critical log data and applications are everywhere. In order
to protect your systems from intrusion, you have to protect
everything – mainframes, distributed servers, firewalls, routers
and other devices. Just like a thief will find any vulnerable spot
to break into your home (front door, window, left-open garage,
basement door, etc…) a breach can come through any spot of
your organization’s IT environment. The key is to shore up all
avenues of intrusion, regardless of system or device. If you are
lucky enough to already be collecting log data and tracking
it in a SIEM (security information and event management)
system, the collecting of the log data is just the beginning of
best practice intrusion detection and compliance.
Seems like every day we see news headlines about yet another cyber-breach. Government agencies, local
municipalities, online gaming and social platforms, financial institutions, even high-school records have been exposed in recent attacks.
Scour the web and you will be hard-pressed to find the percentage of breaches occurring on mainframe versus distributed: the data just doesn’t seem to be there. Mainframe gurus will say that it is rare for a mainframe to be compromised, but the reality of it is that the data to confirm or dismiss this is just too hard to come by. Unless you are an insider and know the details of the breach, all we know publicly is that there was a breach, the number of records compromised and maybe the dollars affected.
A three-pronged approach and 10 ‘to-dos’ to incorporate into your enterprise IT security management strategy
Let’s face it, the complexity of your IT infrastructure is
exploding. Forrester Research I&O industry guru J.P. Garbani
suggests a “saturation point” is reached when an IT shop’s
ability to manage the workload is compromised because no
amount of human resource can keep up with the complexity.
What does this have to do with IT security?
Much of the human resource needed to fight the complexity
problem overlaps as resources also needed to shore up
corporate/organizational IT security. It’s an exponential
problem that feeds on itself, leaving those who have to
manage the infrastructure and its security somewhat
overwhelmed. The bottom line is you have to simplify wherever
possible and a centralized SIEM is one area where you
can consolidate data and human resources to reduce the
complexity needed to secure your enterprise network.
The three-pronged approach
This will consist of a multi-pronged approach to 1) monitor
and manage people (user behavior), 2) manage the log data
linked to those users and the applications they use, and
3) to complete numbers 1 and 2 to an acceptable level of
organizational and industry compliance, factoring in standards
such as PCI, HIPAA, SOX, FISMA, FERC, and NERC. The
acronym list can go on and on.
1. Monitor user behavior: Since 37% of all breaches in 2011
were “inside jobs” it is a no brainer to monitor user log
activity within your enterprise.
2. Manage the log data: What is not so apparent is what to
do with the data; you need to correlate the log data to
unearth patterns of user behavior that might be indicative
of threat. Change and configuration management along
with file integrity monitoring (FIM) help establish baselines
of normal working system states where any deviation
from the baseline could indicate potential threat. And if
there is a threat detected, you need some type of ticketing
system to alert your help desk that a potential threat has
been unleashed so you can thoroughly
investigate.
3. Do 1 & 2 with compliance: Who gets
to investigate and how the forensic data
is stored is where compliance comes
into play. The data needs to be stored in
a separate server location than where it
originated with archiving and encryption
practices that adhere to compliance
guidelines. You then need to add clear,
global visibility into to all logs with the
ability to conduct high-speed search to
quickly jump to the precise information
at question in the event of a breach.
The complexity of your network is exploding, straining human and system resources.
[Figure: the three-pronged approach: Monitor Log Data, Monitor User Behavior, Be Compliant. ‘Monitor everything’ means centralizing log data from all systems/platforms, with knowledge of user behavior and doing so within your organization’s compliance guidelines.]
The 10 ‘to-do’s’
Here are 10 to-do’s to factor into your organization’s SIEM
system that will help secure your enterprise across all
platforms and devices:
1. Centralize your data – we all know this and it sounds
simple but I’m amazed at how many clients tell us “having
the data in one place has saved a significant amount of
time searching for logs when doing forensics.”
2. Have a correlation engine that relates seemingly
unrelated logs (anomalous user behavior) into the picture
of a potential breach. One anomaly (bad logon) does
not necessarily constitute a breach. Multiple errors (bad
logon, and at 1am on a Saturday, and from a device the
user never accesses) may signal a potential threat.
3. Implement your correlation engine into a helpdesk
ticketing system so you can issue immediate action with
priority assignments.
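To-dos 2 and 3 describe the idea without showing the mechanics, so here is an added example (not CorreLog’s correlation engine or ticketing code) of a small correlation rule: events are grouped per user and source device, the three anomalies named above (repeated bad logons, off-hours activity, a device the user never uses) are scored together, and only a combination raises a ticket with a priority. The log lines, the known-device baseline, the off-hours window and the thresholds are all constructed for the example.

```python
"""Toy correlation rule: several individually harmless anomalies around one
user add up to a ticket.  Added example; log lines, baseline and thresholds
are constructed, not a product's rules."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in an assumed key=value syslog-like layout.
SAMPLE_LOG = """\
2015-03-07T01:02:11 host=win-fs01 user=jsmith event=logon_failed src=10.0.9.77
2015-03-07T01:02:19 host=win-fs01 user=jsmith event=logon_failed src=10.0.9.77
2015-03-07T01:02:40 host=win-fs01 user=jsmith event=logon_ok src=10.0.9.77
2015-03-09T09:15:00 host=win-fs01 user=jsmith event=logon_ok src=10.0.2.15
2015-03-09T09:20:03 host=win-fs01 user=avega event=logon_failed src=10.0.2.30
2015-03-09T09:20:10 host=win-fs01 user=avega event=logon_ok src=10.0.2.30
"""

# Devices each user is known to work from (constructed baseline; a SIEM would
# learn this from weeks of normal activity).
KNOWN_DEVICES = {"jsmith": {"10.0.2.15"}, "avega": {"10.0.2.30"}}

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) event=(\S+) src=(\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, event, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "event": event, "src": src}


def off_hours(ts):
    """Weekend, or outside 07:00-19:00 on a weekday (assumed business hours)."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def correlate(log_text):
    """Group events per (user, src) and score the anomalies that co-occur.
    One anomaly alone is noise; two open a priority-2 ticket, three a priority-1."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            groups[(ev["user"], ev["src"])].append(ev)

    tickets = []
    for (user, src), events in groups.items():
        reasons = []
        failed = sum(1 for e in events if e["event"] == "logon_failed")
        if failed >= 2:
            reasons.append(f"{failed} failed logons")
        if any(off_hours(e["ts"]) for e in events):
            reasons.append("activity at off hours")
        if src not in KNOWN_DEVICES.get(user, set()):
            reasons.append(f"unknown device {src}")
        if len(reasons) >= 2:
            tickets.append({"user": user, "src": src,
                            "priority": 1 if len(reasons) == 3 else 2,
                            "reasons": reasons})
    return tickets


if __name__ == "__main__":
    for t in correlate(SAMPLE_LOG):
        print(f"P{t['priority']} ticket for {t['user']} from {t['src']}: "
              + "; ".join(t["reasons"]))
```

Run against the sample, only jsmith’s Saturday 1am session from 10.0.9.77 produces a ticket; avega’s single bad logon during office hours from a known device is ignored, which is exactly the distinction to-do 2 draws.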
4. Incorporate a File Integrity Monitoring (FIM) process to
track changes in Windows system directories, a typical
initial target of intrusion.
5. Incorporate a Change Management process to track any
and all changes to servers, routers, switches, firewalls,
databases, and applications. Also enforce configuration
policies that keep you in compliance with PCI, HIPAA,
FISMA, SOX, etc… This used to be a painstaking process
but there are software tools today that simplify this
process.
6. Secure all log data remotely and compress with an
encrypted MD5 checksum. Securing the data away from
the system that generates it limits user access control,
and the encrypted archive also helps maintain PCI
compliance.
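An added example (not CorreLog’s archiving feature) of what to-do 6 amounts to in practice: the log is compressed, a digest of the archive is written to a manifest, and the archive is verified before it is used for forensics. The whitepaper speaks of an MD5 checksum; the example uses HMAC-SHA-256 instead, because MD5 collisions are practical and an unkeyed digest stored beside the archive can simply be recomputed by whoever alters the file. The archive location, manifest layout and key are assumptions; the key in particular is a placeholder that a real deployment would hold in the SIEM, not next to the archive.

```python
"""Compress a log file, record a keyed digest of the archive in a manifest,
and verify it later.  Added example with constructed data; layout and key are
assumptions.  HMAC-SHA-256 replaces a bare MD5 checksum: MD5 collisions are
practical, and an unkeyed digest beside the archive can be recomputed by
whoever tampers with it."""
import gzip
import hashlib
import hmac
import json
import os
import tempfile

# Placeholder key; keep the real one in the SIEM, never with the archive.
ARCHIVE_KEY = b"constructed-demo-key-change-me"


def keyed_digest(path, key=ARCHIVE_KEY):
    """HMAC-SHA-256 of a file, streamed so large archives do not load in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def archive_log(src_path, archive_dir):
    """gzip the log into archive_dir and write a manifest beside the archive."""
    dst = os.path.join(archive_dir, os.path.basename(src_path) + ".gz")
    with open(src_path, "rb") as fin, gzip.open(dst, "wb") as fout:
        fout.write(fin.read())
    manifest = {"file": os.path.basename(dst),
                "hmac_sha256": keyed_digest(dst),
                "source_hmac_sha256": keyed_digest(src_path)}
    with open(dst + ".manifest.json", "w") as m:
        json.dump(manifest, m, indent=2)
    return dst


def verify_archive(archive_path):
    """True if the archive still matches its manifest; False if it was altered."""
    with open(archive_path + ".manifest.json") as m:
        manifest = json.load(m)
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(keyed_digest(archive_path), manifest["hmac_sha256"])


def demo():
    """Archive a constructed log, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "app.log")
        with open(src, "w") as f:
            f.write("2015-03-09T09:20:03 host=win-fs01 user=avega event=logon_ok\n" * 200)
        arc = archive_log(src, d)
        ok_before = verify_archive(arc)
        with open(arc, "ab") as f:      # simulate tampering with the stored archive
            f.write(b"\x00")
        ok_after = verify_archive(arc)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The manifest keeps a digest of the original file as well as of the archive, so an investigator can later show that the decompressed content is what the source system wrote, not only that the gzip container is intact.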
Tips 7 and 8 come from a Network World article written by Linda Musthaler (Best practices for SIEM deployments, Linda Musthaler, November 12, 2010)
7. Investigate abnormal increase or
decrease in log data. Investigators
sometimes see log entries
increase by 500% following a
breach. Consequently, when
an attacker turns off logging,
sometimes those logs disappear
for months.
8. Investigate abnormal length of
lines within logs. When SQL is
modified to facilitate a breach the
attack leaves abnormal length of
lines in the log file.
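Tips 7 and 8 are easy to automate once the log data is centralized. The following is an added example (not from the article or from CorreLog) of the two checks: each hour’s event count is compared with the median of the hours before it, so both a several-hundred-percent jump and a sudden silence are flagged, and lines far longer than the typical line are reported. The hourly counts, the sample lines and the thresholds are constructed and would be tuned per log source.

```python
"""Two cheap log-health checks behind tips 7 and 8: flag hours whose event
count jumps or collapses against the hours before them, and flag lines far
longer than the typical line.  Added example; data and thresholds are
constructed assumptions to tune per source."""
import statistics


def volume_anomalies(hourly_counts, spike=5.0, drop=0.2):
    """hourly_counts: events per hour, oldest first.  Each hour is compared
    with the median of all earlier hours; the median keeps one spike from
    polluting the baseline.  Returns (index, kind, ratio) tuples."""
    findings = []
    for i in range(1, len(hourly_counts)):
        baseline = statistics.median(hourly_counts[:i])
        if baseline == 0:
            continue
        ratio = hourly_counts[i] / baseline
        if ratio >= spike:
            findings.append((i, "spike", ratio))
        elif ratio <= drop:
            findings.append((i, "drop", ratio))
    return findings


def long_line_anomalies(lines, factor=4.0):
    """Lines longer than `factor` times the median line length."""
    median = statistics.median([len(line) for line in lines])
    return [line for line in lines if len(line) > factor * median]


# Constructed data: a steady ~100 events/hour, a roughly 500% jump, then
# logging stops entirely (the "logs disappear" case from tip 7).
HOURLY = [98, 102, 101, 99, 100, 103, 600, 0, 0]

# Constructed request log lines; the last one is abnormally long.
SAMPLE_LINES = [
    "GET /account?id=42 200 512",
    "GET /account?id=43 200 498",
    "GET /login 200 1024",
    "GET /account?id=" + "x" * 400 + " 500 0",
]


if __name__ == "__main__":
    for i, kind, ratio in volume_anomalies(HOURLY):
        print(f"hour {i}: {kind} ({ratio:.1f}x baseline)")
    for line in long_line_anomalies(SAMPLE_LINES):
        print("long line:", line[:40] + "...")
```

Hour 6 is reported as a spike and hours 7 and 8 as drops; a drop to zero is worth a ticket of its own, since a quiet log source is as likely to mean logging was switched off as that nothing happened.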
The explosion of complexity is manageable if you centralize your log data and provide the visibility to manage cyber threats and compliance.

About CorreLog, Inc.
CorreLog, Inc. delivers security information and event management (SIEM) combined with deep correlation functions.
CorreLog’s flagship product, the CorreLog Security Correlation Server, combines log management, Syslog, Syslog-NG, SNMP,
auto-learning functions, neural network technology, proprietary semantic correlation techniques and highly interoperable
ticketing and reporting functions into a unique security solution. CorreLog furnishes an essential viewpoint on the activity
of users, devices, and applications to proactively meet regulatory requirements, and provide verifiable information security.
CorreLog automatically identifies and responds to network attacks, suspicious behavior and policy violations by collecting,
indexing and correlating user activity and event data to pinpoint security threats, allowing organizations to respond quickly
to compliance violations, policy breaches, cyber attacks and insider threats. CorreLog provides auditing and forensic
capabilities for organizations concerned with meeting SIEM requirements set forth by PCI/DSS, HIPAA, SOX, FISMA, GLBA,
NCUA, and others. Maximize the efficiency of existing compliance tools through CorreLog’s investigative prowess and
detailed, automated compliance reporting. CorreLog markets its solutions directly and through partners.
Visit www.correlog.com for more information.
1004 Collier Center Way, 1st Floor · Naples, Florida 34110 · 1-877-CorreLog · 239-514-3331 · [email protected]
www.correlog.com
Copyright © 2015 CorreLog, Inc. All rights reserved.

Since SIEM systems use syslog files to track and manage intrusion, as
long as you can get a syslog file on demand and in real time, you
should be able to know the security status of your network at any
point in time. However, this poses a problem for mainframe and
Windows computing because these systems don’t natively generate
syslog files. There has to be another computing component that
translates these native files (mainframe SMF and Windows event logs)
into syslog format for inclusion in your SIEM. This brings us to
the ninth and tenth “to-do’s”.
9. Incorporate real-time syslog file conversion from your
mainframe to SIEM. We’re not talking about the
mainframe “SYSLOG” (see article on SYSLOG versus
Syslog) rather, we speak here of the native syslog format
that all SIEM systems use to track and store log files.
Real-time mainframe event message-to-syslog conversion
is critical to track because of the nature of the data stored
in these systems as mentioned above (credit card, HIPAA,
FISMA, SOX, etc…).
10. Have a system that can convert a Windows event log, in
real time, to syslog format for inclusion into your SIEM.
CorreLog provides one free of charge and with a license
that never expires. Go to http://correlog.com/download
for the download.
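To make concrete what to-dos 9 and 10 ask for, here is an added example (not CorreLog’s converter) of the last step of such a conversion: an event that has already been parsed out of its native store is rendered as an RFC 5424 syslog message, the form a SIEM ingests, and the receiving side splits the header back out. The record layout, the field names, the SD-ID evt@32473 (32473 is the example enterprise number reserved in RFC 5424) and the two sample events (one shaped like a Windows logon-failure event, one like a RACF SMF type 80 record) are assumptions; reading the raw SMF or Windows event store itself is a separate job that this example does not cover.

```python
"""Render a parsed native event as an RFC 5424 syslog message and parse the
header back on the SIEM side.  Added example: record layout, field names,
SD-ID and sample events are assumptions, not a product's converter."""
from datetime import datetime, timezone

FACILITY_AUTH = 4            # RFC 5424 facility 4: security/authorization
SEVERITY = {"critical": 2, "error": 3, "warning": 4, "info": 6}


def _escape(value):
    """RFC 5424 section 6.3.3: escape '"', '\\' and ']' inside a PARAM-VALUE."""
    return (str(value).replace("\\", "\\\\")
            .replace('"', '\\"').replace("]", "\\]"))


def to_syslog(record, hostname, app_name):
    """record: {'time': aware datetime, 'severity', 'event_id', 'msg', 'fields'}."""
    pri = FACILITY_AUTH * 8 + SEVERITY[record["severity"]]
    ts = record["time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = "".join(f' {k}="{_escape(v)}"'
                     for k, v in record.get("fields", {}).items())
    sd = f'[evt@32473 id="{record["event_id"]}"{params}]'
    # HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID; PROCID is nil ("-")
    return f"<{pri}>1 {ts} {hostname} {app_name} - {record['event_id']} {sd} {record['msg']}"


def parse_header(message):
    """Split an RFC 5424 message into its header fields (what the SIEM keys on)."""
    pri_end = message.index(">")
    pri = int(message[1:pri_end])
    version, ts, host, app, procid, msgid, rest = message[pri_end + 1:].split(" ", 6)
    return {"facility": pri // 8, "severity": pri % 8, "version": version,
            "timestamp": ts, "hostname": host, "app_name": app,
            "procid": procid, "msgid": msgid, "rest": rest}


# Constructed samples; field names are assumptions.
WINDOWS_EVENT = {
    "time": datetime(2015, 3, 7, 1, 2, 11, tzinfo=timezone.utc),
    "severity": "warning", "event_id": 4625,
    "fields": {"user": "jsmith", "logon_type": 3, "src": "10.0.9.77"},
    "msg": "An account failed to log on",
}
SMF_EVENT = {
    "time": datetime(2015, 3, 7, 1, 5, 0, tzinfo=timezone.utc),
    "severity": "error", "event_id": "SMF80",
    "fields": {"user": "JSMITH", "resource": "PROD.PAYROLL.DATA", "result": "VIOLATION"},
    "msg": "RACF access violation",
}


def convert_all(records, hostname, app_name):
    """Convert a batch of parsed records into syslog lines ready to forward."""
    return [to_syslog(r, hostname, app_name) for r in records]


if __name__ == "__main__":
    for line in convert_all([WINDOWS_EVENT, SMF_EVENT], "win-fs01", "winevent"):
        print(line)
```

Both events land in the same facility with the user, resource and outcome carried as structured-data parameters rather than buried in free text, which is what lets a correlation rule join a mainframe access violation to a Windows logon failure by the same user a few minutes earlier.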
As CISO or IT security department head, the task of securing
an enterprise is surely daunting but you give yourself a
running start with the ability to collect log data from all devices
and across all operating platforms and then manage it in a
centralized SIEM system. The key is to avoid biting off more
than you can chew with the resources you currently have
in place. Above all, have specific requirements aligned to
what needs to be accomplished with threat detection and
compliance. Start small with just a group of devices and
applications, and understand what you are up against before
a system-wide rollout. And be sure your SIEM system has
organizational-wide visibility into user behavior, application
state and compliance, with search capabilities so you can
be proactive with your threat detection and then provide fast
resolution with forensic data in the event of a breach. And, do
not be afraid to ask for help. The software vendor community
offers multiple options for free solutions on a trial basis.
And the analyst community (Gartner, Forrester, 451 Group,
and others) is a great resource to turn to for advice on any
technology issue.
About the author: Tony Perri, Perri Marketing and [email protected]