
www.correlog.com

Whitepaper

Mainframe SIEM Log Management in a Distributed IT Security World

The mainframe might very well be less vulnerable to attack, but one thing is certain: there are a host of government, financial services and health care organizations that use mainframe technology to store highly sensitive data – PCI, HIPAA, FISMA, NERC, GLBA, etc. If you are an insider and want to steal data, money or generally throw a huge monkey wrench into an organization’s compliance, you’d look for a way to compromise mainframe data.

The mainframe is here to stay: what are you doing with its event log data?

Mainframes have the greatest computing capacity, as evidenced in how we measure the instructions they process – by millions per second (MIPS). With such capacity to compute and store information, it is no wonder mainframes are employed by some of the largest corporate and government entities across the globe. The bottom line is clear: mainframe technology is not going away any time soon. It will continue to co-exist with distributed systems in IT shops for many years to come.

What is important to grasp here is the concept that your most critical log data and applications are everywhere. In order to protect your systems from intrusion, you have to protect everything – mainframes, distributed servers, firewalls, routers and other devices. Just as a thief will find any vulnerable spot to break into your home (front door, window, left-open garage, basement door, etc.), a breach can come through any spot of your organization’s IT environment. The key is to shore up all avenues of intrusion, regardless of system or device. If you are lucky enough to already be collecting log data and tracking it in a SIEM (security information and event management) system, collecting the log data is just the beginning of best-practice intrusion detection and compliance.

It seems like every day we see news headlines about yet another cyber-breach. Government agencies, local municipalities, online gaming and social platforms, financial institutions, even high-school records have been exposed in recent attacks.

Scour the web and you will be hard-pressed to find the percentage of breaches occurring on mainframe versus distributed systems: the data just doesn’t seem to be there. Mainframe gurus will say that it is rare for a mainframe to be compromised, but the reality is that the data to confirm or dismiss this is just too hard to come by. Unless you are an insider and know the details of the breach, all we know publicly is that there was a breach, the number of records compromised and maybe the dollars affected.

A three-pronged approach and 10 ‘to-dos’ to incorporate into your enterprise IT security management strategy


Let’s face it, the complexity of your IT infrastructure is exploding. Forrester Research I&O industry guru J.P. Garbani suggests a “saturation point” is reached when an IT shop’s ability to manage the workload is compromised because no amount of human resource can keep up with the complexity.

What does this have to do with IT security?

Much of the human resource needed to fight the complexity problem overlaps with the resources also needed to shore up corporate/organizational IT security. It’s an exponential problem that feeds on itself, leaving those who have to manage the infrastructure and its security somewhat overwhelmed. The bottom line is you have to simplify wherever possible, and a centralized SIEM is one area where you can consolidate data and human resources to reduce the complexity needed to secure your enterprise network.

The three-pronged approach

This will consist of a multi-pronged approach to 1) monitor and manage people (user behavior), 2) manage the log data linked to those users and the applications they use, and 3) carry out numbers 1 and 2 to an acceptable level of organizational and industry compliance, factoring in standards such as PCI, HIPAA, SOX, FISMA, FERC, and NERC. The acronym list can go on and on.

1. Monitor user behavior: Since 37% of all breaches in 2011 were “inside jobs”, it is a no-brainer to monitor user log activity within your enterprise.

2. Manage the log data: What is not so apparent is what to do with the data; you need to correlate the log data to unearth patterns of user behavior that might be indicative of a threat. Change and configuration management along with file integrity monitoring (FIM) help establish baselines of normal working system states, where any deviation from the baseline could indicate a potential threat. And if a threat is detected, you need some type of ticketing system to alert your help desk that a potential threat has been unleashed so you can thoroughly investigate.

3. Do 1 & 2 with compliance: Who gets to investigate and how the forensic data is stored is where compliance comes into play. The data needs to be stored in a separate server location from where it originated, with archiving and encryption practices that adhere to compliance guidelines. You then need to add clear, global visibility into all logs with the ability to conduct high-speed search to quickly jump to the precise information in question in the event of a breach.
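To make the second prong concrete, here is an added example (not code from the whitepaper or from CorreLog) of the correlation-then-ticket step: each logon event is scored against the user’s own history for three signals, a failed logon, an off-hours time and a device the user has never used, and any event scoring two or more becomes a help-desk ticket with a priority. The log format, field names, business-hours rule and thresholds are my assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample feed (not from the whitepaper): logon events as a SIEM
# might hold them after centralizing mainframe and Windows logs. Format assumed.
SAMPLE_EVENTS = """\
2015-03-02T09:14:02 host=MF01 user=jdoe src=WS-JDOE event=LOGON_OK
2015-03-03T10:02:11 host=MF01 user=jdoe src=WS-JDOE event=LOGON_OK
2015-03-03T10:30:45 host=MF01 user=asmith src=WS-ASMITH event=LOGON_FAIL
2015-03-03T10:31:02 host=MF01 user=asmith src=WS-ASMITH event=LOGON_OK
2015-03-07T01:05:19 host=MF01 user=jdoe src=WS-TEMP9 event=LOGON_FAIL
2015-03-07T01:05:51 host=MF01 user=jdoe src=WS-TEMP9 event=LOGON_FAIL
"""

def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def off_hours(ts):
    # Assumed business rule: weekends, or any day between midnight and 05:59.
    return ts.weekday() >= 5 or ts.hour < 6

def correlate(text):
    """Score each event against the user's own history; return help-desk tickets."""
    events = sorted((parse(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    seen = defaultdict(set)  # user -> devices already used for a successful logon
    tickets = []
    for e in events:
        reasons = []
        if e["event"] == "LOGON_FAIL":
            reasons.append("failed logon")
        if off_hours(e["ts"]):
            reasons.append("off-hours")
        if e["user"] in seen and e["src"] not in seen[e["user"]]:
            reasons.append("unfamiliar device " + e["src"])
        if e["event"] == "LOGON_OK":
            seen[e["user"]].add(e["src"])
        # One anomaly alone is noise; two or more open a ticket, three rank it high.
        if len(reasons) >= 2:
            tickets.append({"user": e["user"], "when": e["ts"].isoformat(),
                            "priority": "high" if len(reasons) == 3 else "medium",
                            "reasons": reasons})
    return tickets
```

Run against the sample, only the two Saturday 1am failures from the unfamiliar workstation become tickets; asmith’s single daytime typo does not.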

The complexity of your network is exploding, straining human and system resources.

[Figure: the three prongs – Monitor Log Data, Monitor User Behavior, Be Compliant]

‘Monitor everything’ means centralizing log data from all systems/platforms, with knowledge of user behavior and doing so within your organization’s compliance guidelines.


The 10 ‘to-do’s’

Here are 10 to-do’s to factor into your organization’s SIEM system that will help secure your enterprise across all platforms and devices:

1. Centralize your data – we all know this and it sounds simple, but I’m amazed at how many clients tell us “having the data in one place has saved a significant amount of time searching for logs when doing forensics.”

2. Have a correlation engine that relates seemingly unrelated logs (anomalous user behavior) into the picture of a potential breach. One anomaly (bad logon) does not necessarily constitute a breach. Multiple errors (bad logon, and at 1am on a Saturday, and from a device the user never accesses) may signal a potential threat.

3. Integrate your correlation engine with a helpdesk ticketing system so you can issue immediate action with priority assignments.

4. Incorporate a File Integrity Monitoring (FIM) process to track changes in Windows system directories, a typical initial target of intrusion.

5. Incorporate a Change Management process to track any and all changes to servers, routers, switches, firewalls, databases, and applications. Also enforce configuration policies that keep you in compliance with PCI, HIPAA, FISMA, SOX, etc. This used to be a painstaking process, but there are software tools today that simplify it.

6. Secure all log data remotely and compress it with an encrypted MD5 checksum. Securing the data away from the system that generates it limits user access control, and the encrypted archive also helps maintain PCI compliance.

Tips 7 and 8 come from a Network World article written by Linda Musthaler (Best practices for SIEM deployments, Linda Musthaler, November 12, 2010).

7. Investigate abnormal increase or decrease in log data. Investigators sometimes see log entries increase by 500% following a breach. Conversely, when an attacker turns off logging, sometimes those logs disappear for months.

8. Investigate abnormal length of lines within logs. When SQL is modified to facilitate a breach, the attack leaves abnormal-length lines in the log file.
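Tips 7 and 8 turn into two simple checks. The added example below is mine, not from the whitepaper or the Network World article: it counts events per hour and flags any hour at or above five times the median (the 500% figure above) or with no events at all, and separately flags lines more than three times the median line length. The log feed is generated inline, and the multipliers are assumptions to be tuned per source.

```python
import statistics
from collections import Counter

def make_sample():
    """Constructed application log (not real data): quiet hours, one burst, one silent hour."""
    lines = []
    for hour, n in [(8, 4), (9, 4), (10, 25), (11, 0), (12, 4)]:
        for i in range(n):
            lines.append("2015-03-09T%02d:%02d:00 web01 app: POST /search "
                         "q=printer user=u%d status=200" % (hour, i * 2, i))
    # One request whose logged parameter is far longer than anything normal.
    lines.append("2015-03-09T10:51:00 web01 app: POST /search q=%s status=500" % ("x" * 300))
    return lines

HOURS = ["2015-03-09T%02d" % h for h in range(8, 13)]  # hours the feed should cover

def volume_anomalies(lines, hours, spike=5.0):
    """Tip 7: per-hour event counts compared with the median over the window.

    Lines are assumed to start with an ISO-8601 timestamp, so the first 13
    characters ("YYYY-MM-DDTHH") identify the hour."""
    counts = Counter(line[:13] for line in lines)
    baseline = statistics.median(counts.get(h, 0) for h in hours)
    findings = []
    for h in hours:
        n = counts.get(h, 0)
        if baseline and n >= spike * baseline:
            findings.append((h, "spike", n))    # e.g. a logging flood after a breach
        elif baseline and n == 0:
            findings.append((h, "silence", n))  # e.g. logging switched off
    return findings

def length_anomalies(lines, factor=3.0):
    """Tip 8: lines far longer than the median line length for this source."""
    median_len = statistics.median(len(line) for line in lines)
    return [line for line in lines if len(line) > factor * median_len]
```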

Since SIEM systems use syslog files to track and manage intrusion, as long as you can get a syslog file on demand and in real time, you should be able to know the security status of your network at any point in time. However, this poses a problem for mainframe and Windows computing because these systems don’t natively generate syslog files. There has to be another computing component that translates these native files (mainframe SMF and Windows event logs) into syslog format for inclusion in your SIEM. This brings us to the ninth and tenth “to-do’s”.

The explosion of complexity is manageable if you centralize your log data and provide the visibility to manage cyber threats and compliance.

9. Incorporate real-time syslog file conversion from your mainframe to SIEM. We’re not talking about the mainframe “SYSLOG” (see article on SYSLOG versus Syslog); rather, we speak here of the native syslog format that all SIEM systems use to track and store log files. Real-time mainframe event message-to-syslog conversion is critical to track because of the nature of the data stored in these systems as mentioned above (credit card, HIPAA, FISMA, SOX, etc.).

10. Have a system that can convert a Windows event log, in real time, to syslog format for inclusion into your SIEM. CorreLog provides one free of charge and with a license that never expires. Go to http://correlog.com/download for the download.

As CISO or IT security department head, the task of securing an enterprise is surely daunting, but you give yourself a running start with the ability to collect log data from all devices and across all operating platforms and then manage it in a centralized SIEM system. The key is to avoid biting off more than you can chew with the resources you currently have in place. Above all, have specific requirements aligned to what needs to be accomplished with threat detection and compliance. Start small with just a group of devices and applications, and understand what you are up against before a system-wide rollout. And be sure your SIEM system has organization-wide visibility into user behavior, application state and compliance, with search capabilities so you can be proactive with your threat detection and then provide fast resolution with forensic data in the event of a breach. And do not be afraid to ask for help. The software vendor community offers multiple options for free solutions on a trial basis. And the analyst community (Gartner, Forrester, 451 Group, and others) is a great resource to turn to for advice on any technology issue.

About the author: Tony Perri, Perri Marketing and [email protected]

About CorreLog, Inc.

CorreLog, Inc. delivers security information and event management (SIEM) combined with deep correlation functions. CorreLog’s flagship product, the CorreLog Security Correlation Server, combines log management, Syslog, Syslog-NG, SNMP, auto-learning functions, neural network technology, proprietary semantic correlation techniques and highly interoperable ticketing and reporting functions into a unique security solution. CorreLog furnishes an essential viewpoint on the activity of users, devices, and applications to proactively meet regulatory requirements, and provide verifiable information security. CorreLog automatically identifies and responds to network attacks, suspicious behavior and policy violations by collecting, indexing and correlating user activity and event data to pinpoint security threats, allowing organizations to respond quickly to compliance violations, policy breaches, cyber attacks and insider threats. CorreLog provides auditing and forensic capabilities for organizations concerned with meeting SIEM requirements set forth by PCI/DSS, HIPAA, SOX, FISMA, GLBA, NCUA, and others. Maximize the efficiency of existing compliance tools through CorreLog’s investigative prowess and detailed, automated compliance reporting. CorreLog markets its solutions directly and through partners.

Visit www.correlog.com for more information.

www.correlog.com · Copyright © 2015 CorreLog, Inc. All rights reserved.

1004 Collier Center Way, 1st Floor · Naples, Florida 34110 · 1-877-CorreLog · 239-514-3331 · [email protected]
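To-dos 9 and 10 both hinge on one transformation: turning a native record into the syslog format a SIEM ingests. The added example below is mine, not CorreLog’s converter; it renders a normalized event as an RFC 5424 message (PRI from facility and severity, UTC timestamp, escaped structured data) and feeds it one constructed Windows Security event 4625 (failed logon) and one constructed record shaped like a RACF SMF type 80 violation. The field names, the level-to-severity table and the SD-ID (which uses enterprise number 32473, reserved for documentation) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 numbers: facility 4 is security/authorization; severities run 0-7.
FACILITY_AUTH = 4
SEVERITY = {"Critical": 2, "Error": 3, "Warning": 4, "Information": 6,
            "AuditFailure": 4, "AuditSuccess": 6}  # event levels -> severity (assumed mapping)

def sd_escape(value):
    # PARAM-VALUE escaping: backslash, double quote and ']' get a backslash prefix.
    return re.sub(r'([\\"\]])', r'\\\1', str(value))

def to_syslog(host, app, timestamp, level, msgid, fields, message, sd_id="event@32473"):
    """Render one normalized event as an RFC 5424 message (no transport framing).
    sd_id uses enterprise number 32473, which is reserved for documentation."""
    pri = FACILITY_AUTH * 8 + SEVERITY[level]
    ts = timestamp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = " ".join('%s="%s"' % (k, sd_escape(v)) for k, v in fields.items())
    sd = "[%s %s]" % (sd_id, params) if params else "-"
    # HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
    return "<%d>1 %s %s %s - %s %s %s" % (pri, ts, host, app, msgid, sd, message)

def windows_example():
    """Constructed Windows Security event 4625 (failed logon) as an agent might export it."""
    ts = datetime(2015, 3, 7, 1, 5, 19, tzinfo=timezone(timedelta(hours=-5)))
    fields = {"TargetUserName": "jdoe", "Workstation": "WS-TEMP9", "LogonType": 3,
              "ProcessName": r"C:\Windows\System32\svchost.exe"}
    return to_syslog("WS-TEMP9", "Security", ts, "AuditFailure", "4625", fields,
                     "An account failed to log on")

def mainframe_example():
    """Constructed record shaped like an SMF type 80 (RACF) violation; field names assumed."""
    ts = datetime(2015, 3, 7, 6, 6, 2, tzinfo=timezone.utc)
    fields = {"SMFType": 80, "User": "JDOE", "Jobname": "JDOEBAT",
              "Resource": "PROD.PAYMENTS.CARDS", "Result": "VIOLATION"}
    return to_syslog("MF01", "RACF", ts, "Warning", "SMF80", fields,
                     "Access violation on protected data set")
```

Both records come out with the same PRI (36) and a UTC timestamp, so the SIEM’s correlation rules can treat a mainframe violation and a Windows logon failure from the same user within the same minute as one story.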