This presentation discusses IBM i security monitoring and integration with SIEM solutions. It covers the basics of security monitoring on IBM i, including key areas to monitor like user access, privileged users, network traffic, and database activity. It emphasizes the importance of centralized log collection and correlation through a SIEM for advanced security monitoring, threat detection, and compliance. Finally, it outlines how Precisely's Assure Monitoring and Reporting solution can help organizations by comprehensively monitoring IBM i system and database activity, generating alerts and reports, and integrating IBM i security data with other platforms in the SIEM.
IBM i Security: Identifying the Events That Matter Most
1. IBM i Security: Identifying the Events that Matter Most
Making Sense of Critical Security Data
Patrick Townsend - Townsend Security
Bill Hammond - Precisely
2. The global leader in data integrity
Trust your data. Build your possibilities.
Our data integrity software and data enrichment products deliver accuracy and consistency to power confident business decisions.
Brands you trust, trust us. Data leaders partner with us:
• 90 of the Fortune 100
• Customers in more than 100 countries
• 2,000 employees
• 12,000 customers
3. Better decisions, better data
• Integrate: Data Integration, Security, High Availability, Mainframe Sort & Optimization
• Verify: Data Discovery, Data Cleansing, Data Lineage, Governance
• Locate: Spatial Analysis, Geocoding, Routing, Visualization
• Enrich: Location Enrichment, Boundaries, Points of Interest, Property Attributes, Demographics
4. Townsend Security
ENCRYPTION KEY MANAGEMENT
Townsend Security creates data privacy solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. The company’s solutions easily integrate with Precisely’s Assure Security products. Companies worldwide trust Townsend Security’s NIST and FIPS 140-2 compliant solutions to meet encryption and key management requirements in PCI DSS, GDPR, CCPA, HIPAA/HITECH, FISMA, and other regulatory compliance requirements.
Technology Partners Include
5. Today’s Agenda
• Basics of security monitoring
• Key areas to monitor
• Integration with SIEM solutions
• How Precisely can help
7. Basics of Security Monitoring
You can’t monitor what you aren’t watching!
A strong IBM i security foundation requires solutions that draw a perimeter around your system and its data – capturing security data that you can monitor in log files.
IBM i has powerful audit logs:
• System Journal – QAUDJRN
• Database (Application) Journals – for Before and After Images
• Other IBM Journals are available
• QHST Log Files – DSPLOG Command
• System Message Queues – QSYSOPR, QSYSMSG
Turn on auditing, save journal receivers, and take advantage of everything the operating system can log for you.
8. Alerts and Reporting
Full visibility into security issues!
Security tools generate the log entries required to create a complete audit trail of events on your system. By leveraging that information to generate alerts and reports, those tools will also:
• Simplify the process of analyzing complex IBM i journals
• Detect security incidents when they occur
• Quickly highlight compliance deviations
• Raise alerts and deliver reports in multiple formats
• Distribute reports via SMTP, FTP, IFS, SIEM
9. Enterprise-Level Visibility
Monitor IBM i security along with all the other platforms in your enterprise
Monitoring and reporting tools can forward IBM i security data to a Security Information and Event Management (SIEM) solution to:
• Integrate IBM i security data with data from other IT platforms
• Enable advanced analysis of security data using advanced SIEM technology for correlation, pattern matching, and threat detection
• Support information sharing and collaboration across teams
• Facilitate integration with case management and ticketing systems
10. Analyze IBM i Audit Logs
Tools help you extract insight from your logs
IBM i log files are comprehensive, unalterable, and trusted by auditors BUT they are not easy to analyze. Monitoring and reporting tools are needed to:
• Simplify the process of analyzing complex IBM i journals
• Filter through the massive amount of information in your logs
• Detect security incidents and raise alerts
• Quickly highlight compliance deviations
• Deliver reports in multiple formats to compliance and security auditors, partners, customers and your management team
• Relieve your team of the burden of manual analysis
11. Regulations Require Monitoring
California Consumer Protection Act (CCPA)
Enforcement date: January 1, 2020
• Requires organizations to comply with CCPA if they collect data on residents of California and have annual revenues of $25 million, collect information on over 50,000 people or have 50% of annual revenue from selling/sharing personal information
• Gives individuals the right to sue for damages should a breach expose their data and that data wasn’t encrypted or otherwise made unreadable. Key requirements include:
  • Access control
  • Restricted user privileges
  • Sensitive data protection
  • System activity logging
General Data Protection Regulation (GDPR)
Enforcement date: 25 May 2018
• Regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA)
• Applies to all organizations doing business with EU citizens
• Aims primarily to provide protection and control over their personal data to citizens and residents, including:
  • Access control
  • Sensitive data protection
  • Restricted user privileges
  • System activity logging
  • Risk assessments
New York Dept. of Financial Services Cybersecurity Regulation (NYS 23 NYCRR 500)
Enforcement date: February 15, 2018
• Requires banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program designed to protect consumers
• Ensures the safety and soundness of New York State's financial services industry
• Requirements protect the confidentiality, integrity and availability of information systems, including:
  • Risk assessments
  • Restricted user privileges
  • Automatic logouts
  • Antivirus
  • Multi-factor authentication
  • System activity logging
13. Why do we do log collection and monitoring on IBM i?
Active Monitoring – Catching the cybercriminals early
Forensics – Fixing the problem after a security breach
14. Data Breach Numbers in 2019*
• 7,600 publicly disclosed data breaches
• 54% increase over 2018
• 8.2 billion records exposed
*Norton LifeLock statistics - 2019 data breaches
15. Active Monitoring
Stop a Data Breach Before it Happens.
• 1,093 breaches in 2016
• 40% increase over 2015, an all-time high
• Billions of records lost since 2005
• Less than 1% of the breaches were discovered through log analysis
• 69% of these breaches were detectable via log evidence
Takeaway: If you are monitoring your logs, you can detect a breach and stop it before data is lost.
16. Forensics
How did it happen, how do I clean it up?
• What servers are infected?
• How many are infected?
• Where did it start?
• How does the malware actually work?
• How do I clean it up?
Takeaway: If you do not have logs, you can’t answer these questions and you are almost certain to become re-infected with malware.
17. System Log Collection and Monitoring
Core Principles
• Centralize log collection from ALL servers, devices and PCs
• Real-time collection
• Event correlation for pattern recognition
• Real-time monitoring and alerting
• Historical archives for forensics
• Query and reporting services
18. How to collect and monitor system logs?
• The high volume of events from the IBM i and all other devices, servers, and PCs makes human monitoring IMPOSSIBLE.
• Organizations of all sizes turn to Security Information and Event Management (SIEM) solutions to solve the problem. Smart SIEM software can handle the log collection and monitoring much better than us humans.
19. The State of Logging on the IBM i
The state of logging on most IBM i’s is not good
• There is a ton of valuable information stored on your IBM i
• The IBM i logs are in proprietary format
• IBM i security logs are often an enclave inside the IT organization
• No standardized syslog communications facility
• The essence of good security is externalizing the logs
• There is a requirement to remove the risk of tampering
• Compliance regulations recognize the need to watch all users – including the most powerful users
20. Logging on the IBM i Today
SIEM Consoles for Correlation, Monitoring, and Alerting
• Few of these vendors capture IBM i security events!!!
• Those that do, admit they don’t do it well
What to Look for in a System Logging Solution
• Creates logs that ALL SIEM consoles can read
• Forwards important information to your SIEM
• Uses a standardized log format
• Uses SSL/TLS encryption to secure delivery
21. Prioritizing IBM i Log Sources and Collection
There are many and disparate sources of logging information:
• IBM Security Audit Journal QAUDJRN
• System history message file QHST
• System operator message queue (QSYSOPR, QSYSMSG)
• IBM exit points (SQL, Telnet, FTP, RCMD, and many more)
• Linux/Unix style logs (Apache, OpenSSH, WebSphere, Perl, PHP, etc.)
• DB2 row and column access
• User and ISV applications
23. What is SIEM?
Security Information and Event Management
• Real-time analysis of security alerts generated by applications and network hardware
• Holistic, unified view into infrastructure, workflow, policy compliance and log management
• Monitor and manage user and service privileges as well as external threat data
SIEM capabilities (diagram): Log Collection, Log Analysis, Event Correlation, Log Forensics, IT Compliance, Application Log Monitoring, Object Access Auditing, Real-Time Alerting, User Activity Monitoring, Dashboards, Reporting, File Integrity Monitoring, System/Device Log Monitoring, Log Retention
24. Enterprise Security Monitoring
Monitor IBM i security along with your other enterprise platforms
• Monitoring and reporting tools can forward IBM i security data to a Security Information and Event Management (SIEM) solution to:
  • Integrate IBM i security data with data from other IT platforms
  • Enable advanced analysis of security data using correlation, pattern matching, and threat detection
  • Share information across teams
  • Integrate with case management and ticketing systems
25. What Can You Detect with a SIEM?
• Data movement – inbound/outbound FTP
• Dataset access operations
• Determine potential security threats based on unauthorized access attempts
• Ensure only authorized users are accessing critical datasets
• Privileged/non-privileged user activity monitoring
• Unusual behavior pattern – off hours connections
• High number of invalid logon attempts
• Attack detection – intrusion, scans, floods
• Authentication anomalies – e.g. entered the building at 08:30 but logged on from another country at 09:00
• Network Traffic Analysis – high data volumes from a device/server
• … and much more
27. Assure Security
• Assure Data Privacy: Assure Encryption, Assure Secure File Transfer
• Assure Compliance Monitoring: Assure Monitoring and Reporting, Assure Db2 Data Monitor
• Assure Access Control: Assure System Access Manager, Assure Elevated Authority Manager, Assure Multi-Factor Authentication
• Security Risk Assessment
Assure Monitoring and Reporting monitors IBM i system and database activity and produces clear, concise alerts and reports that identify compliance deviations and security incidents.
28. Assure Monitoring & Reporting
Comprehensive monitoring of system and database activity
• Serves as a powerful query engine with extensive filtering
• Includes out-of-the-box, customizable models for ERP applications or GDPR compliance
• Provides security and compliance event alerts via e-mail, popup, or syslog
• Produces clear, easy-to-read reports continuously, on a schedule or on-demand
• Supports multiple report formats including PDF, XLS, CSV and PF formats
• Distributes reports via SMTP, FTP or the IFS
• Forwards security data to Security Information and Event Management (SIEM) consoles such as IBM QRadar, ArcSight, LogRhythm, LogPoint, and Netwrix
• No application modifications required
29. Assure Security and SIEM Integration
Sources:
• Assure System Access Manager – Exit Point Control
• Assure Monitoring and Reporting – System and Database Activity and Static Data Sources
• Assure Elevated Authority Manager – Privileged Access Management
• Assure Multi-Factor Authentication – Reinforced Login Management
Assure Security Gateway:
• Connects to the different sources
• Filters the events
• Selects the message format: *LEEF, *CEF, *RFC3164, *RFC5424, user-defined
• Builds the message
• Categorizes the message
• Enriches the message
• Optimizes
• Secures & encrypts (SSL/TLS)
• Sends Syslog, Db2 file, stream file
• Heartbeat
SIEM (DSM, Event Properties): HPE ArcSight, Splunk, LogRhythm, McAfee, AlienVault, SolarWinds, etc.
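The format selection the gateway performs above (and the "standardized log format" slide 20 asks for), as an added example that is not Precisely's or Townsend's code: a constructed QAUDJRN authority-failure entry rendered as an RFC 5424 syslog line with structured data and as a CEF line, plus the SIEM-side decoding of the PRI field. The host, vendor, product and enterprise-number values are placeholders, and the field mapping is an assumption, not the Assure Security Gateway's.

```python
import re
from datetime import datetime, timezone

# Constructed QAUDJRN-style entry (not a real journal dump): an AF (authority
# failure) audit entry, subtype A = not authorized to the object.
SAMPLE_ENTRY = {
    "entry_type": "AF", "subtype": "A", "user": "JSMITH", "job": "QPADEV0001",
    "object": "PAYROLL", "library": "HRLIB", "object_type": "*FILE",
    "timestamp": datetime(2020, 3, 4, 2, 15, 30, tzinfo=timezone.utc),
}
FACILITY_LOG_AUDIT = 13   # RFC 5424 facility "log audit"
SEVERITY_WARNING = 4      # RFC 5424 severity "warning"
ENTERPRISE_ID = "32473"   # RFC 5612 example enterprise number; replace with your own PEN

def _sd_escape(value):
    """Escape the three characters RFC 5424 forbids unescaped in a PARAM-VALUE."""
    return re.sub(r'([\\"\]])', r'\\\1', str(value))

def to_rfc5424(entry, hostname="IBMI01", app="QAUDJRN"):
    """Render the entry as one RFC 5424 syslog line with an SD-ELEMENT carrying the fields."""
    pri = FACILITY_LOG_AUDIT * 8 + SEVERITY_WARNING   # PRI = facility * 8 + severity
    ts = entry["timestamp"].strftime("%Y-%m-%dT%H:%M:%SZ")
    fields = ("user", "job", "object", "library", "object_type")
    params = " ".join(f'{k}="{_sd_escape(entry[k])}"' for k in fields)
    msgid = entry["entry_type"] + entry["subtype"]   # e.g. AFA; PROCID is "-" (nil)
    return f"<{pri}>1 {ts} {hostname} {app} - {msgid} [ibmi@{ENTERPRISE_ID} {params}] authority failure"

def _cef_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _cef_ext(value):
    return str(value).replace("\\", "\\\\").replace("=", "\\=")

def to_cef(entry, vendor="ExampleVendor", product="ibmi-forwarder", version="1.0"):
    """Render the entry as CEF: '|'-separated header, then key=value extension pairs."""
    sig = entry["entry_type"] + entry["subtype"]
    header = "|".join(_cef_header(v) for v in (vendor, product, version, sig, "Authority failure", 5))
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in (
        ("suser", entry["user"]), ("fname", f"{entry['library']}/{entry['object']}"),
        ("cs1", entry["job"]), ("cs1Label", "job")))
    return f"CEF:0|{header}|{ext}"

def decode_pri(line):
    """SIEM side: recover (facility, severity) from the <PRI> prefix of a syslog line."""
    return divmod(int(re.match(r"<(\d{1,3})>", line).group(1)), 8)
```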
30. Benefits of Assure Monitoring and Reporting
• Simplifies the process of analyzing complex journals
• Comprehensively monitors system and database activity
• Enables quick identification of security incidents and compliance deviations when they occur
• Monitors the security best practices you have implemented
• Enables you to meet regulatory requirements for GDPR, SOX, PCI DSS, HIPAA and others
• Satisfies requirements for a journal-based audit trail
• Provides real segregation of duties and enforces the independence of auditors
31. Sample Reports
These are just a handful of the reports you could create with Assure Monitoring and Reporting
• File accesses outside business hours
• Accesses to sensitive database fields
• Changes of more than 10% to a credit limit field
• All accesses from a specific IP address
• Command line activity for powerful users (*ALLOBJ, *SECADM)
• Changes to system values, user profiles, and authorization lists
• Attempts to sign into a specific account
• Actions on a sensitive spool file, such as display or deletion of the payroll spool file
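Three of the detections from slide 25 and the sample reports above, as an added example that is not part of the deck or of Assure Monitoring and Reporting: repeated invalid sign-on attempts, off-hours command activity by *ALLOBJ/*SECADM holders, and credit-limit changes of more than 10%, each run over constructed audit events. The event field names, thresholds and the special-authority map are assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed audit events loosely modelled on QAUDJRN entry types: PW = invalid
# password/sign-on attempt, CD = command string run, ZC = object change carrying
# the before and after image from a database journal. Not a real journal dump.
T0 = datetime(2020, 3, 4, 9, 0)
EVENTS = (
    [{"type": "PW", "user": "JSMITH", "ip": "10.0.0.5", "ts": T0 + timedelta(seconds=20 * i)}
     for i in range(6)]
    + [{"type": "PW", "user": "AJONES", "ip": "10.0.0.9", "ts": T0 + timedelta(hours=1)},
       {"type": "CD", "user": "QSECOFR", "cmd": "CHGUSRPRF", "ts": datetime(2020, 3, 4, 3, 12)},
       {"type": "CD", "user": "QSECOFR", "cmd": "WRKACTJOB", "ts": datetime(2020, 3, 4, 10, 5)},
       {"type": "CD", "user": "JSMITH", "cmd": "DSPLIB", "ts": datetime(2020, 3, 4, 2, 40)},
       {"type": "ZC", "user": "APPUSER", "file": "HRLIB/CUSTMAST", "field": "CRLIMIT",
        "before": 10000, "after": 11500, "ts": datetime(2020, 3, 4, 11, 0)},
       {"type": "ZC", "user": "APPUSER", "file": "HRLIB/CUSTMAST", "field": "CRLIMIT",
        "before": 10000, "after": 10500, "ts": datetime(2020, 3, 4, 11, 1)}]
)
# Constructed: which profiles hold the powerful special authorities named on slide 31
SPECIAL_AUTHORITIES = {"QSECOFR": {"*ALLOBJ", "*SECADM"}, "JSMITH": set(), "APPUSER": set()}

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` invalid sign-on attempts inside a sliding window."""
    flagged, recent = set(), {}
    for e in sorted((e for e in events if e["type"] == "PW"), key=lambda e: e["ts"]):
        bucket = recent.setdefault(e["user"], [])
        bucket.append(e["ts"])
        while e["ts"] - bucket[0] > window:      # drop attempts that fell out of the window
            bucket.pop(0)
        if len(bucket) >= threshold:
            flagged.add(e["user"])
    return flagged

def off_hours_powerful_commands(events, start=time(8), end=time(18)):
    """Command-line activity by *ALLOBJ/*SECADM holders outside business hours."""
    return [(e["user"], e["cmd"]) for e in events
            if e["type"] == "CD" and SPECIAL_AUTHORITIES.get(e["user"])
            and not (start <= e["ts"].time() < end)]

def large_credit_limit_changes(events, field="CRLIMIT", pct=10.0):
    """Before/after image changes to the credit limit field of more than `pct` percent."""
    hits = []
    for e in events:
        if e["type"] == "ZC" and e["field"] == field and e["before"]:
            change = abs(e["after"] - e["before"]) / e["before"] * 100
            if change > pct:
                hits.append((e["user"], e["before"], e["after"], round(change, 1)))
    return hits
```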
Bill
GDPR – Not only for Europe. It also addresses the export of personal data outside the EU (European Union) and EEA (European Economic Area) areas.
23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies – applies to banks, insurance companies, and other financial services institutions regulated by the New York Department of Financial Services.
Patrick
SIEM technology aggregates and provides real-time analysis of security alerts using event data produced by security devices, network infrastructure components, systems, and applications. A primary function of SIEM is to analyze security event data in real-time for internal and external threat detection to prevent potential hacks and data loss. This typically includes user behavior analytics (UBA) – understanding user behavior and how it might impact security. SIEM technologies also collect, store, analyze and report on data needed for regulatory compliance to ensure that audit requirements are met as dictated.