IBM i Security: Identifying the Events That Matter Most
Download as PPTX, PDF0 likes139 views
This presentation discusses IBM i security monitoring and integration with SIEM solutions. It covers the basics of security monitoring on IBM i, including key areas to monitor like user access, privileged users, network traffic, and database activity. It emphasizes the importance of centralized log collection and correlation through a SIEM for advanced security monitoring, threat detection, and compliance. Finally, it outlines how Precisely's Assure Monitoring and Reporting solution can help organizations by comprehensively monitoring IBM i system and database activity, generating alerts and reports, and integrating IBM i security data with other platforms in the SIEM.
IBM i Security: Identifying the Events That Matter Most
- 1. IBM i Security: Identifying the Events that Matter Most Making Sense of Critical Security Data Patrick Townsend - Townsend Security Bill Hammond - Precisely
- 2. The global leader in data integrity Trust your data. Build your possibilities. Our data integrity software and data enrichment products deliver accuracy and consistency to power confident business decisions. Brands you trust, trust us Data leaders partner with us of the Fortune 100 90 Customers in more than 100 2,000 employees customers 12,000 countries
- 3. Better decisions, better data Data Integration Security High Availability Mainframe Sort & Optimization Integrate Data Discovery Data Cleansing Data Lineage Governance Verify Spatial Analysis Geocoding Routing Visualization Locate Location Enrichment Boundaries Points of Interest Property Attributes Demographics Enrich
- 4. Townsend Security ENCRYPTION KEY MANAGEMENT 4 Townsend Security creates data privacy solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. The company’s solutions easily integrate with Precisely’s Assure Security products. Companies worldwide trust Townsend Security’s NIST and FIPS 140-2 compliant solutions to meet encryption and key management requirements in PCI DSS, GDPR, CCPA, HIPAA/HITECH, FISMA, and other regulatory compliance requirements. Technology Partners Include
- 5. Today’s Agenda • Basics of security monitoring • Key areas to monitor • Integration with SIEM solutions • How Precisely can help 5
- 7. Basics of Security Monitoring You can’t monitor what you aren’t watching! 7 A strong IBM i security foundation requires solutions that draw a perimeter around your system and its data – capturing security data that you can monitor in log files IBM i has powerful audit logs • System Journal – QAUDJRN • Database (Application) Journals – for Before and After Images • Other IBM Journals are available • QHST Log Files – DSPLOG Command • System Message Queues – QSYSOPR, QSYSMSG Turn on auditing, save journal receivers, and take advantage of everything the operating system can log for you
- 8. Alerts and Reporting Full visibility into security issues! 8 Security tools generate the log entries required to create a complete audit trail of events on your system. By leveraging that information to generate alerts and reports, those tools will also: • Simplify the process of analyzing complex IBM i journals • Detect security incidents when they occur • Quickly highlight compliance deviations • Raise alerts and deliver reports in multiple formats • Distribute reports via SMTP, FTP, IFS, SIEM
- 9. Enterprise-Level Visibility Monitor IBM i security all the other platforms in your enterprise 9 Monitoring and reporting tools can forward IBM i security data to a Security Information and Event Management (SIEM) solution to: • Integrate IBM i security data with data from other IT platforms • Enable advanced analysis of security data using advanced SIEM technology for correlation, pattern matching, and threat detection • Support information sharing and collaboration across teams • Facilitate integration with case management and ticketing systems
- 10. Analyze IBM i Audit Logs Tools help you extract insight from your logs 10 IBM i log files are comprehensive, unalterable, and trusted by auditors BUT they are not easy to analyze. Monitoring and reporting tools are needed to: • Simplify the process of analyzing complex IBM i journals • Filter through the massive amount of information in your logs • Detect security incidents and raise alerts • Quickly highlight compliance deviations • Deliver reports in multiple formats to compliance and security auditors, partners, customers and your management team • Relieve your team of the burden of manual analysis
- 11. Enforcement date: January 1, 2020 • Requires organizations to comply with CCPA if they collect data on residents of California and have annual revenues of $25 million, collect information on over 50,000 people or have 50% of annual revenue from selling/sharing personal information • Gives individuals the right to sue for damages should a breach expose their data and that data wasn’t encrypted or otherwise made unreadable. Key requirements include: • Access control • Restricted user privileges • Sensitive data protection • System activity logging Regulations Require Monitoring General Data Protection Regulation (GDPR) Enforcement date: 25 May 2018 • Regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA) • Applies to all organizations doing business with EU citizens • Aims primarily to provide protection and control over their personal data to citizens and residents, including • Access control • Sensitive data protection • Restricted user privileges • System activity logging • Risk assessments New York Dept. of Financial Services Cybersecurity Regulation (NYS 23 NYCRR 500) Enforcement date: February 15, 2018 • Requires banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program designed to protect consumers • Ensures the safety and soundness of New York State's financial services industry. • Requirements protect the confidentiality, integrity and availability of information systems, including • Risk assessments • Restricted user privileges • Automatic logouts • Antivirus • Multi-factor authentication • System activity logging California Consumer Protection Act (CCPA) 11
- 13. Why we do log collection and monitoring on IBM i? Active Monitoring Catching the cybercriminals early Forensics Fixing the problem after a security breach Presentation name13
- 14. 14 Data Breach Numbers in 2019* *Norton LifeLock statistics - 2019 data breaches 7,600 publicly disclosed data breaches 54% increase over 2018 8.2 billion records exposed
- 15. Active Monitoring Stop a Data Breach Before it Happens. • 1,093 breaches in 2016 • 40% increase over 2015, an all time high • Billions records lost since 2005 • Less than 1% of the breaches were discovered through log analysis • 69% of these breaches were detectible via log evidence Take Away: If you are monitoring your logs, you can detect a breach and stop it before data is lost.
- 16. Forensics How did it happen, how do I clean it up? • What servers are infected? • How many are infected? • Where did it start? • How does the malware actually work? • How do I clean it up? Take Away: If you do not have logs you can’t answer these questions and you are almost certain to become re-infected with malware
- 17. System Log Collection and Monitoring Core Principles • Centralize log collection from ALL servers, devices and PCs • Real time collection • Event correlation for pattern recognition • Real time monitoring and alerting • Historical archives for forensics • Query and reporting services
- 18. How to collect and monitor system logs? • The high volume of events from the IBM i and all other devices, servers, and PCs makes human monitoring IMPOSSIBLE. • Organizations of all sizes turn to Security Information and Event Management (SIEM) solutions to solve the problem. Smart SIEM software can handle the log collection and monitoring much better than us humans.
- 19. The State of Logging on the IBM i The state of logging on most IBM i’s is not good • There is a ton of valuable information stored on your IBM i • The IBM i logs are in proprietary format • IBM i security logs are often an enclave inside the IT organization • No standardized syslog communications facility • The essence of good security is externalizing the logs • There is a requirement to remove the risk of tampering • Compliance regulations recognize the need to watch all users – including the most powerful users
- 20. SIEM Consoles for Correlation, Monitoring, and Alerting • Few of these vendors capture IBM i security events !!! • Those that do, admit they don’t do it well What to Look for in a System Logging Solution • Creates logs that ALL SIEM consoles can read • Forwards important information to your SIEM • Uses a standardized log format • Uses SSL/TLS encryption to secure delivery Logging on the IBM i Today
- 21. Prioritizing IBM i Log Sources and Collection There are many and disparate sources of logging information: • IBM Security Audit Journal QAUDJRN • System history message file QHST • System operator message queue (QSYSOPR, QSYSMSG) • IBM exit points (SQL, Telnet, FTP, RCMD, and many more) • Linux/Unix style logs (Apache, OpenSSH, WebSphere, Perl, PHP, etc.) • DB2 row and column access • User and ISV applications
- 22. SIEM Integration
- 23. What is SIEM? Security Information and Event Management • Real-time analysis of security alerts generated by applications and network hardware • Holistic, unified view into infrastructure, workflow, policy compliance and log management • Monitor and manage user and service privileges as well as external threat data 23 Log Collection Log Analysis Event Correlation Log Forensics IT Compliance Application Log Monitoring Object Access Auditing Real-Time Alerting User Activity Monitoring Dashboards Reporting File Integrity Monitoring System/Device Log Monitoring Log Retention SIEM
- 24. Enterprise Security Monitoring • Monitoring and reporting tools can forward IBM i security data to a Security Information and Event Management (SIEM) solution to: • Integrate IBM i security data with data from other IT platforms • Enable advanced analysis of security data using correlation, pattern matching, and threat detection • Sharing information across teams • Integrate with case management and ticketing systems Monitor IBM i security along with your other enterprise platforms 24
- 25. What Can You Detect with a SIEM? • Data movement – inbound/outbound FTP • Dataset access operations • Determine potential security threats based on unauthorized access attempts • Ensure only authorized users are accessing critical datasets • Privileged/non-privileged user activity monitoring • Unusual behavior pattern – off hours connections • High number of invalid logon attempts • Attack detection – intrusion, scans, floods • Authentication anomalies – e.g. entered the building at 08:30 but logged on from another country at 09:00 • Network Traffic Analysis – high data volumes from a device/server • … and much more 25
- 27. 27 Assure Security Assure Data Privacy Assure Encryption Assure Secure File Transfer Assure Monitoring and Reporting Assure Db2 Data Monitor Assure Access Control Assure System Access Manager Assure Elevated Authority Manager Assure Multi-Factor Authentication Security Risk Assessment Assure Compliance Monitoring Assure Monitoring and Reporting monitors IBM i system and database activity and produces clear, concise alerts and reports that identify compliance deviations and security incidents
- 28. Assure Monitoring & Reporting Comprehensive monitoring of system and database activity 28 • Serves as a powerful query engine with extensive filtering • Includes out-of-the-box, customizable models for ERP applications or GDPR compliance • Provides security and compliance event alerts via e-mail popup or syslog • Produces clear, easy-to-read reports continuously, on a schedule or on-demand • Supports multiple report formats including PDF, XLS, CSV and PF formats • Distributes reports via SMTP, FTP or the IFS • Forwards security data to Security Information and Event Management (SIEM) consoles such as IBM QRadar, ArcSight, LogRhythm, LogPoint, and Netwrix • No application modifications required
- 29. ............SOURCES............... Assure System Access Manager Exit Point Control Assure Monitoring and Reporting System and Database Activity and Static Data Sources Assure Elevated Authority Manager Privileged Access Management Assure Multi-Factor Authentication Reinforced Login Management Filters the events Selects the message format: *LEEF, *CEF, *RFC3164, *RFC5424, user-defined Builds the message Categorizes the message Sends Syslog, Db2 file, stream file Secures & encrypts SSL/TLS Enriches the message Optimizes Connects to the different sources HPE ArcSight Splunk LogRhythm MacAfee AlienVault SolarWinds Etc… SIEM DSM Event Properties Heartbeat Assure Security Gateway 29 Assure Security and SIEM Integration
- 30. Benefits of Assure Monitoring and Reporting 30 • Simplifies the process of analyzing complex journals • Comprehensively monitors system and database activity • Enables quick identification of security incidents and compliance deviations when they occur • Monitors the security best practices you have implemented • Enables you to meet regulatory requirements for GDPR, SOX, PCI DSS, HIPAA and others • Satisfies requirements for a journal-based audit trail • Provides real segregation of duties and enforces the independence of auditors
- 31. Sample Reports These are just a handful of the reports you could create with Assure Monitoring and Reporting 31 • File accesses outside business hours • Accesses to sensitive database fields • Changes of more than 10% to a credit limit field • All accesses from a specific IP address • Command line activity for powerful users (*ALLOBJ, *SECADM) • Changes to system values, user profiles, and authorization lists • Attempts to sign into a specific account • Actions on a sensitive spool file, such as display or deletion of the payroll spool file
- 32. Q & A Presentation name32
Editor's Notes
- #3: Bill
- #4: Bill
- #6: Bill
- #8: Bill
- #9: Bill
- #11: Bill
- #12: Bill GDPR – Not only for Europe, It also addresses the export of personal data outside the EU (European Union) and EEA (European Economic Area) areas. 23 NYCRR 500 - Cybersecurity Requirements for Financial Services Companies requires banks, insurance companies, and other financial services institutions regulated by the New York Department of Financial Services.
- #14: Patrick
- #15: Patrick
- #16: Patrick
- #17: Patrick
- #18: Patrick
- #19: Patrick
- #20: Patrick
- #21: Patrick
- #22: Patrick
- #24: Patrick SIEM technology aggregates and provides real-time analysis of security alerts using event data produced by security devices, network infrastructure components, systems, and applications. A primary function of SIEM is to analyze security event data in real-time for internal and external threat detection to prevent potential hacks and data loss. This typically includes user behavior analytics (UBA) – understanding user behavior and how it might impact security. SIEM technologies also collect, store, analyze and report on data needed for regulatory compliance to ensure that audit requirements are met as dictated.
- #25: Patrick
- #26: Patrick
- #28: Bill
- #29: Bill
- #30: Bill
- #31: Bill
- #32: Bill