Feed the Big Data Beast: Security Data for Mainframe Threat Intelligence
Whether it was because of a past high-profile breach or the steady march of technology, giant retailer Target saw fit to host the 2015 Aspen Security Forum.
In a story posted on the company’s website, CISO Brad Maiorino profiled Target’s Cyber Fusion Center.
“It’s an important part of the $1 billion Target plans to invest in technology and supply chain this year. We’ve got teams of Cyber Security analysts working round the clock. They use a mix of human intelligence, analytics and state-of-the-art technology to detect, investigate and contain threats to our business. Much of the work they do takes place in our newly opened Cyber Fusion Center (CFC).”
The details Target revealed about its CFC say much about how large enterprises interpret and implement best practices for cybersecurity.
Threat Type Teams
Target’s CISO identified these distinct teams within his cybersecurity operation:
• Incident Response
• Red Team
• Continuous Improvement
• Threat Intelligence
While the first four of these teams represent decades-long responsibility groupings, Threat Intelligence is relatively new.
According to Matt Hartley in Dark Reading, Gartner defined the Cyber Threat Intelligence (CTI) concept in 2014 as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response . . .”
As Hartley warns, threat intelligence isn’t about simply more data, nor just adding dashboards.
Instead, it’s about software that collects data from more sources, and that can elevate mere data closer to knowledge. CTI must support decision-making to defend against threats to assets explicitly identified as highest risk.
Machine-to-Machine Mainframe CTI Data
IBM’s own mainframe security intelligence framework identifies a central need for integrating machine-generated data from logs that used to be consumed primarily for operations, such as performance tuning and scheduling. As those processes have become increasingly automated, closed-loop solutions, the logs are consumed largely by self-managing applications rather than by humans – hence the “machine-to-machine” designation.
In its analysis, IBM offers four reasons that security is often more challenging in the mainframe environment:
1. Mainframe solutions entail more complex underlying business processes.
2. Mainframe roles and responsibilities tend to have more rigid departmental silos.
3. Regulation and compliance constraints are usually in place but have undependable timelines.
4. Security change control is difficult to administer due to distributed operations and authority.
Just as predictive analytics has become important in settings such as e-commerce and atmospheric science, there is growing recognition that cybersecurity threats must be proactively managed.
A recent scenario reported by the New York Times illustrates the need rather well.
Under Attack . . . From Cate Machine & Welding?
Much to its own surprise, Cate Machine & Welding, based in a sleepy Madison, Wisconsin suburb, discovered that it was hosting computers that served as launching pads for attacks against other companies and individuals.
Cate Machine was tipped off to its unwitting collaboration with attackers by Area 1, a relatively new player in cybersecurity services. Like iSight Partners and Recorded Future, such threat intelligence services collect exogenous data, such as third-party posts to web forums and social media, and correlate it with log and other data provided from a company’s internal network.
Area 1 and firms like it partner with others like Blue Coat, or with internal corporate teams, to defend against attacks, and to disable any attacks – potentially in real time. Success in such preemptive methods depends on having adequate internal data, decision support – and staff.
Bigger Pipes: More Volume, More Velocity En Route
The Internet of Things, a network of machine-to-machine connections, will directly as well as indirectly affect mainframe security risks. The convergence of technologies that has become known as big data – represented by the shorthand concepts of volume, velocity and variety – brings with it a diversity of threats. The direct effects are typified by a broadened attack surface. Indirect effects are similarly numerous, but are typified by the rapid rollout of new mainframe applications needed to process and interpret IoT data streams. Unintended as well as intentional flaws in those DevOps-influenced applications will stimulate new patterns of attack.
Tools that facilitate what the military has for decades called “information fusion” will become more critical as the security risk profile becomes more apparent to managers in large enterprises. The ubiquity of mainframes in multinational firms suggests that standing up Cyber Fusion Centers — if not already a fait accompli — will continue to swell corporate IT office space.
Emerging Design Pattern
For mainframe z/OS, products like Ironstream coupled with Splunk Enterprise and Splunk Security represent a design pattern for processing data in support of threat intelligence.