What Is SIEM Integration?
Cybercriminals continue to be as active and sophisticated in their attacks as they’ve ever been. In 2018, companies suffered more than 6,500 major data breaches that compromised vital personal and business information. No matter whether your organization is a large enterprise or a smaller company, you can be sure that sooner or later you will be targeted. As IBM CEO Ginni Rometty has said, “Cybercrime is the greatest threat to every company in the world.”
In order to protect against an ever-widening array of cyber threats, organizations must be able to immediately detect and quickly react to attempted intrusions into their IT systems. Providing the information and analytical insights required to accomplish that is the role of SIEM — Security Information Event Management.
How SIEM Protects Your IT Systems
SIEM systems work by collecting and integrating security-related information from throughout an organization’s IT infrastructure. That data is correlated and analyzed in real time to reveal patterns of activity that may indicate an attempt at intrusion. If such activity is detected, the SIEM system issues alerts on its dashboard (and even by email), and may automatically institute rules-based remedial actions to block the attempted breach. It will also log pertinent information for later forensic analysis.
Mainframes and SIEM
At one time, mainframes were considered to be inherently secure due to their isolation from the outside world, and their rock-solid security protocols that have been refined over decades. But today, because they are central to a variety of internet-based applications such as online transaction processing (OLTP), mainframes have become more vulnerable to, and targeted by, cyber attacks than ever before.
SIEM, now the industry standard for top-fight IT security, was developed in and for the distributed processing environment. Mainframes, which require an entirely different set of technological skills from those common in the distributed systems world, were simply not considered.
Although mainframes generate more than 200 different types of log data through features such as resource access control facility (RACF), until recently there was no way to deliver that information in real time to industry-standard SIEM platforms. That’s the cause of what’s been called the “mainframe security gap” in which a company’s SIEM system has access to needed information from all parts of the organization’s IT infrastructure except for the big iron at the center of it.
But now Syncsort’s Ironstream® is bridging that gap.
The Syncsort Ironstream® Solution
Syncsort Ironstream is the industry leader for automatically collecting and forwarding IBM mainframe information to SIEM platforms in real time. Although Ironstream works well with almost any SIEM solution, a good example of its value can be seen in its tight integration with Splunk Enterprise Security (ES). Although rated by Gartner as the industry’s premier SIEM solution, Splunk ES has no native capability for accessing mainframe security data. But with Splunk ES and Syncsort Ironstream working together, that deficiency is completely overcome.
Ironstream captures data from a wide range of z/OS sources. For example, the Ironstream RACF Monitor facility highlights metrics such as data set updates, authentication events, and superuser activity. Other mainframe data sources include Syslog, SyslogD, Db2 tables, Unix System Services file systems, and more. Ironstream maps these disparate data formats to the Splunk ES Common Information Model (CIM), allowing Splunk to obtain an enterprise-wide view of security-related activity.
The combination of Syncsort Ironstream with Splunk ES provides a truly comprehensive integrated SIEM solution.
Make sure to download our eBook and learn how to address the top 5 mainframe security vulnerabilities.