Enterprise Executive 2017: Issue 2, page 14
Securing Your Mainframe Against the Rise of Insider Threats
By John Crossno
Across all operating systems at all companies, the rise of insider threats is a growing concern. Regarding what level of risk different systems face, it’s true that the mainframe is inherently more secure than any other platform. However, if an unauthorized individual can obtain credentials to gain access to a mainframe—where a company’s most business-critical applications and data reside—the scenario changes.
Many assume that because the mainframe was designed with security in mind, the information residing on it reflects the same level of protection. However, authorized users can access applications and data that a typical hacker would have trouble accessing. This opens the door for unauthorized users who are, by whatever means, able to obtain credentials and access sensitive information under the radar.
This individual could be a malicious employee or someone posing as one. The reality is that you likely don’t have adequate tools or visibility to know who is doing what in your mainframe environment, when they are doing it, how or why, let alone to know it while it’s happening or immediately afterward. Who can you trust?
The State of Enterprise Security
In the Cisco 2016 Annual Security Report, 47 percent of respondents indicated internal security breaches are a significant threat to their organizations, shadowed only by malicious software downloads (54 percent). The report also indicated lack of employee awareness (39 percent) and inadequately trained IT security staff (26 percent) as threats to enterprise security. Does this demonstrate a decline in effective security measures at companies? In a December 2016 report from McAfee Labs, as reported in CIO Insight, 67 percent of survey respondents reported an increase in security breaches.
To translate the cost of these threats to organizations, consider the Association of Certified Fraud Examiners 2016 Report to the Nations on Occupational Fraud and Abuse that included a study of 2,410 cases of occupational fraud occurring in 114 countries and causing a total loss of more than $6.3 billion. More than 23 percent of those cases amounted to a loss of at least $1 million. However, when fraud was uncovered through active detection methods, such as monitoring, the median loss and median duration of schemes were lower.
One can conclude that these figures indicate the importance of companies having in place a solution that allows them to see what’s going on in their various system environments.
How Capable Are Your Security Tools?
Companies are using security tools to monitor their applications and data, but it’s questionable if those tools provide enough visibility into the activity occurring in their mainframe environments. Most commonly, companies rely on gathering various available records, such as SMF, where activities like logging on and off are tracked, along with attempts to access systems, applications and data for which an ID is unauthorized. These SMF records are then processed to produce audit reports.
However, these types of audit reports offer limited visibility and exclude critical information about users. Audit reports can’t answer questions about who a user is, what they were doing, when they were doing something or how they found access to sensitive data in the first place.
Without a good view of mainframe activity from the user’s perspective, what happens when an unauthorized user gets their hands on an authorized user’s credentials and gains unapproved access to sensitive mainframe applications or data?
Adopting an Advanced Security Tool
Under the growing risk of insider data breaches, simply collecting and analyzing mainframe log data isn’t enough. By merely scratching the surface of user activity, you’re letting critical knowledge about mainframe applications and data access fall between the cracks.
By limiting risk management capabilities and only tracking user flows in your mainframe environment, your company could face major consequences, be it a damaged reputation with customers or penalties incurred after a failure to comply with company security policies or tightening government regulations, such as the General Data Protection Regulation (GDPR), slated to come into full force in May 2018.
To catch bad behavior sooner, companies can’t continue relying on security violation records and SMF records alone, which primarily notify you of issues after someone has already done something they weren’t supposed to. Companies need a tool that both provides a good view of mainframe activity and pushes information on that activity to a security information and event management (SIEM) product, so that mainframe data on application usage can be combined with data collected from other systems.
Companies also need auditor-friendly ways to manage the criteria for the data being captured from their mainframe. Auditors aren’t mainframe users; they’re used to browser-based interfaces and GUIs. With a more intuitive tool that automatically sends this mainframe data to a SIEM, an auditor can easily decide whether certain privileged users need monitoring based on anomalous behavior, and can start capturing the specific types of activity of those privileged users for further investigation.
Ultimately, this provides a comprehensive outlook on what exactly is happening across an entire enterprise, with improved attention to the mainframe and its sensitive applications and data. An advanced auditing tool would allow a company to keep a closer eye on what’s going on in its mainframe environment and prevent insider breaches by gaining visibility from an end-user’s perspective into:
• Who sees what data
• What sensitive data a user accesses and what they do with that data
• When that data is discovered
• How they gain access to that data
Without this in-depth level of visibility, security teams are left with significant blind spots, forcing them to sift through volumes of false positives looking for actual threats. Deeper insights into mainframe user activity can illuminate other areas that should be of concern as well, such as:
• Why a user’s behavior is becoming suspicious
• Why an authorized user is looking at specific sensitive data so often and for so long
Where Does This Apply?
No company or industry is free from the risk of insider breaches, nor is the mainframe, a platform on which organizations run their most sensitive, mission-critical applications and data. Just as a company needs to know how programs are interacting with data, they need to know how users are interacting with programs. Let’s look at a few case studies of where an auditing tool for the mainframe with the capabilities described above would be useful.
As we’ve covered, companies can look at SMF records, database logs, RACF logs, what have you, to see what activity is going on in their mainframe environments. But this information can’t necessarily reveal from an end-user’s perspective what they’re looking at when, how and for how long.
In our first example, imagine a user is pulling up credit card numbers. We know from the data that this user spends an average of 30 seconds looking at credit card numbers. The pattern has emerged and we consider it normal. But what if we notice this user starts looking at certain credit card numbers for a minute and a half? The pattern has been disturbed and we should consider investigating why. Of course, this presupposes we have the necessary data to discover those patterns, and that’s only possible with an advanced auditing tool that lets us see this change in the user’s behavior more immediately than a retrospective audit report would.
In our second example, imagine an authorized user ID is being used after hours. Usage indicates this person is attempting to access different transactions. We don’t know it yet, but an unauthorized user has somehow obtained authorized credentials, allowing them to log in. We notice—because this unauthorized user doesn’t know what program to run or what transaction to execute—that they are haphazardly trying names of transaction IDs, resulting in typos. The odd time of day and the abnormal behavior of struggling to execute transactions we would expect this user ID to be familiar with are alarming. We should investigate. But again, this presupposes we have an advanced auditing tool that allows us to spot these things from the user’s perspective, as opposed to discovering trends later through a report.
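The two case studies above, expressed as detection logic that a security team could run over user activity records once the mainframe data has been captured. This is an added example, not code from the article or from any Compuware product: the record layout, field names, the 07:00 to 19:00 business-hours window, the 2x dwell-time ratio and the near-miss cutoff are all assumptions chosen for illustration, and the activity records are constructed. It generalizes the text slightly by computing each user's baseline per transaction rather than assuming the 30-second figure.

```python
"""Behavioural checks for the two case studies: unusually long dwell on
sensitive data, and after-hours probing with misspelled transaction IDs.

Constructed example. The record layout, thresholds and business-hours
window are assumptions, not any product's format or an SMF record type.
"""
from collections import defaultdict
from datetime import datetime
from difflib import SequenceMatcher
from statistics import mean

# Constructed activity records: one per transaction invocation. "ok" is
# False when the transaction ID did not exist; "dwell" is the number of
# seconds the result stayed on screen (None when nothing was displayed).
RECORDS = [
    # Baseline: ANALYST1 normally views card data for about 30 seconds.
    {"user": "ANALYST1", "ts": "2017-03-01T10:05:00", "tran": "CARDVIEW", "ok": True, "dwell": 28},
    {"user": "ANALYST1", "ts": "2017-03-01T10:12:00", "tran": "CARDVIEW", "ok": True, "dwell": 32},
    {"user": "ANALYST1", "ts": "2017-03-02T09:40:00", "tran": "CARDVIEW", "ok": True, "dwell": 30},
    {"user": "ANALYST1", "ts": "2017-03-02T11:03:00", "tran": "CARDVIEW", "ok": True, "dwell": 29},
    # First case study: the same user lingers for a minute and a half.
    {"user": "ANALYST1", "ts": "2017-03-03T14:20:00", "tran": "CARDVIEW", "ok": True, "dwell": 90},
    # Second case study: OPS7's ID is used late at night, fumbling transaction names.
    {"user": "OPS7", "ts": "2017-03-03T23:41:00", "tran": "CARDVEIW", "ok": False, "dwell": None},
    {"user": "OPS7", "ts": "2017-03-03T23:42:00", "tran": "CARDVIW", "ok": False, "dwell": None},
    {"user": "OPS7", "ts": "2017-03-03T23:43:00", "tran": "PAYRUNN", "ok": False, "dwell": None},
    {"user": "OPS7", "ts": "2017-03-03T23:45:00", "tran": "CARDVIEW", "ok": True, "dwell": 12},
    # A single daytime typo by a legitimate user must not trip the after-hours rule.
    {"user": "OPS7", "ts": "2017-03-02T15:10:00", "tran": "CARDVIEWW", "ok": False, "dwell": None},
]

# Assumed catalogue of valid transaction IDs (constructed).
KNOWN_TRANS = {"CARDVIEW", "PAYRUN", "CUSTINQ"}


def flag_long_dwell(records, ratio=2.0, min_samples=3):
    """Flag a successful invocation whose dwell time exceeds `ratio` times the
    mean dwell of that user's other invocations of the same transaction.
    The observation under test is left out of its own baseline."""
    samples = defaultdict(list)
    for r in records:
        if r["ok"] and r["dwell"] is not None:
            samples[(r["user"], r["tran"])].append(r["dwell"])
    findings = []
    for r in records:
        if not (r["ok"] and r["dwell"] is not None):
            continue
        others = list(samples[(r["user"], r["tran"])])
        others.remove(r["dwell"])  # leave-one-out: exclude this observation
        if len(others) < min_samples:
            continue  # not enough history to call anything a pattern
        baseline = mean(others)
        if r["dwell"] > ratio * baseline:
            findings.append({"user": r["user"], "ts": r["ts"],
                             "dwell": r["dwell"], "baseline": baseline})
    return findings


def is_after_hours(ts, start_hour=7, end_hour=19):
    """Assumed business window is 07:00-19:00; anything else is after hours."""
    hour = datetime.fromisoformat(ts).hour
    return not (start_hour <= hour < end_hour)


def looks_like_typo(name, known, cutoff=0.75):
    """True when an unknown transaction ID closely resembles a real one,
    which is what haphazard guessing by someone unfamiliar with the system
    tends to produce."""
    return any(SequenceMatcher(None, name, k).ratio() >= cutoff for k in known)


def flag_after_hours_probing(records, known=KNOWN_TRANS, min_failures=2):
    """Per user and calendar day, flag after-hours failed transaction attempts
    whose names are near-misses of valid IDs."""
    buckets = defaultdict(list)
    for r in records:
        if not r["ok"] and is_after_hours(r["ts"]):
            buckets[(r["user"], r["ts"][:10])].append(r["tran"])
    findings = []
    for (user, day), names in sorted(buckets.items()):
        near_misses = [n for n in names if looks_like_typo(n, known)]
        if len(near_misses) >= min_failures:
            findings.append({"user": user, "day": day,
                             "attempts": names, "near_misses": near_misses})
    return findings


if __name__ == "__main__":
    for f in flag_long_dwell(RECORDS):
        print(f"long dwell: {f['user']} at {f['ts']} stayed {f['dwell']}s "
              f"(baseline {f['baseline']:.1f}s)")
    for f in flag_after_hours_probing(RECORDS):
        print(f"after-hours probing: {f['user']} on {f['day']} tried {f['attempts']}")
```

Both checks only work because the records carry the user's perspective (which transaction, how long the result was on screen, whether the ID even existed), which is exactly the information the article says plain violation records lack. In practice the baseline should be built from a longer history than the handful of rows shown here, and the findings would be forwarded to the SIEM alongside the originating records.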
These, of course, are simple examples that hardly represent the plethora of growing security vulnerabilities companies face, including in their mainframe environments. Merely tracking user flows in a mainframe environment limits risk management capabilities, and a company could face major consequences, be it a damaged reputation with customers, or penalties incurred after a failure to comply with tightening government regulations or company security policies. Only with the proper auditing tool can your company keep a closer eye on what’s going on in its mainframe environment and fight against the growing threat of insider breaches.
John Crossno is the product manager for Compuware’s Security Solutions, with an extensive background in product management for mainframe software and storage environments, development and field technical services. Email: email@example.com