Enterprise Executive 2017: Issue 2 : Page 18
scratching the surface of user activity, you’re letting critical knowledge about mainframe applications and data access fall between the cracks. By limiting risk management capabilities and only tracking user flows in your mainframe environment, your company could face major consequences: a damaged reputation with customers, or penalties incurred after failing to comply with tightening government regulations, such as the General Data Protection Regulation (GDPR) slated to come into full force in May 2018, or with company security policies.

To catch bad behavior sooner, companies can’t continue relying on information about security violations and SMF records, which primarily notify you of issues after someone has already done something they weren’t supposed to. Companies need a tool that both provides a good view of mainframe activity and pushes information on that activity to a security information and event management (SIEM) product, so that mainframe data about application usage can be combined with data collected from other systems.

It also follows that companies need auditor-friendly ways to manage the criteria for the data being captured from their mainframe. Auditors aren’t mainframe users; they’re used to browser-based interfaces and GUIs. With a more intuitive tool that automatically sends this mainframe data to a SIEM, an auditor can easily decide whether certain privileged users need monitoring based on anomalous behavior, and can start to capture the specific types of activity for those privileged users for further investigation. Ultimately, this provides a comprehensive outlook on what exactly is happening across an entire enterprise, with improved attention to the mainframe and its sensitive applications and data.
An advanced auditing tool would allow a company to keep a closer eye on what’s going on in its mainframe environment and prevent insider breaches by gaining visibility from an end-user’s perspective into:

• Who sees what data
• What sensitive data a user accesses and what they do with that data
• When that data is discovered
• How they gain access to that data

Without this in-depth level of visibility, security teams are left with significant blind spots, forcing them to sift through volumes of false positives looking for actual threats. Deeper insights into mainframe user activity can illuminate other areas that should be of concern as well, such as:

• Why a user’s behavior is becoming suspicious
• Why an authorized user is looking at specific sensitive data so often and for so long

No company or industry is free from the risk of insider breaches, and neither is the mainframe, a platform on which organizations run their most sensitive, mission-critical applications and data. Just as a company needs to know how programs are interacting with data, it needs to know how users are interacting with programs.

Let’s look at a few case studies in which an auditing tool for the mainframe with the capabilities described above would be useful. As we’ve covered, companies can look at SMF records, database logs, RACF logs, what have you, to see what activity is going on in their mainframe environments. But this information can’t necessarily reveal, from an end-user’s perspective, what they’re looking at, when, how and for how long.

In our first example, imagine a user is pulling up credit card numbers. We know from the data that this user spends an average of 30 seconds looking at credit card numbers. The pattern has emerged and we consider it normal. But what if we notice this user starts looking at certain credit card numbers for a minute and a half? The pattern has been disturbed and we should consider investigating why.
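The credit card dwell-time case above, worked as an added example that is not from the article or from any product it describes: it builds a per-user baseline from constructed activity records of the kind an auditing tool would forward to a SIEM, then flags a view that breaks the user's established pattern. User IDs, field names, transaction IDs and the thresholds are assumptions.

```python
"""Dwell-time anomaly check for sensitive-data views (constructed example)."""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# One record per view of a sensitive field: who, what, how (access path),
# when, and for how long in seconds. Names and values are constructed.
Event = namedtuple("Event", "user field via ts dwell")
HISTORY = [
    Event("CLERK01", "CARD_NUMBER", "CICS:INQ1", "2017-04-03T09:01:10", 28),
    Event("CLERK01", "CARD_NUMBER", "CICS:INQ1", "2017-04-03T09:04:52", 31),
    Event("CLERK01", "CARD_NUMBER", "CICS:INQ1", "2017-04-03T09:09:03", 30),
    Event("CLERK01", "CARD_NUMBER", "CICS:INQ1", "2017-04-03T09:15:41", 29),
    Event("CLERK01", "CARD_NUMBER", "CICS:INQ1", "2017-04-03T09:22:17", 32),
]

def build_baseline(events, min_samples=5):
    """Per (user, field): (mean dwell, population std dev, sample count).
    Pairs with fewer than min_samples observations are left out so a user
    without an established pattern is not scored against noise."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.user, e.field)].append(e.dwell)
    return {k: (mean(v), pstdev(v), len(v))
            for k, v in buckets.items() if len(v) >= min_samples}

def score_event(event, baseline, ratio=2.0, zmax=3.0):
    """Return a reason string when the dwell time breaks the pattern, else
    None. 'no_baseline' means the user/field pair has no history yet, so the
    caller can route it to a separate review queue instead of ignoring it."""
    key = (event.user, event.field)
    if key not in baseline:
        return "no_baseline"
    mu, sigma, _ = baseline[key]
    if event.dwell >= ratio * mu:          # e.g. 90s against a 30s norm
        return f"dwell {event.dwell}s is {event.dwell / mu:.1f}x baseline {mu:.0f}s"
    if sigma > 0 and (event.dwell - mu) / sigma > zmax:
        return f"dwell {event.dwell}s is {(event.dwell - mu) / sigma:.1f} std devs above baseline"
    return None

def flag_anomalies(events, baseline):
    """Events worth an auditor's attention, each paired with its reason."""
    flagged = []
    for e in events:
        reason = score_event(e, baseline)
        if reason:
            flagged.append((e, reason))
    return flagged
```

A SIEM rule would feed `flag_anomalies` with the day's forwarded records and raise a case for each flagged pair, keeping the "who, what, how, when" fields of the event as the investigation context.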
Of course, this

Where Does This Apply?