Are castles and dragons still the best defense?

March 29, 2018
Mainframe experts have been lulled into a false sense of security and must understand the vulnerabilities they face

For most of the established companies in the Fortune 2000, the IBM mainframe still holds the crown jewels in the world of corporate data. IBM reports that 71 percent of the Fortune 500 use mainframes, including 92 of the top 100 banks and 23 of the top 25 U.S. retailers. Perhaps because these jewels sit within a largely heritage architecture, built by IT organizations that had a fortress mentality, everyone feels this data is in the safest place. But our annual State of the Mainframe Survey reveals that those responsible for mainframe data are beginning to wake up and get worried: 63 percent of respondents cited security and compliance requirements as their top challenges for the year ahead. What is the new threat to the old castle?

Stuck in the Past – Waking from a Deep Slumber

Mainframes are run mainly by people like me who are nearer to the end of their careers than the start. Many believe mainframes are secure simply because they always have been, and because most of the attacks we hear about concern open-systems servers. Thus, mainframe experts have been lulled into a false sense of security, and we must wake from this deep slumber before it’s too late.

In the days of old, mainframes were connected to their end-users via closed SNA networks of NCPs and 3270 terminals. It was very hard to penetrate such a network because you had to compromise a physical terminal; you couldn’t do it with software alone as you can today. Even if an attacker did manage to trick a user into giving up access (no-one knew the word phishing then!), all the compute power, apps and data were centralized and monitored carefully through tightly controlled practices.

Today’s mainframe is connected to the corporate network via TCP/IP, and even if the mainframe itself isn’t connected to the outside world directly, the rest of the network is. Linux and Java run on zSeries in just the same way they do on other platforms, so software-based attacks against the mainframe are now a real threat.

The Insider Threat

I just finished reading “The Pillars of the Earth,” which takes place in medieval England. To achieve the sacking of a castle, the enemy first got inside to set a fire within the castle walls as a distraction. Once achieved, the ropes used to raise the drawbridge were cut, leaving the castle vulnerable to easy attack from a small force that rode straight in and blindsided unprepared forces.

Similarly, today an insider threat can come from people already within the organization: employees, contractors, visitors, even former employees who still have inside information. Anyone who is trusted to have information concerning an organization's security practices, data and computer systems is a potential threat. Of course, we don’t suspect these people because we trust their motives, but that is why they are a threat; eventually, someone with hidden malicious motives will strike the blow.

According to a 2016 Ponemon Institute report, out of 874 security breaches, 568 were caused by employee or contractor negligence, 85 by outsiders using stolen credentials and 191 by malicious employees and criminals.

The Imposter Threat

In the aforementioned novel, the enemy didn’t walk in dressed in armor; they clothed themselves in peasants’ outfits to remain undetected. In these days of rampant identity theft, people are not always who they appear to be, creating a real imposter threat. Once hackers have phished or otherwise stolen someone’s credentials, every login they make looks legitimate, and the only way to detect the breach is by identifying anomalous activity under that identity.

A “fortress mentality” assumes you have complete control over who enters your domain and a belief that you can trust them to do only what they are supposed to. This likely worked in medieval England, where a culture of fear kept people in line, but today’s corporations are not feudal societies.

Security is now more about detection and compliance monitoring than about locking people out. More specifically, it is about knowing who is in your network, what they can do and what they are actually doing. It’s just as likely for an employee to go rogue as it is for an imposter to assume an employee’s identity.

The Need to Build a Pet Dragon

Modern day warfare relies heavily on new technologies, like drones, that can give us eyes everywhere. This broad aerial perspective of a landscape allows you to see the big picture; who is moving where and doing what, where an attack is being prepared and any atypical behavior.

Many IT security breaches originate in mobile or web-based applications that connect directly to mainframe applications on the back end. Without real-time insight into both distributed and mainframe-based security data – in other words, without that drone-like perspective giving us eyes everywhere – IT professionals are completely blind to hacker activity and are starved of the forensic data needed to reconstruct the events following an attack.

CISOs know they must protect the integrity of their perimeter with routers, firewalls, and other strong defensive walls. Many also want a second level of defense around the inner “keep” in the form of two-factor authentication for IBM’s RACF or one of the other mainframe external security managers (ESMs). However, they still need to know why people are approaching their perimeter, and they need to carefully monitor what people inside the castle walls, or inside the mainframe, are actually doing.

Several companies are now using next-gen platforms like Splunk and Hadoop for real-time security monitoring and as the audit-log store behind their SIEM (Security Information and Event Management). In fact, most of the organizations that still have a mainframe use these tools for a 360-degree view of what’s going on within and around their IT resources. Yet, in our recent survey of customers, only 23 percent said they already integrate mainframe data with other enterprise data to achieve an end-to-end view. Without this view, there is a blind spot in your vision, a missing security camera. Smart CISOs have already built themselves an all-seeing dragon that can be ridden to gain a view of everything and everyone. More specifically, a real-time view to spot attacks before the damage is done, and a recorded view from which they can reconstruct events to better defend themselves in the future, catch the criminals and repair the damage.

The Power of Log Analytics and Behavioral Analytics

Products like Splunk, Elastic and Loggly are popular because of their flexibility and power. These platforms allow easy storage of semi-structured log data and make it equally easy to search, visualize and analyze it. Following the pattern of all “big data,” the power comes from the volume and variety of the data that can be stored and processed, and from the ability of these platforms to scale to the velocity of the required logging. Events recorded in log data from one system can be contextualized by correlating them with, and viewing them alongside, events from other systems. The more you collect, the more powerful the solution is likely to be.

This new approach to managing IT infrastructure, and specifically to security and compliance monitoring, has become so effective that many of the traditional tools with proprietary databases and collection mechanisms are being replaced by more open, big data analytics platforms. Having had significant success with log data from open systems, many companies are turning to the mainframe and realizing that they can better secure it by collecting the various forms of log data from its vast vaults. In fact, in our State of the Mainframe survey, 44 percent of respondents (all mainframe managers) chose integrating mainframe data with modern analytics tools as a top organizational priority.

Along with broad collection and contextualization, the real power of log data analytics is the ability to see patterns of behavior that were unknown before. Particularly powerful is the ability of machine learning algorithms to learn what is normal for each user and system and then reveal deviations from it. For both the insider threat and the imposter threat discussed above, the activity comes from a valid, authorized identity, so spotting anomalous behavior quickly is the only realistic way to protect your data from being ransacked.

Even when the attack pattern is known, using behavioral analytics to detect the pattern early is key to minimizing impact and mitigating the effects. For example, if your log analysis detected hundreds of file rename attempts from the same user ID within a short window, you might recognize that as a ransomware attack in progress, terminate the session and revoke the user ID before it reaches the rest of the data.
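The two detection styles described in the last two paragraphs, a known-pattern rule (a burst of renames from one user ID) and a per-user behavioral baseline, side by side in an added example. This is illustrative code written for this article, not Syncsort's product or any IBM audit format: the log layout, field names, user IDs, history counts, window and threshold are all assumptions, and the sample lines are constructed. The point it makes beyond the text is that the same count of renames is an anomaly for one user and routine for another, and that a user with no history at all is worth flagging too.

```python
"""Rate-based and baseline-based detection over constructed audit events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import statistics

# Constructed sample audit lines (not real SMF/RACF output): timestamp,
# user ID, event, resource. Two PAYROLL1 lines are deliberately out of
# order to show that detection must work on event time, not arrival time.
SAMPLE_LOG = """\
2018-03-29T09:00:00 PAYROLL1 READ   PROD.PAY.MASTER
2018-03-29T09:00:05 PAYROLL1 RENAME PROD.PAY.MASTER
2018-03-29T09:00:06 PAYROLL1 RENAME PROD.PAY.HIST
2018-03-29T09:00:08 PAYROLL1 RENAME PROD.PAY.TAX
2018-03-29T09:00:07 PAYROLL1 RENAME PROD.PAY.BONUS
2018-03-29T09:00:09 PAYROLL1 RENAME PROD.PAY.ARCHIVE
2018-03-29T09:00:10 PAYROLL1 RENAME PROD.PAY.BACKUP
2018-03-29T09:00:00 OPS2     RENAME SYS1.MAINT.LOG01
2018-03-29T09:02:00 OPS2     RENAME SYS1.MAINT.LOG02
2018-03-29T09:04:00 OPS2     RENAME SYS1.MAINT.LOG03
2018-03-29T09:06:00 OPS2     RENAME SYS1.MAINT.LOG04
2018-03-29T09:08:00 OPS2     RENAME SYS1.MAINT.LOG05
2018-03-29T09:10:00 OPS2     RENAME SYS1.MAINT.LOG06
2018-03-29T09:30:00 BATCH1   RENAME PROD.GL.DAILY
2018-03-29T09:30:30 BATCH1   RENAME PROD.GL.WEEKLY
2018-03-29T10:00:00 NEWID    RENAME PROD.PAY.MASTER
"""

# Constructed per-user history of daily RENAME counts, standing in for the
# "normal" a baseline would be learned from. Also an assumption.
RENAME_HISTORY = {
    "PAYROLL1": [1, 0, 2, 1, 1],
    "OPS2": [5, 6, 4, 7, 5],
    "BATCH1": [2, 2, 1, 3, 2],
}


def parse_events(text):
    """Parse lines into (timestamp, user, event, resource) tuples, sorted by
    time so a burst is measured in wall-clock order, not collection order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, event, resource))
    events.sort(key=lambda e: e[0])
    return events


def detect_burst(events, event_type="RENAME", threshold=5,
                 window=timedelta(seconds=60)):
    """Known-pattern rule: flag a user whose count of `event_type` inside a
    sliding `window` reaches `threshold`. Returns {user: first alert time}.
    Events older than the window are dropped, so slow, steady activity
    (OPS2 above) never accumulates into an alert."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, event, _ in events:
        if event != event_type or user in alerts:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = ts
    return alerts


def baseline_anomalies(events, history, event_type="RENAME", z=3.0):
    """Behavioral rule: compare each user's count today against that user's
    own history (mean + z * population stdev). A user with no history is
    flagged as well, since "never seen doing this" is itself anomalous."""
    today = defaultdict(int)
    for _, user, event, _ in events:
        if event == event_type:
            today[user] += 1
    flagged = {}
    for user, count in today.items():
        past = history.get(user)
        if not past:
            flagged[user] = "no baseline"
            continue
        mean = statistics.mean(past)
        sd = statistics.pstdev(past)
        limit = mean + z * sd if sd > 0 else mean
        if count > limit:
            flagged[user] = f"{count} vs baseline {mean:.1f}+/-{sd:.1f}"
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("burst alerts:", detect_burst(evs))
    print("baseline anomalies:", baseline_anomalies(evs, RENAME_HISTORY))
```

Run as-is, the burst rule fires only for PAYROLL1 (six renames in five seconds), while the baseline rule flags PAYROLL1 and the never-seen NEWID but leaves OPS2 alone even though OPS2 renamed the same number of datasets, because that volume is within OPS2's own history. In a real deployment the baseline would come from weeks of collected data rather than a hard-coded table, and the response (terminating the session, revoking the user ID) would be wired to the alert.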

Leaving the Past Behind You

The fortress mentality of yesteryear is no longer enough for today’s digital world. Assume that someone is going to breach your network and get into your mainframe: implement a solution that will automatically detect known attacks and spot the anomalous behavior of an attack you couldn’t even have conceived of.

Don’t let the strong record of a secure past lull you into inactivity around the mainframe, and don’t let the experience of preventing known breaches blind you to the unknown attacks of the future. Leave the past behind you, push your mainframe into the future, and allow log data analytics to be your new dragon eyes and machine learning to be the ever-watchful sentry patrolling the areas around your most precious data.

About the Author:

David Hodgson is Syncsort’s chief product officer (CPO) with 24 years of experience in senior management roles at CA Technologies and Sterling Software in engineering, operations, business development, product management, technical support and professional services. His expertise spans mainframe, data management, network management and cloud. As CPO, he runs all product-related activities in the organization, including business development, support, services and product management.