PowerTech Ships i5/OS Syslog Connector for SIEM
November 13, 2007 Alex Woodie
PowerTech Group launched a new version of its Interact connector last week that makes information about attempted break-ins on System i servers, along with other security events, available to cross-platform security information and event management (SIEM) software. With Interact 2.0, PowerTech now supports Syslog, which is the closest thing there is to a standard, cross-platform security messaging format, enabling Interact to work with a wide assortment of SIEMs. For certain SIEMs, PowerTech has gone the extra mile to provide deeper i5/OS connectivity.
If you’ve never heard of the Interact product from PowerTech, you’re not alone. The product was created several years ago as a way to serve i5/OS security event information into the intrusion detection systems (IDS) sold by Internet Security Systems, which is now owned by IBM. But because Interact was sold as a component of Network Security, the company’s flagship product for preventing unauthorized access to System i servers, nobody really knew much about it.
But owing to the greater need for sharing security event information from critical business servers–especially as it pertains to complying with the Payment Card Industry (PCI) security requirement–PowerTech decided it was time that Interact stand on its own two feet, according to Brendan Patterson, vice president of marketing for the Seattle, Washington, software company. “We’re exposing it more, rather than hiding it and making it part of Network Security,” he says.
With version 2.0, Interact now supports the Syslog messaging standard that is used by the majority of SIEM products. With Interact 2.0 running on your System i server, you now have a way to expose several critical i5/OS logs–including the security audit journal (QAUDJRN), the system (QSYSMSG), and system operator (QSYSOPR) message queues–via Syslog to tier-one SIEM products, such as those sold by ArcSight, Cisco, Symantec, TriGeo, and OpenService.
While several of these vendors offer i5/OS connectors with their SIEM products, they don’t offer the full depth of information and understanding that PowerTech can offer with Interact, Patterson says. “A lot of these vendors have developed basic support for the AS/400,” he says. “But they don’t know the platform. It’s one of a couple of hundred platforms they’re dealing with.”
For example, ArcSight offers an i5/OS connector with its SEM offering, which is a respected leader in the field. However, it requires batch transfers to transmit the audit journal from the System i, which doesn’t do much for real-time notification, Patterson says. “It’s not real time, and you don’t get the ability to filter it down, cut it down to the specifics,” he says.
But Patterson is not picking on ArcSight, the up-and-coming software vendor whose new log management offering we covered elsewhere in this newsletter. In fact, the combination of ArcSight and PowerTech’s Interact product makes for a more powerful SIEM solution than is possible with some other SIEM offerings, Patterson says, thanks to the work that’s been done to communicate additional i5/OS security information to ArcSight’s SEM above and beyond what can be included in basic Syslog messages.
“There are some [SIEM] platforms that have taken our events and done more with them, to map them to the categorization or taxonomy in their own solution,” he says. ArcSight, with its Common Event Format (CEF), is one of those platforms. The SIEM product from OpenService, with whom PowerTech established a partnership earlier this year, is the other product that can get better visibility into i5/OS security events than plain Syslog has to offer.
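To make concrete the difference between a plain Syslog line and one carrying a CEF-categorized event, here is an added example (not PowerTech's or ArcSight's code): it renders a constructed QAUDJRN-style event as a CEF record and wraps it in an RFC 3164 Syslog line, applying CEF's header and extension escaping rules. The extension field names, the host name and the sample event are assumptions; the vendor/product/version header uses names from this article.

```python
from datetime import datetime

# CEF escaping: header fields escape '|' and '\'; extension values escape '=' and '\'
# (newlines conventionally become the two characters '\n').
def _esc_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value):
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(event, vendor="PowerTech", product="Interact", version="2.0"):
    """Render one audit event as CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|ext.

    The QAUDJRN entry type is used as the CEF event class id (an assumed mapping).
    """
    header = "|".join(_esc_header(v) for v in (
        vendor, product, version,
        event["journal_entry"], event["name"], event["severity"]))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in event["fields"].items())
    return f"CEF:0|{header}|{ext}"

def to_syslog(event, host="SYSTEMI01", facility=4, severity=4):
    """Wrap the CEF record in an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST CONTENT.

    PRI = facility * 8 + severity; facility 4 is 'auth'. Day is space-padded per RFC 3164.
    """
    t = event["time"]
    pri = facility * 8 + severity
    return f"<{pri}>{t:%b} {t.day:2d} {t:%H:%M:%S} {host} {to_cef(event)}"

# Constructed sample: a QAUDJRN PW (invalid password) entry. The '|' and '=' in msg
# exercise the escaping a SIEM parser depends on to split fields correctly.
SAMPLE_EVENT = {
    "time": datetime(2007, 11, 13, 9, 5, 7),
    "journal_entry": "PW",
    "name": "Invalid password for user",
    "severity": 7,
    "fields": {"suser": "QSECOFR", "src": "10.0.0.5", "msg": "profile=locked|retry"},
}

if __name__ == "__main__":
    print(to_syslog(SAMPLE_EVENT))
```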
Other new features debuting in Interact 2.0 include simplified reporting for non-System i users. Thanks to a new interface that translates much of the esoteric jargon into meaningful phrases, PowerTech is enabling just about any security administrator to understand what’s going on with the System i. “We essentially take raw data on the AS/400, and translate it into more readable information to someone who’s not familiar with the product,” Patterson says.
Better real-time notification of i5/OS security events is delivered with Interact 2.0 thanks to support for forwarding event info to any paging, messaging, or e-mail service running on an i5/OS server.
Interact 2.0 is available now. Pricing starts at $1,500 per logical partition. For more information, visit www.powertech.com.