Above Security Takes i5/OS Log Aggregation to Heart
December 11, 2007 Alex Woodie
Above Security, a Canadian provider of security software and managed security services, recently announced that it now supports the System i with its flagship product, CSC2, or Center of Surveillance, Command, and Control. In fact, company officials report they were so impressed with the order and the level of detail in the i5/OS audit journal that they standardized their log collection and aggregation techniques for other platforms on the multi-user business server from IBM.
Based near Montreal, Quebec, Above Security has been providing customers with IT security services since it was founded in 1999. In 2002, it launched its flagship product, CSC2, to enable customers to get the same level of IDS (intrusion detection system) capability as if the vendor were providing security as an outsourced service.
CSC2 delivers three main capabilities: IDS, log management, and security vulnerability assessments. The solution is deployed on industry-standard, rack-mounted servers running a hardened Linux operating system and a stripped-down Postgres database. One or more of these servers are placed in the customer’s network, where they monitor key journals and logs for network activity. After the raw log and journal data has been filtered by the sensors, any pertinent information–such as a security breach or a problem in the log aggregation process–is bubbled up to the Web-based management console, where a security officer or systems administrator can take appropriate action.
In 2004, Jean Coutu Pharmacies came to Above Security with a request. The company, a major player in the retail pharmacy industry on the East Coast of North America, needed a way to monitor, filter, and store the log data generated from its i5/OS server, and was having trouble getting its current vendors–including Computer Associates (as CA was known then) and IBM–to provide a solution.
“It was our chance to make a play, which we did,” says Daniel Gaudreau, vice president of operations and technologies for Above Security. “We offered to co-develop with them a solution that would aggregate security journals from the AS/400 into an aggregation solution that we already had [CSC2]. We developed a solution that would track the audit journals, classify it, filter it, and retain only what was perceived as being sensitive changes, or a sensitive piece of information from a security perspective.”
By early 2005, the i5/OS log-monitoring solution was ready to be piloted, and it went into production soon after. Since then, Above Security has sold the i5/OS solution to “four or five other customers.” The product has been proved in real-world environments, and has even been listed in the IBM solutions directory. However, only recently did the company complete all of the IBM requirements to obtain Advanced Business Partner status, and to gain certification for CSC2 on the System i.
But Above Security went beyond getting a certificate. The company actually used what it learned from i5/OS’s journaling system to improve the way it accesses and interprets logs from other products, Gaudreau says.
They key element is the continuity that exists in the System i’s logging architecture. There are 80- or 90-some fields in the QUADJRN, Gaudreau says, and complete and total consistency across them. That level of consistency impressed him.
“Our solution for log aggregation was initially based only on Syslog,” he says. “With the advent of that co-development project that we had [with the customer], we introduced a new way to classify logs . . so that we can present that in a more user friendly way.”
“Quite frankly, I think the AS/400 platform is quite unique in the way that they formulated the journal entries,” he says. “If you compare this to a Windows log for example, you’ll find that the positioning or the definition of the different message is not standard–there is no standard way to present the date or the actual event number, or stuff like that, which on the AS/400 is one of the key pieces, where the entry type is always in the same position, and all fields are keeping the same meaning throughout the logs. It inspired us for an idea, for an architecture, to come up with techniques to extend that concept to other platforms.”
Currently, CSC2 only provides log management capability for the System i platform. The other two components–IDS and security vulnerability assessments–will probably not be coming to the System i platform any time soon, according to Gaudreau. “The standard line that we were given on intrusion detection on AS/400 is, due to the nature of the architecture of the iSeries, it’s like a fortress. It’s really hard to penetrate, and all traces of actual activity would be within the audit files.” So, in a way, CSC2 could detect an intrusion on a System i–it just wouldn’t provide real-time notification.
Above Security serves mostly customers in Canada and the Caribbean. The company has clients in the United States, but they’re primarily regional offices of Canadian companies.
CSC2 is available now for the System i. Pricing for the company’s managed security services (where the company installs and manages a sensor at the customer’s site) starts at $3,000 per month per sensor.