Safestone Taps RSA for SIEM Expertise
August 24, 2010 Alex Woodie
Safestone Technologies has long been a partner of RSA Security and used the security giant’s expertise in authentication to bolster the environments of its IBM System i customers. With this month’s update to Safestone’s security software, the vendors have strengthened the partnership with an IBM i connection to RSA’s security information and event management (SIEM) system.
Safestone says it worked closely with RSA (a division of EMC) to launch i Connect, which is a new component of the DetectIT suite that’s designed to move IBM i log data to enVision, RSA’s SIEM solution.
The i Connect product watches for more than 300 different IBM i event types, including changes or additions to user profiles, object authorities, network access, use of SQL, and entries to the security journal and system history log, the vendor says.
i Connect also includes filtering mechanisms to help avoid overloading the RSA SIEM with unimportant system events. (Remember, IBM i is quite exact, and prolific, in its log monitoring and journaling capabilities compared to your “standard” x64 or Unix environment.) Administrators can screen logs by event type, message ID, job name, job user name, program name, and time and day of week.
Safestone also did some work on its Syslog connector with DetectIT 14.3, and this played heavily into the launch of i Connect and its integration with enVision. The vendor says it made “extensive enhancements” to its Syslog interface with DetectIT 14.3 to support high-volume environments.
Previously, the only way to get IBM i log data into enVision was to send it via FTP. With the Syslog-based mechanism that Safestone developed for enVision with DetectIT 14.3 and i Connect, it is much easier and faster to move the data to enVision.
enVision is used by more than 1,600 organizations around the world, according to RSA. At the heart of the SIEM solution is the LogSmart Internet Protocol database (or IPDB), which RSA says is very good at managing unstructured data, such as that coming from all the various Syslog agents feeding data into the SIEM, as well as many other sources (although IBM i log data is more refined, and verbose, than most sources).
Several other features were added with version 14.3, and one of the most compelling is an enhancement to Powerful User Passport (PUP), the software launched last year that minimizes the potential impact that individuals with privileged user profiles can have, by allowing users to “swap” into powerful user profiles for limited periods of time.
With this release, PUP now monitors all SQL activity the user performs while swapped into a powerful user profile, like ALLOBJ. Since SQL is one of the most powerful (and dangerous, because it is not monitored natively) capabilities of the IBM i platform, creating a full audit trail of all SQL activities while a user is swapped into a powerful user profile with PUP makes perfect sense. (It probably should have been there before, but late is better than never.)
DetectIT 14.3 also brings full RSA-certified support for version 7.1 of the SecurID Authentication Manager. It also features more flexible deployment options, Safestone says. SecurID is used to implement two-factor authentication; it prevents a user from gaining access to System i or other servers unless they can provide two forms of authentication, such as a password or PIN plus a hardware authenticator like a smart card or USB token.
The new release of DetectIT supports IBM i version 7.1. For more information, see www.safestone.com.