Arpeggio Introduces IBM i Security Monitoring Solutions
November 8, 2011 Alex Woodie
Arpeggio Software last week unveiled SIFT-IT Free Edition, a new IBM i security monitoring utility that, as the name indicates, is free. The free edition of SIFT-IT automates the monitoring and review of IBM i security logs, while an enterprise version provides expanded log coverage, in addition to real-time notifications and technical support. SIFT-IT is the first product suite for Arpeggio, which was founded by the developers behind TrailBlazer Systems’ ZMOD file transfer product.
SIFT-IT Enterprise keeps an eye on the key logs, journals, and message queues that the IBM i OS and third-party apps use to collect security-related messages, including QAUDJRN, QSYSOPR, and logs for file transfer products, Web servers, and EDI translators.
When SIFT-IT Enterprise detects an event that could signify a potential breach of security, such as a sudden change in authority level granted to a low-level employee, it will automatically respond by notifying the administrator via email or text message; by sending a syslog-formatted message to a centralized security information and event management (SIEM) solution; or by triggering an IBM i program to take immediate corrective action.
Of course, there are many security monitoring solutions on the IBM i market. What differentiates SIFT-IT Enterprise, Arpeggio says, is the product’s capability to . . . well, sift through data.
As opposed to security monitoring solutions that only harvest the QAUDJRN and apply basic filtering, the company says, SIFT-IT Enterprise provides much more granular filtering, including the capability to parse messages by users, job names, IP addresses, event times, object names, object types, and object locations, among others. The software allows administrators to use “complex logic to define specific events to monitor,” the company says.
The capability to take immediate action is another highlight claimed by Arpeggio. “SIFT-IT is the first available product for the IBM i that provides truly granular filtering of events along with real-time remediation and is useful to companies of any size,” states Arpeggio CTO Tim McCarthy in a press release.
Arpeggio was co-founded in July by McCarthy and Richard Brown, who were also the co-founders of TrailBlazer Systems, which developed a managed file transfer (MFT) product for the IBM i server called the ZMOD Exchange. TrailBlazer was acquired in 2004 by nuBridges, which in turn was acquired by Liaison Technologies in April.
Brown, who is CEO, and McCarthy teamed up to launch Arpeggio and SIFT-IT to address a need they identified in the IBM i user community.
“When we interviewed our customers we heard many interesting requests regarding monitoring of events,” Brown says in a press release. “The types of requests we heard included needing to know when certain jobs start and end or if a particular server ends unexpectedly. Whenever any of those events happen our customers want to call a process the instant it occurs.
“From a security perspective our clients want to know about events such as when a power user accesses their IBM i after hours or updates particular files via non-standard interfaces like DFU,” he continues. “From a data perspective they wanted to know when certain files were created in specific IFS directories. Almost every customer said they need to set rules around how they monitor activities in various libraries and folders and be able to treat them uniquely. In every case, our customers wanted to know about it in real time and be able to trigger alerts, start remediation processes, and initiate secure logging to archive the events.”
SIFT-IT offers hooks for monitoring the activity log generated by ZMOD Exchange (now called Liaison Exchange i), which the company claims is used by more than 2,500 organizations. The company is also offering ZMOD Exchange customers a discount on SIFT-IT Enterprise licenses.
SIFT-IT Free Edition has several limitations compared to the enterprise edition. For starters, it only provides coverage of the QAUDJRN, although it does provide the granular filtering and “if then” logic that is one of the hallmarks of the software. The free edition also doesn’t generate email notifications or take corrective actions, but it will convert QAUDJRN entries into the syslog format used by SIEMs. There is also no console available with the free edition.
SIFT-IT runs on i5/OS V5R4 and higher. Pricing for the enterprise version was not disclosed. For a complete comparison of the free and enterprise versions and other information, see Arpeggio’s website at www.arpeggiosoftware.