Townsend Delivers Fine-Grained IBM i Log Data to SIEMs
May 15, 2012 Alex Woodie
It’s a big, bad, scary world out there. Cyber-criminals are constantly probing networks, looking for places to plant malware and do their nasty business. To thwart these attempts, an organization needs a good security plan, and possibly an investment in a security information and event management (SIEM) program that monitors and correlates all IT activity. Townsend Security recently issued a new release of its Alliance LogAgent Suite that will help protect the IBM i platform by providing SIEMs with more detailed and fine-grained IBM i log data.
Townsend Security president Patrick Townsend began his COMMON press conference last week with a blunt assessment of the state of security. Cyber-criminals are constantly using port scanners and other network listening devices to probe for weak points in companies’ perimeter defenses. When they can get in, they plant a piece of malware designed to exploit a vulnerability, usually in an application these days, because system makers have largely gotten their acts together.
Townsend says he has never seen malware on an IBM i server. As you may know, the IBM i has additional layers of protection that other platforms don’t have, which prevents unsigned programs from running. However, Townsend says, that’s not to say a piece of malware couldn’t be installed on an application running on the IBM i server. A vulnerability in the Apache Web server or a malicious script showing up in PASE, he says, could provide the means for a cyber-criminal to compromise the server.
Preventing such a breach is what companies like Townsend Security live for, and these days, a SIEM is the best tool for getting the upper hand on security. A properly configured SIEM can alert an organization almost instantly when suspicious behavior occurs across one or more monitored servers or network devices. Since many organizations are required to store log data anyway, the thinking goes, why not use a SIEM to detect potential breaches in real time, instead of doing forensics work after cyber-criminals have caused damage?
In 2007, Townsend Security launched Alliance LogAgent, which gathers IBM i log data from various logs (QAUDJRN, QHST, QSYSOPR, and Apache, MySQL, and PHP systems), transforms them into the industry standard format (syslog RFC3164 or CEF), and then forwards them to one of the SIEMs developed by third-party software companies, such as ArcSight (acquired by HP), LogRhythm, LogLogic (being bought by TIBCO), RSA Security, the free Splunk, Symantec (which works closely with Townsend), Q1 Labs (acquired by IBM), TriGeo, and Tripwire, among others.
Last week, the company unveiled an overhauled version of LogAgent that does its job much better. The biggest feature is the capability to monitor data access at the column or field level, providing a powerful tool for assessing exactly what piece of DB2/400 data may have been put at risk by a malicious program or a malicious user. Previously, Townsend didn’t have visibility at the field level, and had no way of knowing exactly which fields in a file (each with thousands upon thousands of records) may have been compromised.
The new release also brings the capability to monitor multiple columns in one database table, providing even more targeted monitoring of sensitive data. Townsend says other new features include user “white lists” for granting access to data at the table and column level; the capability to set floor and ceiling values for events; and the capability to log a hashed value of changed data.
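As an added illustration, not Townsend Security’s code and not how LogAgent is actually implemented, the Python below sketches the transformation the article describes: a constructed field-level DB2/400 change event is checked against a hypothetical user white list, the changed value is hashed rather than forwarded in the clear, and the result is emitted both as a CEF line and as an RFC 3164 syslog line. The vendor and product strings, the syslog facility, the white-list contents and every event value are assumptions.

```python
import hashlib

# Constructed sample event: a field-level update on a DB2/400 table, shaped like
# what an agent would derive from a QAUDJRN entry (all names and values made up).
SAMPLE_EVENT = {
    "timestamp": "May 15 10:42:07", "host": "IBMI01", "user": "JSMITH",
    "library": "PRODLIB", "file": "CUSTMAST", "field": "CCNUM",
    "action": "update", "new_value": "4111111111111111",
}

# Hypothetical user white list keyed by (library, file, column); anyone else is flagged.
WHITELIST = {("PRODLIB", "CUSTMAST", "CCNUM"): {"JSMITH", "BATCHUSR"}}

def hash_value(value: str) -> str:
    """Forward a SHA-256 of the changed data, not the data itself: the SIEM can
    still see that the field changed (and compare hashes) without receiving it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def is_whitelisted(ev: dict) -> bool:
    return ev["user"] in WHITELIST.get((ev["library"], ev["file"], ev["field"]), set())

def cef_escape(value: str, header: bool) -> str:
    """CEF escaping: header fields escape backslash and pipe; extension values
    escape backslash, equals sign and line breaks (a bare pipe is legal there)."""
    value = value.replace("\\", "\\\\")
    if header:
        return value.replace("|", "\\|")
    return value.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")

def to_cef(ev: dict) -> str:
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    allowed = is_whitelisted(ev)
    head = ["CEF:0", "ExampleVendor", "ExampleAgent", "1.0",
            "DB2_FIELD_" + ev["action"].upper(), "Field-level data change",
            "3" if allowed else "8"]  # CEF severity runs 0 (low) to 10 (high)
    ext = {"suser": ev["user"], "dhost": ev["host"], "act": ev["action"],
           "cs1Label": "object", "cs1": f'{ev["library"]}/{ev["file"]}.{ev["field"]}',
           "cs2Label": "newValueSha256", "cs2": hash_value(ev["new_value"]),
           "cs3Label": "whitelisted", "cs3": str(allowed).lower()}
    extension = " ".join(f"{k}={cef_escape(v, False)}" for k, v in ext.items())
    return "|".join(cef_escape(h, True) for h in head) + "|" + extension

def to_syslog(ev: dict, facility: int = 13) -> str:
    """RFC 3164 line <PRI>TIMESTAMP HOST TAG: MSG, with PRI = facility * 8 + severity.
    Facility 13 is 'log audit'; severity 6 = informational, 4 = warning.
    The CEF record rides as the MSG part, the usual way CEF is carried over syslog."""
    severity = 6 if is_whitelisted(ev) else 4
    return f"<{facility * 8 + severity}>{ev['timestamp']} {ev['host']} logagent: {to_cef(ev)}"
```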
LogAgent gathers logs from other Townsend products, including its Alliance AES encryption offering, its managed file transfer (MFT) products, and AS2 and Web services software. Any unusual activity occurring in these products will trickle up into the SIEM via LogAgent.
The new release of Alliance LogAgent Suite is available now. Pricing is $2,200 per LPAR. For more information, see www.townsendsecurity.com.