Connecting IBM i Into A Broader Security Web
April 19, 2017 Alex Woodie
In the ongoing war between cybercriminals and everybody else, there’s no place for lone wolves. The strength of any individual company’s security is largely dependent on the collective posture of multiple groups of actors. Luckily for IBM i shops, there are defined paths to plug into the broader shield that’s constantly evolving to keep us safe.
The idea of collective security is nothing new. Every anti-virus engine you’ve ever owned for the past 25 years is kept up-to-date by groups of security researchers who constantly stay on the lookout for new pieces of malware and new forms of attacks.
But viruses and malware form just one aspect of today’s security threats. Armed with the latest technology, today’s sophisticated cybercriminal operations are capable of launching widespread yet targeted attacks that can yield entry into back-office systems.
As cybercriminals get better at breaking into computer systems and remaining undetected for months at a time, it’s up to individual organizations to step up their games to deal with the threat. No bank or retailer or manufacturer asked for this security arms race, but it’s the best alternative to giving up one’s valuable data. You don’t want to be the next Target, which lost hundreds of millions of files when cyber crooks broke into systems by using credentials stolen from an HVAC repair company (yes, in our uber-connected world, even air conditioners pose a security threat).
To deal with this threat, organizations are turning to security solutions that can give them a bird’s eye view of every digital point of entry into back-office systems (it’s assumed you have physical security already taken care of). Called Security Information and Event Management (SIEM) solutions, these products are designed to collect log files from multiple sources, and then correlate them in a way that allows them to spot unusual activity.
In response to threats from cybercriminals and regulators alike, large and midsize companies are moving to adopt SIEMs, including IBM i shops. Here’s a valuable data point: All of the top solutions in Gartner’s most recent Magic Quadrant for SIEM products support IBM i.
HPE (formerly Hewlett-Packard), which Gartner put in the Leaders quadrant, supports what it calls the “eserver iSeries mainframe” with its ArcSight SIEM. LogRhythm, another leader in Gartner’s report, also supports IBM i log files. The McAfee Enterprise Security Manager, previously sold by Intel Security but now a standalone entity once again, also supports AS/400 database files. The QRadar solution from IBM also supports security log information from IBM i through what Big Blue calls its “Device Support Module for IBM AS/400 iSeries” (somebody should tell IBM what the new name of the platform is). The log file exploration and intelligence tool from Splunk also supports IBM i sources.
While these SIEM solutions also feature some out-of-the-box support for IBM i servers, customers may opt to bolster the integration by purchasing additional tools that smooth the hand-off and upload of IBM i log files into the SIEM. Townsend Security, Raz-Lee, Arpeggio Software, and other IBM i security software vendors offer these types of tools.
Patrick Townsend, the CEO and founder of Townsend Security and an IBM i security expert, says IBM i shops are increasingly turning to SIEM solutions to provide active security protection.
“It goes by different names. Some people call it continuous monitoring. I tend to call it active monitoring,” Townsend tells IT Jungle. “But it’s all the same thing. It’s all SIEM. It’s collecting security and log information from a variety of systems in one place and then detecting anomalies and potential attacks.”
Townsend Security works with close to 40 different SIEM solutions, and is certified with the top names, like QRadar, LogRhythm, McAfee, and Splunk. “Because of the approach we took to sending security events from IBM i to the SIEM, we normalize the data so every SIEM can very rapidly receive this data and start reacting to it,” Townsend says.
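To make the two ideas above concrete, namely normalizing IBM i security events into a form any SIEM can consume and then correlating them to spot unusual activity, here is an added illustration (not Townsend Security’s or any SIEM vendor’s code). It assumes a constructed, simplified tab-separated export of IBM i audit journal entries; the entry types PW (invalid password) and AF (authority failure) are real QAUDJRN types, but the record layout, host name, users and job names are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical tab-separated layout (not IBM's
# actual audit journal format): timestamp, IBM i host, audit entry type,
# user profile, job name, detail. PW/AF are real QAUDJRN entry types.
SAMPLE_JOURNAL = """\
2017-04-19 08:00:01\tIBMI01\tPW\tJDOE\tQPADEV0001\tPassword not valid
2017-04-19 08:00:07\tIBMI01\tPW\tJDOE\tQPADEV0001\tPassword not valid
2017-04-19 08:00:13\tIBMI01\tPW\tJDOE\tQPADEV0001\tPassword not valid
2017-04-19 08:00:19\tIBMI01\tPW\tJDOE\tQPADEV0001\tPassword not valid
2017-04-19 08:05:00\tIBMI01\tAF\tJDOE\tQPADEV0001\tNot authorized to PAYROLL/EMPMAST
2017-04-19 09:30:00\tIBMI01\tPW\tASMITH\tQPADEV0002\tPassword not valid
"""

# Map platform-specific audit types to vendor-neutral categories a SIEM rule can match.
TYPE_MAP = {"PW": "auth_failure", "AF": "authz_failure"}


def normalize(raw):
    """Parse the journal text into flat, SIEM-style event dicts."""
    events = []
    for line in raw.splitlines():
        ts, host, etype, user, job, detail = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "user": user, "job": job, "detail": detail,
            "native_type": etype,
            "category": TYPE_MAP.get(etype, "other"),
        })
    return events


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: alert when one user has >= threshold auth failures in `window`."""
    alerts, by_user = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "auth_failure":
            continue
        hits = by_user[ev["user"]]
        hits.append(ev["ts"])
        # discard failures that have slid out of the correlation window
        while hits and ev["ts"] - hits[0] > window:
            hits.pop(0)
        if len(hits) >= threshold:
            alerts.append((ev["host"], ev["user"], ev["ts"]))
            hits.clear()  # one burst produces one alert, not one per extra failure
    return alerts
```

The same normalized category field lets the rule fire identically whether the auth failures came from IBM i, a firewall or a Windows domain controller, which is the “whole picture” a SIEM is meant to give.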
While SIEM solutions have a reputation of being crabby and hard to deal with, they’re actually getting better, Townsend says. “They’re all making them easy to deploy, which means that people get better security faster through that process,” he says. “LogRhythm is a great product and is selling into IBM i shops at a very rapid clip.”
Sending IBM i log files to a SIEM product is good, but it’s only part of the answer if you’re looking for continuous monitoring. “Our philosophy is you have to see the whole picture,” says Townsend, who recently blogged about active security monitoring. “The IBM i is only one piece of your infrastructure. You have switches, firewalls, DLP systems, all these systems. You have to see them all in one place in real time. An AS/400-only solution is just not going to give you a security posture that can do that.”
IBM is working to push the security envelope by adding Watson-powered cognitive intelligence into the QRadar mix. Called Watson for Cyber Security, IBM is aiming to bolster the awareness of security analysts by using Watson to comb through unstructured data sources, like blogs, websites, and research papers, and correlating any security-related tidbits it finds with the log files collected and collated by QRadar.
Eventually, all SIEMs will be outfitted with artificial intelligence, and use machine learning algorithms to automatically detect the trail that cybercrooks will inevitably leave as they attempt to worm their way through our digital lives unseen.
“I think that’s the future,” Townsend says. “The power of our security posture is going to come from those SIEMs getting smarter and smarter, and being able to detect attacks against the enterprise as a whole. AI in security products is going to be absolutely critical and IBM i customers need to line up with that strategy to have a solid security posture.”