How to protect the mainframe from the enemy within - monitor all use
How to protect the mainframe from the enemy within - monitor all use



Another day, another cyber-attack – or so it seems. Whether it's the NHS, Wonga, TalkTalk or repeatedly Yahoo!, it has become startlingly obvious that even the biggest companies, with vast resources at their disposal, fail to prevent hackers from accessing their most precious information – customer and employee data. Hackers use a myriad of methods to gain access to a company's systems, such as keyloggers, browser exploits and phishing scams. Although the forms of attack vary, the perpetrators are usually after one thing, personally identifiable information (PII), which can be used for illegitimate financial gain.


As it is consumers who are put at risk by a company's lax cyber-security measures, the ramifications for those that fail to protect their customers and employees are understandably and justifiably severe; with IBM calculating the cost of a data breach at US$4 million (£3 million). Due to the huge financial implications, companies are investing hand over fist to secure their systems and data. So much so that IDC expects spending on security technology to reach US$81.7 billion (£62.3 billion) in 2017. However, much of this investment is on technologies to keep the bad guys out; but what happens if the attacker is operating from within the company?


We've traced the call... it's coming from inside the house


The importance of this question was underscored by the now infamous case of Jerome Kerviel, who used his access credentials and privileges as an employee at one of Europe's largest banks to commit unauthorised transactions totalling €4.9 billion (£4.4 billion). Worryingly, this incident isn't an anomaly. In fact it is a frequent occurrence, with 69 percent of security professionals having experienced an attempted or successful data theft or corruption by corporate insiders between 2015 and 2016.


As illustrated by the Jerome Kerviel scandal, the cost of insider threats can far outweigh the average costs of an external data breach. However, it's more than disgruntled, disenfranchised or just plain greedy employees that organisations have to worry about. In addition to the threat of malicious employee activity, organisations also face the risk that hackers could obtain access to login credentials illegitimately, to become an outside insider. This all begs the question: why aren't companies investing in protection against insider threats with the same gusto used to thwart external threats?


Inside the mainframe


One of the main reasons is that insider threats are so much harder to detect, as on the surface, the perpetrators' actions appear legitimate. Companies need to provide employees with access to their systems and data so they can do their job, but in doing so they expose themselves to subterfuge from the very people they entrusted this access to. There is also the challenge of monitoring the access and usage of much of an organisation's PII, given that for large organisations, it usually resides on the mainframe.


Since they are inherently securable, mainframes have long been the go-to computer system for large enterprises with a wealth of sensitive information to store, such as: banks, insurance providers and retailers. The mainframe brings the advantage of being a highly securable data repository, which is incredibly difficult to breach. Additionally, the mainframe is usually only accessible to a select few trusted users, compared to other systems, which have a much larger user-base and multiple points of entry. The likelihood of insider threats occurring on the mainframe is greatly reduced, but isn't eradicated entirely. Equally though, if an insider does breach the mainframe, the results can be severe.


The high security rabbit warren


Detecting insider threats on the mainframe requires an organisation to have the right systems and processes in place, as the environment is an incredibly complex rabbit warren of databases. So much so, that recent research from Compuware revealed that this complexity has created a security blind-spot for 84 percent of organisations, who say it is difficult to monitor which employees are accessing which mainframe data and what they are doing with it.


The problem is that most enterprises rely solely on disparate logs and SMF data from security products, such as RACF, to piece together an idea of what employees are doing on the mainframe. Even if they feed this data into a SIEM to build out a wider context around user behaviour, it is still very difficult to get the level of insight into user behaviour to identify a malicious insider. The reason is that these logs and data sources only provide insights into login attempts, but don't provide any details into what the user does once they access the system. As a result, when investigating suspicious or malicious employee behaviour, security teams have a sketchy, incomplete view.


Don't be another statistic


The only effective way of protecting the hugely valuable and sensitive data that resides on the mainframe from insider threats is to capture a complete picture of mainframe user activity in real-time. Organisations need insight into which users are accessing what information and when, in addition to which applications they are accessing, what data, and how the data is manipulated. This granular level of insight can only be obtained by directly capturing complete, start-to-finish user session activity data in real-time and integrating it into a SIEM system such as Splunk and CorreLog, so it can be analysed for patterns that are out of line with normal employee behaviour.


With this approach, organisations will have the ability to spot malicious employees or unwelcome insiders at the crime scene and in the early stages of a data breach. That's a win-win for security teams and those whose personal data they are entrusted with protecting alike, going a long way towards ensuring an organisation doesn't just become another statistic on the rapidly lengthening list of data breach incidents.

Contributed by John Crossno, product manager, Compuware

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.