Tuesday, April 18, 2017
Compuware’s newest solution curbs insider threats against mainframe systems!
By Rich Ptak
Compuware just delivered its 10th consecutive quarter of new capabilities aimed at “Mainstreaming the Mainframe.”
This time there is a security twist. Having focused for the last few quarters on enhancing its Topaz solution suite with DevOps-focused products, Compuware is, with its latest release, addressing new challenges in the area of security enablement.
No, Compuware does not plan to become an all-encompassing security firm. Nor will it be offering security consulting. Both areas are already heavy with talent, product and service options. Compuware is doing what it does best – removing the idiosyncrasies of the mainframe to enable non-mainframe staff to access and work with mainframe data in the same manner as they access data from other platforms.
For its entire lifetime, the mainframe has been the “gold-standard” for platform security. It remains so today. However, threats evolve over time into new directions, demanding adaptive responses and new capabilities.
With the announcement of Compuware Application Audit, directly capturing rich, complete, start-to-finish user session activity data in real time is now faster, easier and more comprehensive than ever. This is critical to increasing mainframe cybersecurity and assuring compliance with security protocols and mandates.
A web-based interface and the ability to integrate easily with data from across the enterprise add dramatically to the potential benefit of this product.
We briefly review insider threats and their costs, then discuss Compuware’s newest contribution aimed at resolving them.
IBM X-Force® Research’s 2016 cyber security report stated that organizations experienced a 5% increase in data breaches between 2014 and 2015, mostly (60%) the result of insider (employee, trusted partner) activities. The just-released 2017 X-Force Threat Intelligence Index reveals that the number of leaked records increased by “a historic 566 percent in 2016 from 600 million to more than 4 billion records”!
Other research conducted in EMEA revealed that it took an average of 469 days to detect such activities versus a global average of 146 days. A 2016 global study by the Association of Fraud Examiners covering breaches in more than 144 countries found that the cost of such breaches was an average of $2.7M (some as high as $4M). They also discovered detection efforts, such as active monitoring, internal/external audits, fiscal reviews, etc. can significantly lower the cost/loss and duration of a breach.
We agree that the mainframe is inherently secure from outside attacks. However, in today’s world, the risk and danger of exposure of sensitive data increasingly come from privileged users. Profiles and motives vary. The user may be unauthorized or authorized. The intent may be malicious or completely unintended, such as a mistaken file transfer or a mis-keyed command. Whatever the cause, the result can be a breach that exposes confidential internal data or results in illegal access to, or exposure of, personal client information. In the end, the risk of an extremely costly breach not only exists but is demonstrably growing over time.
The safeguards offered today are proving to be insufficient, awkward to implement and frequently inadequate to detect, let alone prevent, sophisticated or even naive user penetrations. Even when a problem is recognized and attempts are made to address it, those responsible for prevention, monitoring or protection may actually be the perpetrators.
As would be expected, the response has centered on a proliferation of mandates in the form of compliance rules, regulations, audits, inspections, reporting, etc. by governments and watchdog groups. These are layered on top of existing internally generated and imposed mandates. The result is an increasing risk of non-compliance, along with penalties on top of the damages done to clients, customers, employees, relationships, etc.
Existing traditional solutions, e.g. SMF data, log scans, SIEM tools, RACF, CA ACF2, CA Top Secret, etc., all effectively deliver their promised, designed-in functionality and capabilities. Unfortunately, none is capable of directly addressing the need to specifically track and store user behavior in real-time. None collects the data necessary to determine what a user is actually doing with an application and with the data. Thus, none can report on who is doing what with which applications and data for how long. Hence, the danger continues and risk escalates. This is the problem that Compuware Application Audit is designed to address for mainframes. Note that while the weakness exists for all systems and platforms, Application Audit focuses exclusively on the mainframe.
Compuware Application Audit: Captures User Behavior in Real-time
The most interesting aspect of Application Audit lies in its unique ability to collect and provide access to ALL user interactions with, and IN, ANY application on the mainframe. This is done in real time and over time, for as long as the user is using an app, even if the interaction is interrupted and spread over time. It provides a comprehensive view of exactly what happens from the user’s perspective. It works for privileged or non-privileged users. It tracks ALL activities that occur from a user perspective, whether CICS transactions, 3270-based interactions – any interaction (data I/O, moves, changes, etc.) that takes place in and with any application.
Activity tracking is completely transparent to both the user and application. There is no call to Application Audit by the user. No changes are made to any application. All data regarding user interaction with applications is collected in real-time by Application Audit. The data is recorded on the mainframe by the Application Audit Global Record and stored locally.
Data captured by Application Audit can be sent directly to Splunk for analysis, or written out as SMF records for CorreLog or Syncsort, which store, transport and format the data before delivering it to Splunk or, in the case of CorreLog, to popular SIEM or other analytics engines such as Hadoop. Customers can combine data from across the enterprise within the SIEM tools, where it can be analyzed together and correlated for security and compliance. See Figure 1 for an implementation example leveraging CorreLog.
Figure 1: Example of Audit Data & Process Flow
Compuware Application Audit has been designed and implemented as a standalone solution. It does not require the purchase of additional Compuware products. It includes a web interface with basic data display and full data access, along with an out-of-the-box, customizable Splunk-based dashboard.
Compuware consulted with security experts and auditors on multiple aspects of the product’s design. These include such areas as the web interface, menus for reports, data collection and reporting, presentation, alerts as well as alert mechanisms, and the visualizations built into the application.
User experiences prove the value
Compuware described the experiences of two major banks and one healthcare insurance company using Compuware Application Audit to solve security problems. A bank needed to be able to monitor privileged users and collect auditable evidence on user activities. Application Audit data fed to Splunk enabled the bank to identify a privileged user engaging in improper activities.
Another bank required comprehensive insight into mainframe application usage after an exposure of credit card information. Application user behavior data collected by Application Audit and analyzed in Splunk revealed that an outsourced contractor was abusing their privileges. Application Audit also provided the necessary information to show auditors that the bank was operating in compliance with regulations that govern access to sensitive data. The bank is now meeting GDPR compliance requirements with ongoing monitoring.
The healthcare insurance firm needed to assure compliance with HIPAA mandates and to track the viewing of sensitive, personal data records so that those records could be searched. Once again, Application Audit user data monitoring and collection, combined with Splunk analysis of user behavior, resolved the problem.
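The analyses described in the three customer cases above, and the earlier point that existing tools cannot report “who is doing what with which applications and data for how long,” come down to aggregating per-user session activity and checking it against an access policy. The following Python example is added here to illustrate that style of analysis; it is not Compuware’s code and does not use Application Audit’s actual record format. The pipe-separated record layout, the sample activity lines, the dataset names, the user IDs and the entitlement policy are all constructed for the example, and the detection rules (unentitled access to a sensitive dataset, an excessive view count, any transfer of a sensitive dataset) are illustrative choices rather than anything the product prescribes.

```python
"""Summarize constructed user-activity records into a
"who did what, with which application and data, for how long" view,
then flag entries that violate a constructed access policy.

Record format (constructed for this example, NOT Application Audit's
native output): timestamp|user|application|dataset|action
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Activity:
    ts: datetime
    user: str
    app: str
    dataset: str
    action: str          # e.g. VIEW, UPDATE, TRANSFER

@dataclass
class Finding:
    user: str
    app: str
    dataset: str
    reason: str

# Constructed sample activity log. Users, applications and dataset
# names are hypothetical.
SAMPLE_LOG = """\
2017-04-18T09:00:05|jsmith|CARDS|CUST.CARD.MASTER|VIEW
2017-04-18T09:03:10|jsmith|CARDS|CUST.CARD.MASTER|UPDATE
2017-04-18T09:10:42|jsmith|CARDS|CUST.CARD.MASTER|VIEW
2017-04-18T10:15:00|ctr001|CARDS|CUST.CARD.MASTER|VIEW
2017-04-18T10:15:30|ctr001|CARDS|CUST.CARD.MASTER|VIEW
2017-04-18T10:16:02|ctr001|CARDS|CUST.CARD.MASTER|VIEW
2017-04-18T10:16:40|ctr001|CARDS|CUST.CARD.MASTER|VIEW
2017-04-18T14:02:11|ctr001|FTP|CUST.CARD.MASTER|TRANSFER
2017-04-18T11:00:00|padmin|PAYROLL|HR.PAYROLL|VIEW
2017-04-18T11:00:00|ops01|BATCH|SYS.JOBLOG|VIEW
"""

# Constructed policy: which datasets hold sensitive data, who is
# entitled to each, and how many VIEWs of one dataset in a session
# are tolerated before the activity is flagged.
POLICY = {
    "sensitive": {"CUST.CARD.MASTER", "HR.PAYROLL"},
    "entitled": {"CUST.CARD.MASTER": {"jsmith"},
                 "HR.PAYROLL": {"padmin", "hr01"}},
    "view_threshold": 3,
}

Key = Tuple[str, str, str]   # (user, app, dataset)

def parse_log(text: str) -> List[Activity]:
    """Parse pipe-separated records into Activity objects, sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, app, dataset, action = line.split("|")
        records.append(Activity(datetime.fromisoformat(ts), user, app, dataset, action))
    return sorted(records, key=lambda a: a.ts)

def summarize(activities: List[Activity]) -> Dict[Key, dict]:
    """Aggregate per (user, app, dataset): action counts and time span."""
    summary: Dict[Key, dict] = {}
    for a in activities:
        key = (a.user, a.app, a.dataset)
        entry = summary.setdefault(key, {"actions": Counter(), "first": a.ts, "last": a.ts})
        entry["actions"][a.action] += 1
        entry["first"] = min(entry["first"], a.ts)
        entry["last"] = max(entry["last"], a.ts)
    for entry in summary.values():
        # "for how long": seconds between first and last touch of that dataset
        entry["duration_s"] = int((entry["last"] - entry["first"]).total_seconds())
    return summary

def flag(summary: Dict[Key, dict], policy: dict) -> List[Finding]:
    """Apply the policy to the summary and return the findings."""
    findings: List[Finding] = []
    for (user, app, dataset), entry in summary.items():
        if dataset not in policy["sensitive"]:
            continue
        if user not in policy["entitled"].get(dataset, set()):
            findings.append(Finding(user, app, dataset, "not entitled to sensitive dataset"))
        if entry["actions"]["VIEW"] > policy["view_threshold"]:
            findings.append(Finding(user, app, dataset, "excessive VIEW count"))
        if entry["actions"]["TRANSFER"] > 0:
            findings.append(Finding(user, app, dataset, "TRANSFER of sensitive dataset"))
    return findings

def report(summary: Dict[Key, dict], findings: List[Finding]) -> str:
    """Render the summary and findings as plain text for an auditor."""
    lines = ["user      app      dataset            actions                duration_s"]
    for (user, app, dataset), e in sorted(summary.items()):
        acts = ", ".join(f"{k}={v}" for k, v in sorted(e["actions"].items()))
        lines.append(f"{user:<9} {app:<8} {dataset:<18} {acts:<22} {e['duration_s']}")
    lines.append("")
    lines.extend(f"FLAG {f.user} {f.app} {f.dataset}: {f.reason}" for f in findings)
    return "\n".join(lines)

if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(report(s, flag(s, POLICY)))
```

Run as-is, the script flags only the constructed contractor account: it is not entitled to the card dataset, it viewed it more than the threshold allows, and it later transferred it through a second application, while the entitled user’s three interactions over roughly ten minutes produce no finding. In a real deployment the same aggregation would run inside the SIEM over the exported records, and the policy would come from the entitlement data the auditors already maintain.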
The Final Word
Compuware continues to maintain an accelerated pace in providing new and enhanced products and solution extensions to improve the mainframe environment and ecosystem. Not content with optimizing processes and tasks ranging from development to infrastructure, operations and service management, Compuware has found a way to ease the task of detecting and preventing user-driven security problems by automating real-time data collection about user behavior.
Ten quarters ago (2 ½ years), Compuware made a commitment and issued a challenge as they committed to a quarterly delivery of products and enhancements that would “Mainstream the Mainframe.”
Quarter by quarter, Compuware has lived up to that commitment. They are delivering new and enhanced products and services that have made life easier, simpler, and more interesting for developers, systems administrators, operations and, now, security staff. They have introduced tools that removed long-standing barriers that discouraged or intimidated non-mainframe IT staff from using or learning about the mainframe. They eased access to the latest in IT tools and technologies once used only in distributed environments. They automated tasks that were onerous, time-consuming and error-prone.
Compuware has not been alone in these efforts. Competitors have risen to the challenge albeit with their own strategic twist on what needs to be done and how to do it. But, no one else has matched their pace of delivery which, by all the evidence we have been shown, they fully intend to continue.
Congratulations to Compuware on this release, which, by the way, also includes some enhancements to other products. Again, we recommend that anyone with a mainframe in their shop invite these folks to discuss what they can do with you. You’ll find that by working with Compuware, “You won’t get tired of winning!”