Ptak Associates paints the big picture on Cloud, Mobile, Mainframes, Blockchain, DevOps,Cognitive Computing,Quantum Computing, etc. Partnering with us, IT organizations understand and prioritize their needs within the context of IT trends, and technology vendors refine their strategies. We provide both with market insight, actionable recommendations, and deliverables that communicate the business values of their products and services
Compuware’s newest solution curbs insider threats against mainframe systems!
By Rich Ptak
Courtesy of Compuware
Compuware just delivered its 10th consecutive quarter of new
capabilities aimed at “Mainstreaming the Mainframe.”
This time, with a security
twist. Having focused on enhancing its Topaz solution suite with DevOps focused
products for the last few quarters, with its latest release, Compuware is addressing
new challenges in the area of security enablement.
No, Compuware does not plan to become an all-encompassing security firm.
Nor, will they be offering security consulting. Both areas are already heavy
with talent, product and service options. Compuware is doing what it does best
– removing the idiosyncrasies of the mainframe to enable non-mainframe staff to
access and work with mainframe data in the same manner as they access data from
For its entire lifetime, the mainframe has been the “gold-standard” for
platform security. It remains so today. However, threats evolve over time into
new directions, demanding adaptive responses and new capabilities.
With the announcement of Compuware Application Audit, directly capturing
rich, complete start-to-finish user session activity data in real-time is now
faster, easier and more comprehensive than ever. This is critical to increasing
mainframe cybersecurity and assuring compliance to security protocols and mandates.
A web-based interface and ability to easily integrate with data from
across the enterprise, dramatically adds to the potential benefit from this
We quickly review these threats and their costs. We then discuss Compuware’s
newest contribution aimed at resolving them.
An expensive and growing challenge
The 2016 published
IBM X-Force® Research report on cyber security stated organizations experienced
a 5% increase in data breaches between 2014 and 2015; mostly (60%) the result
of insider (employee, trusted partner) activities. The just released 2017 X-Force
Threat Intelligence Index reveals the number of leaked records had
increased by “a
historic 566 percent in 2016 from 600 million to more than 4 billion records”!
conducted in EMEA revealed that it took an average of 469 days to detect such
activities versus a global average of 146 days. A 2016 global study by the
Association of Fraud Examiners covering breaches in more than 144 countries found
that the cost of such breaches was an average of $2.7M (some as high as $4M).
They also discovered detection efforts, such as active monitoring, internal/external
audits, fiscal reviews, etc. can significantly lower the cost/loss and duration
of a breach.
We agree that the
mainframe is inherently secure from outside attacks. However, in today’s world,
the risk and danger of exposure of sensitive data are increasingly coming from privileged users. Profiles and motives
vary. The user may be unauthorized or authorized. The intent may be malicious,
or completely unintended, i.e. a simple
mistaken file transfer or miss-keyed command. Whatever the cause, the result
can be a breach that exposes confidential internal data or in the illegal
access/exposure of personal client information. In the end, the risk of an
extremely costly breach not only exists but is demonstrably growing over time.
offered today are proving to be insufficient, awkward to implement and
frequently inadequate to detect let alone prevent sophisticated or even naive
user penetrations. Even when recognized, and attempts made to address, those
responsible for prevention, monitoring or protection may actually be the
As would be
expected the response has centered on a proliferation of mandates in the form
of compliance rules, regulations, audits, inspections, reporting, etc. by
governments and watchdog groups. These
are layered on top of existing internally generated and imposed mandates. The
result is an increasing risk of non-compliance along with penalties on top of
the damages done to clients, customers, employees, relationships, etc.
traditional solutions, e.g. SMF data, log scans, SIEM tools, RACF, CA ACF2, CA
Top Secret, etc., all effectively deliver their
promised, designed-in functionality and capabilities. Unfortunately, none is
capable of directly addressing the need to specifically track and store user
behavior in real-time. None collects the data necessary to determine what a
user is actually doing with an
application and with the data. Thus, none can report on who is doing what with
which applications and data for how long. Hence, the danger continues and risk
escalates. This is the problem that Compuware Application Audit is designed to address
for mainframes. Note that while the weakness exists for all systems and
platforms, Application Audit focuses exclusively on the mainframe.
Compuware Application Audit: Captures User Behavior in Real-time
The most interesting aspect of Application Audit lies in its unique ability
to collect and provide access to ALL user interactions with and IN ANY
application on the mainframe. This is done in real-time and over-time, as long
as the user is using an app, even if the interaction is interrupted and spread
over time. It provides a comprehensive view of exactly what happens from the
user’s perspective. It works for privileged or non-privileged users. It tracks
ALL activities that occur from a user perspective whether CICS transactions, 3270-based
interactions – any interaction (data I/O, moves, changes, etc.) that takes
place in and with any application.
Activity tracking is completely
transparent to both the user and application. There is no call to Application
Audit by the user. No changes are made to any application. All data regarding
user interaction with applications is collected in real-time by Application
Audit. The data is recorded on the mainframe by the Application Audit Global Record
and stored locally.
Data captured by Application Audit
can be sent directly to Splunk for analysis or written out as SMF for CorreLog or
Syncsort, which store, transport and format the data before delivering it to
Splunk, or in the case of CorreLog, to popular SIEM or other analytics engines
such as Hadoop. Customers can combine data from across the enterprise within
the SIEM tools where it can be analyzed together and correlated for security
and compliance. See Figure 1 for an implementation example leveraging CorreLog.
Figure 1 Example of Audit Data & Process
Compuware Application Audit has been designed and
implemented as a standalone solution. It does not require the purchase of additional
Compuware products. It includes a web interface with basic data display, full data
access along with an out-of-the-box customizable Splunk-based dashboard.
Compuware consulted with security experts and auditors on
multiple aspects in the design of the product. These include such areas as web
interface, menus for reports, data collection and reporting, presentation,
alerts as well alert mechanisms and visualizations built into the application.
User experiences prove the value
Compuware described the experiences of two major banks
and one healthcare insurance company using Compuware Application Audit to solve
security problems. A bank needed to be able to monitor privileged users and
collect auditable evidence on user activities. Application Audit data fed to
Splunk enabled the bank to identify a privileged user engaging in improper
Another bank required comprehensive insight into
mainframe application usage after an exposure of credit card information.
Application user behavior data collected by Applications Audit and analyzed in
Splunk revealed an outsourced contractor was abusing their privileges. Application Audit also provided the necessary
information to show auditors the bank was operating in compliance with
regulations that govern access to sensitive data. The bank is now meeting GDPR
compliance requirements with ongoing monitoring.
The Healthcare insurance firm needed to assure
compliance with HIPAA mandates and to track viewing of sensitive, personal data
records so they could search records. Once again Application Audit user data
monitoring and collection combined with Splunk analysis of user behavior
resolved the problem.
The Final Word
Compuware continues to maintain an accelerated pace providing new and
enhanced products and solution extensions to improve the mainframe environment
and ecosystem. Not content with optimizing processes and tasks ranging from
development to infrastructure, operations and service management, Compuware
found a way to ease the task of detecting and preventing user-driven security
problems by automating real-time data collection about user-behavior.
Ten quarters ago (2 ½ years), Compuware made a commitment and issued a
challenge as they committed to a quarterly delivery of products and
enhancements that would “Mainstream the Mainframe.”
Quarter by quarter, Compuware has lived up to that commitment. They are
delivering new and enhanced products and services that have made life easier,
simpler, and more interesting for developers, systems administrators,
operations and, now, security staff. They have introduced tools that removed
long-standing barriers that discouraged or intimidated non-mainframe IT staff
from using or learning about the mainframe. They eased access to the latest in
IT tools and technologies once used only in distributed environments. They
automated tasks that were onerous, time-consuming and error-prone.
Compuware has not been alone in these efforts. Competitors have risen
to the challenge albeit with their own strategic twist on what needs to be done
and how to do it. But, no one else has matched their pace of delivery which, by
all the evidence we have been shown, they fully intend to continue.
Congratulations to Compuware on this release, which, by the way, also
includes some enhancements to other products. Again, we recommend that anyone
with a mainframe in their shop invite these folks to discuss what they can do
with you. You’ll find that by working with Compuware, “You won’t get tired of