CorreLog IND$Defender™ fills a huge gap in mainframe security by monitoring IND$FILE, an unaudited file transfer program in IBM z/OS.
When one of your users uploads or downloads mainframe datasets – containing some of the most valuable intellectual property in an enterprise datacenter – RACF does not record the activity. Since there is no audit trail from RACF, your Security Information and Event Management or SIEM system does not receive a notification that anything was uploaded/downloaded by the user.
CorreLog closes this major auditing gap in mainframe security with IND$Defender™. IND$Defender™ provides a systematized approach for monitoring mainframe dataset activity performed through a 3270 emulator program, a PC application that delivers a mainframe user interface on Windows/UNIX devices. With IND$Defender™, compliance managers now have an audit trail and real-time SIEM notifications for any IND$FILE transfer, an activity for which the mainframe operating system does not natively create an SMF record. SMF (System Management Facility) records are used by RACF to notify your SIEM that a security event has just occurred and may need immediate (or automated) attention.
CorreLog’s IND$Defender™ operates as a “wrapper” that transparently audits the usage of IND$FILE and writes, for every IND$FILE transfer, an SMF record (unique to CorreLog and approved for use by IBM) that can be formatted for any SIEM system. IND$Defender™ then generates a real-time alert from the SMF record for the organization’s SIEM system. The product has a very small footprint that requires minimal system resources. The audit data that can be sent to the distributed SIEM system includes:
- Invoking user ID, name and Group
- Terminal name and IP address
- Mainframe dataset name
- Upload or download
- Time of day and duration of transfer
- Other IND$FILE parameters
CorreLog has worked with leading SIEM vendors to achieve certified integration status with HP ArcSight, IBM® QRadar Security®, RSA Security Analytics/EnVision, NetIQ, McAfee, and Solutionary. In addition to sending SMF data to the CorreLog SIEM Correlation Server or CorreLog Visualizer™, IND$Defender™ can send data to any brand-name SIEM system including Splunk, LogRhythm®, Dell SecureWorks and others.
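As an added illustration (not CorreLog's code or its record format) of what the audit fields listed above look like once they reach a SIEM, the following models one IND$FILE transfer event, renders it as an ArcSight-style CEF syslog line, and applies a simple SIEM-side rule that alerts on downloads of datasets under a protected high-level qualifier. The CEF extension keys, the protected-qualifier list and the sample events are assumptions constructed for the example.

```python
# Added example (not CorreLog's code); CEF keys and the protected-HLQ list are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class IndFileEvent:
    user_id: str        # invoking RACF user ID
    user_name: str
    group: str
    terminal: str       # 3270 terminal name
    ip: str             # client IP address
    dataset: str        # fully qualified z/OS dataset name, e.g. PAYROLL.MASTER
    direction: str      # "UPLOAD" or "DOWNLOAD"
    started: datetime   # time of day the transfer began
    duration_s: int     # transfer duration in seconds

def to_cef(ev: IndFileEvent) -> str:
    """Render one event as a CEF:0 line suitable for syslog forwarding (keys assumed)."""
    sev = 7 if ev.direction == "DOWNLOAD" else 5   # data leaving the mainframe rates higher
    ext = (f"suser={ev.user_id} cs1Label=group cs1={ev.group} src={ev.ip} "
           f"shost={ev.terminal} fname={ev.dataset} act={ev.direction} "
           f"rt={int(ev.started.timestamp()) * 1000} "
           f"cn1Label=durationSec cn1={ev.duration_s}")
    return f"CEF:0|CorreLog|IND$Defender|1.0|INDFILE|IND$FILE {ev.direction}|{sev}|{ext}"

SENSITIVE_HLQS = {"PAYROLL", "HR"}   # constructed list of protected high-level qualifiers

def should_alert(ev: IndFileEvent) -> bool:
    """Rule: alert on any DOWNLOAD of a dataset under a protected high-level qualifier."""
    hlq = ev.dataset.split(".")[0].upper()
    return ev.direction == "DOWNLOAD" and hlq in SENSITIVE_HLQS

# Constructed sample events standing in for records an agent would forward.
SAMPLE_EVENTS = [
    IndFileEvent("JSMITH", "J. Smith", "FINANCE", "TCP00012", "10.1.2.3",
                 "PAYROLL.MASTER.Q3", "DOWNLOAD",
                 datetime(2024, 5, 1, 14, 30, tzinfo=timezone.utc), 42),
    IndFileEvent("ADEV", "A. Dev", "DEVOPS", "TCP00019", "10.1.2.9",
                 "DEV.SOURCE.COBOL", "UPLOAD",
                 datetime(2024, 5, 1, 9, 5, tzinfo=timezone.utc), 3),
]

def run_rule(events=SAMPLE_EVENTS):
    """Return the CEF lines for every event that trips the rule."""
    return [to_cef(ev) for ev in events if should_alert(ev)]
```

Calling `run_rule()` on the sample events returns one CEF line, for the PAYROLL download; the upload of a development dataset is forwarded but not alerted on.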
IND$Defender™ is part of the CorreLog SIEM Agent for IBM z/OS solution, the industry’s first SIEM event message collector for z/OS that reports mainframe security event messages in real time. IND$Defender™ can be deployed as a standalone product or as part of a SIEM Agent for z/OS package. SIEM Agent for z/OS resides in a mainframe LPAR, or in multiple LPARs, and in real time converts mainframe security events such as RACF, ACF2, Top Secret and DB2 accesses to distributed syslog format for enterprise SIEM systems. In addition to mainframe SIEM functions, SIEM Agent includes functionality for Mainframe File Integrity Monitoring (MFIM) and Data Loss Prevention (DLP).
For additional details about CorreLog IND$Defender™, download the product datasheet.