CorreLog zDefender™ for IND$FILE fills a huge gap in mainframe security by monitoring IND$FILE, an unaudited file transfer program in IBM z/OS.
When one of your users uploads or downloads mainframe datasets – containing some of the most valuable intellectual property in an enterprise datacenter – RACF does not record the activity. Since there is no audit trail from RACF, your Security Information and Event Management (SIEM) system receives no notification that anything was uploaded or downloaded by the user.
CorreLog closes this major auditing gap in mainframe security with zDefender™ for IND$FILE. zDefender™ provides a systematized approach for monitoring mainframe dataset activity through a 3270 Emulator program, a PC application that delivers a mainframe user interface on Windows/UNIX devices. With zDefender™ for IND$FILE, compliance managers now have an audit trail and real-time SIEM notifications for every IND$FILE transfer, an activity for which the mainframe operating system does not natively create an SMF record. SMF (System Management Facility) records are used by RACF to notify your SIEM that a security event just occurred and potentially needs immediate (or automated) attention.
CorreLog’s zDefender™ for IND$FILE operates as a “wrapper” that transparently audits the usage of IND$FILE and writes an SMF record (unique to CorreLog and approved for use by IBM) that can be formatted for any SIEM system for every IND$FILE transfer. zDefender™ for IND$FILE then generates a real-time alert from the SMF record for the organization’s SIEM system. The product has a very small footprint that requires minimal system resources. The audit data that can be sent to the distributed SIEM system includes:
- Invoking user ID, name and Group
- Terminal name and IP address
- Mainframe dataset name
- Upload or download
- Time of day and duration of transfer
- Other IND$FILE parameters
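A SIEM-side consumer of these audit fields, added here as an illustration and not CorreLog's own code: it parses constructed syslog lines carrying the fields listed above and applies simple policy checks (sensitive dataset downloaded, terminal IP outside trusted networks, off-hours transfer). The key=value message layout, the sensitive high-level qualifiers and the trusted network ranges are assumptions made for this example, not the product's actual record format.

```python
import ipaddress
import re

# Constructed sample events. The key=value layout is an assumption made for
# this example; it is NOT the record format zDefender actually emits.
SAMPLE_EVENTS = [
    "<14>Mar 03 09:12:45 MFLPAR1 IND$FILE user=JSMITH group=DEVOPS term=TCP00012 "
    "ip=10.1.20.7 dsn=PROD.PAYROLL.MASTER dir=DOWNLOAD dur=12",
    "<14>Mar 03 09:14:02 MFLPAR1 IND$FILE user=ABUILD group=BUILD term=TCP00031 "
    "ip=10.1.21.40 dsn=DEV.SRC.LISTINGS dir=UPLOAD dur=3",
    "<14>Mar 03 23:41:19 MFLPAR1 IND$FILE user=TCONTR group=CONTRACT term=TCP00088 "
    "ip=198.51.100.23 dsn=PROD.CUSTOMER.PII dir=DOWNLOAD dur=57",
]

EVENT_RE = re.compile(
    r"<\d+>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) IND\$FILE "
    r"user=(?P<user>\S+) group=(?P<group>\S+) term=(?P<term>\S+) ip=(?P<ip>\S+) "
    r"dsn=(?P<dsn>\S+) dir=(?P<dir>UPLOAD|DOWNLOAD) dur=(?P<dur>\d+)"
)

# Policy inputs (assumed for the example): dataset high-level qualifiers that
# hold sensitive data, and the networks where 3270 terminals are expected.
SENSITIVE_HLQS = {"PROD"}
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]

def parse_event(line):
    """Parse one syslog line into a dict of fields, or None if it is not an IND$FILE event."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dur"] = int(ev["dur"])
    return ev

def evaluate(ev):
    """Return the list of policy findings for one parsed IND$FILE event."""
    findings = []
    hlq = ev["dsn"].split(".")[0]          # high-level qualifier of the dataset
    ip = ipaddress.ip_address(ev["ip"])
    if ev["dir"] == "DOWNLOAD" and hlq in SENSITIVE_HLQS:
        findings.append("sensitive-download")
    if not any(ip in net for net in TRUSTED_NETS):
        findings.append("untrusted-terminal-ip")
    hour = int(ev["ts"].split()[2].split(":")[0])
    if hour < 6 or hour >= 22:
        findings.append("off-hours")
    return findings

def triage(lines):
    """Map each parsed event, keyed by (user, dataset), to its policy findings."""
    return {(ev["user"], ev["dsn"]): evaluate(ev)
            for ev in map(parse_event, lines) if ev}
```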
CorreLog has worked with leading SIEM vendors to achieve certified integration status with HP ArcSight, IBM® QRadar Security®, RSA Security Analytics/EnVision, NetIQ, McAfee, and Solutionary. In addition to sending SMF data to the CorreLog SIEM Correlation Server or CorreLog Visualizer™, zDefender™ for IND$FILE can send data to any brand-name SIEM system including Splunk, LogRhythm®, Dell SecureWorks and others.
zDefender™ for IND$FILE is part of the CorreLog zDefender™ for z/OS solution, our industry’s first SIEM event message collector for z/OS that reports mainframe security event messages in real time. zDefender™ for z/OS resides in a mainframe LPAR, or multiple LPARs, and in real time, converts mainframe security events such as RACF, ACF2, Top Secret and DB2 accesses to distributed syslog format for enterprise SIEM systems. In addition to mainframe SIEM functions, zDefender includes functionality for Mainframe File Integrity Monitoring (MFIM) and Data Loss Prevention (DLP).