One of the most important assets that organizations need to protect is their critical data. PCI regulations specifically require that organizations monitor access to sensitive data files and to changes in configuration and log files. Being able to produce an audit report is key, but it’s also critical to protect your business in real time. Integrating File Integrity Monitoring (FIM) with your Security Information and Event Management solution (SIEM) can help provide your business with an added layer of protection by ensuring that potential data breaches are reported in real time and by protecting your system against unauthorized changes.
Because internal threats can do more harm than external threats
We all know that our organizations can be exposed by external threats, but are we doing enough to ensure that the internal threats are detected and resolved quickly? A lot of time is spent to ensure that critical data isn’t exposed to the outside world, when it’s really the internal threats that can wreak havoc. The reason is that internal resources may have the access and authority to make changes to configuration files that will provide them with the increased power they need to harm your business. A disgruntled employee can do more harm than an outside threat.
Integrating FIM with SIEM can give your business an added layer of protection by ensuring that you are alerted to potential threats in real time. SIEM provides a single point of collection for all potential security threats, which can help your business react faster. Even better though, FIM enables you to alert someone in real time, so you are able to mitigate your risk faster. Together they provide more protection than either can provide alone.
IBM i is securable but not secure
It’s not uncommon for IBM i users to have more authority than they really need to do their day to day tasks. The reason is that many shops still believe that their IBM i is secure, because the IBM i cannot become infected with a virus. Despite being a highly securable platform, it doesn’t come that way. You must have good security practices in place to protect your critical data. A user with elevated privileges may not be able to access your sensitive data in the traditional way – i.e. via the application through the green screen –but did you know that if TELNET is open they could still get to the data and manipulate it with their current authorities?
In many shops, menu driven security was implemented to prevent users from being able to access areas of the system which they shouldn’t. Even with elevated authorities the user was limited in what they could do, especially if they didn’t have a command line. This used to be enough to protect your system. However, now we have TELNET, SQL, and FTP access to the IBM i. This created a new security threat that organizations weren’t considering when menu security was implemented.
Without FIM and SIEM
A rogue employee with *ALLOBJ authority can still manipulate your data through FTP, even if they can’t execute those same commands from the green screen. While your green screen access is protected by menu security, with this level of authority, the user can still access your payroll file from home using FTP. Since FTP doesn’t prevent them from running commands, they can run an SQL script to add a zero to the end of their weekly salary in the PAYROLL file. Due to the false sense of security the organization has, since they have locked down the green screen, no one is even looking at this file. Months later, someone in payroll notices the increase in monthly costs and starts to do some analysis. It is several weeks more before they identify the problem. Everyone thought the file was secure. Boy were they wrong.
With FIM and SIEM
This could all have been prevented by implementing FIM with SIEM. Let’s assume the same rogue employee doesn’t have *ALLOBJ authority in this scenario, but they do have access to a profile with QSECOFR to perform day to day tasks. And they use that access to change their authority to *ALLOBJ. With SIEM, a record of the event is sent to the SIEM solution notifying the security team of a potential threat. At the same time, the FIM solution will revert their privileges back to the accepted level. The employee goes home and tries to access the payroll file, only to find they have insufficient privileges. The FIM records the read of the file. The security department does their due diligence, reviewing the reports and the employee is fired. This is a much better way to protect your data.
Protecting your Sensitive Data from Internal and External Threats
SEA’s suite of Security solutions can easily be integrated together to provide your organization with full visibility of your critical system values, sensitive data files and locking down exit points. Being able to integrate the data and report over it helps facilitate compliance and auditing. Real time alerting helps protect your business from both internal and external threats.
Without FIM and SIEM working together, it’s difficult to protect your IBM i from internal threats. With FIM and SIEM working together, FIM ensures that your log files are not altered and that critical data files have their changes tracked for audit and compliance. SIEM will track things such as changes to user authority and objects. Together they provide you a way to be alerted in real time if someone is trying to breach your sensitive data.
Feel free to contact us at SEA Software for advice and recommendations on how to use FIM and SIEM to better protect your IBM i systems.