July 28, 2017 | IBM i

Real Time Alerts: The Benefits of Using Real Time Alerts for IBM iSecurity



Think of IBM i monitoring as a series of nested circles, with each circle defining a different level of critical items that need monitoring and that can affect the performance and health of your system. The standard view of an IBM i monitoring strategy might look like figure 1, where the inner monitoring levels deal with basic up-time issues affecting system availability, while the outer levels deal with application and user issues.


Thanks to IBM i work management, problems in the outer circles are more isolated and have less effect on total system performance than problems in the inner circles (for example, a disabled user profile won't take down your entire system, but a backplane error will put everything out of commission). The deeper you go into the standard IBM i monitoring diagram in figure 1, the more critical the issues become.


Before you monitor for messages and key resource issues

While this type of message and resource monitoring is important, typical IBM i monitoring software packages don’t usually monitor for security breaches that can occur in the following IBM i features and third-party products.

If we add security breach monitoring covering these features and products to figure 1, our IBM i monitoring diagram evolves into something like that shown in figure 2.


Adding security breach monitoring is a critical addition to any shop's IBM i monitoring strategy. Unfortunately, traditional IBM i monitoring packages (such as the ones built only to detect the issues shown in figure 1) don't usually cover security breach monitoring.


Luckily, there are third-party IBM i products such as iSecurity Action software, part of the iSecurity suite of security solutions, that provide security breach monitoring for any IBM i monitoring plan. These products add the following important capabilities for security breach monitoring.

Real time security alerts

Compliance is driving companies to adopt real time alerts in their monitoring solutions to help protect their critical data. While compliance doesn't always require real time alerts, real time notification can protect your business from a security threat while it is still unfolding. A user profile being disabled because of too many failed sign-on attempts (the QMAXSIGN and QMAXSGNACN system values control when the system does this), for example, is something a security administrator should be told about as it is happening, not the next morning. Other IBM i security events you need to know about immediately include firewall intrusions, IFS virus infections, suspicious database activity, and changes to system values or to important system jobs.


With real time alerts for security monitoring, you have the opportunity to look at the situation as it is occurring and determine if it is a real threat or not.

Notification through different methods

Most companies don't have system administrators who work 24x7. This is why having a monitoring solution that can alert you through a variety of methods is also important. In today's world, we connect through different devices, and the device we're using often depends on where we are. It's more important than ever that you can receive alerts when you are not in the office, especially for security breaches. Receiving real time security alerts via email, SMS, Twitter, or SNMP is critical to being able to protect your business. A solution that makes it easy to notify your response team wherever they are increases the level of control you have over the security of your environment.

More than just the facts

It's not just about being alerted, though. It's also about how you're alerted. Being able to tailor alert messages to include breach-specific information such as the system name, user name, or other variables gives the administrator far more useful information. With breach-specific information, the administrator knows at a glance what the problem is and what it is affecting. This matters when several breaches occur at the same time, because it helps you prioritize the most critical alerts quickly, ensuring you are doing everything you can to protect the business.

SIEM integration

Integration with Security Information and Event Management (SIEM) solutions can also be important for companies running multiple platforms. Many companies have already invested in a SIEM solution, and having a single place where all security-related information is stored and managed is helpful from a compliance point of view, especially at audit time. The auditors want to know about all the events that happened during the audit period, and that is much easier if the information is consolidated in one place. Most IBM i security monitoring solutions can be integrated with a SIEM; the problem is that they often require someone with programming skills to make it work. Any security breach monitoring solution you consider should be able to integrate easily with your syslog server, without extensive coding to pass variables like the system or user name.
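As an added example (written for this post; it is not iSecurity, SEA, or any SIEM vendor's code), the Python below shows one way to get the system name, user name, and audit entry type to a syslog server without the SIEM having to parse free text: the variables travel as RFC 5424 structured data, or as CEF extension fields for collectors that prefer CEF. Python runs in PASE on IBM i, so such a script can run on the partition itself. The alert dictionary layout, the app name "isecmon", the vendor/product strings, the CEF severity mapping, and the use of 32473 (the enterprise number RFC 5612 reserves for examples) in the structured-data SD-ID are this example's own assumptions; the sample alert is constructed.

```python
"""Format an IBM i security alert for a SIEM as RFC 5424 syslog and as CEF.

Added example for this post, not code from iSecurity or SEA. The alert
dict layout, the app name "isecmon", the vendor/product strings and the
use of 32473 (the enterprise number RFC 5612 reserves for examples) as the
structured-data SD-ID suffix are this example's own assumptions.
"""
import socket
from datetime import datetime, timezone

FACILITY_AUTHPRIV = 10                      # syslog facility used for security messages
SYSLOG_SEVERITY = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
                   "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}
CEF_SEVERITY = {"EMERG": 10, "ALERT": 10, "CRIT": 9, "ERR": 7,
                "WARNING": 5, "NOTICE": 3, "INFO": 1, "DEBUG": 0}  # 0-10 scale, assumed mapping
SD_ID = "ibmi@32473"                        # private SD-ID: name@enterprise-number

# Constructed alert, shaped the way a monitoring rule would hand it over.
SAMPLE_ALERT = {
    "severity": "CRIT",
    "system": "PROD01",        # the IBM i partition the event came from
    "user": "DEV1",            # the user profile the event concerns
    "entry": "CP",             # QAUDJRN entry type (CP = user profile changed)
    "message": "user class changed *PGMR -> *SECOFR",
    "time": datetime(2017, 7, 28, 2, 31, 7, tzinfo=timezone.utc),
}


def _sd_escape(value):
    """RFC 5424 6.3.3: escape backslash, double quote and ']' inside PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_syslog(alert, app="isecmon"):
    """Return an RFC 5424 line. System and user travel as structured data,
    so the SIEM can index them without parsing the free-text message."""
    pri = FACILITY_AUTHPRIV * 8 + SYSLOG_SEVERITY[alert["severity"]]
    ts = alert["time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sd = '[{} system="{}" user="{}" entry="{}"]'.format(
        SD_ID, _sd_escape(alert["system"]), _sd_escape(alert["user"]),
        _sd_escape(alert["entry"]))
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {ts} {alert['system']} {app} - {alert['entry']} {sd} {alert['message']}"


def _cef_header(value):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    """CEF extension values: escape backslash, '=' and newlines."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def format_cef(alert, vendor="ExampleVendor", product="ibmi-monitor", version="1.0"):
    """Return a CEF:0 line for SIEMs that prefer CEF over structured syslog."""
    header = "|".join(_cef_header(v) for v in (
        vendor, product, version, alert["entry"], alert["message"],
        CEF_SEVERITY[alert["severity"]]))
    rt = int(alert["time"].timestamp() * 1000)          # CEF 'rt' is epoch milliseconds
    ext = f"dvchost={_cef_ext(alert['system'])} suser={_cef_ext(alert['user'])} rt={rt}"
    return f"CEF:0|{header}|{ext}"


def send_udp(line, host="127.0.0.1", port=514):
    """Ship one line to a syslog collector over UDP (use TCP/TLS in production)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    print(format_syslog(SAMPLE_ALERT))
    print(format_cef(SAMPLE_ALERT))
```

The escaping helpers are the part people skip and then regret: a user name or message containing `]`, `"`, `|` or `=` will otherwise split or corrupt the record on the SIEM side. `send_udp` is there to show the last hop; for audit evidence you want a transport that does not silently drop messages, so use TCP with TLS (RFC 5425) to the collector.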

Automated actions

One of the most important things to look for in a real time alerting solution for security monitoring is whether it can initiate automated actions or corrective responses when a security breach is detected. Automated actions further improve your security because they ensure that action is taken immediately, even before an on-call resource is alerted. Again, given that most companies don't have 24x7 administrators, if you rely on your staff to take action when they are not actually at work, it could be too late: an operator who doesn't see the message for 30 minutes or more is 30 minutes behind the attacker.


One example would be a developer user profile (user class *PGMR) being changed to user class *SECOFR, a change that, combined with SPCAUT(*USRCLS), gives the profile the same special authorities QSECOFR holds (*ALLOBJ, *SECADM and the rest). With that level of authority, a developer could access many things they should not. Instead of letting the change stand, you could set a rule that automatically disables any user profile whose user class is changed from *PGMR to *SECOFR. Other common corrective responses that can be initiated when security breaches occur include CL script generation and automated command processing. This is where true protection comes into play: being able to stop someone from harming your business automatically.
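The following Python, added here as an example and not taken from iSecurity Action or any other product, covers both the real time alert on repeated failed sign-on attempts described earlier and the automated corrective action just described. It assumes the audit journal has already been dumped (for instance with DSPJRN JRN(QAUDJRN) OUTPUT(*OUTFILE)) and each entry reduced to a dictionary with the few fields used here; those field names, the old/new user class pair (assumed to come from diffing the profile before and after the CP entry), the threshold of three failures, and the approved-profile list are this example's own choices, and the sample entries are constructed. It goes a little beyond the post's single case by treating the escalation check as a generic rule with an approved list, so a legitimate security officer profile does not trip it.

```python
"""Rules over IBM i audit journal (QAUDJRN) entries: alert on repeated
password failures, alert and auto-disable on user-class escalation.

Added example for this post, not iSecurity Action code. It assumes the
journal has already been dumped (e.g. DSPJRN JRN(QAUDJRN) OUTPUT(*OUTFILE))
and each entry reduced to a dict with the fields used here; those field
names, the threshold and the approved-profile list are this example's own.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Alert:
    severity: str
    system: str
    user: str
    message: str
    action: Optional[str] = None   # CL command to execute, None = notify only


# Constructed sample entries (not a real journal dump). PW/P = password not
# valid, PW/U = user name not valid; CP = user profile changed. old_usrcls and
# new_usrcls are assumed to have been derived by diffing the profile.
SAMPLE_ENTRIES = [
    {"code": "PW", "type": "P", "system": "PROD01", "user": "JSMITH", "ts": "2017-07-28T02:14:03Z"},
    {"code": "PW", "type": "P", "system": "PROD01", "user": "JSMITH", "ts": "2017-07-28T02:14:09Z"},
    {"code": "PW", "type": "P", "system": "PROD01", "user": "JSMITH", "ts": "2017-07-28T02:14:15Z"},
    {"code": "PW", "type": "P", "system": "PROD01", "user": "JSMITH", "ts": "2017-07-28T02:14:21Z"},
    {"code": "PW", "type": "U", "system": "PROD01", "user": "ROOT",   "ts": "2017-07-28T02:20:41Z"},
    {"code": "CP", "system": "PROD01", "user": "QSECOFR", "target": "DEV1",
     "old_usrcls": "*PGMR", "new_usrcls": "*SECOFR", "ts": "2017-07-28T02:31:07Z"},
    {"code": "CP", "system": "PROD01", "user": "QSECOFR", "target": "OPER2",
     "old_usrcls": "*USER", "new_usrcls": "*SYSOPR", "ts": "2017-07-28T02:32:00Z"},
]


def password_failure_rule(entries, threshold=3):
    """One HIGH alert when a user reaches `threshold` PW/P entries.
    Firing only at the exact count keeps a brute-force flood from producing
    one alert per attempt."""
    failures = Counter()
    alerts = []
    for e in entries:
        if e["code"] != "PW" or e.get("type") != "P":
            continue
        key = (e["system"], e["user"])
        failures[key] += 1
        if failures[key] == threshold:
            alerts.append(Alert(
                "HIGH", e["system"], e["user"],
                f"{threshold} invalid password attempts for {e['user']} on "
                f"{e['system']}, last at {e['ts']}; QMAXSGNACN may already "
                f"have disabled the profile"))
    return alerts


def user_class_escalation_rule(entries, approved=frozenset({"QSECOFR"})):
    """CRITICAL alert plus corrective CL when a profile not on the approved
    list is raised to user class *SECOFR."""
    alerts = []
    for e in entries:
        if e["code"] != "CP" or e["target"] in approved:
            continue
        if e["new_usrcls"] == "*SECOFR" and e["old_usrcls"] != "*SECOFR":
            alerts.append(Alert(
                "CRITICAL", e["system"], e["target"],
                f"user class of {e['target']} changed {e['old_usrcls']} -> "
                f"*SECOFR by {e['user']} on {e['system']} at {e['ts']}",
                action=f"CHGUSRPRF USRPRF({e['target']}) STATUS(*DISABLED)"))
    return alerts


def evaluate(entries):
    """Run every rule. Alerts carrying an action are for immediate execution
    (on IBM i, e.g. through QCMDEXC); the rest go to the notification channels."""
    return password_failure_rule(entries) + user_class_escalation_rule(entries)


if __name__ == "__main__":
    for a in evaluate(SAMPLE_ENTRIES):
        print(f"[{a.severity}] {a.message}")
        if a.action:
            print(f"    -> {a.action}")
```

Two design points worth noting. The corrective command is returned as data rather than executed inside the rule, so the same rule can run in a dry-run mode during tuning and the action can be logged before it is issued. And the escalation rule disables the target profile, not the profile that made the change; if the actor was a compromised QSECOFR, disabling it from inside the same system is a separate decision that belongs with the on-call responder.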

Adding security to monitoring

It’s important to consider security breach monitoring when you design and implement an IBM i monitoring strategy. And if you have an existing monitoring system that only covers the issues shown in figure 1, you should consider adding security breach monitoring to complete your coverage. Without security monitoring, you’re not really covering all the critical issues and threats your IBM i is facing and your system is still vulnerable. Fortunately, there are several products on the market (such as iSecurity Firewall or iSecurity Audit) that can help fill in your IBM i security holes and make your system more secure.


Feel free to contact us at SEA for more information on IBM i message and resource monitoring, with security breach monitoring included.