Bridging the SIEM Mainframe Gap

Among the presentations given at the recent (ISC)2 Security Congress in Austin, Texas was “The Seven Secret Sins of SIEMs” by Franklyn Jones of Cyphort. The content is relevant to every enterprise that runs a SIEM. One of the seven sins in particular caught my attention: the need for greater visibility into network traffic moving across the organization. A SIEM survey Jones cited in his presentation found that 71 percent of IT professionals agreed that greater visibility is needed.[i]

One place where this greater visibility is needed is the mainframe. For most organizations, transactions drop off the SIEM radar the moment they reach the mainframe. For tracking purposes, the mainframe is effectively a black hole: transactions go in, some processing occurs, and a timely response hopefully comes out. The requests do not reappear on the SIEM radar until the mainframe portion of the transaction is complete. This is a problem for any enterprise that needs to diagnose a failure, or make a true assessment of customer service levels, because there is a mainframe gap in the record.

Joseph Blankenship, senior security and risk analyst at Forrester Research, sees gaps in the end-to-end visibility that enterprises need from their SIEM implementations, stating, “It’s not unusual to see partially deployed SIEMs that are only monitoring parts of an environment.”[ii] These gaps are not necessarily the fault of the SIEMs; they reflect the nature of a computing environment in which open-platform SIEMs and proprietary mainframe transaction processing systems like CICS do not integrate easily. The remedy Blankenship suggests for better visibility is to “bring in logs from inside the network, including endpoints, hosts and applications. Focus on parts of the network where critical data is stored.” This is a brute-force approach at best, but until now there have been few alternatives.

The SIEM vendor community and many of the enterprises that use their products have simply chosen to live with this gap. Those who found the gap too troubling have built home-grown solutions, or adopted vendor “hooks” into CICS and other mainframe applications, to gain an end-to-end view. That view came at a cost: inserting programmatic hooks into CICS created a new set of problems, most often instability or an ongoing maintenance burden.

For enterprises that use CICS, IBM has introduced a set of features called CICS Transaction Tracking that provides the necessary infrastructure, under the covers of CICS, to track what is happening inside and across CICS regions. This capability has been a standard part of CICS since CICS Transaction Server v4.2. Since most enterprises use open SIEM platforms, and this foundational transaction tracking capability now exists in CICS, how can enterprises take advantage of it?

Solutions that bridge this SIEM gap, such as Syncsort Ironstream® Transaction Tracing, are emerging to give enterprises an easier path to insight into the impact of web and mobile transactions on the mainframe. Such solutions build on the transaction tracking infrastructure IBM has added to CICS rather than injecting their own hooks. They close the SIEM gap to the mainframe, finally giving enterprises a complete view of a transaction for performance management or auditing purposes, and they matter to any organization that uses CICS transactions to deliver functionality to end-user devices.

[i] Survey sponsored by Cyphort and conducted in collaboration with the Ponemon Institute and Osterman Research, collectively representing nearly 1,000 enterprise SIEM users.

[ii] “7 SIEM Situations That Can Sack Security Teams”, Dawn Kawamoto, September 27, 2017.
