A SIEM that Speaks IBM i
Use of security information and event management (SIEM) software is on the rise, thanks to compliance requirements and the growing need for real-time threat detection. Organizations of all sizes can benefit from capturing, logging, and responding to security events in real time, but one important operating system is often overlooked: IBM i.
If you have a Power Systems server running IBM i in your data center, there’s a good chance it runs some of your organization’s most critical applications and houses sensitive data. You’d think this OS would be a top priority when it comes to identifying security events that require quick attention.
The fact is, most SIEM solutions only provide a very basic level of support for IBM i.
The Disconnect Between Most SIEM Software and IBM i
One of IBM i’s most powerful features is its ability to log and record events to a tamperproof secure audit journal, QAUDJRN. From command usage by specific users to changes to system values, the audit journal can record practically anything that happens on the system.
Versions 7.2 and 7.3 enable IBM i to create syslog-formatted messages that can be sent to SIEM software, but one problem remains. Those messages aren’t meaningful to most security analysts, who aren’t familiar with IBM i or the ways their organizations use this platform.
Think about it: how does a security analyst know what the IBM i data actually means? Which events should they respond to and which don’t call for action?
At the same time, the IBM i team doesn’t have insight into what data the SIEM is collecting.
These conditions make it easy for significant threats to go unnoticed. Considering how important IBM i is to the organizations that rely on it, the consequences could be serious.
Fortunately, this challenge is not insurmountable.
How to Monitor Security Events and Information on IBM i
Getting insight in to IBM i security events is easier than ever, thanks to the recently launched Powertech Event Manager. It can interpret security events coming from any source—including IBM i.
Whether you haven’t implemented SIEM software yet or you have an enterprise-level SIEM that doesn’t integrate with IBM i, a solution like this turns data into actionable insight.
Event Manager normalizes the data it collects, so that security analysts don’t have to be platform experts. By translating the information into a common, easy-to-understand format, Event Manager enables even junior IT staff to respond to critical security events.
Serious security events are prioritized over others in real time. This makes it easy to respond to serious threats quickly.
Event Manager is also designed to be easy to implement, unlike many other SIEM solutions that require a substantial commitment in terms of time and budget.
Get Proactive: Detect Threats Early
Many organizations are using multiple security event monitoring tools for different platforms in their environments. They have the data they need, but none of the insight. The challenge of using multiple tools that don’t communicate with each other is that there’s no way to see the big picture.
Do the security events add up to a major threat that requires a response—or are they nothing to worry about?
Answering this question often requires time and an in-depth examination by an experienced security analyst.
Event Manager eliminates a lot of these questions by correlating events coming from different sources. For example, you can see if something happening on IBM i is also happening on Linux. You can see if an IBM i user is using Telnet to access data on a Linux system. Insight like this makes it possible to get proactive with cybersecurity.
Event Manager also integrates with other Powertech solutions for a seamless experience:
- See when users initiate profile switches with Authority Broker
- Stay on top of possible attacks by monitoring connection attempts rejected by Network Security
- Track out-of-compliance settings identified by Policy Minder
- Monitor malware detected and removed by Stand Guard Anti-Virus
Consolidating security events with Event Manager makes audits simpler. Event Manager records all security events and documents any investigation into a security event, so that you have a complete audit trail. Audit reports are easy to compile, which makes meeting compliance requirements much simpler.
Cybersecurity technology is advancing at a rapid pace to keep up with new and more sophisticated threats. But much of that technology ignores IBM i. SIEM solutions are incredibly useful, but not if they exclude one of the most important operating systems in your environment. Event Manager makes it possible to get powerful insight into the state of your IBM i security.
See what Event Manager can do for you.