Let’s face it, monitoring security events on IBM i probably isn’t at the top of anyone’s “bucket list.” However, it’s a critical process that should be performed by every organization to ensure that unauthorized activities don’t occur unnoticed. Typically, there are two main issues with monitoring a system manually: having to go out deliberately (and repeatedly) and check to see if something has happened; and the fact that you are most likely looking for the proverbial needle in a haystack of logged events.
Powertech conducts hundreds of free compliance assessments each year and compiles many of the statistics into a published report, The State of IBM i Security Study. During the course of performing these assessments, we frequently uncover user profiles that have been subjected to multiple invalid signon attempts. Ranked #1 in 2012 was a single profile with over 154,000 invalid attempts logged against it! That’s amazing, but still not the all-time leader—that dubious honor is bestowed on a user from 2010 whose attempts surpassed the one-million mark.
What makes these stunning statistics worse is that the company was oblivious to these attempts and therefore clueless about the cause. I challenge whether they’d be more concerned if they discovered that the profile in question was QSECOFR. Sure, the profile might have been disabled after the first few attempts, but perhaps this is the one and only red flag of unauthorized activity against the system. Financial giants Citigroup reportedly received a $500,000 fine recently for not acting on red flags about unauthorized insider activities.
Powertech Compliance Monitor is one of the most popular tools on the market for simplifying complex audit-related tasks, including the forensic analysis of audit journal data. With version 3, hundreds of audit reports can be scheduled in batch and the results made available in popular .xls and .pdf formats. The product can even place the completed reports onto the IFS, or distribute them as email attachments—encrypted, of course!
Security Officers and auditors like to know the instant that something unexpected occurs on the system. If you prefer to have your IBM i system proactively escalate critical system events as they happen, you’ll want to investigate Powertech Interact. Installed quickly as a native IBM i agent, Interact is like a security alarm for your system. Interact will aid your security team by escalating several types of events:
- Critical system messages (QSYSMSG / QSYSOPR)
- IBM security audit journal entries (QAUDJRN)
- Apache Web Logs
- Powertech product events (e.g. firewall logs from Powertech Network Security)
Configuration couldn’t be simpler: Supply the IP address of your syslog or ISS security console and start the monitor job. If you don’t maintain a Security Event Information Monitor (SEIM)—like ISS, or ArcSight, LogRhythm, or Splunk—then you can also send a notification to a message queue that can be escalated using popular messaging tools, such as Bytware Messenger or Robot Console and Robot Alert.
Interact comes with almost 600 event filters predefined (Figure 1), and you can specify thousands more.
Figure 1 - Hundreds of events can be monitored easily
The filters define what events should be escalated and which ones should be ignored (Figure 2). They also indicate the criticality of the event to help the remote console differentiate between important events and simple notifications.
Figure 2 - Events can be filtered based on numerous criteria
Interact detects events as they occur and then formats the data before sending it to the remote console. The vast majority of SIEM monitoring solutions can process the events without modification, due to the industry-standard syslog format that Interact uses.
Companies that utilize HP ArcSight now also enjoy enhanced compatibility with their solution due to the partnership that Powertech has established with this fellow market leader. Interact received HP ArcSight Common Event Format (CEF) certification in July 2013, ensuring organizations more accurate prioritization and timely response to potential threats.
All of this means you’ll spend less time configuring and more time monitoring. No more surprises of an audit uncovering system values that are out of compliance, or profiles that have been targets of invalid signon attempts. Of course, Interact also detects events generated by other Powertech products, including users switching to alternate profiles in Powertech Authority Broker, and important network events such as ODBC connections, IFS activities, and FTP file transfers in PowerTech Network Security.
If your organization needs to step up to the next level of security monitoring, download a free 30-day trial of Interact.