Expanding Splunk to Monitor & Analyze IBM i Security Data
IBM i systems house much of the world’s most critical business information. Although these mission-critical systems once operated in relative isolation, today they generally serve as major components within a much broader landscape of integrated systems and applications. That has powerful benefits in terms of application integration and interoperability.
Unfortunately, it also has profound implications for the security of your systems, including those important IBM i systems. For cybercriminals, the sensitive information stored and processed by IBM i can be a very valuable commodity. That makes monitoring and intrusion detection more important today than it has ever been.
These systems are not only subject to external threats, but to internal ones as well. In many cases, data and applications are left exposed because of carelessness or simply out of ignorance of proper protocols. IT administrators must be proactive in monitoring user behavior, identifying anomalous activity or high-risk behavior, and following up promptly to ensure that any potential security risks are addressed right away.
Security Information and Event Management (SIEM) software offers visibility into the activity taking place within an organization’s technology landscape and provides critically important information to IT administrators. SIEM solutions help to separate suspicious activity from the background noise, highlighting potential threats that call for further investigation. When users neglect to follow proper protocols, when viruses show up inside the firewall, or when suspicious network activity indicates a potential intrusion, a SIEM tool can help administrators identify the problem quickly and resolve it before any damage is done.
Read our eBook
Splunk is an industry leader in IT operations and security analytics – helping you make better, faster decisions with real-time visibility across the enterprise. Read our eBook to learn more.
Splunk: A Powerful Tool in the IT Arsenal
Splunk has rapidly gained momentum as an integral component in the fight to secure IT systems. Increasingly complex requirements like PCI-DSS, FFIEC, HIPAA, and similar standards and regulations call for stringent IT security. These regulations and standards are backed by security audits, and violations can lead to legal action, severe reputational damage, and costly fines and penalties.
Unfortunately, security incidents are increasingly common. Perhaps even more importantly, they are becoming increasingly expensive. A single event can cost an organization hundreds of thousands of dollars, or potentially even millions, so it’s no surprise that powerful SIEM tools like Splunk are getting attention.
However, for most organizations running IBM i systems, there is a problem. Although Splunk is designed to integrate relatively easily with a wide range of modern distributed computing systems, it doesn’t include native support for the IBM i platform. That leaves IT administrators with a siloed, disconnected view of their systems. They can monitor IBM i activity using dedicated tools for that purpose; and separately, they can keep an eye on the rest of their IT landscape. Unfortunately, they can’t use Splunk to see those two elements together in a unified, holistic way.
For true visibility into potential security problems, administrators must be able to collect, manage, and analyze information originating from within their IBM i systems. Without that capability, security threats could go unnoticed for days, weeks, or even months. That exposes the organization to substantial risks that could otherwise have been prevented.
Automating Access to IBM i Log Data
IBM i systems can be configured to log important security data, but manually accessing that information, sorting it, and analyzing it can be extraordinarily time-consuming. The process of accessing, filtering, and analyzing that information in response to a security audit requires an extensive time commitment from highly skilled IT specialists.
Some organizations are tempted to try automating the process by writing custom programs to access the System Audit Journal (QAUDJRN), for example. Because IBM i logs over 90 unique types of audit entries, it can be quite challenging to write the custom code necessary to extract the specific log entries you want. Moreover, it can be nearly impossible to review and understand the resulting audit data manually.
The same statements can be made about the other log sources maintained on IBM i systems, such as the QSYSOPR Message Queue (Operator Messages), the QSYSMSG Message Queue (System and Application Messages), and the QHST History Log.
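As an added illustration (not code from the post or from Precisely) of the extraction step described above: pick a few security-relevant QAUDJRN entry types out of the 90-plus, normalize them into JSON events a SIEM can ingest, and run one simple check over the result. The sample rows, the column names (loosely modelled on a DSPJRN outfile), the YYMMDD date format and the host name are all constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample rows standing in for a dump of the QAUDJRN audit journal.
# JOENTT/JOUSER/JOJOB/JODATE/JOTIME are assumed column names; a real dump has
# many more columns and fixed-width entry-specific data instead of a note field.
SAMPLE_ROWS = [
    {"JOENTT": "PW", "JOUSER": "JSMITH ", "JOJOB": "QPADEV0001", "JODATE": "240301", "JOTIME": "081502"},
    {"JOENTT": "PW", "JOUSER": "JSMITH ", "JOJOB": "QPADEV0001", "JODATE": "240301", "JOTIME": "081530"},
    {"JOENTT": "PW", "JOUSER": "JSMITH ", "JOJOB": "QPADEV0001", "JODATE": "240301", "JOTIME": "081558"},
    {"JOENTT": "ZC", "JOUSER": "BATCH01", "JOJOB": "NIGHTLY01 ", "JODATE": "240301", "JOTIME": "082000"},
    {"JOENTT": "AF", "JOUSER": "TEMP01 ", "JOJOB": "QPADEV0002", "JODATE": "240301", "JOTIME": "083112"},
    {"JOENTT": "CP", "JOUSER": "QSECOFR", "JOJOB": "QPADEV0003", "JODATE": "240301", "JOTIME": "090005"},
]

# Real QAUDJRN entry types a SIEM should see: AF = authority failure,
# PW = invalid password or user ID, CP = user profile created/changed/deleted.
# Everything else (e.g. the noisy ZC object-change entries) is dropped here.
SECURITY_TYPES = {"AF": "authority_failure", "PW": "invalid_password", "CP": "user_profile_change"}
HOST = "IBMI-PROD"  # constructed host tag so events stay attributable in the SIEM


def to_event(row):
    """Flatten one journal row into a JSON-ready dict with an ISO-8601 timestamp."""
    ts = datetime.strptime(row["JODATE"] + row["JOTIME"], "%y%m%d%H%M%S")  # assumes YYMMDD job date format
    return {
        "time": ts.isoformat(),
        "entry_type": row["JOENTT"],
        "category": SECURITY_TYPES[row["JOENTT"]],
        "user": row["JOUSER"].strip(),
        "job": row["JOJOB"].strip(),
        "host": HOST,
    }


def extract_security_events(rows, wanted=SECURITY_TYPES):
    """Keep only the entry types in `wanted`, converting each to a normalized event."""
    return [to_event(r) for r in rows if r["JOENTT"] in wanted]


def repeated_password_failures(events, threshold=3):
    """Users with at least `threshold` PW entries: a simple thing to alert on once the data is in the SIEM."""
    counts = Counter(e["user"] for e in events if e["entry_type"] == "PW")
    return {user: n for user, n in counts.items() if n >= threshold}


def to_json_lines(events):
    """One JSON object per line, the shape most log shippers and SIEM HTTP inputs accept."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    events = extract_security_events(SAMPLE_ROWS)
    print(to_json_lines(events))
    print("repeated PW failures:", repeated_password_failures(events))
```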
Bringing Your IBM i System Information to Splunk
Splunk does not natively integrate with the IBM i platform. But there is a proven alternative that enables IT administrators to gain full and immediate visibility into their IBM i systems without custom programming and extensive manual effort.
Precisely Ironstream was developed in partnership with Splunk. Ironstream makes it possible to collect and securely stream IBM i security, compliance, and operational log data into Splunk, without requiring administrators to have specialized knowledge in IBM i systems. It enables administrators to filter and transform data on the fly, delivering the exact information they need to Splunk. With Ironstream, critical security-related information from your entire IT landscape is available in one place, without delay.
Splunk does a phenomenal job churning through large amounts of data and rendering it into visual formats that can provide valuable insights to IT administrators. With Splunk and Ironstream, compliance and security specialists can finally get everything they need in one place: reports for compliance auditing, network analytics, and security monitoring.
Read our eBook: Top Use Cases for IBM i Data in Splunk: IT Operations Analytics.