Eliminate Enterprise Security Blindspots with Ironstream and Splunk

Many companies today depend on Splunk ES (Enterprise Security) as the foundation of their cybersecurity program. Splunk ES ingests data from throughout the organization’s IT infrastructure, correlates it, and analyzes it to enable real-time threat monitoring and security alerts.

However, Splunk ES has a major blind spot. It promises comprehensive security coverage based on the assumption that it receives relevant data from all significant components of the organization’s IT infrastructure. Yet, for the 71 percent of Fortune 500 companies that continue to use mainframes and are even seeing that usage increase. Splunk ES has no native ability to tap into data from these platforms that typically process a company’s most mission-critical applications.

Precisely Ironstream was created to eliminate that gaping hole in enterprise cybersecurity coverage. Ironstream for Splunk® forwards data from z/OS into Splunk ES, where it is merged with the data Splunk collects from the other portions of the organization’s IT infrastructure.

How Ironstream delivers mainframe to Splunk ES

Precisely Ironstream is the industry’s leading solution specifically designed to automatically forward key operational and security information from z/OS to Splunk ES in real time. It accomplishes this by tapping into the information available in logs these systems already maintain. 

For example, in the mainframe environment, Ironstream captures z/OS data from a variety of sources, such as Syslog, SyslogD, SMF, RMF, SYSOUT, Db2 tables, and Log4j. Ironstream normalizes the data, then streams it in near real time to Splunk ES.

How Ironstream/Splunk mitigates enterprise cybersecurity issues

The data Ironstream forwards to Splunk ES is combined with information from other parts of the organization’s IT infrastructure to produce a comprehensive security status overview. Splunk ES monitors and assesses this pool of data and sends out real-time alerts when potential security-related events are detected. 

That real-time capability is vital. Security threat identification in mainframe has traditionally been done using batch jobs that may run only once a day. By the time suspicious activity is detected, the damage has usually already been done. With Ironstream enabling real-time monitoring of the system logs that continuously track system activity, Splunk ES can be configured to detect and respond to such threats as they occur.

For example, a common enterprise cybersecurity threat is the phishing attack in which “social engineering” is used to trick workers into revealing sensitive information such as system access credentials. Because Ironstream enables ongoing tracking of unusual login attempts or data transfers, alerts can be issued when suspicious user activity is first detected.

Insider threats are a perennial issue. A disgruntled employee with administrative privileges steals or destroys data. Or employees leave, but their network access privileges are never revoked. (According to a 2017 study, 48 percent of former employees can still access their company’s network after they leave). With Ironstream enabling continuous monitoring of data movement, network events, FTP activity, file creation and deletion, and more, your chance of quickly detecting and countering illicit insider activity is greatly enhanced.

By fully integrating your mainframe into the Splunk ES input data stream, Ironstream for Splunk® eliminates a huge blind spot in your company’s cybersecurity posture.

To learn more, read our eBook: Splunk and the Mainframe: 6 Real-World Case Studies for ITOA, ITSI and SIEM