Visualizing Mainframe and IBM i Data in Splunk
IBM systems have long been viewed as being highly secure by design. However, it can be very risky to rely too heavily on the reputation of IBM i or z/OS to guard against a growing range of cybersecurity threats. Real-time monitoring is critical. While many organizations already have good visibility to their distributed systems, most are still stuck with a disjointed view of their IT landscape.
Over the past decade, IT analytics and monitoring tools like Splunk visualization have been bringing software log data to life, revolutionizing IT Service Management (ITSM) and changing the way enterprise IT departments operate. As security threats loom ever larger and grow more sophisticated, it’s more important than ever to have a complete view of what’s happening across your IT landscape. For organizations running IBM systems, that can be a challenge, but with the right tools, you can bring that vital information to life for your team.
Splunk Enterprise Security: A Window into Your IT Landscape
Splunk Enterprise Security (ES) is a SIEM (security information and event management) solution that brings together critical information from all the systems in your IT landscape and presents it in one place. By giving IT teams a “single pane of glass” through which to view key events as they happen, Splunk visualization enables security professionals to monitor for security threats, investigate incidents as they unfold, and respond rapidly to prevent or minimize potential harm to the organization, its customers, and other stakeholders.
Splunk does not natively connect with IBM i or z/OS, so for many organizations running those systems, that “single pane of glass” capability has never been fully realized. Without the right tools, IBM systems remain a blind spot in Splunk’s otherwise comprehensive view of the enterprise IT landscape.
Some organizations simply go with the default option of treating IBM systems as silos within their larger IT environment. They rely on native IBM tools or third-party products to monitor what’s happening within the mainframe silo.
This has a number of drawbacks. First, it makes organizations dependent on specialists who understand those IBM systems and have the skills and knowledge to interpret the data. That, in turn, creates a dependency that makes rapid and effective communication difficult. When a security incident is unfolding, that dependency can cause delays that impact the Mean Time to (MTTI) and Mean Time to Resolution (MTTR). Ultimately, IT teams are dealing with wasted time and resources. They may also suffer from reputational damage, both internally and with customers.
Watch our Webinar
To learn more about how Ironstream for Splunk can help you eliminate silos and gain a unified view of your enterprise with Splunk visualization, watch our free on-demand webinar.
This disjointed approach ultimately makes it difficult to get a single, coherent view of what’s happening. This approach relies heavily on people with different skillsets and makes it necessary to seek out key information in more than one system. Because IBM’s native monitoring tools lack the robust visualization capabilities for which Splunk is so well known, that information simply can’t be presented in as meaningful a context.
Getting the Most from Splunk with Precisely Ironstream
There is a way to bring your IBM environment into the fold. Precisely’s Ironstream for Splunk normalizes and streams IBM log data and security information, mapping it to the Splunk ES Common Information Model (CIM). This enables Splunk ES to provide a true enterprise-wide view of security activity, threats, and intrusions.
That opens up new possibilities for dashboards that deliver highly intuitive, real-time insights for timely, effective SEIM monitoring and responsiveness. Here are a few examples of Splunk visualization that IBM shops are using to improve their SEIM, enabled by Precisely Ironstream:
- Weak Access Controls and Security Administration: Many vulnerabilities start with errors and oversights in defining resources, users, access rights, and so on. That requires significant expertise in security administration, and in light of the growing shortage in mainframe talent, that can be a scarce resource. By building Splunk visualizations to monitor access and track anomalies such as Resource Access Control Facility violations by type, administrators can gain rapid visibility to potential problems before they materialize.
- User IDs and Privileges: When organizations create users with no password expiration, with a weak password, or with elevated privileges that are unnecessary, those organizations create risks within the mainframe environment. Studies indicate that one-third of all data breaches can be attributed to insiders within an organization such as employees, contractors, vendors, business partners, or others. It’s often simply a matter of poor security administration, granting unwarranted levels of access and opening the door to abuse. A disgruntled employee with elevated rights or an ex-employee with still-active credentials can pose a meaningful threat. Lax attention to security privileges also renders phishing attacks far more dangerous than they otherwise might be. Splunk visualizations that highlight potential gaps surrounding user IDs and privileges can go a long way toward mitigating these threats.
- Dataset and Resource Access: Very often, system administrators may fail to protect resources appropriately. Safeguards are sometimes defined in terms that are far too broad, giving access to too many users and applications. An additional level of security monitoring ensures that critical dataset resources are not being accessed by the wrong users. Splunk visualizations that track FTP sessions and transfer or Time Sharing Option account activity and lockouts can help to highlight gaps and concerns, suggesting ways to close the door on potential vulnerabilities.
- Data Vulnerability: In today’s complex IT environments, IBM systems no longer operate as isolated components. Instead, they are part of a complex IT infrastructure that includes distributed systems working together to enable the efficient flow of data between various platforms. When the wrong data is allowed to flow into or out of the mainframe, it constitutes a threat to the entire IT landscape. Files being transferred between platforms must be carefully monitored to ensure the integrity of the organization’s valuable data assets.
- Network Intrusion: Today’s IBM systems are more highly integrated with the larger IT infrastructure. That renders them susceptible to outside attacks. Networks are the single biggest point of attack, so organizations must diligently monitor them to look for unwanted port scans, Denial of Service (DoS) attacks, network flood attacks, malformed network packets, and other intrusions. Splunk visualizations that monitor for these anomalies can help IT personnel to identify potential threats in real time.
Precisely’s Ironstream connects your IBM system to Splunk so that your organization can have that “single pane of glass” view to everything that’s happening across your IT environment. With this single source of truth IT infrastructure organizations can save time, money, and ensure that they are getting the most out of their Splunk investment. Ironstream comes with a collection of Starter Packs that include curated dashboards and searches, giving you instant access to Splunk visualizations for security and compliance as well as operational intelligence. Enterprises can install and configure Ironstream for Splunk, getting up and running in just minutes.
To learn more about how Ironstream for Splunk can help you eliminate silos and gain a unified view of your enterprise with Splunk visualization, watch our free on-demand webinar, Learnings from 7 Years of Integrating Mission-Critical IBM Z® and IBM i with Splunk.