Christopher Perry – BMC Software | Blogs (https://s7280.pcdn.co, feed generated Wed, 24 Jan 2024)

Understanding the Tactics of Russian Cyber Attacks, and How to Prepare for One
https://s7280.pcdn.co/detect-prevent-mainframe-cyberattacks/
Wed, 06 Apr 2022

Anxiety is high around the potential for Russian cyberattacks given the current political climate. By learning about the history of cyber conflict between Russia and Ukraine, we can gain strategies to protect our own systems. Combined with conventional military forces, Russia has been using Ukraine as a live-fire cyber range to unleash cyberweapons as part of its military operations for years. These historic cyberattacks can serve as critical case studies of what can come in the future—read on for ways to prepare.

Case Studies

On December 23, 2015, Ukrainian civilians were preparing for Christmas festivities when roughly 230,000 people lost power for several hours due to a cyberattack attributed to the Russian group known as the Sandworm Team. The attackers used traditional spear-phishing emails carrying malicious Office documents to target employees of the regional power distribution companies and gain initial access to the organizations.

From there, they used the BlackEnergy malware to establish a foothold and harvest credentials, then used legitimate remote-access tools over the utilities' own VPN connections to operate the SCADA human-machine interfaces and open breakers at dozens of substations. The KillDisk wiper component destroyed workstations and servers to limit the organizations' ability to react and recover, and a telephone denial-of-service flooded the customer call centers. This case study shows that Russian Advanced Persistent Threats (APTs) like the Sandworm Team are far more capable than simple attacks on Windows PCs and will target the critical infrastructure components where they can inflict the most damage on an organization.

On June 27, 2017, one of the most destructive cyberattacks in history was unleashed on companies that do business in Ukraine. The attack that became known as NotPetya was also attributed to the Sandworm Team. It was a worm that combined the leaked EternalBlue and EternalRomance SMB exploits with credential theft (a Mimikatz-derived component) and legitimate administration tools such as PsExec and WMIC, so it spread automatically through victim networks without any user interaction. On each host it overwrote the master boot record and encrypted the master file table with no working recovery path, destroying all the data on the system.

This cyberattack, masquerading as a criminal ransomware operation, caused over ten billion dollars in damages, slowed global shipping by crippling giants like Maersk, and demonstrated Russia's intent to target private companies and critical infrastructure as part of its cyber warfare foreign policy. The Sandworm Team did this by compromising one target, the vendor of the Ukrainian tax accounting software M.E.Doc, and backdooring its software update mechanism to reach every one of M.E.Doc's customers at once: a textbook software supply-chain attack.

Security Blindspot

Private companies should take heed of these case studies, as they demonstrate Russian willingness to target corporate critical infrastructure for devastating impact. Cybersecurity policy design should focus on identifying that key infrastructure, implementing modern and effective security controls, and testing them against dedicated white-hat hackers through penetration tests and cybersecurity simulations. Many organizations likely believe they are doing this, but reality continues to show a specific gap that modern cybersecurity tools and priorities have ignored: the IBM® mainframe.

The mainframe is often called the backbone of the IT enterprise. It is still running the core business applications for 67 of the Fortune 100 and handles 68 percent of the world’s production IT workloads. Despite this, it is commonly an afterthought for enterprise security strategies, and the pervasive myth that “you can’t hack a mainframe” is still painfully common. The mainframe is just a server that can be accessed from any personal computer, which means it is just as vulnerable to attack as any other server in the enterprise.

In fact, because it is so often an afterthought, many mainframes are left staggeringly vulnerable by organizations that felt secure because they passed a checkbox audit. This false sense of security would have been pierced by a single mainframe penetration test done by a legitimate mainframe hacker, but many organizations have still not done this. This is dangerous.

A Bank’s Sitting Duck

Let's take a look at the case of a bank that thought its mainframe was secure*. A hacker spear-phished the system programmer by targeting him directly through LinkedIn. They inferred his role and the level of access that came with it from his job title, information we post openly for the world to see. Once they gained access to the system programmer's personal computer, they used a keylogger to steal his credentials and access the mainframe.

At this point, the hacker had as much control over the mainframe as that system programmer did, which is a lot. This bank couldn't detect anomalous or malicious activity, so the hacker built custom ransomware that encrypted dozens of sensitive files, and the bank was then forced to pay to retrieve them. Imagine if this attack had been carried out by hackers who simply wanted to destroy the entire mainframe environment with an irreversible encryption attack. That would be a catastrophic event for that organization, and it is the exact kind of impact that Russia can have.

Secure Your Mainframe

So, what do we do about this kind of threat? For starters, include your mainframe as a critical asset in any enterprise cybersecurity plan. This means ensuring you have real-time visibility and analytics in your security operations center to detect anomalous and malicious activity happening on the mainframe.

You should also build indicators of compromise to detect whether an attacker gained control of your system programmer’s credentials or the system was impacted by destructive damage from an insider threat.

By implementing advanced controls under a Zero Trust architecture, you can dramatically limit the scope of a breach should an attacker find a foothold. There is no standalone product that you can install to call Zero Trust complete, but you can implement a combination of solutions that work together enterprise-wide to limit lateral movement and detect malicious behavior.

If you have a mainframe, it is your critical infrastructure. The time to start securing it like one is now. To this end, and in an effort to help European customers through the Russia-Ukraine conflict, BMC is making its mainframe security software, BMC AMI Security, available to European-based customers in the banking and financial sectors under a limited-term license at no charge until December 31st, 2022. To learn more, please contact your account manager representative.

BMC Hackathon Identifies Authorized State Vulnerabilities
https://www.bmc.com/blogs/mainframe-security-authorized-state-vulnerabilities/
Thu, 14 Oct 2021

Part of BMC’s culture is the fostering of ideas from our field and research and development personnel. To achieve this, BMC instituted a hackathon—a marathon of activities to bake new ideas that improve our offerings, exploit our own solutions, or create ideas for brand new products altogether. Some of our software consultants have over 30 years of detailed mainframe knowledge, so letting them try on the hacker hat for a while uncovered some devastating vulnerabilities among common privileges that are often available on production IBM® z/OS® systems. This is part one of a technical series where we will detail some of those possible vulnerabilities so you can identify potential areas of concern in your own environments.

For this installment, we will focus on privilege escalation: getting a program to run in supervisor state, or with the equivalent authorized-state privileges, without express permission to do so. As most z/OS developers know, the most common route hackers exploit is the Authorized Program Facility (APF), and working exploit code for APF abuse is publicly available on GitHub. To run in an authorized state, a program must meet two criteria: 1) it must be link-edited with authorization code 1 (AC=1), and 2) the resulting executable load module must reside in an APF-authorized library. That library can be one already in the APF list, or one that is added dynamically. One corollary worth remembering when you review job streams: if a job step uses a STEPLIB or JOBLIB concatenation, every library in that concatenation must be APF-authorized, or the whole step runs unauthorized regardless of AC=1.

Accordingly, any addition of a program to an existing APF library, or the addition of a new library to the APF list, needs to be reported to the security operations center (SOC), as this represents a significant security threat to the mainframe. To help with this, BMC AMI Security provides dynamic enrichment for any action in an APF library or any dynamic APF command that would not be available in traditional logs. These are then processed into real-time alerts that can be sent directly to an enterprise security information and event management (SIEM) solution or a security orchestration, automation, and response (SOAR) solution to trigger an incident response.

This is all well and good. However, our mainframe experts decided to take it one step further and highlight methods of running in an authorized state that do not involve the use of z/OS APF libraries at all.

UNIX System Services (USS) Directory Method

One of these methods stores a program in a z/OS UNIX (USS) directory with the APF extended attribute set, which allows it to execute in an authorized state (it must still be link-edited with AC=1). It is easy to assemble and link-edit such a program entirely from a USS shell, without submitting a batch job. The original post includes sample assembler source demonstrating this method; it was published as an image and is not reproduced here.

The attribute does not have to be set at link-edit time. Several shell and ISPF paths can set it on an existing file: the extattr +a shell command, untar and pax when extracting an archive that preserves extended attributes, the BPXCOPY program (PGM=BPXCOPY), and ISPF option 3.17 (the z/OS UNIX directory list) with the mx line command. Each of these needs to be locked down. The common control point is the security manager: in RACF, setting the APF extended attribute requires READ access to the BPX.FILEATTR.APF profile in the FACILITY class, so who holds that access deserves the same scrutiny as who can update the APF list itself.

This method is slightly more concerning because many organizations fail to consider USS security the same way they consider standard z/OS permissions, and our mainframe penetration testers have found it to be one of the most successful avenues to escalate their privileges while attacking some of the largest mainframe shops in the world.

The good news is, that regardless of the manner used to set the APF attribute, it is both securable and auditable. BMC AMI Security provides the same level of enrichment and out-of-the-box detection to provide real-time alerts for any anomalous or malicious activity in USS. In addition, it provides an automated audit capability that will alert your security team to any open USS permissions that may have been overlooked.
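As an added example (not code from the original post or from BMC AMI Security), here is a small Python audit that reads the output of `ls -E` from a z/OS UNIX file system and flags APF-tagged programs. The listing below is constructed, and the approved-directory allow-list is an assumption you would replace with your own. The parser only assumes that `ls -E` adds a four-character extended-attribute column in which `a` marks an APF-authorized file; it does not depend on the order of the other three letters (program-controlled, shared address space, shared library). A writable APF program is the worst case, because anyone with write access can replace authorized code, so the audit flags group/other write permission as well as files outside the approved directories.

```python
"""Audit a z/OS UNIX `ls -E` listing for APF-authorized programs.

Added example, not BMC AMI Security code. Input is constructed `ls -El`
output; APPROVED_APF_DIRS is an assumed site allow-list.
"""
import re
from dataclasses import dataclass

# Constructed sample output of `ls -El /usr/lpp/myapp /tmp` (not captured from a real system).
SAMPLE_LS_E = """\
/usr/lpp/myapp:
-rwxr-x---  a-s-  1 SYSPROG  SYS1     24576 Oct 12 09:14 apfsvc
-rwxr-xr-x  --s-  1 SYSPROG  SYS1     12288 Oct 12 09:14 helper
/tmp:
-rwxrwxrwx  a---  1 USER123  USERS     8192 Oct 13 22:41 mybypass
-rw-r--r--  ----  1 USER123  USERS      512 Oct 13 22:40 notes.txt
"""

APPROVED_APF_DIRS = {"/usr/lpp/myapp"}  # assumption: directories allowed to hold APF programs

# mode, extended-attribute column (a/p/s/l or '-'), link count, owner, group,
# size, month, day, time-or-year, name
LINE_RE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+(?P<ext>[apsl-]{4})\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)


@dataclass
class Finding:
    path: str
    owner: str
    reasons: list


def parse_ls_e(text):
    """Yield (directory, mode, ext_attrs, owner, group, name) for each file line."""
    current_dir = ""
    for line in text.splitlines():
        if line.startswith("/") and line.endswith(":"):
            current_dir = line[:-1]          # "dir:" header emitted by ls for each argument
            continue
        m = LINE_RE.match(line)
        if m:
            yield current_dir, m["mode"], m["ext"], m["owner"], m["group"], m["name"]


def audit_apf_files(text, approved_dirs=APPROVED_APF_DIRS):
    """Return findings for every APF-tagged file that is misplaced or writable."""
    findings = []
    for d, mode, ext, owner, group, name in parse_ls_e(text):
        if "a" not in ext:                   # not APF-authorized: out of scope
            continue
        reasons = []
        if d not in approved_dirs:
            reasons.append("APF attribute set outside an approved directory")
        # mode[1:4] = owner bits, mode[4:7] = group bits, mode[7:10] = other bits
        if "w" in mode[4:7] or "w" in mode[7:10]:
            reasons.append("APF program is writable by group or other")
        if reasons:
            findings.append(Finding(f"{d}/{name}", owner, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_apf_files(SAMPLE_LS_E):
        print(f.path, f.owner, "; ".join(f.reasons))
```

On a real system you would feed it the output of `ls -ER` over the mount points you care about and run it from a scheduled job whose output your SOC already collects; the interesting result is the delta between runs, not the first inventory.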

Multiple Virtual Storage (MVS) Command Method

The last method we will discuss in this series is the use of MVS commands. As one of our consultants said, "Give me access to run MVS commands and I own the mainframe."

First, some context. Before it can be executed, a z/OS program must be fetched and loaded into storage. For performance reasons, z/OS dedicates an area of storage to programs that are loaded once, during initial program load (IPL), and then shared. This portion of storage is known as the link pack area (LPA). Programs in the LPA can be executed without specifying a library (JOBLIB/STEPLIB), and the LPA is searched before LNKLST. They are available to all address spaces, and because the LPA is treated as APF-authorized, a module that resides there runs authorized as long as it was link-edited with AC=1.

To avoid an IPL, the LPA is not normally changed except for emergency maintenance. In these emergency situations, an MVS command can be used to add a program to the LPA on the fly, and it will run as authorized even if it is added from a non-APF library.

This command:

SETPROG LPA,ADD,MODNAME=mybypass,DSNAME=prefix.non.apf.listed

dynamically adds program mybypass to the LPA.

So, what does this mean? With an MVS command, you can quickly add any program that gives you full control over the mainframe to the LPA in an authorized state. Or, more succinctly, any user with MVS command authorization should be considered a fully privileged user.

Fortunately, the use of MVS commands is also securable and auditable. BMC AMI Security real-time detection and alerting is enriched to report on the use of any MVS command or any suspicious activity or indicator of compromise (IOC). In the case of adding a program to the LPA, this needs to be sent to a SOC with the same urgency as the addition of an APF library, since it indicates the potential misuse of authorization for a privilege escalation. For most organizations, if you are not actively monitoring for this type of activity in real-time, you will not know there is a potential catastrophic event until it is too late.
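Here is an added example (not BMC AMI Security code) of the detection logic this section and the earlier APF-list paragraph call for: a Python scanner that reads console-command records, picks out SETPROG commands, and rates them. The record layout and the sample records are constructed, and KNOWN_APF_DSNS stands in for your own APF list (what `D PROG,APF` displays). An LPA add from a library that is not in that list gets the highest severity, because it is exactly the bypass described above. In practice the input would be OPERLOG/SYSLOG or the SMF records your SIEM already receives, and you would also match the contents supervisor (CSV-prefixed) response messages, so that a command issued through a route you are not watching still surfaces.

```python
"""Alert on dynamic APF-list and LPA changes issued as MVS operator commands.

Added example, not BMC AMI Security code. Record layout and sample records are
constructed; KNOWN_APF_DSNS is an assumed copy of the site's APF list.
"""
import re
from dataclasses import dataclass

# Assumption: the current APF list, as shown by D PROG,APF on this system.
KNOWN_APF_DSNS = {"SYS1.LINKLIB", "SYS1.SVCLIB", "SYS1.MIGLIB", "PROD.AUTH.LOAD"}

# Constructed records: "<time> <console> <userid> <command text>"
SAMPLE_SYSLOG = """\
14:02:31 CONSOLE1 OPER01  D PROG,APF
14:02:33 CONSOLE1 OPER01  SETPROG APF,ADD,DSNAME=PROD.AUTH.LOAD,SMS
22:41:07 SDSFCMD  USER123 SETPROG APF,ADD,DSNAME=USER123.LOAD,VOLUME=WORK01
22:41:19 SDSFCMD  USER123 SETPROG LPA,ADD,MODNAME=MYBYPASS,DSNAME=USER123.NON.APF
22:42:02 SDSFCMD  USER123 SETPROG APF,FORMAT=DYNAMIC
09:10:44 CONSOLE1 OPER01  SETPROG LNKLST,ACTIVATE,NAME=LNKLST01
"""

REC_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<console>\S+)\s+(?P<user>\S+)\s+(?P<cmd>SETPROG\s.*)$", re.I
)
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


@dataclass
class Alert:
    time: str
    user: str
    severity: str
    reason: str
    command: str


def classify(cmd):
    """Return (severity, reason) for a SETPROG command, or None if it is not a concern here."""
    parts = cmd.split(None, 1)
    if len(parts) < 2:
        return None
    body = parts[1].upper()
    fields = body.split(",")
    target = fields[0]
    action = fields[1] if len(fields) > 1 else ""
    kv = {k.upper(): v.upper() for k, v in KV_RE.findall(body)}

    if target == "APF" and action == "ADD":
        return "HIGH", f"APF list extended with {kv.get('DSNAME', '?')}"
    if target == "APF" and action.startswith("FORMAT=DYNAMIC"):
        return "HIGH", "APF list switched to dynamic format (enables further SETPROG APF,ADD)"
    if target == "LPA" and action == "ADD":
        dsn = kv.get("DSNAME", "?")
        mod = kv.get("MODNAME", "?")
        if dsn not in KNOWN_APF_DSNS:
            return "CRITICAL", f"module {mod} added to LPA from non-APF library {dsn}"
        return "HIGH", f"module {mod} added to LPA from {dsn}"
    return None


def scan(text):
    """Turn matching console records into alerts, preserving record order."""
    alerts = []
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        verdict = classify(m["cmd"])
        if verdict:
            alerts.append(Alert(m["time"], m["user"], verdict[0], verdict[1], m["cmd"]))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_SYSLOG):
        print(a.time, a.user, a.severity, a.reason)
```

Note that the scanner rates an APF add of a library that is already in the list as HIGH rather than ignoring it: the list changed, and the point of the alert is that someone was able to change it. Tuning belongs in the SOC's triage, not in the detector.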

The singular takeaway from the plethora of ways to abuse privileges is that you won’t know there is abuse unless you are looking. Our mainframe hackers have a near-perfect record of finding privilege escalation methods at major organizations that truly felt their environments were perfectly secured. Because they were never tested adversarially, they developed a false sense of security that comes from decades of not being attacked in the same capacity as internet-facing Windows and Linux servers.

With BMC AMI Security, you can leverage automated audit capabilities to lock down and harden your environments from external or insider threats. Our threat detection and response will then provide you with real-time monitoring and alerting capabilities integrated directly into your 24×7 SOC so that you can avoid the existential threat of ransomware on the mainframe that has crippled the first victims of mainframe malware. BMC AMI Security is built by hackers to stop hackers. Learn more at bmc.com/ami-security.

Embracing SecOps with a BMC Helix and BMC AMI Security Integration
https://www.bmc.com/blogs/embracing-secops-with-bmc-helix-bmc-ami-security-integration/
Fri, 02 Apr 2021

As BMC continues its journey to supporting our clients in achieving their dreams of an autonomous digital enterprise, we are proud to announce that we have released key integrations between our BMC Helix and BMC AMI solutions to help unite IT Operations and Security team workflows. To level set, BMC AMI Security is the industry's leading mainframe detection and response solution with the largest library of Indicators of Compromise. It maintains real-time integrations with all leading enterprise Security Information and Event Management (SIEM) solutions like Splunk® and Micro Focus ArcSight®. BMC Helix is our market-leading IT Service Management solution, recognized as the best Ticketing and Event Management software solution of 2020.

When working with our clients, a regular challenge that we have found is that there can be a significant gap between their security teams who are detecting anomalous and malicious behavior and the operations teams who are responsible for remediation. Conducting triage, containment, and eradication of threats during incident response might be coordinated via phone calls, email, or other manual processes that ultimately slow the process down. This gap leaves companies at risk and wastes valuable human resources.

With our new integration, when BMC AMI Security detects anomalous or malicious activity occurring on our client’s critical mainframe platform it will produce an alert that can be fed directly into our BMC Helix ITSM platform which will trigger automated workflows to orchestrate and accelerate incident response. This allows our clients to minimize manual processes in their mainframe security operations that delay reaction times to critical security incidents. A fast and effective incident response is not optional when a threat has gained privileged access to sensitive data or a rogue process is encrypting datasets with ransomware.

The benefits of the BMC Helix and BMC AMI Security integration for SecOps include:

  • Operational Efficiency – By leveraging the power of BMC Helix's automated workflows, you can replace manual and time-consuming processes and enable teams to achieve greater output with fewer resources.
  • Reduced time to response – By automating and prioritizing security incidents in BMC Helix, you can minimize your Mean Time To Respond (MTTR), which can contain an incident before it becomes a catastrophic breach.
  • Centralized Incident Response Management – By integrating security alerts from BMC AMI Security and other security solutions into BMC Helix, you gain the ability to coordinate security incident management across your enterprise.

“Every company is trying to accelerate and automate their business to deliver more value to their customers with their current resources” states John McKenny, Senior Vice President and General Manager of ZSolutions at BMC. “Today we are glad to announce that our BMC clients are able to achieve an integrated SecOps strategy for incident response through their existing investment.”

BMC Software is dedicated to helping our clients achieve their dreams of an Autonomous Digital Enterprise and fully attain adaptive cybersecurity throughout their enterprise. We are proud to integrate our powerful solutions together to help our customers maximize the value they can realize in their tools and, most importantly, enable them to have a modern cybersecurity experience for their mainframes. If you are interested in learning more about these solutions, or simply discussing mainframe security, please feel free to reach me at Christopher_perry@bmc.com.

Better together: Application Audit and AMI Security
https://www.bmc.com/blogs/application-audit-join-ami-security-family/
Tue, 10 Nov 2020

One of BMC Software’s most exciting announcements this year was the acquisition of Compuware,[1] our largest purchase in our 40 years of serving the mainframe community. Compuware shares our fanatical belief in the longevity of the platform and now is part of our team for modernizing the ‘backbone’ of the IT enterprise. While Compuware has primarily focused on enabling application developers to adhere to the modern DevOps processes, one of their solutions provides detailed application and user behavior data that integrates directly into our AMI Security[2] portfolio. This solution, Application Audit[3] now works alongside AMI Security to enhance our ability to protect, detect, and respond to malicious threats on the mainframe.

What Is Application Audit?

Application Audit is a mainframe security solution that delivers deep insight into user behavior by capturing and analyzing start-to-finish user session activity. This provides not only the file access you would find in regular logs, but also what data was viewed, by whom, and which applications were used to access it. This detailed data significantly increases the security team's ability to conduct User Entity Behavior Analytics (UEBA), support incident response, and fulfill compliance mandates regarding protection of sensitive data. It also integrates the data directly into AMI Security, where it can be consolidated alongside the data in AMI Defender for a single viewpoint of all security concerns on the mainframe. AMI Security is also specifically designed to display and integrate with Application Audit data to support developing indicators of compromise and incident response following an alert.

Indicators of Compromise

AMI Security is the market-leading solution for providing detection and response capabilities on the mainframe. Leveraging a real-time stream of mainframe logs and events, AMI Security correlates actions together to build Indicators of Compromise as alerts for anomalous or malicious activity. Application Audit's detailed user behavior data is fully integrated in real time, which significantly enhances AMI Security's ability to perform UEBA, detect threats as they occur, and ultimately defend the platform.

Here is an example: one of the unique data points captured by Application Audit is the session's keyboard commands, menu selections, and the specific data viewed. When a malicious threat gains access to a system, the first thing they need to do is enumerate the environment to understand the specific logical partition, their privileges, and the available resources. This enumeration stage is often automated in publicly available scripts[4], or follows a similar enough pattern that you can build correlation rules and alerts indicating that this is not normal user behavior. With user activity captured at this level by Application Audit, you can enhance your overall detection mechanisms to alert on a threat before they even begin to take malicious actions on the system.
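To make the enumeration pattern concrete, here is an added example (not Application Audit or AMI Security code) of a correlation rule in Python: a per-user sliding window over a session command stream that fires when several distinct RACF/TSO enumeration commands appear within a short interval. The command stream is constructed, the list of commands treated as reconnaissance is an assumption you would tune to your site, and the window and threshold are starting values rather than recommendations. The rule is stateful on purpose: a single LISTUSER is normal administration, while four different listing commands in twenty seconds from an account that does not normally administer RACF is the pattern a public enumeration script produces.

```python
"""Detect environment-enumeration bursts in per-user session command streams.

Added example, not Application Audit or BMC AMI Security code. The session
records are constructed; ENUM_ALIASES is an assumed list of commands a site
treats as reconnaissance.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# RACF/TSO commands (and their short forms) an intruder uses to map the system.
ENUM_ALIASES = {
    "LISTUSER": "LISTUSER", "LU": "LISTUSER",
    "LISTGRP": "LISTGRP", "LG": "LISTGRP",
    "SEARCH": "SEARCH", "SR": "SEARCH",
    "RLIST": "RLIST", "RL": "RLIST",
    "LISTDSD": "LISTDSD", "LD": "LISTDSD",
    "LISTCAT": "LISTCAT", "LISTALC": "LISTALC",
    "SETROPTS LIST": "SETROPTS LIST",
}
WINDOW = timedelta(seconds=120)
THRESHOLD = 4  # distinct enumeration commands inside WINDOW triggers an alert

# Constructed session records: "<ISO timestamp> <user> <command line>"
SAMPLE_SESSIONS = """\
2020-11-10T09:00:01 DEV01   LISTCAT LEVEL(DEV01)
2020-11-10T09:00:40 DEV01   LISTALC STATUS
2020-11-10T09:03:10 DEV01   EDIT 'DEV01.JCL(BUILD)'
2020-11-10T13:15:02 USER123 LU USER123
2020-11-10T13:15:09 USER123 LG SYS1
2020-11-10T13:15:14 USER123 SR CLASS(DATASET) FILTER(SYS1.**)
2020-11-10T13:15:21 USER123 RL FACILITY BPX.SUPERUSER AUTHUSER
2020-11-10T13:15:30 USER123 SETROPTS LIST
2020-11-10T13:16:02 USER123 LD DATASET('SYS1.PARMLIB') ALL
2020-11-10T13:15:55 OPER01  LU OPER01
"""


@dataclass
class Alert:
    user: str
    start: datetime
    end: datetime
    commands: list


def enum_name(command):
    """Map a command line to its canonical enumeration name, or None if it is not one."""
    text = " ".join(command.upper().split())
    for alias in sorted(ENUM_ALIASES, key=len, reverse=True):   # longest alias first
        if text == alias or text.startswith(alias + " "):
            return ENUM_ALIASES[alias]
    return None


def parse(text):
    """Parse and time-order the records; logs from several sources rarely arrive sorted."""
    rows = []
    for line in text.splitlines():
        ts, user, cmd = line.split(None, 2)
        rows.append((datetime.fromisoformat(ts), user, cmd))
    return sorted(rows, key=lambda r: r[0])


def detect_bursts(text, window=WINDOW, threshold=THRESHOLD):
    recent = defaultdict(deque)   # user -> deque of (time, canonical command) inside the window
    alerts = []
    for ts, user, cmd in parse(text):
        name = enum_name(cmd)
        if name is None:
            continue
        q = recent[user]
        q.append((ts, name))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = []
        for _, n in q:
            if n not in distinct:
                distinct.append(n)
        if len(distinct) >= threshold:
            alerts.append(Alert(user, q[0][0], ts, distinct))
            q.clear()             # one alert per burst; the next burst starts from scratch
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_SESSIONS):
        print(a.user, a.start.time(), a.end.time(), a.commands)
```

A real deployment would add a per-user allow-list (RACF administrators enumerate for a living) and would score the burst higher when the account has never issued these commands before, which is where the historical session data the paragraph describes earns its keep.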

Incident Response

Not only does Application Audit enable better detection capabilities, but the user data also significantly enhances the incident response team’s ability to determine what the threat did on the mainframe. Since Application Audit captures the exact details for what the threat did, AMI Security can fully rebuild the 3270 screens to provide the security administrator the ability to see specifically what they were looking at, what data they were able to exfiltrate, and what data they were able to modify. The ability to graphically see all the threat’s actions significantly decreases how long it would take to respond to the security incident and thus reduces the organization’s total Mean Time To Respond (MTTR) which can be the difference between a minor breach and a catastrophic event.

Let's take a look at another example. Using AMI Security, you get an alert that a specific user was able to escalate their privileges[5] and now holds SPECIAL and OPERATIONS authority on the mainframe without being authorized for it. The incident response team takes the user ID and performs a query in AMI Security, which has the Application Audit data integrated, and sees the specific information the user was querying with their new privileges. You can immediately identify the RACF database and encryption key data sets that the user opened and viewed so they could crack passwords offline for persistence and decrypt sensitive data. Because the incident response team could immediately identify the malicious activity, they were able to revoke the user's credentials and block them from accessing the mainframe through their initial point of entry while they changed the passwords and encryption keys and responded to the breach across the distributed portion of the enterprise.

Conclusion

BMC Software is dedicated to providing modern mainframe security software solutions that ultimately enable our clients to protect, detect, and respond to malicious threats. We could not be more excited to welcome the Compuware team into the BMC family and the Application Audit solution to the AMI Security portfolio. If you are interested in learning more about these solutions, or simply discussing mainframe security, please feel free to reach me at Christopher_perry@bmc.com.

[1] Compuware Acquisition PR
[2] https://www.bmc.com/it-solutions/bmc-ami-mainframe-security.html
[3] https://www.compuware.com/application-audit/
[4] https://github.com/hacksomeheavymetal/zOS
[5] https://www.bmc.com/blogs/top-10-privilege-escalation-hacks-for-the-mainframe/

Top 8 Ways Hackers Will Exfiltrate Data From Your Mainframe
https://www.bmc.com/blogs/top-8-ways-hackers-exfiltrate-data-from-mainframe/
Wed, 30 Sep 2020

In previous blogs I have already illustrated the various ways hackers will gain initial access to your mainframe[1] and how they will execute a privilege escalation attack to gain full control over the system.[2] Once a threat actor completely owns the mainframe, they will have complete access to the sensitive data that resides on it. While ransomware has created a scenario where hackers no longer need to exfiltrate data to profit off their cybercrime, theft of sensitive data is still a catastrophic risk to companies who face increasingly punitive fines and loss of customer trust.

This blog will focus on the top ways hackers will exfiltrate the sensitive data from your mainframe. This knowledge is critical in order to understand how to initially protect your system and effectively detect anomalous and malicious activity in time to respond to the breach. My goal is to help you have an answer to the following questions:

  1. Is this possible on my mainframe?
  2. Do I have alerts built for Indicators of Compromise (IOC) for each of these activities?

Mainframe Data Exfiltration Techniques

  1. Hackers will use the native tools available on the system before resorting to more complex methods, especially tools that are also ubiquitous on Windows/Linux, where most of them are more comfortable. Since compromised account credentials are the primary method of initial access to most machines,[3] a hacker can simply use those credentials with Secure Copy (SCP) to copy files off the mainframe over the Secure Shell (SSH) protocol.
  2. If SSH isn't available, hackers can use the File Transfer Protocol (FTP) to download any files they are authorized to read. FTP makes bulk upload and download easy, and the z/OS FTP server can be switched into Job Entry Subsystem (JES) mode (SITE FILETYPE=JES), which turns a file transfer session into a way to submit jobs and retrieve their output, i.e., to execute commands on the mainframe.
  3. The next tool designed to transfer files is the Network File System (NFS). NFS is a distributed file system protocol, and z/OS includes an NFS server that can export data sets and the USS file system, so a hacker can "mount" the exported file system from a Linux box they control and copy files off the mainframe.
  4. Another file transfer mechanism built directly into the platform is IND$FILE, which requires only a typical TN3270 connection and compromised credentials to download any data set the user can read. This one is harder to monitor because IND$FILE does not write an SMF record by default, so detection has to rely on other telemetry, such as RACF audit records on the sensitive data sets themselves.
  5. The last native tool a hacker can weaponize to exfiltrate data is the Network Job Entry (NJE) protocol, which is designed to transfer jobs, commands, and messages between the systems in a network. Since the systems are already communicating and trust each other, a hacker can use NJE to route the data they want to a separate system under their control.
  6. Before getting too creative, hackers have one more capability that is often overlooked: they can browse the data sets they are interested in and copy/paste the contents onto their own system. This is limited to small quantities of data, or a tremendous amount of patience, but it is extremely useful for stealing small, valuable items like user IDs and password hashes for new accounts, or encryption keys.
  7. If hackers want to avoid the standard file transfer mechanisms, they may build their own Command and Control (C2) channel. This can be done quickly with socket tools like Netcat[4], or more deliberately by bringing over C code and compiling their own communication protocol. While this bypasses most transfer-protocol logging on the mainframe, IOCs designed to look for anomalous port and connection activity should quickly spot rogue C2 channels to the mainframe.
  8. The last popular method is to upload the files to a cloud storage container the hacker controls. Using a Java client, a hacker can quickly connect the mainframe to an S3 bucket on Amazon and upload all of the sensitive data outside the organization.

Shutting down all of these methods on the mainframe is impractical when you consider how important many of these protocols are to basic operations. This makes it necessary to filter and monitor user behavior in real time in order to detect anomalous activity and catch the exfiltration of data before it becomes catastrophic. Hackers will keep making this harder on the Security Operations Center (SOC) by hiding their exfiltration in normal scheduled activity, breaking a large heist into smaller chunks, or deliberately using methods that don't leave normal logs. These methods are not unique to the mainframe and are all detailed under the Exfiltration tactic in the MITRE ATT&CK framework[5], which can guide your User Entity Behavior Analytics (UEBA) program.
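As an added example (not BMC AMI Security code) of the UEBA approach the paragraph above describes, here is a Python baseline that sums each user's outbound transfer bytes per day across every channel and compares today's total against that user's own history using a robust statistic (median and median absolute deviation), so a heist chopped into dozens of small FTP and IND$FILE transfers still adds up to one anomaly. The events are constructed; in practice they would be aggregated from the FTP server, SSH/SCP, NJE, and whatever telemetry you have for IND$FILE. The score threshold and the cap for accounts with no history are assumptions to tune per site; the no-history case matters because a freshly created account is exactly what the copy/paste technique in item 6 is used to set up.

```python
"""Flag users whose outbound transfer volume departs from their own baseline.

Added example, not BMC AMI Security code. EVENTS is constructed; thresholds
are assumptions to be tuned per site.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed transfer events: (date, user, channel, bytes out of the mainframe).
EVENTS = [
    # seven days of ordinary history per user
    *[("2020-09-%02d" % d, "DEV01", "scp", 48_000_000 + d * 500_000) for d in range(20, 27)],
    *[("2020-09-%02d" % d, "USER123", "ftp", 2_000_000 + d * 50_000) for d in range(20, 27)],
    *[("2020-09-%02d" % d, "BATCH01", "nje", 500_000_000) for d in range(20, 27)],
    # the day under evaluation
    ("2020-09-27", "DEV01", "scp", 55_000_000),
    ("2020-09-27", "BATCH01", "nje", 520_000_000),
    # USER123: one large heist broken into small transfers across three channels
    *[("2020-09-27", "USER123", "ftp", 900_000) for _ in range(40)],
    *[("2020-09-27", "USER123", "ind$file", 700_000) for _ in range(10)],
    ("2020-09-27", "USER123", "nje", 12_000_000),
    # TEMP99: an account with no history at all
    ("2020-09-27", "TEMP99", "ftp", 30_000_000),
]

MIN_BASELINE_DAYS = 5
SCORE_THRESHOLD = 6.0          # robust z-score above which we alert (assumption)
NO_BASELINE_CAP = 10_000_000   # bytes/day tolerated for an account with no history (assumption)


@dataclass
class Finding:
    user: str
    total: int
    score: float
    by_channel: dict
    reason: str


def daily_totals(events):
    """user -> date -> {channel: bytes}"""
    totals = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for date, user, channel, nbytes in events:
        totals[user][date][channel] += nbytes
    return totals


def robust_score(today, history):
    """(today - median) / scaled MAD, floored so a perfectly flat baseline cannot divide by zero."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = max(1.4826 * mad, 0.05 * med, 1.0)
    return (today - med) / scale


def find_exfil(events, day):
    """Return a Finding for each user whose outbound volume on `day` is anomalous."""
    findings = []
    for user, days in daily_totals(events).items():
        if day not in days:
            continue
        by_channel = dict(days[day])
        today = sum(by_channel.values())
        history = [sum(ch.values()) for d, ch in days.items() if d < day]
        if len(history) < MIN_BASELINE_DAYS:
            if today > NO_BASELINE_CAP:
                findings.append(Finding(user, today, float("inf"), by_channel,
                                        "no baseline and above the new-account cap"))
            continue
        score = robust_score(today, history)
        if score > SCORE_THRESHOLD:
            findings.append(Finding(user, today, score, by_channel,
                                    f"{score:.0f} scaled MADs above the user's median"))
    return findings


if __name__ == "__main__":
    for f in find_exfil(EVENTS, "2020-09-27"):
        print(f.user, f.total, f.reason, f.by_channel)
```

The nightly batch account moving half a gigabyte is not flagged, because that is its normal; the developer moving 55 MB is not flagged, because that is below his normal; the same 55 MB from an account that usually moves 3 MB is flagged at several hundred scaled deviations. Baselining per user, rather than against a global threshold, is what lets the rule ignore the big legitimate movers and still catch the chunked heist.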

Ultimately, visibility and automation are key factors to help ensure these forms of attack don’t impact your mainframe systems. That’s why BMC is committed to helping our clients build a modern mainframe security program with BMC AMI Security. AMI Security automates detection and response on mainframes while integrating the platform into the SOC’s tools and processes. If you’d like to know more or have questions about the steps to effectively secure your mainframe environment, please contact Christopher_perry@bmc.com or visit BMC Software for more information.

[1] https://www.bmc.com/blogs/top-6-ways-a-hacker-will-gain-access-to-your-mainframe/
[2] https://www.bmc.com/blogs/top-10-privilege-escalation-hacks-for-the-mainframe/
[3] https://enterprise.verizon.com/resources/reports/dbir/
[4] https://kellgon.com/netcat-the-hackers-swiss-army-knife/
[5] https://attack.mitre.org/

Leveraging Automation to Bridge the Cybersecurity Skills Gap and Secure Your Mainframe Data
https://www.bmc.com/blogs/leveraging-automation-to-bridge-the-cybersecurity-skills-gap-and-secure-your-mainframe-data/
Fri, 17 Jan 2020

The skyrocketing number of cyberattacks deserves the media attention it garners. 2018 saw a 350% increase in ransomware attacks, a 70% increase in spear-phishing attempts, and a 250% increase in business email compromise (BEC) attacks, alarming figures that rightfully have CxOs worried. Despite security being deemed the top investment priority by CIOs in 2019, 65% of security professionals still expect to cope with a major breach in 2020.

Data Security: A Frightening Future

A large part of the reason for this less-than-rosy outlook stems from the cybersecurity skills shortage. As the amount of cybercrime increases and armies of cut-rate hackers are empowered with sophisticated Malware as a Service (MaaS) weapons, the number of able-bodied defenders has failed to keep pace with the looming threat. The latest figures from (ISC)² report more than 4 million unfilled cybersecurity positions around the globe—an increase of more than a million over the previous year. It’s no wonder more than two-thirds of security professionals believe that the skills shortage is impeding defense efforts, and 36% of organizations cite the lack of available cybersecurity talent as their primary concern in the workplace.

So, what’s to be done? Universities and school systems aren’t going to be able to train the next generation of cybersecurity talent quickly enough to meet the overwhelming demand, and in areas such as mainframe cybersecurity, experienced professionals are retiring faster than they can be replaced. The skills gap is currently being addressed by the software vendor community. But if you are going to effectively close this security gap, you must pick the right vendor who can deliver the right solution with automation.

Arming Security Teams with Software and Automation

In an environment where organizations struggle to fill critical cybersecurity vacancies, it’s clear that adding additional analysts to your ranks is all but impossible. Instead, forward-thinking companies must turn to automated security solutions that amplify the efforts of your current employees, giving each one the capabilities of many.

BMC AMI Security was specifically designed with mainframe data protection and automation in mind. It’s powered by a best-in-class event management system that allows you to see mainframe and distributed security events correlated alongside one another in real time to reveal anomalous activity indicative of a cyber threat. Going through this amount of event log data would take an army of security personnel countless days or even weeks to find anomalous activity, but the automation within BMC AMI Security works in step with your Security Information & Event Management (SIEM) system or Security Operations Center (SOC), looking for cyber threat triggers. Data security personnel are notified through multiple channels (SMS text, email, support desk trigger, etc.) to investigate, or other automated remediation actions can take place within your systems to stem the bleeding.

BMC AMI Security uses a lightweight software agent installed on each logical partition (LPAR) that works with the Server Message Facility (SMF) to enrich mainframe events with critical security information. It then formats them for ingestion by leading enterprise analytics engines. The agent operates with extremely low resource utilization, and the event messages leave the LPAR ready-formatted for your SIEM or SOC. The result is cross-platform event correlation in your security software system of record, for up-to-the-second alerts on cyber threats.

To learn more about how BMC AMI Security is automating your mainframe defense and empowering your valuable cybersecurity personnel, please visit our product page or reach out to your BMC solutions expert today.

Cybersecurity Incident Response on the Mainframe
https://www.bmc.com/blogs/cybersecurity-incident-response-on-the-mainframe/
Fri, 06 Dec 2019 13:00:54 +0000

Endpoint Detection and Response (EDR) solutions have become a necessary component of each organization’s security architecture and are meant to support the Security Operations Center’s (SOC) ability to meet steps 3 and 4 of the National Institute of Standards and Technology (NIST) Cyber Security Framework:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Yet, when you look at most of the literature for these solutions, they only market the ability to detect malicious or anomalous events in real time. Detection is absolutely a core ingredient, but what about response? What can these solutions do to enable a security analyst to efficiently conduct an incident response?

To answer this question, it’s important to look at what a security analyst needs to accomplish during an incident response.

First, the analyst receives an alert in the EDR or Security Information and Event Management (SIEM). This alert notifies the analyst that their automated software detected a potentially malicious incident that needs to be analyzed.

To do this, the analyst must sort through all of the collected data on the endpoint to determine whether the incident was malicious or a false positive. To accomplish this effectively, an analyst needs immediate access to the step-by-step actions of the offending user ID, IP address, or service that triggered the alert. This provides a timeline of actions that enables the analyst to make a quick determination on whether the incident needs to be escalated or was a false positive that can be closed.

A good EDR solution provides the analyst with a framework to quickly visualize the triggered timeline and efficiently analyze each alert. Amid the growing demand for cybersecurity talent, organizations need to leverage software solutions to increase the efficiency of their analysts, making each individual able to accomplish the work of multiple resources.[1] The investment in quality solutions will end up reducing the required manpower for a SOC and will save an organization on critically short resources.[2]

So why is establishing this timeline such a challenge for most organizations? Most of it comes down to the quality of the data that reaches the SIEM. As regulations continue to put immediate pressure on organizations, they find themselves in a check-the-box situation, adopting the first method that lets them store data like failed logins, file activity monitoring, or privileged user activity before their upcoming audit. The data is often ingested into a SIEM or data lake whose vendors claim their solution will quickly and effectively sort through stored data. Unfortunately, most of the data is sent and stored without a broader understanding of incident response and lacks the core components needed to establish a timeline.

This is especially true on the mainframe because the Server Message Facility (SMF) that captures event data on z/OS wasn’t designed to catch hacker activity. This means that the SMF records security analysts would have to rely on lack the critical fields they would need to filter on. Organizations may feel secure, having just passed an audit, but will quickly find that their actual capability for conducting required cybersecurity practices is limited, because incident response will resemble a search for a needle in a haystack.

The solution: BMC AMI Security

BMC AMI Security can help. To facilitate incident response, BMC AMI Security enriches each captured SMF record with relevant information like user IDs and IP addresses, enabling security analysts to filter on the alerted trigger and establish the critical timeline they need to respond to the incident efficiently. This is done by the lightweight agent that runs on each logical partition, which can read the key details from operating system memory and add them as fields before sending the event off to the SIEM or data lake. Now, analysts can build a holistic timeline in seconds instead of combing through all events in a given time window. This significantly enhances the capability of each security analyst in the SOC, as they leverage the intelligence of software that was built with true automated mainframe security in mind.
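The enrich-then-pivot step described above, as an added Python example that is not BMC AMI Security code and not a real SMF record layout: it assumes events arrive at the SIEM as JSON lines whose field names (`userid`, `src_ip`, `ts`, `type`, `detail`) and sample values are constructed for this illustration. It filters the stream for the alerted user ID or source IP into an ordered timeline, and sets aside any record that reached the SIEM without the enriched fields, which is exactly the record an analyst cannot place on anyone's timeline.

```python
"""Pivot enriched mainframe security events into a per-principal timeline.

Added illustration, not BMC AMI Security code. It assumes (hypothetically)
that each event forwarded to the SIEM is a flat JSON object; the field names
userid, src_ip, ts, type and detail are assumptions for this example.
"""
import json
from datetime import datetime, timezone

# Constructed sample: four enriched records plus one that reached the SIEM
# without enrichment (no userid / src_ip), as a raw forwarder might send it.
SAMPLE_EVENTS = [
    '{"ts": "2019-12-06T13:02:10Z", "type": "LOGON_FAIL", "userid": "TSOUSR7", "src_ip": "10.1.4.22", "detail": "invalid password"}',
    '{"ts": "2019-12-06T13:02:41Z", "type": "LOGON_OK", "userid": "TSOUSR7", "src_ip": "10.1.4.22", "detail": "TSO logon"}',
    '{"ts": "2019-12-06T13:01:55Z", "type": "DATASET_READ", "userid": "BATCH01", "src_ip": "10.1.9.3", "detail": "PROD.PAYROLL.MASTER"}',
    '{"ts": "2019-12-06T13:03:05Z", "type": "DATASET_READ", "detail": "PROD.PAYROLL.MASTER"}',
    '{"ts": "2019-12-06T13:04:30Z", "type": "PRIV_CHANGE", "userid": "TSOUSR7", "src_ip": "10.1.4.22", "detail": "SPECIAL attribute added"}',
]


def parse_events(lines):
    """Parse JSON lines into dicts, converting 'ts' to a timezone-aware datetime."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def build_timeline(events, userid=None, src_ip=None):
    """Return (timeline, unattributable).

    timeline: events matching the alerted userid and/or src_ip, oldest first.
    unattributable: events carrying neither field; the analyst cannot place
    them on any principal's timeline and must review them separately.
    """
    if userid is None and src_ip is None:
        raise ValueError("pivot on at least one of userid or src_ip")
    timeline, unattributable = [], []
    for ev in events:
        if "userid" not in ev and "src_ip" not in ev:
            unattributable.append(ev)
            continue
        if userid is not None and ev.get("userid") != userid:
            continue
        if src_ip is not None and ev.get("src_ip") != src_ip:
            continue
        timeline.append(ev)
    timeline.sort(key=lambda e: e["ts"])
    return timeline, unattributable


def timeline_summary(timeline):
    """One line per step: seconds elapsed since the first event, type, detail."""
    if not timeline:
        return []
    t0 = timeline[0]["ts"]
    return [f"+{int((e['ts'] - t0).total_seconds()):>4}s {e['type']:<13} {e['detail']}" for e in timeline]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    tl, orphans = build_timeline(evs, userid="TSOUSR7")
    print("\n".join(timeline_summary(tl)))
    print(f"{len(orphans)} event(s) lacked userid and src_ip and could not be attributed")
```

Pivoting on `src_ip` instead of `userid` answers the other common question (what else came from that address), and the count of unattributable records is a useful health metric for the enrichment itself: if it rises, the agent or forwarder is dropping fields.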

If you feel secure in your current solutions, then you should begin the practice of testing your defensive posture through cybersecurity simulations. These simulations model a true cybersecurity incident to test your organization’s ability to detect and respond to real threats. Just like military exercises, rehearsals are a core component of testing, training, and improving your defenses. In today’s age, where a criminal can rent Ransomware as a Service[3] and begin having catastrophic impacts on an organization in as little as 18 minutes from first infection,[4] this can be the difference between losing the indispensable data that runs on the mainframe and responding to a threat in time.

If you’d like to learn more about mainframe security or how BMC AMI Security can help you detect and respond to very real mainframe cyber risks, then please contact your account manager or click here to sign up for a free trial of BMC AMI Security.

[1] https://cybersecurityventures.com/jobs/
[2] https://www.gartner.com/smarterwithgartner/solve-the-cybersecurity-talent-shortage/
[3] https://nakedsecurity.sophos.com/2017/12/13/5-ransomware-as-a-service-raas-kits-sophoslabs-investigates/
[4] https://www.zdnet.com/article/you-have-around-20-minutes-to-contain-a-russian-apt-attack/

3 Steps to Shore Up Your Mainframe Security with Endpoint Detection and Response
https://www.bmc.com/blogs/3-steps-to-shore-up-your-mainframe-security-with-endpoint-detection-and-response/
Wed, 06 Nov 2019 00:00:20 +0000

For decades, mainframes were practically locked away like vaults, and it was easy to take their security for granted. Even if you could break into the room, you needed the expertise to know command lines to get what you wanted. With the advent of 3270 terminal emulators in the 1970s, mainframe functions could be controlled from a “PC” with the use of a coax adapter card, but you still needed vast mainframe programming knowledge to get what you were after. Now, thanks to the ready availability of emulator variants such as TN3270, special hardware is no longer required to tap into the mainframe. All you need is an internet connection. As a result, mainframe accesses have extended beyond what early mainframers could ever have imagined. Endpoint access has come a long way and you can now access a mainframe with an iPhone.

Today’s mainframe is a TCP/IP-connected computer integrated with your enterprise, and new threats have emerged to test its penetrability. To ensure viable defenses against both internal and external threats, you should treat your mainframe like any other endpoint and implement an endpoint detection and response (EDR) solution. Here are the best practices to secure your most valuable endpoint:

  1. Security Operations Center (SOC) inclusion
     Ponemon’s 2019 Cost of a Data Breach report indicates a 4.9% year-over-year increase in the mean time to identify (MTTI) and mean time to contain (MTTC) a breach, putting them at 206 days and 73 days, respectively. This incredibly long lifecycle is inexcusable for the regulated industries that rely on mainframes, and it’s also expensive – a response time that lags over 200 days will end up increasing the overall cost by 37%. Security personnel can’t stop what they can’t see. To streamline identification and response, look for an EDR solution that offers complete integration with your enterprise SOC. In the case of AMI for Security, that means eliminating the mainframe and distributed personnel silos and allowing for a 360-degree real-time view of your security operations. Visit AMI for Security for more info on how we help the largest companies in the world do this.

  2. Security automation
     Even adequately funded IT departments are facing a labor shortage because there simply aren’t enough experienced professionals. In 2018, the U.S. Department of Commerce estimated there were 350,000 vacant cybersecurity positions in the U.S. alone, and Cybersecurity Ventures predicts 3.5 million unfilled positions globally by 2021. To accomplish more and maintain an agile team, EDR solutions must lean on automation. Automated triggers such as shutting down ports and admin alerts that are sent in real time must be in play. AMI for Security amplifies the efforts of employees with pre-built intelligence that leverages industry-leading mainframe penetration expertise to automatically monitor mainframe data accesses and provide real-time alerts against anomalous user/system behavior.

  3. Privileged user monitoring
     With state-sponsored threat actors and high-profile breaches dominating the headlines, it’s easy to pay a disproportionate amount of attention to external threats. On the other hand, just 9% of European IT decision-makers feel safe from internal threats. Whether from a malicious insider, a non-technical (careless) executive with privileged access, an infected employee device, or just a lost laptop, internal threats are everywhere. To ensure adequate protection across a vast number of endpoints, a solution like AMI for Security monitors users and tracks their individual actions, alerting administrators in cases of privilege escalation, rights violations, and anomalous login instances. Real-time surveillance for suspicious user activity empowers an immediate response to threats, allowing your organization to mitigate resulting damages or even avoid them entirely.

EDR is designed to provide advanced threat protection, but not all solutions are created equal.

The Mainframe Security Intelligence Gap
https://www.bmc.com/blogs/the-mainframe-security-intelligence-gap/
Tue, 29 Oct 2019 09:59:52 +0000

If you have a mainframe, it is nearly guaranteed that you are a professional organization that handles extremely valuable data. This data may range from your customers’ Personally Identifiable Information (PII), to financial transactions, or even your intellectual property.

Following industry standard best practices to protect your data, you have likely established a fully functioning Security Operations Center (SOC) complete with expert security analysts who monitor the enterprise through your Security Information and Event Management (SIEM). These security analysts are prepared to respond to security threats in real time and bring your response time to an attack down from months to hours. You feel protected. Are you?

Your security analysts responsible for defending your organization are only as good as two things:

  1. The information they receive
  2. Their training on how to handle that information

The Information in the SIEM


When was the last time your security architects analyzed the forwarders that feed your SIEM to ensure it has a complete picture? An effective SIEM will aggregate data across the breadth of your technology infrastructure. Everything from your firewalls, servers, and routers to your endpoint devices is responsible for forwarding relevant data to the SIEM. Any gap, or missing equipment, leaves a glaring hole in the vision of your SOC which can be exploited by hackers, insider threats,[1] or simply a poorly executed command by an employee.[2] Your SOC needs to have immediate access to all of your key infrastructure in order to have a timely and effective response to any incident.
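The forwarder audit the paragraph asks for, as an added Python example (not BMC code): it assumes, hypothetically, a CMDB-style inventory of hosts that are supposed to forward and a SIEM export of the newest event timestamp seen per source host, both constructed here. It reports three kinds of gap: inventoried hosts the SIEM has never heard from, hosts whose forwarder has gone quiet, and hosts sending events that the inventory does not know about. Grouping by platform makes a blind spot covering an entire platform, such as every z/OS LPAR, stand out.

```python
"""Audit which inventoried assets are actually feeding the SIEM.

Added illustration, not BMC code. Inventory, SIEM view and host names are
constructed for this example.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: host -> platform. Every listed host should be forwarding.
INVENTORY = {
    "fw-edge-01": "firewall",
    "rtr-core-01": "router",
    "app-web-03": "linux",
    "ad-dc-01": "windows",
    "SYSA": "z/OS",   # mainframe LPARs are the hosts most often left off the forwarder list
    "SYSB": "z/OS",
}

# Constructed SIEM view: newest event per source host (ISO 8601, UTC).
LAST_SEEN = {
    "fw-edge-01": "2019-10-29T09:55:00Z",
    "rtr-core-01": "2019-10-29T09:58:12Z",
    "app-web-03": "2019-10-27T22:10:00Z",   # forwarder silently died two days ago
    "ad-dc-01": "2019-10-29T09:59:30Z",
    "SYSA": "2019-10-29T09:57:45Z",
    "lab-vm-17": "2019-10-29T09:50:00Z",    # sends events but is not in the inventory
    # SYSB: never seen
}


def parse_ts(ts):
    """ISO 8601 'Z' timestamp -> timezone-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def coverage_gaps(inventory, last_seen, now, max_age=timedelta(hours=1)):
    """Return (missing, stale, unknown), each a sorted list of host names.

    missing: inventoried hosts with no events in the SIEM at all.
    stale:   inventoried hosts whose newest event is older than max_age,
             i.e. a forwarder that was once wired up and has stopped.
    unknown: hosts sending events that the inventory does not know about.
    """
    missing = sorted(h for h in inventory if h not in last_seen)
    stale = sorted(h for h, ts in last_seen.items()
                   if h in inventory and now - parse_ts(ts) > max_age)
    unknown = sorted(h for h in last_seen if h not in inventory)
    return missing, stale, unknown


def gaps_by_platform(inventory, missing, stale):
    """Group silent hosts by platform so a whole-platform blind spot stands out."""
    out = {}
    for h in missing + stale:
        out.setdefault(inventory[h], []).append(h)
    return {platform: sorted(hosts) for platform, hosts in out.items()}


if __name__ == "__main__":
    now = parse_ts("2019-10-29T10:00:00Z")   # fixed 'now' so the sample is reproducible
    missing, stale, unknown = coverage_gaps(INVENTORY, LAST_SEEN, now)
    print("never seen :", missing)
    print("gone stale :", stale)
    print("not in CMDB:", unknown)
    print("by platform:", gaps_by_platform(INVENTORY, missing, stale))
```

Run this on a schedule rather than once: the `stale` list is what catches the forwarder that was configured correctly for the audit and broke the week after. The `max_age` threshold should be set per source type, since a quiet firewall and a quiet LPAR have very different normal event rates.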

Is your mainframe protected by the same level of best practices and automation as your distributed servers? Let’s discuss the mainframe – the refrigerator-sized computer that is the backbone of your entire enterprise. For the longest time, the mainframe was considered the pinnacle of secure computing, which has allowed it to be largely ignored by most security engineers who didn’t understand it. While the mainframe is indeed a secure system, the threat landscape has developed to include nation state level resources put towards attacking civilian companies as an extension of their military and foreign policy.[3] As secure as the mainframe is, it is no match for the capabilities of these advanced persistent threats, which are attacking systems as complex as off-the-grid nuclear power plants.[4] To protect your mainframe, and the capacity of your entire company, it is time to start treating the mainframe for what it is: just another computer on your network. This means that it is time to synchronize the mainframe’s information and event logging into your SIEM in real time. Ask yourself: what would happen if your mainframe data was encrypted with ransomware?

The Mainframe Security Intelligence Gap

Let’s assume that you are already on the forward edge of security monitoring and you have worked with your mainframe and security engineers to integrate your mainframe information into your SIEM in real time. Unfortunately, even then, you may still lack the requisite knowledge and expertise to successfully use the information and react to it. It is vital to understand that data is not the end state, but the tool used to derive actionable intelligence.

With real-time monitoring, your security analysts will be immediately notified of any alerts, but how fast will they be able to use the data and react to an incident? If they have never touched a mainframe, and acronyms like RACF and ACF2 are foreign to them, then it is likely they will not be able to differentiate between a false positive and a devastating incident. By the time your organization realizes something has gone wrong, it could cost you upwards of billions of dollars.[5]

So, who should own the responsibility of mainframe security? The answer is – it depends. Doctrinally, the role of securing the systems should fall on the SOC, but as Secretary of Defense James Mattis used to say, “doctrine is the last refuge of the unimaginative.” Each organization needs to determine whether the SOC, which understands security, or the mainframe operations team, which understands the platform, should own the role of monitoring and responding to security incidents on the mainframe. There is a strong debate for either method in the market right now. The part that isn’t debatable is that whoever owns the role needs to have it codified and then be provided the resources to accomplish the mission successfully.

Training the Security Analysts

We often work with customers who have determined that the SOC will be responsible for defending the mainframes in addition to the other endpoints on the network. Most SOC security analysts come from a background where they are very comfortable with Windows, Linux, and routers, all of which use operating systems entirely different from IBM’s z/OS. Fortunately, this isn’t an overwhelming gap, as the foundational knowledge of security transcends all systems.

A CISO who prioritizes getting analysts the requisite training, and provides the scenarios for them to practice, will find that the mainframe and its alerts quickly become part of their battle rhythm. This ongoing training and education will enable the organization to have a truly defensible posture. To jumpstart this process, successful companies have generally taken two actions:

  1. Hired individuals with a mainframe background and an interest in security. This new hire brings diversity of thought and experience to the security team, providing a more holistic understanding.
  2. Leveraged available training programs like Evil Mainframe[6] to receive a crash course on mainframe penetration testing from two of the world’s leading mainframe hackers.

Whether your company chooses to have centralized security in a SOC or have the mainframe operations team monitor for security issues, BMC is here to help. BMC Automated Mainframe Intelligence (AMI) for Security packages the industry’s leading mainframe hacking defense expertise into preconfigured alerts for your team to strengthen your security posture. If you are interested in learning more about how we can help integrate the mainframe into your SOC and provide true actionable security intelligence, start your easy trial at https://www.bmc.com/it-solutions/bmc-ami-mainframe-security.html.

[1] https://securityintelligence.com/these-5-types-of-insider-threats-could-lead-to-costly-data-breaches/
[2] https://www.geekwire.com/2017/amazon-explains-massive-aws-outage-says-employee-error-took-servers-offline-promises-changes/
[3] https://www.washingtonpost.com/world/national-security/us-set-to-declare-north-korea-carried-out-massive-wannacry-cyber-attack/2017/12/18/509deb1c-e446-11e7-a65d-1ac0fd7f097e_story.html?noredirect=on&utm_term=.cece25943963
[4] https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
[5] https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
[6] https://evilmainframe.com/

Changing Consumer Conceptions of PII Data Necessitate Event Correlation, Real-Time Alerts and Rehearsed Incident Response
https://www.bmc.com/blogs/changing-consumer-conceptions-of-pii-data-necessitate-event-correlation-real-time-alerts-and-rehearsed-incident-response/
Tue, 08 Oct 2019 13:00:12 +0000

Europe’s Data Protection Directive emerged in 1995, just two years after the formation of the European Union (EU). It was designed almost a decade before Facebook and three years before Google – a time when ecommerce was just a blip on the radar and the internet had a total of 120,000 registered domain names. By 2016 that number had grown to 326.4 million, and the rapid pace of technological change meant we were living in a different world that demanded modernized data security regulations.

After four years of deliberation and design, the EU announced the General Data Protection Regulation (GDPR), a sweeping law governing the data security and privacy of European citizens. When the law came into force in May of 2018, it affected not just European businesses, but companies all over the world that had customers in Europe. It also had even broader implications by inspiring the creation of similar laws in the U.S. California led with the California Consumer Privacy Act (CCPA) in 2018, and a total of 25 states now have data protection laws. While more will surely follow, there’s also the looming possibility of a federal law governing how companies treat the Personally Identifiable Information (PII) and other data of US citizens.

Why all the concern? Until recently, consumers have been all too happy to give away reams of Personally Identifiable Information or PII data without much concern for how it was being used. However, a slew of major data fumbles, from Facebook’s Cambridge Analytica scandal to the Equifax breach that exposed the financial records of 148 million people, have eroded public trust and pushed consumers to question how companies are defending sensitive PII.

The Year 2015 BC (Before Cambridge)

In 2015, the RAND Corporation set out to weigh public perception of high-profile data breaches. The “Customer Attitudes Toward Data Breach Notifications and Loss of Personal Information” study surveyed 2,038 individuals to determine how consumer behavior changes after breach notifications. While responses varied by demographic, a mere 11% of respondents indicated they would cease doing business with a company after a breach while 65% felt that their relationship with the company would continue unchanged.

With cybersecurity itself evolving at such a frantic pace, Ping Identity set out in 2018 to determine if customer perception might echo those changes. “Attitudes and Behavior in a Post-Breach Era” polled more than 3,000 consumers around the globe, and the results told a profound story. Almost half (49%) of those surveyed indicated that they wouldn’t use a service or application that had recently been breached, and while 37% would, they would only do so if they had no other options for the service in question.

In the tumultuous world of corporate cybersecurity, one thing is perfectly clear – consumers are more conscious of their data than ever before. While they can welcome the passage of additional legislation to establish protections and penalties, the rash of U.S. state regulations on the horizon will continue to plague the Fortune 1000 enterprises that lose control of their data. With the costs of a breach – both to a company’s reputation and its bottom line – climbing ever higher, CxOs must take the following steps to demonstrate an effective and clearly evident posture of cybersecurity defense.

  1. Use correlation to glean evidence from event logs
    Correlation should occur on both distributed and mainframe systems, combining event messages and user activity to help determine the type of behavior that constitutes a threat. BMC AMI Security uses an intelligent correlation engine that automatically spots anomalous events based on Indicators of Compromise developed by the world’s leading mainframe hackers and alerts administrators.
  2. Rely on solutions that provide insights in real time
    It takes an unacceptable 279 days for the average organization to identify and contain a data breach, according to 2019 data from the Ponemon Institute. Enterprises aren’t just failing to put a stop to cybercriminal activity – they’re failing to see it going on in the first place. To amend the present state of affairs, organizations must rely on real-time threat reporting that happens automatically. With automated security solutions, administrators are notified the instant a cyberattack is spotted, enabling them to take immediate action according to the nature of the threat.
  3. Implement and practice an incident response plan
    Many organizations mistakenly think their security procedures and policies adequately insulate them from the risk of a data breach, which means they’re left scrambling to initiate a response when a breach inevitably occurs. When dealing with data exfiltration, seconds count, and having a plan in place might mitigate some of the fallout from a breach. The most advanced enterprises, however, are the ones that actually practice their incident response plans. As the cybersecurity landscape evolves, there are more threats than ever, and the most appropriate response depends on the specific danger. For example, BMC AMI Security supports the ability to take a user ID and immediately search for all actions taken by that user to determine the scope and depth of the damage, whereas other companies must sort through system data in batches in the hope of piecing together what happened. Knowing what to do and practicing how to do it will allow for a relatively quick and painless remediation compared to the alternative.
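Step 1 asks for correlation across distributed and mainframe systems keyed on user activity. The following Python is an added example of what such a rule looks like; it is not BMC AMI Security's correlation engine, and the event shapes, field names, user names, thresholds and sample data are all constructed for this illustration. The same user shows up as `CORP\jdoe` in a VPN log and as the RACF-style ID `JDOE` in mainframe records, so the first job is to normalise both to one key; the rule then fires when a burst of failed logons is followed by a successful logon and a read of a sensitive dataset, and bundles every event for that user in the span, from either platform, as the evidence an analyst starts from.

```python
"""Correlate mainframe and distributed events for one user into a single alert.

Added example, not BMC AMI Security's correlation engine. Event shapes,
field names, user names and thresholds are assumptions constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample. Distributed sources name the user DOMAIN\user; the
# mainframe records carry an upper-case user ID. Both must map to one key.
DISTRIBUTED_EVENTS = [
    {"ts": "2019-10-08T13:00:05Z", "source": "vpn", "user": "CORP\\jdoe", "src_ip": "203.0.113.9", "type": "VPN_CONNECT"},
    {"ts": "2019-10-08T13:00:20Z", "source": "vpn", "user": "CORP\\asmith", "src_ip": "198.51.100.4", "type": "VPN_CONNECT"},
]
MAINFRAME_EVENTS = [
    {"ts": "2019-10-08T13:01:10Z", "source": "zos", "userid": "JDOE", "src_ip": "203.0.113.9", "type": "LOGON_FAIL"},
    {"ts": "2019-10-08T13:01:25Z", "source": "zos", "userid": "JDOE", "src_ip": "203.0.113.9", "type": "LOGON_FAIL"},
    {"ts": "2019-10-08T13:01:40Z", "source": "zos", "userid": "JDOE", "src_ip": "203.0.113.9", "type": "LOGON_FAIL"},
    {"ts": "2019-10-08T13:02:02Z", "source": "zos", "userid": "JDOE", "src_ip": "203.0.113.9", "type": "LOGON_OK"},
    {"ts": "2019-10-08T13:05:30Z", "source": "zos", "userid": "JDOE", "src_ip": "203.0.113.9", "type": "DATASET_READ", "dataset": "PROD.CUST.PII"},
    {"ts": "2019-10-08T13:06:00Z", "source": "zos", "userid": "ASMITH", "src_ip": "198.51.100.4", "type": "LOGON_OK"},
    {"ts": "2019-10-08T13:07:00Z", "source": "zos", "userid": "ASMITH", "src_ip": "198.51.100.4", "type": "DATASET_READ", "dataset": "PROD.CUST.PII"},
]
SENSITIVE_PREFIXES = ("PROD.CUST.", "PROD.PAYROLL.")   # constructed naming convention


def principal(ev):
    """Normalise 'CORP\\jdoe' and 'JDOE' to the same correlation key."""
    raw = ev.get("userid") or ev.get("user") or ""
    return raw.split("\\")[-1].upper()


def merge(*streams):
    """Flatten several sources into one time-ordered list with a 'principal' key."""
    evs = [dict(e, ts=_t(e["ts"]), principal=principal(e)) for s in streams for e in s]
    return sorted(evs, key=lambda e: e["ts"])


def correlate(events, fail_threshold=3, fail_window=timedelta(minutes=5),
              access_window=timedelta(minutes=10)):
    """Alert per user when >= fail_threshold LOGON_FAILs inside fail_window are followed
    by a LOGON_OK and then a sensitive DATASET_READ within access_window of that logon."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["principal"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        fails = [e for e in evs if e["type"] == "LOGON_FAIL"]
        for i in range(len(fails) - fail_threshold + 1):
            burst = fails[i:i + fail_threshold]
            if burst[-1]["ts"] - burst[0]["ts"] > fail_window:
                continue
            ok = next((e for e in evs if e["type"] == "LOGON_OK" and e["ts"] > burst[-1]["ts"]), None)
            if ok is None:
                continue
            read = next((e for e in evs if e["type"] == "DATASET_READ" and e["ts"] > ok["ts"]
                         and e["ts"] - ok["ts"] <= access_window
                         and e.get("dataset", "").startswith(SENSITIVE_PREFIXES)), None)
            if read is None:
                continue
            # Evidence spans from shortly before the burst to the sensitive read, so the
            # VPN connection that preceded the mainframe activity is carried along.
            evidence = [e for e in evs if burst[0]["ts"] - fail_window <= e["ts"] <= read["ts"]]
            alerts.append({"user": user, "dataset": read["dataset"],
                           "platforms": sorted({e["source"] for e in evidence}), "evidence": evidence})
            break   # one alert per user; the analyst pivots on the user ID for the rest
    return alerts


if __name__ == "__main__":
    for a in correlate(merge(DISTRIBUTED_EVENTS, MAINFRAME_EVENTS)):
        print(f"{a['user']}: {len(a['evidence'])} events across {a['platforms']} ending in {a['dataset']}")
```

ASMITH reads the same dataset but produces no alert, because a plain logon and read is ordinary business; what the rule keys on is the sequence. The `platforms` field is the point of the exercise: an analyst who only had the mainframe records would see the failed logons, but not that the session arrived over the VPN from the same address a minute earlier.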

Attitudes around data security are changing, and for good reason. As massive organizations demonstrate a careless approach to PII that jeopardizes the well-being of their customers, governments are responding with increased regulation. To win trust and conquer compliance obstacles, enterprises must implement forward-thinking solutions that bring their mainframe security practices into modernity. To access our in-depth report on cybersecurity legislation and the steps to achieve compliance, download our whitepaper today.
