Cybersecurity Incident Response on the Mainframe

Christopher Perry

Endpoint Detection and Response (EDR) solutions have become a necessary component of every organization’s security architecture. They are meant to help the Security Operations Center (SOC) carry out steps 3 and 4 of the National Institute of Standards and Technology (NIST) Cybersecurity Framework:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Yet, when you look at most of the literature for these solutions, they only market the ability to detect malicious or anomalous events in real time. Detection is absolutely a core ingredient, but what about response? What can these solutions do to enable a security analyst to efficiently conduct an incident response?

To answer this question, it’s important to look at what a security analyst needs to accomplish during an incident response.

First, the analyst receives an alert in the EDR or Security Information and Event Management (SIEM). This alert notifies the analyst that their automated software detected a potentially malicious incident that needs to be analyzed.

To do this, the analyst must sort through all of the collected data on the endpoint to determine whether the incident was malicious or a false positive. To accomplish this effectively, an analyst needs immediate access to the step-by-step actions of the offending user ID, IP address, or service that triggered the alert. This provides a timeline of actions that enables the analyst to quickly determine whether the incident needs to be escalated or is a false positive that can be closed.

A good EDR solution provides the analyst with a framework to quickly visualize the triggered timeline and efficiently analyze each alert. With the growing demand for cybersecurity talent, organizations need to leverage software solutions to increase the efficiency of their analysts, making each individual able to accomplish the work of multiple resources [1]. The investment in quality solutions will end up reducing the required manpower for a SOC and will save an organization critically short resources [2].

So why is establishing this timeline such a challenge for most organizations? Most of it comes down to the quality of data that reaches the SIEM. As regulations continue to put immediate pressure on organizations, they find themselves in a check-the-box situation where they find the first method possible that enables them to store data like failed logins, file activity monitoring, or privileged users before their upcoming audit. The data will often be ingested in a SIEM or data lake where vendors claim their solution will be able to quickly and effectively sort through stored data. Unfortunately, most of the data is sent and stored without the greater understanding of incident response and will lack core components for establishing a timeline.

This is especially true on the mainframe because the System Management Facilities (SMF), which captures event data on z/OS, wasn’t designed to catch hacker activity. As a result, the SMF records that security analysts have to rely on lack critical information that they would need to filter on. Organizations may feel secure, having just passed an audit, but will quickly find that their actual capability for conducting required cybersecurity practices is limited because incident response will resemble a search for a needle in a haystack.

The solution: BMC AMI Security

BMC AMI Security can help. To facilitate incident response, BMC AMI Security enriches each captured SMF record with relevant information, like user IDs and IP addresses, that enables security analysts to filter on the alerted trigger and establish the critical timeline they need to respond to the incident efficiently. This is done by a lightweight agent that runs on each logical partition, accesses the key details from operating system memory, and adds them as fields before sending the event off to the SIEM or data lake. Now, analysts can build a holistic timeline in seconds instead of combing through all events in a certain time window. This significantly enhances the capability of each security analyst in the SOC as they leverage the intelligence of software that was built with true automated mainframe security in mind.
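The filtering described above can be sketched in a few lines. This is an added example, not BMC AMI Security code or its record format: the events are constructed, and the `user_id` and `src_ip` field names and the `hops` parameter are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events. smf_type uses real SMF record type numbers
# (30 job accounting, 80 RACF, 119 TCP/IP, 15 data set output); the
# user_id and src_ip keys are hypothetical names for the enrichment fields.
FIELDS = ("ts", "smf_type", "user_id", "src_ip", "detail")
RAW = [
    ("2024-03-01T02:09:40", 30, "BATCH01", "10.1.9.12", "job step ended"),
    ("2024-03-01T02:10:05", 80, "JSMITH", "10.1.4.77", "failed password"),
    ("2024-03-01T02:10:09", 80, "JSMITH", "10.1.4.77", "successful logon"),
    ("2024-03-01T02:10:30", 30, "OPS02", "10.1.9.30", "job started"),
    ("2024-03-01T02:11:02", 119, "JSMITH", "10.1.4.77", "FTP session opened"),
    ("2024-03-01T02:11:45", 15, "BATCH01", "10.1.9.12", "data set written"),
    ("2024-03-01T02:12:10", 80, "SVCFTP", "10.1.4.77", "successful logon"),
    ("2024-03-01T02:12:40", 15, "SVCFTP", "10.1.4.77", "data set written"),
    ("2024-03-01T08:55:00", 80, "JSMITH", "10.1.2.5", "successful logon"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

def build_timeline(events, user_id=None, src_ip=None, hops=1):
    """Filter on the alerted user ID or IP, then pivot `hops` times to the
    other indicators seen alongside it. Returns events in time order."""
    users = {user_id} - {None}
    ips = {src_ip} - {None}
    hits = []
    for _ in range(hops + 1):
        hits = [e for e in events if e["user_id"] in users or e["src_ip"] in ips]
        users |= {e["user_id"] for e in hits if e["user_id"]}
        ips |= {e["src_ip"] for e in hits if e["src_ip"]}
    return sorted(hits, key=lambda e: e["ts"])

def window_sweep(events, center, minutes):
    """Baseline without enrichment: every event near the alert time."""
    c = datetime.fromisoformat(center)
    span = timedelta(minutes=minutes)
    return [e for e in events if abs(datetime.fromisoformat(e["ts"]) - c) <= span]

if __name__ == "__main__":
    # Alert fired on JSMITH; one pivot also surfaces SVCFTP on the same IP.
    for e in build_timeline(EVENTS, user_id="JSMITH"):
        print(e["ts"], e["smf_type"], e["user_id"], e["src_ip"], e["detail"])
    print(len(window_sweep(EVENTS, "2024-03-01T02:10:05", 5)), "events in window")
```

Keep `hops` small in practice: an address shared by a proxy or gateway will pull unrelated user IDs into the timeline.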

If you feel secure in your current solutions, then you should begin the practice of testing your defensive posture through cybersecurity simulations. These simulations model a true cybersecurity incident to test your organization’s ability to detect and respond to real threats. Just like military exercises, rehearsals are a core component of testing, training, and improving your defenses. In today’s age, where a criminal can rent Ransomware as a Service [3] and can begin having catastrophic impacts on an organization in as little as 18 minutes from first infection [4], this can be the difference between losing the indispensable data that runs on the mainframe and responding to a threat in time.

If you’d like to learn more about mainframe security or how BMC AMI Security can help you detect and respond to very real mainframe cyber risks, then please contact your account manager or click here to sign up for a free trial of BMC AMI Security.

[1] https://cybersecurityventures.com/jobs/
[2] https://www.gartner.com/smarterwithgartner/solve-the-cybersecurity-talent-shortage/
[3] https://nakedsecurity.sophos.com/2017/12/13/5-ransomware-as-a-service-raas-kits-sophoslabs-investigates/
[4] https://www.zdnet.com/article/you-have-around-20-minutes-to-contain-a-russian-apt-attack/

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

About the author

Christopher Perry

Christopher Perry is the Principal Product Manager for BMC AMI Security. Prior to BMC, he served as a commander in the United States Cyber Command and holds several certifications including the Offensive Security Certified Expert (OSCE) and Certified Information Systems Security Professional (CISSP).
Chris contributes to online cybersecurity and machine learning publications like Information Week, Security Magazine, Help Net Security, and Planet Mainframe.