Ensure that your security events are being aggregated and included with other logs from your network.

In the wake of the SQL slammer worm in 2003, the attention of information security professionals was primarily focused on distributed computing architectures and Windows, UNIX, and Linux servers. Protecting the perimeter against worms and viruses was the order of the day. But today, meeting compliance initiatives and guarding against the insider threat from employees are just as important. Regulations specify the need for regular review and analysis of security logs. The Payment Card Industry (PCI) Data Security Standard, which was recently updated to version 1.2, requires that log files be reviewed daily and that at least three months of log data be available for immediate analysis.

IT auditors are also waking up to the issues associated with IBM i, and they demand that this platform's logs and event data receive the same level of monitoring and attention as other platforms. After all, it probably houses the most critical data: account numbers, customer information, and credit card data, for example. IBM i administrators and the information security team need to ensure that the security logs are monitored as closely as logs from firewalls, switches, routers, and other databases and operating systems in the data center. The syslog standard should be considered as a way to aggregate logs from the IBM i with other systems.

Syslog, a standard for forwarding log messages in an IP network, was originated on Linux systems. In 2001, the syslog standard was documented as an Internet standard in RFC 3164, and it has become more generally accepted as a way to exchange log data in TCP/IP networks. It is commonly used for security auditing.

Syslog, a simple protocol, is used by a wide variety of devices and thus it can be used to collect centralized logs of events from across a network. The syslog sender sends a small text message (less than 1024 bytes) to the "syslog daemon" or "syslog server." Because of its simplicity, syslog has become the standard logging solution on UNIX and Linux systems.

PowerTech Interact provides a method to export security events from the IBM i to syslog in real time. Interact interprets events and translates IBM i-specific jargon into actionable statements that IT security staff can understand. Online documentation is provided that explains the impact and meaning of each event.

Many companies are using Security Information and Event Management (SIEM) solutions to gather data from devices in the network. Popular examples of SIEM solutions are LogRhythm, ArcSight, TriGeo, RSA enVision, Symantec, IBM Tivoli, Open Service, HighTower, and Q1 Labs. Along with reading logs from firewalls, routers, databases, and servers, most SIEM solutions can also accept syslog feeds. Many leading SIEM vendors have integrated with the syslog output generated by Interact so that events are also mapped and normalized to the schema used by the SIEM vendor.

With Interact, you can filter events so that not everything that is sent to the journal is sent beyond the platform to a central logging solution. Object-level auditing often needs to be configured to support the needs of high availability software, and events are recorded that are not relevant for security and compliance purposes. Interact allows you to filter by day, time, IP address, user profile, and/or event type. Before any events are forwarded to a SIEM solution, there should be a more granular level of filtering than that provided by the operating system's audit controls.

Figure 1 shows an IBM i log event that is displayed natively on the operating system using the DSPJRN command. Figure 2 shows a similar event that has been sent in real time to the LogRhythm SIEM console.

Figure 1: This is output from the DSPJRN command. (Click images to enlarge.)

Figure 2: Here are the IBM i security events in the LogRhythm console.

The PowerTech Network Security product provides exit program access control and logging. When it is installed, Interact can also gather and send network transactions like FTP, ODBC, and remote command. Interact also includes support for logs beyond just QAUDJRN. The product also monitors critical messages from the operating system.

Many retailers and financial institutions are using Interact today for Sarbanes-Oxley compliance and to meet the onerous requirements of the PCI standard. The IBM i is not an island. If your security events are not getting aggregated and included with other logs from your network, you should take a look at PowerTech Interact today. Visit http://www.powertech.com/ for more information.

Brendan Patterson is Vice President of Products for The PowerTech Group. Brendan has been in the high-tech industry since 1991. Since joining PowerTech in 2003, Brendan has directed product management and marketing for the company's complete suite of security and compliance software products. He was instrumental in expanding the product line and the successful launch of the Authority Broker and Compliance Monitor products.

 

Brendan has spoken at industry events and been published in the industry's press. Previously, he held product management positions at GoAhead Software, a leading provider of High Availability and Management middleware, and Webforia, an Internet portal company.

Brendan has a master's degree in the Management of Technology from the Massachusetts Institute of Technology, Cambridge, Massachusetts, and a bachelor's degree in mechanical engineering from the National University of Ireland.