1. Your Mainframe Environment Is a Treasure
Trove: Is Your Sensitive Data Protected?
Data protection with visibility and control
8 August 2017
Peter Mandel
Guardium Product Manager
mandel@us.ibm.com

2. 2© 2015 IBM Corporation
Attackers break through conventional safeguards every day
Source: IBM X-Force Threat Intelligence Index - 2017
$7M
average cost of a U.S. data breachaverage time to identify data breach
206 days
2014
1B+ records breached
2015
Healthcare mega-breaches
2016
4B+ records breached

3. 3 IBM Security
What’s on the inside counts
Your next attacker is
likely to be someone
you thought you could
trust.**
**Source: IBM X-Force Research 2016 Cyber
Security Intelligence Index
60% of all attacks are
caused by insider
threats**

4. 4 IBM Security
Not all insider threats are created equal
Employees with privileged access to sensitive data carry
the greatest risks!
Who represents an insider threat?
 An inadvertent actor
 A malicious employee
 A 3rd party/partner with
access to sensitive data
(And falls into one of
the categories above)
Image Source: IBM X-Force Research 2016 Cyber
Security Intelligence Index

5. 5 IBM Security
How are most companies combating insider threats today?
61% of organizations do not
monitor and audit the actions of users
with privileges more closely than non-
privileged users*
*According to a 2015 UBM study of more than 200 organizations
70% of organizations do not have
a data security solution that supports
entitlement reporting*

6. 6 IBM Security
Today’s technologies have eliminated “mainframe isolation”
The increasingly desirable target of the mainframe
%
of all active code
runs on the mainframe80
%
of enterprise data is
housed on the mainframe80
Internet
Cloud
Social
Mobile
Big Data
Business
Innovation

7. 7 IBM Security
Key concerns
Mainframe customers are more vulnerable to security incidents:
Source: IBM Webinar 2/6/2014, Security Intelligence Solutions for System z and the Enterprise
“As mainframes become a major component in service-
oriented architectures, they are increasingly exposed
to malware. Web services on the mainframe have
significantly impacted security.”
Meenu Gupta
President, Mittal Technologies Inc.
The solution…
%
concerned with
privileged insiders50%
concerned with advanced
persistent threats21
%
concerned with web-
enabled z/OS apps29
%
of customers agree that deploying multiple layers of defense
provides the best mainframe protection86

8. 8 IBM Security
8
Can you prove that
privileged users have not
inappropriately accessed
or jeopardized the
integrity of your sensitive
customer, financial and
employee data?

9. 9 IBM Security
Where is the
sensitive data?
How to prevent
unauthorized
activities?
How to protect
sensitive data
to reduce risk?
How to secure
the repository?
Discovery
Classification
Identity & Access
Management
Activity
Monitoring
Blocking
Quarantine
Masking
Encryption
Vulnerability
Assessment
Who should
have access?
What is actually
happening?
Discover Harden Monitor Block Mask
Data Security best practices

10. 10 IBM Security
Comprehensive protection requires watchfulness and control
 Watch sensitive data &
data access all the time
 Monitor it everywhere it lives
 Protect against unauthorized access
 Easily review results and monitor
your data security heartbeat

11. 11 IBM Security
Automated analytics can highlight behavioral risks …
Apply machine learning & intelligence to uncover behavioral changes and risks
1. Policy-based, real-time
monitoring* reveals behavior
patterns over time
2. Analytics run and anomalies
are surfaced
3. Anomalies are sent for
manual review OR triggers
action
*including actions by privileged users

12. 12 IBM Security
… and specialized threat detection analytics can spot and
stop attack symptoms early
• Scan and analyze data to detect
symptoms of data repository attacks
• Look for specific patterns of events
and behaviors that indicate trouble
• Identify both SQL injections and
malicious stored procedures
• Do not rely on attack signature
dictionary comparisons (they go out
of date quickly)
Drill down on any aspect of a threat

13. 13 IBM Security
Security challenges specific to the mainframe:
Lack of visibilityIncreasing complexity
Ensuring complianceRising costs
Mainframe security
administration is typically
a manual operation
and relies upon old
and poorly-documented scripts; highly-skilled
mainframe administration resources are limited
Compliance verification
is a manual task
with alerts coming
only AFTER a problem
has occurred, if at all!
The mainframe is an integral
component of many large
business services, making
managing security threats
extremely complex creating
a higher risk to the business
Mainframe processes,
procedures, and
reports are often
siloed from the rest
of the organization

14. 14 IBM Security
But System z is already secure – why do we need more?
 Separation of duties
– Privileged users “need to know” vs abuse or mistake
– Trace-based auditing controlled by privileged users
– System Authorization Facility (SAF) plays a vital role in protection of
data on z/OS, but is not tamper-resistant and actionable
 Achieving audit readiness is labor-intensive and
introduces latency
– RACF lacks sufficient granularity for reporting
– DB2 Audit Trace requires externalization to SMF and customer
provided reporting infrastructure
 Real-time event collection
– Batch processing of audit data from external sources prevents real
time alerts

15. 15 IBM Security
Guardium helps secure mission-critical mainframe data
Guardium extends z Systems data security to provide
 End-to-End access rights management and controls
 Separation of Duty (SOD) with privilege users
 Real-time data activity monitoring and actionable alerts
 Block unauthorized database activities & quarantine at risk
users
 Low monitoring overhead, can be offloaded to zIIP
 Proof points to quickly and efficiently meet audit
requirements
 Lower cost and complexity of meeting compliance
Guardium enhances mainframe security intelligence
 Single consolidated view of security events across the entire enterprise
 Bi-directional integration with Qradar, send alerts to Guardium of asset
risks such as rogue users and IP addresses
 Machine learning and outlier activities detection, send real-time alerts
for investigation
 Enterprise-wide search and forensics investigation of anomalous events

16. 16 IBM Security
Guardium for System z: Components
 Guardium Collector appliance for System z
̶ Securely stores audit data collected on the mainframe
̶ Provides analytics, reporting & compliance workflow automation
̶ Integrated with Guardium enterprise architecture
 Centralized, cross-platform audit repository for enterprise-wide analytics and compliance
reporting across mainframe & distributed environments
• S-TAP (for DB2, IMS or Data Sets) on z/OS event capture
̶ Mainframe probe
̶ Collects audit data for Guardium appliance
̶ Collection profiles managed on the Guardium appliance
̶ Extensive filtering available to optimize data volumes and performance
̶ Enabled for zIIP processing
̶ Audit data streamed to appliance – small mainframe footprint
16

17. 17 IBM Security
Guardium for DB2/z protection
• Capture all database activities on DB2 for z/OS
̶ Including: SELECTs, DML, DDL, and authorization changes
• Very low performance overhead (typically less than using DB2 traces)
̶ zIIP eligible processes
• Flexible filtering
̶ Helps manage data volume and performance overhead
• Direct streaming of audit data
• Centralized interaction
̶ Goes through the Guardium appliance
• Common event collection
̶ Is supported with IBM Query Monitor

18. 18 IBM Security
Guardium for Datasets protection
• Activity monitoring for files outside of a DBMS
̶ Monitor VSAM files, PDS, sequential file access activity
• Why should we monitor data store outside a DBMS?
̶ Sensitive data may be stored in these files
̶ DB2 and IMS store data in VSAM files
• Utilities operate directly on the VSAM LDS files
• Guardium for Datasets reports when the VSAM LDS files are accessed
̶ Monitor and audit configuration files
̶ Capture CICS transaction information and identify the CICS sign-on that was used
for a specific file access event

19. 19 IBM Security
Guardium for IMS protection
• Monitor all READ, INSERT, UPDATE and DELETE access to
databases and segments
• Applies to IMS Batch and IMS Online regions
• You can select which calls to audit per target
̶ For example: all databases, all segments, one DB and one segment of the DB, etc.
̶ Each segment can have different calls audited
• When a call is collected, all relevant information is captured
• call type, userid, PSB name, DBName, Segment Name, etc.

20. 20 IBM Security
Pervasive Encryption: Multiple layers of data privacy protection
App
Encryption
hyper-sensitive data
Database Encryption
Provide protection for sensitive data in-
use at DB level, in-flight & at-rest
File or Dataset Level Encryption
Provide broad coverage for sensitive data using
encryption tied to access control for in-flight &
at-rest data protection (from unauthorized
copying of the files)
Full Disk and Tape Encryption
Provide 100% coverage for in-flight & at-rest data with zero
host CPU cost
Coverage
Complexity&SecurityControl
Protection against
intrusion, tamper or
removal of physical
infrastructure
Broad protection & privacy
managed by OS… ability to
eliminate storage admins from
compliance scope
Granular privacy protection from DB
Privilege Users accesses … selective
encryption & key management to control
sensitive data access
Data protection & privacy provided and
managed by the application… encryption of
sensitive data when lower levels of encryption
not available or suitable

21. 21 IBM Security
Filters and
Sort
Controls
Result
History
Current Test
Results
Detailed
Remediation
Suggestions
Harden DB2/z further with Vulnerability Assessment
Prioritized
Breakdown
Detailed Test
Results
Identify key APARs and mis-configured systems

22. 22 IBM Security
Chosen by leading organizations worldwide to secure sensitive data
5 of the top 5 global banks XX
Protecting access to over
$10,869,929,241 in financial
assets
2 of the top 3 global
retailers XX
Safeguarding the integrity of
2.5 billion credit card or personal
information transactions per year
5 of the top 6 global insurers
Protecting more than 100,000
databases with personal and
private information
Top government agencies
Safeguarding the
integrity of the
world’s government
information and
defense
8 of the top 10 telcos worldwide
Maintaining the privacy of over
1,100,000,000 subscribers
4 of the top 4 global managed
healthcare providers
Protecting access to
136 million patients
private information
The most recognized name in
PCs Protecting over 7 million
credit card transactions per year

23. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU