Configuring zsecure To Send Data to QRadar


CONFIGURATION, SETUP, AND EXAMPLES

Reminder: You must dial in to the phone conference to listen to the panelists. The web cast does not include audio.
USA toll-free: 866-803-2145
USA toll: 210-795-1099
Participant passcode: 3933241

NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.

About the panelists
- Alan Brown, zsecure Level 2 Support
- Jared Franze, zsecure Level 2 Support
- Jeroen Tiggelman, zsecure Level 3 Manager
- Hans Schoone, zsecure Chief Architect
- Guus Bonnes, zsecure Architect and Designer
- Jonathan Pechta, IBM Security QRadar - Support Technical Writer
IBM Security

A comprehensive suite of products
- zsecure Audit: Vulnerability analysis for the mainframe infrastructure; automatically analyze and report on security events and monitor compliance
- zsecure Adapters for QRadar: Collects, formats and sends enriched mainframe System Management Facility (SMF) audit records to IBM Security QRadar SIEM
- zsecure Alert: Real-time mainframe threat monitoring of intruders and alerting to identify misconfigurations that could hamper compliance
- zsecure Command Verifier: Policy enforcement solution that helps enforce compliance with company and regulatory policies by preventing erroneous commands
- zsecure Manager for RACF z/VM: Combined audit and administration for RACF in the VM environment, including auditing Linux on System z
- zsecure Admin: Enables more efficient and effective RACF administration, identity governance, tracking and statistics using significantly fewer resources
- zsecure Visual: Helps reduce the need for scarce, RACF-trained expertise through a Microsoft Windows based GUI for RACF administration
- zsecure CICS Toolkit: Provides access to RACF commands and APIs from a CICS environment, allowing additional administrative flexibility


About the presentation
- The focus of this presentation is on setting up zsecure to send data to QRadar Security Information and Event Management (SIEM)
- We will only be looking at sending SMF data as enhanced by zsecure
- Using zsecure Alert to send data to QRadar SIEM is planned for a later presentation
- We will be using screenshots and documentation from zsecure 2.2.0

Functional Overview
- A z/OS image can contain many log sources:
  o z/OS
  o RACF/ACF2/TSS
  o DB2
  o CICS
- To integrate these sources with QRadar, a procedure must be in place to enrich standard SMF data into something QRadar can understand: Log Event Enhanced Format (LEEF).
- These files are created and stored as z/OS UNIX files, and regularly fetched by QRadar SIEM for processing.
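The LEEF files that QRadar fetches are plain-text event lines with a fixed header. The following is an added example (not zsecure's or QRadar's code) that sanity-checks constructed LEEF 1.0 lines the way an administrator might verify the LEEF directory before QRadar's first fetch; the vendor/product strings, event IDs and attribute values in the sample are constructed assumptions, not zsecure's actual output.

```python
# Added example (not zsecure or QRadar code): sanity-check LEEF 1.0 lines
# before QRadar fetches them from the z/OS UNIX LEEF directory.
import re
from typing import Dict, List, Optional

# LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID|  then TAB-separated key=value
LEEF_HEADER = re.compile(
    r"^LEEF:1\.0\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<event>[^|]*)\|(?P<attrs>.*)$"
)

def parse_leef(line: str) -> Optional[dict]:
    """Return header fields plus an 'attrs' dict, or None if the line is not LEEF 1.0."""
    m = LEEF_HEADER.match(line.rstrip("\r\n"))
    if m is None:
        return None
    event = {k: m.group(k) for k in ("vendor", "product", "version", "event")}
    attrs: Dict[str, str] = {}
    for pair in m.group("attrs").split("\t"):   # LEEF 1.0 delimiter is a tab, not a space
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep or not key:
            return None  # malformed attribute; QRadar could not map the field
        attrs[key] = value
    event["attrs"] = attrs
    return event

def check_leef_lines(lines: List[str], required=("devTime", "usrName")) -> Dict[str, List[int]]:
    """Classify lines by number: ok, malformed header/attribute, or missing a required key."""
    report: Dict[str, List[int]] = {"ok": [], "malformed": [], "missing": []}
    for n, line in enumerate(lines, 1):
        ev = parse_leef(line)
        if ev is None:
            report["malformed"].append(n)
        elif any(k not in ev["attrs"] for k in required):
            report["missing"].append(n)
        else:
            report["ok"].append(n)
    return report

# Constructed sample lines (assumed shapes, not real zsecure output)
SAMPLE_LINES = [
    "LEEF:1.0|IBM|zSecure Audit|2.2.0|RACF_LOGON|devTime=Mar 31 2016 10:15:00\tusrName=USER01\tsrc=10.0.0.5",
    "LEEF:1.0|IBM|zSecure Audit|2.2.0|RACF_LOGON|devTime=Mar 31 2016 10:15:01 usrName=USER02",  # space, not tab
    "LEEF:1.0|IBM|zSecure Audit|2.2.0|SMF_TYPE80|devTime=Mar 31 2016 10:15:02\tsrc=10.0.0.6",
    "LEEF:2.0|IBM|zSecure Audit|2.2.0|X|devTime=x",  # not LEEF 1.0; this checker rejects it
]

if __name__ == "__main__":
    print(check_leef_lines(SAMPLE_LINES))
```

Line 2 shows the failure mode a plain-text inspection hides: a space instead of a tab folds usrName into the devTime value, so the record parses but the user field is lost.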

Methods
- Integrated functionality with zsecure Audit
- Standalone zsecure Adapters for QRadar SIEM product
  o The Adapters product uses fewer NEWLIST types, lookups, and members. It instead relies on a number of newly introduced fields in order to maintain functional equivalence with the product built into zsecure Audit.
- Near real-time integration with zsecure Alert (to be discussed at a later date)
  o This method transfers Alerts via UNIX Syslog

Key Benefits
- Integrating with QRadar replaces manual security event analysis with an automated and trusted process for detection of security exposures.
- Collecting event data from multiple z/OS sources creates a comprehensive view of your system.
- Enriching data with audit and user information results in strong and complete reports.
- The ability to use the data analytics and dashboard reporting built into QRadar.

Preparation
Taken from Security zsecure CARLa-Driven Components Version 2.2.0 Installation and Deployment Guide, Chapter 15
- Complete installation/configuration of zsecure even if only using the Adapters
- Ensure the following prerequisites are performed
  o The SCKRLOAD library must be APF-authorized
  o You must set up a process to periodically refresh your CKFREEZE and UNLOAD (N/A to Top Secret) datasets
  o If only licensed for the Adapters, you must use the live security database instead of an unload file
  o We provide a sample job (C2RJPREP) to assist you in setting up the creation of your CKFREEZE and the security database UNLOAD files
  o You must have an FTP or SFTP server on your z/OS image in order for QRadar to be able to download the LEEF files that are created
  o Your zsecure configuration must be updated to contain the specific parameters required for QRadar SIEM (specifics will be described later)

SMF Records
- SMF processing must be turned on and the appropriate records for your shop must be created and saved
  o The exact SMF records required must be determined by your security staff
  o A list of standard records is on page 152 of the Installation Guide
- Making the SMF records available to QRadar
  o Determine whether you are using SMF data from a dataset or a logstream
    When using an SMF logstream, ensure that your data collection for QRadar runs on a frequency that guarantees the SMF data retention period does not expire before the data is collected
    For dataset processing, the SMF data must be prepared using your SMF offload process (e.g., IFASMFDP or a third-party utility that performs the same function)
  o When using SMF data from multiple z/OS images
    The SMF data must be broken out by z/OS image (examples to follow)
    The CKFREEZE and UNLOAD (not applicable to Top Secret or an Adapter-only license) from the SMF source images must be available

Using combined SMF data from multiple z/OS images
- Specify an EXCLUDE statement in member CKQXES or C2EQXES in your zsecure configuration dataset
  o Each collection process will require its own member in its zsecure configuration dataset
  o The combined SMF dataset is read multiple times when using this method
- Run a special CARLa job or job step that will read the combined SMF data and output separate datasets for each of the z/OS images
  o The combined SMF dataset is read only once
  o Sample CARLa code snippet for one system is below

    alloc type=smf DD=C1SMF0                       <== combined SMF input dataset
    newlist type=smf name=smfsel
    select system(ipo1) type=(0:69,80:120,230)     <== SMF records to extract
    unload dd=smfunld                              <== SMF file for system IPO1 (allocated in JCL)
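The one-pass split the second method describes, as an added Python example (not zsecure's CARLa and not a real SMF reader): constructed (system, record type, payload) tuples stand in for SMF records, the per-system type selection uses the same 0:69,80:120,230 range syntax as the CARLa snippet, and the function generalizes it to any number of images in a single read of the combined input.

```python
# Added example (not zsecure code): read combined records once and route them to
# per-system outputs, filtered by CARLa-style type ranges such as 0:69,80:120,230.
# Records are constructed (system, smf_type, payload) tuples, not real SMF data.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, int, str]

def parse_type_spec(spec: str) -> List[Tuple[int, int]]:
    """'0:69,80:120,230' -> [(0, 69), (80, 120), (230, 230)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition(":")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if hi_i < lo_i:
            raise ValueError(f"bad range {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges

def type_selected(smf_type: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(lo <= smf_type <= hi for lo, hi in ranges)

def split_once(records: Iterable[Record], selections: Dict[str, str]):
    """One pass over the combined input; each record goes to at most one output.
    selections maps system name -> type spec, one entry per z/OS image."""
    compiled = {name.upper(): parse_type_spec(spec) for name, spec in selections.items()}
    outputs: Dict[str, List[Record]] = defaultdict(list)
    dropped = 0
    for rec in records:
        system, smf_type, _ = rec
        ranges = compiled.get(system.upper())
        if ranges is not None and type_selected(smf_type, ranges):
            outputs[system.upper()].append(rec)
        else:
            dropped += 1   # other system, or type outside the requested ranges
    return dict(outputs), dropped

# Constructed combined SMF-like input from several images
COMBINED: List[Record] = [
    ("IPO1", 80, "racf event"),
    ("IPO1", 230, "zsecure"),
    ("IPO2", 80, "racf event"),
    ("IPO1", 70, "rmf"),          # outside 0:69 and 80:120
    ("IPO3", 30, "job"),          # no selection defined for IPO3
    ("ipo2", 14, "dataset open"), # system names compare case-insensitively
]
SELECTIONS = {"ipo1": "0:69,80:120,230", "ipo2": "0:69,80:120,230"}

if __name__ == "__main__":
    outs, dropped = split_once(COMBINED, SELECTIONS)
    for system, recs in outs.items():
        print(system, [t for _, t, _ in recs])
    print("dropped:", dropped)
```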

Setup of the collection process
- Two sets of members are provided
  o The C2E prefixed members are only for zsecure Audit
  o The CKQ prefixed members are for zsecure Audit and zsecure Adapters for QRadar SIEM
  o New installations should use CKQ prefixed members; they are what we use in this presentation
- Decide how the collection process should be run
  o Batch using a job scheduling system
  o Started task
- Customize the JCL and point to the zsecure configuration member (default is C2R$PARM)
  o Store the configuration member where it can be accessed
    For a started task, this is the JES procedure library
    For batch, use the JCLLIB statement
  o Customize C2EQCUST/CKQCUST and C2EQPATH/CKQPATH

Setup of the collection process - continued
- Assigning a user ID for the collection process and creating a z/OS UNIX directory for the LEEF data
  o Use the supplied jobs as described on page 155 for your specific security subsystem
    C2EQAUSA/CKQAUSA for ACF2
    C2EQAUSR/CKQAUSR for RACF
    C2EQAUST/CKQAUST for Top Secret
  o We will use CKQAUSR for our RACF system
- Preparing the LEEF directory
- Customize the configuration members
- Start the job or started task

WALKTHROUGH Configuration examples

Customize CKQCLEEF Proc (screenshot slide)

zsecure Configuration Member (screenshot slide)

Assigning a userid and preparing a directory to store the LEEF data (four screenshot slides)

Configuring environment - CKQSPEC (screenshot slide)

LEEF Files and maxdate file (screenshot slide)

Resources
- Documentation on IBM Knowledge Center
  http://www.ibm.com/support/knowledgecenter/ss2rws_2.2.0/kc_gen/toc_kc_master220-gen1.html
- zsecure Forum on developerWorks
  https://www.ibm.com/developerworks/community/forums/html/forum?id=11111111-0000-0000-0000-000000001255
- zsecure Wiki on developerWorks
  https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/wa6857722838e_491e_9968_c8157c8cf491
- zsecure Q&A on dW Answers
  https://developer.ibm.com/answers/topics/zsecure/ and
  https://developer.ibm.com/answers/search.html?f=&type=question&redirect=search%2fsearch&sort=relevance&q=zsecure
- Technotes
  o QRadar: Processing large amounts of SMF data
    http://www.ibm.com/support/docview.wss?uid=swg21688548
  o Loading CARLa EXCLUDES for zsecure QRadar
    http://www.ibm.com/support/docview.wss?uid=swg21967519
- User group

Questions?

Appendix: Complete job log for splitting an SMF file by system name

    //SMFEXT   JOB (),'Alan Brown',MSGCLASS=X,MSGLEVEL=(1,1),
    //         NOTIFY=&SYSUID
    //CKRCARLA EXEC PGM=CKRCARLA,REGION=64M,PARM='I DD=CKRSPROF'
    //*********************************************************************
    //* Change ZSEC220 to the location of your zsecure installation       *
    //*********************************************************************
    //STEPLIB  DD DISP=SHR,DSN=ZSEC220.SCKRLOAD
    //CKRCARLA DD DISP=SHR,DSN=ZSEC220.SCKRCARL
    //*********************************************************************
    //SYSPRINT DD SYSOUT=*
    //CKREPORT DD SYSOUT=*
    //CKRCMD   DD SYSOUT=*
    //CKR2PASS DD SYSOUT
    //******************************************************************
    //* Replace the following DSN with the DSN of your SMF unload file *
    //******************************************************************
    //C1SMF0   DD DSN=CRMA.X.TVT8010.SMF.DAY,DISP=SHR
    //******************************************************************
    //*
    //**************************************************************
    //* Replace the DSN with the name of your new system-specific  *
    //* and SMF-filtered SMF unload file.                          *
    //* Replace space parameter as needed to accommodate the size  *
    //* of your output SMF unload file.                            *
    //* If you reuse this file, change DISP to OLD after first run *
    //**************************************************************
    //SMFUNLD  DD DISP=(NEW,CATLG),DSN=CRMBAB1.P01395.IPO1.SMF,
    //         SPACE=(27998,(300,300),RLSE,,ROUND),
    //         DCB=(LRECL=32760,BLKSIZE=27998,RECFM=VBS)
    //**************************************************************
    //*
    //************************************
    //* Standard CARLa environment setup *
    //************************************
    //CKRCMD01 DD SYSOUT=*
    //* Standard profile for zsecure Suite run
    //CKRSPROF DD DATA,DLM='\/'
    PRINT DD=CKREPORT
    SUP CONNECTOWNER;
    IMBED MEMBER=CKRXDEF1 NOLIST
    \/
    //****************************************************
    //* CARLa code to extract SMF records that           *
    //* meet the following criteria:                     *
    //* 1. System is IPO1                                *
    //* 2. SMF records are equal to the following ranges *
    //*    A. 0-69                                       *
    //*    B. 80-120                                     *
    //*    C. 230                                        *
    //* Input is from DD C1SMF0                          *
    //* Output is to DD SMFUNLD                          *
    //****************************************************
    //SYSIN    DD DATA,DLM='\/'
    /* Daily SMF dump */
    alloc type=smf DD=C1SMF0
    alloc type=ckrcmd DD=CKRCMD01
    suppress CKFREEZE
    newlist type=smf name=smfsel
    select system(ipo1) type=(0:69,80:120,230)
    unload dd=smfunld
    include member=ckalfsum
    \/
    /*

THANK YOU

FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions

Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.