Consul
Mainframe plug-ins: zAlert
Intrusion Detection and Alerting.
The mainframe is the core repository of crucial company data. Increasingly, though, the mainframe is also at the center of the networked enterprise, with employees, consultants and customers accessing it for vital information. It must, therefore, be monitored for the threat of external intruders and for configuration errors from within. Consul InSight zAlert draws upon Consul's extensive intrusion, monitoring and mainframe know-how to offer a premium real-time monitoring solution for your company's core IT asset. Consul InSight zAlert is part of Consul's zSecure Suite of tools and seamlessly extends Consul's InSight Security Manager solution to include real-time mainframe alerts.
Consul InSight zAlert resides on the mainframe, monitoring z/OS, RACF and UNIX sub-systems (USS). It draws on extensive system information, beyond just the data stored in SMF records, to monitor the mainframe. zAlert combines a threat knowledge base with parameters from your active configuration to identify resources that need protection and isolate relevant attack patterns.
zAlert features include:
In-depth detection capability
- Detects breaches from SMF and non-SMF information.
- Correlates real-time activity with recent patterns to detect sophisticated threats.
- Monitors z/OS, RACF and UNIX sub-systems (USS).
- Consolidates IBM's IDS functionality in the TCP/IP stack.
Robust alerting and action capability
- SNMP alerts to Consul InSight™ Security Manager, IBM Tivoli and other consoles.
- WTO generation: Triggers AOC (Netview, AutoOper) routine.
- Actions: triggers any RACF command instantly when a threat is detected.
- E-mail: Customized e-mail alerting.
- Cell phones, pagers and text messaging.
Flexible and easy configuration
- Selection and layout of alerts configurable with easy-to-use CARLa programming.
- Controlled by MVS operator commands, dynamically re-configurable.
- Low system overhead.
Beyond Intrusion Detection
Consul InSight zAlert goes beyond conventional intrusion detection solutions. It offers intrusion prevention, as it can act instantly to stop any attack. These countermeasures can be predefined and customized. And, unlike an IDS, zAlert also makes sure that no configuration mistakes go unnoticed.
A Unique Alerting Solution
Consul InSight zAlert is the first truly comprehensive real-time monitoring solution for mainframes. Consul's mainframe experts have incorporated the experience gained in conducting penetration tests on customer mainframes into a threat knowledge base that alerts you of any activities you need to know about. Unlike other products, zAlert can also detect malicious activity even if it is not registered in the event log (SMF record). zAlert can also compare real-time activity with recent patterns, allowing it to detect additional threats.
Supported Attacks
Examples of some of the attacks and configuration threats zAlert can detect:
Unwanted logons and user activity
- Logon by unknown users.
- Logon with emergency user ID.
- UNIX superuser logons.
- Password recycling.
Changes that violate security policy
- Addition or removal of system authority.
- Revoking of production user IDs.
- Granting of excessive universal access.
- Disabling of system security options (setropts).
- Disabling of audit trail.
Core system resources at risk
- Update on a system data set.
- Dynamic addition of APF data set.
- SMF buffers becoming full, risking data loss.
- Tasks started with unspecified authority.
Suspicious activity on the UNIX sub-system
- File access violations.
- APF or controlled program assignment.
- Global write or read specification.
Business Benefit:
- Stop a breach before things get serious: If a breach occurs on your most crucial IT asset, the mainframe and its data, you need to know about it quickly. zAlert lets you know instantly so you can stop intruders in their tracks.
- Monitor crucial data for misuse: When certain crucial data is touched, even by authorized users, you should know about it. zAlert maintains data integrity and confidentiality.
- Fix mistakes before others exploit them: Often the biggest danger comes from within, as self-inflicted wounds leave security holes that can be exploited. zAlert lets you know when a configuration change violates security policy or leaves you vulnerable.
- Action, not just alerting: zAlert allows you to determine what countermeasures to take when it detects abuse. Revoking a user or shutting down an application are examples of how zAlert goes beyond monitoring and notification to take real action.
- Lower operational cost: Through improved security, faster incident management, less costly breaches and cleaner audits, zAlert minimizes security housekeeping on the mainframe and enhances system availability.