Whether you work for a bank, healthcare provider, insurance company or other large organization, your company’s risk management team likely uses a system security product to protect its mainframe and prevent unauthorized access of its applications and data.
A common method relies on gathering various available records, such as from SMF, where activities like logging on and off are tracked, along with attempts to access systems, applications and data for which an ID is not authorized. These SMF records are then processed to produce audit reports.
However, these types of audit reports—produced by data contained in SMF records, database log files, and other locations—offer limited visibility and exclude critical information about users. Audit reports can’t answer questions about who a user is, what they were doing, when they were doing it, or how they found access to sensitive data in the first place.
Without a good view of mainframe activity, what happens when an unauthorized user gets their hands on an authorized user’s credentials and gains unapproved access to sensitive mainframe applications or data?
The Threat of Insider Data Breaches
In a data breach at Sage, a U.K. provider of business software, an employee gained unauthorized access to internal login data and committed a data breach affecting 200-300 U.K. customers. London police arrested the employee, but the breach and its impacts are virtually indelible from a customer experience standpoint.
Insider security breaches like this have escalated to levels that critically damage businesses’ financial outcomes and reputations and now account for 43% of data loss, according to a report from Intel.
One study put the worldwide average cost of a data breach at $4 million, an increase from $3.79 million in 2015, with the highest average cost per breach in the U.S. and Germany ($7.01 million and $5 million, respectively).
According to IBS Intelligence, data from public databases and government-mandated disclosures indicates data leakage almost doubled between 2014 and 2015. And data from the cloud security software company Bitglass indicates five of the top 20 U.S. banks have experienced a data breach in 2016.
“Financial institutions are prime targets for hackers and are rightfully concerned about the threat of cyberattacks, device theft, and malicious insiders,” Bitglass CEO Nat Kausik said.
Despite an obvious increase, the threat from insiders is seldom discussed publicly. The media highlights external data breaches but rarely mentions internal risks. Yet, according to a 2016 Cisco study, 47% of respondents say preventing breaches by employees is their top internal security challenge.
Is your company prepared to face this challenge?
Gain Visibility, Improve Security, Reduce Threats
Under the growing risk of insider data breaches, simply collecting and analyzing mainframe log data is not enough. By merely scratching the surface of user activity, you’re letting critical knowledge about mainframe applications and data access fall between the cracks.
Rather than relying on security violations and SMF records, which primarily notify you of issues after someone did something they weren’t supposed to, why not collect deeper information on the activities of users and push that information to a reliable SIEM tool like Splunk?
Unfortunately, having limited visibility is the reality for many companies. As one large financial institution stated, “We do not have a good view of mainframe activity. This is a huge blind-spot for us. Pushing mainframe info into Splunk would be incredibly valuable.”
Monitoring users and capturing their activities can provide visibility into:
- Who saw the data.
- What sensitive data a user accessed and what they did with the data.
- When the data was found.
- How they gained access to the data.
Without this in-depth level of visibility, security teams are left with significant blind spots, forcing them to sift through volumes of false positives looking for actual threats. Deeper insights into mainframe user activity can illuminate other areas that should be of concern as well, such as:
- Why is a user’s behavior veering toward suspicious?
- Why is an authorized user looking at masses of particularly sensitive data so often and for so long?
Many assume that because the mainframe was built with security in mind, the information residing on it reflects the same level of protection. However, your company’s authorized users can access applications and data that a typical hacker would have trouble getting into. This opens the door for unauthorized users obtaining credentials to access sensitive information without you knowing.
By limiting risk management capabilities and only tracking user flows in your mainframe environment, your company could face major consequences. Be it a damaged reputation with customers, or penalties incurred by a failure to comply with tightening government regulations or company security policies. Only with the proper application auditing tool can your company keep a closer eye on what’s going on in its mainframe environment and prevent these detriments.