Active monitoring (e.g., continuous monitoring, system logging) is a top critical security control for a good reason. Early detection through active monitoring can prevent data breaches, and you save a lot of time and money if you can stop a breach before it happens. That is why compliance regulations such as PCI-DSS, HIPAA, FFIEC and many others require the monitoring of system logs. It’s a proven way to prevent a data breach!
As you develop your active monitoring strategy, there are some core requirements to keep in mind. Your monitoring strategy can only work well when security information is collected across all of your IT systems. This means data from your IBM i servers, user PCs, firewalls, switches, routers and application servers all have to be a part of the picture. This is no time to go it alone with an IBM-only strategy!
Cybercriminals rarely start an attack on the IBM i server, so visibility across all systems is crucial. Here are the core features of an active monitoring system:
Centralized event data store
Real-time event collection
Real-time event correlation
The IBM i server presents some special challenges for an active monitoring strategy. IBM i security events are collected and stored in internal data formats that are incompatible with common monitoring solutions, and they come from multiple sources, including the security audit journal QAUDJRN, the system history log QHST, exit points and many others. Once you solve the issue of multiple sources of security events, you have to get those events into industry-standard formats (e.g., syslog, Common Event Format (CEF) and Log Event Extended Format (LEEF)). And once you have them in a common format, you have to transmit the events using syslog communication protocols over UDP, TCP and encrypted TLS. Unlike UNIX* and Linux* platforms, the IBM i server does not have a standard syslog communications facility, so that will be an important component of the solution.
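To make the normalization and transport steps concrete, here is an added example (not code from the original article or from any IBM i product) that takes a few constructed audit events, loosely modelled on QAUDJRN entry types and a QHST message, and renders each one as CEF, as LEEF 1.0 and as an RFC 5424 syslog line, then shows the UDP, TCP (octet-counted framing) and TLS transports. The vendor and product names, the event dictionaries, the severity mapping and the field names are all assumptions made for illustration; on a real system the journal entries are fixed-width records you would read with DSPJRN or RCVJRNE rather than Python dicts.

```python
"""Normalise IBM i-style security events into syslog/CEF/LEEF and forward them.

Added example, not from the original article. Vendor/product names, the event
dicts and the field mapping are constructed for illustration only.
"""
import socket
import ssl
from typing import Dict, List

# Constructed sample events loosely modelled on QAUDJRN entry types
# (PW = password failure, AF = authority failure, CP = profile change)
# plus one QHST history-log message. Real journal entries are fixed-width
# records read via DSPJRN/RCVJRNE; this dict shape is an assumption.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"source": "QAUDJRN", "type": "PW", "ts": "2024-05-01T09:14:02Z", "host": "IBMI01",
     "user": "JSMITH", "job": "QPADEV0001", "detail": "Password not valid for user"},
    {"source": "QAUDJRN", "type": "AF", "ts": "2024-05-01T09:15:40Z", "host": "IBMI01",
     "user": "JSMITH", "job": "QPADEV0001", "detail": "Not authorized to object PAYROLL|PRDLIB"},
    {"source": "QHST", "type": "MSG", "ts": "2024-05-01T09:16:05Z", "host": "IBMI01",
     "user": "QSYS", "job": "QSYSARB", "detail": "Subsystem QINTER ended"},
]

VENDOR, PRODUCT, VERSION = "ExampleVendor", "IBMi-Forwarder", "1.0"  # constructed names

# Severity per entry type on the CEF/LEEF 0-10 scale and the syslog 0-7 scale
# (a constructed policy; tune it to your own risk model).
CEF_SEVERITY = {"PW": 6, "AF": 7, "CP": 5}
SYSLOG_SEVERITY = {"PW": 4, "AF": 4, "CP": 5}  # 4 = warning, 5 = notice
SYSLOG_FACILITY = 4  # RFC 5424 facility 4: security/authorization messages


def _cef_header(value: str) -> str:
    """Escape backslash and pipe, the two reserved characters in CEF header fields."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    """Escape backslash, '=' and newlines in CEF extension values."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(ev: Dict[str, str]) -> str:
    """CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|key=value ..."""
    sev = CEF_SEVERITY.get(ev["type"], 3)
    header = "|".join(_cef_header(x) for x in
                      (VENDOR, PRODUCT, VERSION, ev["type"], ev["detail"], str(sev)))
    pairs = (("rt", ev["ts"]), ("suser", ev["user"]), ("dvchost", ev["host"]),
             ("cs1Label", "sourceJournal"), ("cs1", ev["source"]),
             ("cs2Label", "jobName"), ("cs2", ev["job"]), ("msg", ev["detail"]))
    return f"CEF:0|{header}|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in pairs)


def to_leef(ev: Dict[str, str]) -> str:
    """LEEF:1.0|Vendor|Product|Version|EventID|tab-separated key=value pairs."""
    pairs = (("devTime", ev["ts"]), ("usrName", ev["user"]), ("identHostName", ev["host"]),
             ("sev", str(CEF_SEVERITY.get(ev["type"], 3))), ("cat", ev["source"]),
             ("jobName", ev["job"]), ("msg", ev["detail"]))
    return f"LEEF:1.0|{VENDOR}|{PRODUCT}|{VERSION}|{ev['type']}|" + \
        "\t".join(f"{k}={v}" for k, v in pairs)


def to_syslog(ev: Dict[str, str], payload: str) -> str:
    """Wrap a CEF/LEEF payload in an RFC 5424 header: <PRI>1 TS HOST APP PROCID MSGID SD MSG."""
    pri = SYSLOG_FACILITY * 8 + SYSLOG_SEVERITY.get(ev["type"], 6)
    return f"<{pri}>1 {ev['ts']} {ev['host']} ibmi-audit - {ev['type']} - {payload}"


def frame_tcp(msg: str) -> bytes:
    """RFC 6587 octet-counting frame: '<length> <message>' so TCP streams stay delimited."""
    body = msg.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def send(msg: str, host: str, port: int, proto: str = "udp", tls: bool = False) -> None:
    """Forward one syslog line over UDP, plain TCP, or TCP wrapped in TLS."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(msg.encode("utf-8"), (host, port))
        return
    sock = socket.create_connection((host, port), timeout=5)
    if tls:
        ctx = ssl.create_default_context()  # verifies the collector's certificate chain
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(frame_tcp(msg))


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(to_syslog(ev, to_cef(ev)))
        print(to_syslog(ev, to_leef(ev)))
    # send(to_syslog(SAMPLE_EVENTS[0], to_cef(SAMPLE_EVENTS[0])), "siem.example", 6514, "tcp", tls=True)
```

Note that the second sample event carries a pipe in its description; the CEF header escaping turns it into `\|` so the SIEM parser does not split the event name in two, while the same text in the `msg=` extension only needs `=` and backslashes escaped. The `send` function's TLS path uses the default context so the collector's certificate is verified; sending to an unverified collector is what lets an attacker quietly sink your audit trail.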
No human could possibly review the massive amount of security information that our IBM i and other servers generate in a single day. And no human could intuitively see the patterns of a sophisticated attack. Fortunately, there is a large choice of third-party security information and event management (SIEM) solutions, many of them very affordable. These solutions automate the mundane tasks of event correlation, anomaly detection and alerting.
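The kind of correlation a SIEM automates can be shown with a small rule engine. The following is an added example (not from the original article or from any SIEM product) that runs two sliding-window threshold rules over a constructed stream of already-normalised events, loosely modelled on QAUDJRN types PW (password failure), AF (authority failure) and JS (job start): a burst of failures raises a medium alert, and a job start by the same user shortly after that burst is escalated to a high-severity alert, which is the multi-event pattern a person scanning raw journal entries would not spot. The event tuples, thresholds and window sizes are assumptions.

```python
"""Sliding-window event correlation over constructed IBM i-style audit events.

Added example, not from the original article. Thresholds, window sizes and the
event stream are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed, already-normalised events: (entry type, ISO-8601 UTC timestamp, user).
# PW = password failure, AF = authority failure, JS = job start (assumed semantics).
EVENTS: List[Tuple[str, str, str]] = [
    ("PW", "2024-05-01T09:14:02Z", "JSMITH"),
    ("PW", "2024-05-01T09:14:10Z", "JSMITH"),
    ("PW", "2024-05-01T09:14:20Z", "JSMITH"),
    ("PW", "2024-05-01T09:14:33Z", "JSMITH"),
    ("PW", "2024-05-01T09:14:41Z", "JSMITH"),   # 5th failure inside 5 minutes -> alert
    ("JS", "2024-05-01T09:15:10Z", "JSMITH"),   # job starts right after the burst -> escalate
    ("PW", "2024-05-01T09:30:00Z", "ACOOK"),    # single typo, below threshold
    ("JS", "2024-05-01T09:31:00Z", "ACOOK"),    # normal sign-on, no preceding burst
    ("AF", "2024-05-01T11:00:00Z", "BDAVIS"),
    ("AF", "2024-05-01T11:20:00Z", "BDAVIS"),   # first AF has aged out of the 10-minute window
    ("AF", "2024-05-01T11:25:00Z", "BDAVIS"),   # only 2 in window, no alert
]

# Threshold rules: entry type -> (count, window, description). Constructed policy.
RULES: Dict[str, Tuple[int, timedelta, str]] = {
    "PW": (5, timedelta(minutes=5), "repeated invalid password attempts"),
    "AF": (3, timedelta(minutes=10), "repeated authority failures"),
}
FOLLOW_UP = timedelta(minutes=10)  # how long after a burst a job start is suspicious


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Return alerts produced by the threshold rules and the burst-then-signon chain."""
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    recent_bursts: Dict[str, datetime] = {}  # user -> time of the last threshold alert
    alerts: List[Dict[str, object]] = []

    for etype, ts, user in events:          # events are assumed to arrive in time order
        t = _parse(ts)

        # Chain rule: a job start for a user who just tripped a failure threshold.
        if etype == "JS" and user in recent_bursts and t - recent_bursts[user] <= FOLLOW_UP:
            alerts.append({"rule": "job start after failure burst", "user": user,
                           "at": ts, "severity": "high"})
            del recent_bursts[user]
            continue

        rule = RULES.get(etype)
        if rule is None:
            continue
        count, window, description = rule

        # Sliding window: keep only the timestamps still inside the window.
        q = windows[(etype, user)]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()

        if len(q) >= count:
            alerts.append({"rule": description, "user": user, "count": len(q),
                           "at": ts, "severity": "medium"})
            recent_bursts[user] = t
            q.clear()  # reset so one burst produces one alert, not one per extra event
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run against the constructed stream, this yields exactly two alerts: the medium one for JSMITH's five password failures and the high one for the job start that follows it. ACOOK's single failure and BDAVIS's authority failures, which are too spread out for the 10-minute window, produce nothing, which is the point of windowing: the rules reduce a day's worth of journal entries to the handful of sequences worth a human's attention.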
If you haven’t done so already, it is time to deploy this critical security control.