
Page 1: Real-Time Alerting, Monitoring External Security Monitor

Real-Time Alerting, Monitoring External Security Monitor (ESM) Control Options with CA Compliance Event Manager Security Essentials

JIM BROADHURST, PRODUCT MARKETING ENGINEER (PRODUCT OWNER)

[email protected]

1.19.2020

Page 2: Real-Time Alerting, Monitoring External Security Monitor

Broadcom Proprietary and Confidential. Copyright © 2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Disclaimer

Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of 13th October 2020 and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.

Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.

Copyright © 2020 Broadcom. All rights reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA Technologies logo are among the trademarks of Broadcom.

THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. Broadcom assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, BROADCOM PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will Broadcom be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if Broadcom is expressly advised in advance of the possibility of such damages.

Page 3: Real-Time Alerting, Monitoring External Security Monitor


About Me


Page 4: Real-Time Alerting, Monitoring External Security Monitor

The Importance of Monitoring ESM Control Options

Page 5: Real-Time Alerting, Monitoring External Security Monitor


The Importance of Monitoring ESM Control Options

• Changes to control options could weaken or completely compromise your security posture

• Such changes could be human error or malicious intent

• Insider Threat

  • An employee that has permissions to access data, but uses that access for personal gain or nefarious purposes. Difficult to detect because the behavior is often normal for their role.

• Vulnerabilities

  • Prerequisites, software updates or components that are found to provide a pathway to access or increased permissions to a resource

Page 6: Real-Time Alerting, Monitoring External Security Monitor


ESM Control Options Monitoring

The monitoring lifecycle:

• Establish Baseline Following Best Practices

• Define Change Control Process

• Setup Continuous Monitoring

• Monitor for Changes

• Periodic Review, Adjustments and Improvements

Page 7: Real-Time Alerting, Monitoring External Security Monitor


Establishing a Baseline

• CA Mainframe Resource Intelligence Security Assessment

  • Security Assessments can help you better understand the level of risk in your mainframe environment.

  • System Settings – Key system configuration, settings and parameters

  • Bypass Privileges – Review bypass privileges and flag any which violate security best practices

  • Password Controls – Examine the password controls & requirements, highlight vulnerabilities

  • Unix System Services (USS) – Identify key security related issues related to USS

  • And many more – this just represents some of what this assessment will evaluate.

• Security Technical Implementation Guides (STIGs)

  • A set of recommended best practices for system settings, including mainframe ESM control option settings.

Page 8: Real-Time Alerting, Monitoring External Security Monitor


CA Mainframe Resource Intelligence Security Assessments

Page 9: Real-Time Alerting, Monitoring External Security Monitor


Security Technical Implementation Guides


Page 10: Real-Time Alerting, Monitoring External Security Monitor


Security Technical Implementation Guides

Page 11: Real-Time Alerting, Monitoring External Security Monitor

CA Compliance Event Manager and Predefined Security Essentials Policy

Page 12: Real-Time Alerting, Monitoring External Security Monitor


Best Practices Protection Throughout the Entire Security Lifecycle

Advance Your Mainframe Protection with Modern Mainframe Security

Products:

• Mainframe / ESM

• CA Advanced Authentication

• CA Trusted Access Manager for z

• CA Data Content Discovery

• CA Compliance Event Manager

• CA Cleanup

Goals:

• Leverage new technology & controls for Modern Mainframe Security

• Locate and protect sensitive data from mainframe to mobile

• Proactively identify and respond to security risks faster

• Manage 24x7 privileged user access with ease

• Handle constant change and reduce security management load

Page 13: Real-Time Alerting, Monitoring External Security Monitor


Predefined Policy - Documentation

Page 14: Real-Time Alerting, Monitoring External Security Monitor


Predefined Policy - Documentation

Page 15: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Predefined Policy Sets

Page 16: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Predefined Policy Statements

Page 17: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Predefined Policy Statements

Page 18: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Predefined Policy Actions

Page 19: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Predefined Policy Actions

Page 20: Real-Time Alerting, Monitoring External Security Monitor


User-Defined Variables – A Prerequisite!

Page 21: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Predefined Policy Email Actions

Page 22: Real-Time Alerting, Monitoring External Security Monitor


Defining the Security Essentials Email Recipients

• The only site-specific values needed for the predefined Policy Actions are the email recipients

• The email recipients in the email actions use User-Defined Variables specified in a configuration file

Page 23: Real-Time Alerting, Monitoring External Security Monitor


Activating the Predefined Policy Sets

• To activate usage of the predefined Policy Sets you update the POLICYSET= value in the parmfile member for each listener

  • CEMLPRM – Logger

  • CEMAPRM – Alert

  • CEMMPRM – Monitor

  • CEMWPRM – Warehouse

Page 24: Real-Time Alerting, Monitoring External Security Monitor

Security Essentials Email Alerts

Page 25: Real-Time Alerting, Monitoring External Security Monitor


Example Security Essentials Email Alerts – TSS

• TSS MODIFY(MODE(WARN)) will generate two alerts

• One from a “Security System Modify” event

• One from ESM Monitor

Page 26: Real-Time Alerting, Monitoring External Security Monitor


Example Security Essentials Email Alerts – TSS

• This is the alert for a TSS Modify command

Page 27: Real-Time Alerting, Monitoring External Security Monitor


Example Security Essentials Email Alerts – TSS

• Here is the alert from the ESM Monitor

• Note 1: the before and after ESM option values are not currently available as substitution variables in the alert. This functionality is currently planned

• Note 2: ESM Monitor can detect changes asserted from TSS parmfile changes across IPLs. In this case there would only be one alert since no MODIFY command would have been issued
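To make the two notes concrete, here is an added example (not code from the deck or from CA Compliance Event Manager) of the state-based check ESM Monitor performs: it diffs a baseline snapshot of control options against the current values, keeps the before and after values, and attributes each change either to a logged MODIFY command (the two-alert case) or to a parmfile change picked up at IPL (one alert). The option names, snapshots and log line are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class OptionChange:
    option: str
    before: Optional[str]
    after: Optional[str]
    source: str = "unknown"      # "command" or "parmfile/IPL"


def diff_options(baseline: dict, current: dict) -> list:
    """Compare two snapshots of ESM control options and list every change.

    A snapshot maps option name -> value, e.g. parsed TSS MODIFY(STATUS)
    output. Options that appear or disappear count as changes too.
    """
    changes = []
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name), current.get(name)
        if before != after:
            changes.append(OptionChange(name, before, after))
    return changes


def attribute(changes: list, modify_commands: list) -> list:
    """Tag each change with its likely origin.

    If a logged MODIFY command names the option, the change came from that
    command (Security System Modify event plus ESM Monitor: two alerts).
    Otherwise it was asserted from the parmfile at IPL, where only the
    ESM Monitor alert fires.
    """
    for change in changes:
        pattern = re.compile(r"\b" + re.escape(change.option) + r"\(", re.I)
        hit = any(pattern.search(cmd) for cmd in modify_commands)
        change.source = "command" if hit else "parmfile/IPL"
    return changes


def expected_alerts(change: OptionChange) -> int:
    """Number of Security Essentials alerts this change should produce."""
    return 2 if change.source == "command" else 1


# Constructed snapshots (example values, not a real system's options).
BASELINE = {"MODE": "FAIL", "PWEXP": "60", "PWHIST": "8", "PTHRESH": "5"}
CURRENT = {"MODE": "WARN", "PWEXP": "60", "PWHIST": "8", "PTHRESH": "99"}
# Constructed log of MODIFY commands issued since the baseline was taken.
MODIFY_LOG = ["TSS MODIFY(MODE(WARN))"]


def monitor(baseline=BASELINE, current=CURRENT, log=MODIFY_LOG) -> list:
    return attribute(diff_options(baseline, current), log)


if __name__ == "__main__":
    for ch in monitor():
        print(f"{ch.option}: {ch.before} -> {ch.after} "
              f"[{ch.source}, {expected_alerts(ch)} alert(s)]")
```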

Page 28: Real-Time Alerting, Monitoring External Security Monitor

Security Essentials Reporting through the UI

Page 29: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Reporting through the UI

• At this time we do not ship predefined reports. The steps to create them are simple and documented.

• I have created one report for ESM Monitor and another for MODIFY commands

Page 30: Real-Time Alerting, Monitoring External Security Monitor


Report From ESM Monitor

The UI report shows the before and after values. Here we see some very suspicious activity.

Page 31: Real-Time Alerting, Monitoring External Security Monitor


Sample Report for TSS Modify Commands

Page 32: Real-Time Alerting, Monitoring External Security Monitor

Security Essentials Batch Reporting

Page 33: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Batch Reporting

We provide template JCL for batch reporting for Datacom/AD. Your reporting tool of choice could be used with DB2.

Page 34: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Batch Reporting

We provide sample queries for Security Essentials batch reporting. This is the sample query for Modify commands.

Page 35: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Batch Reporting

This is the sample query for ESM Monitor.

Page 36: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Batch Reporting

• You can copy the template JCL and create a single job using both sample queries.

Page 37: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Batch Reporting

• The job currently sends both reports to SYSOUT. The output could be sent to a data set (e.g. a GDG)

Page 38: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Batch Reporting

• Here is sample output from the report for Modify commands

Page 39: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials Batch Reporting

• Here is the output from the ESM Monitor report

Page 40: Real-Time Alerting, Monitoring External Security Monitor

Predefined Policy – The Details

Page 41: Real-Time Alerting, Monitoring External Security Monitor


Event-Based vs ESM Monitor


Page 42: Real-Time Alerting, Monitoring External Security Monitor


Event-based Types Pertinent to Monitoring ESM Options


• For all three ESMs we will monitor for Security System Modify events

• For ACF2 we will additionally need to monitor for Other Administration events

• For every event we will take the following actions

  • Generate an Email Alert

  • Generate a WTO Alert

  • Include in Warehouse

  • Include in Logger

  • Include in Data Mart

Page 43: Real-Time Alerting, Monitoring External Security Monitor


Security Essentials ESM Monitor Statements

• The ESM Monitor Statements are simple and specify to monitor for changes to any option for each ESM

Page 44: Real-Time Alerting, Monitoring External Security Monitor


CA Security Essentials for IBM RACF Event-based Statements

• RACF is the simplest. System Security Modify will catch any SETROPTS commands


Page 45: Real-Time Alerting, Monitoring External Security Monitor


CA Security Essentials for CA TSS Event-based Statements

• For TSS we aren’t interested in TSS MODIFY(STATUS) commands so these need to be filtered out


Page 46: Real-Time Alerting, Monitoring External Security Monitor


CA Security Essentials for CA ACF2 Event-based Statements

• ACF2 is the most complex, as the options can be changed but are not active until a subsequent Refresh command is issued

Page 47: Real-Time Alerting, Monitoring External Security Monitor


CA Security Essentials for CA ACF2 Event-based Statements

• We use Other Administration type events for the Change, Delete or Insert commands that could affect ACF2 options. We could use a single statement for GSO, CPF and LDS Infostorage records, but we separate them to allow for more granularity in the email action alert text.

• Below is the Statement for GSO

Page 48: Real-Time Alerting, Monitoring External Security Monitor


CA Security Essentials for CA ACF2 Event-based Statements

• For CPF


Page 49: Real-Time Alerting, Monitoring External Security Monitor


CA Security Essentials for CA ACF2 Event-based Statements

• For LDS


Page 50: Real-Time Alerting, Monitoring External Security Monitor


CA Security Essentials for CA ACF2 Event-based Statements

• Here is the Statement for the System Security Modify event, and we have the check for REFRESH as part of the test conditions.
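As an added example (not the deck's policy statements or product code), the event-based rules from the RACF, TSS and ACF2 slides expressed as a small classifier: RACF Security System Modify events alert on any SETROPTS, TSS MODIFY(STATUS) is filtered out, ACF2 CHANGE/INSERT/DELETE against GSO, CPF or LDS records each get their own alert text, an ACF2 REFRESH is caught on the Security System Modify event, and every match carries the five policy actions. The event field names (esm, event_type, user, command, record_class) and the sample events are assumptions constructed for this example.

```python
import re

# Actions the predefined policy takes for every matching event.
ACTIONS = ("email_alert", "wto_alert", "warehouse", "logger", "data_mart")

# Command verbs that can alter ACF2 options held in Infostorage records.
ACF2_ADMIN_VERBS = {"CHANGE", "INSERT", "DELETE"}
ACF2_RECORD_CLASSES = {"GSO", "CPF", "LDS"}


def classify(event):
    """Return an alert dict for an ESM-option-relevant event, or None.

    `event` is a constructed record; `record_class` is the Infostorage
    class an ACF2 administration command ran against (assumed field).
    """
    esm, etype = event["esm"], event["event_type"]
    cmd = event["command"].strip()
    verb = cmd.split()[0].upper() if cmd else ""

    if esm == "RACF" and etype == "Security System Modify":
        # Any SETROPTS command is a control-option change.
        return _alert(event, "RACF SETROPTS issued")

    if esm == "TSS" and etype == "Security System Modify":
        # MODIFY(STATUS) only displays options; filter it out.
        if re.search(r"MODIFY\(\s*STATUS\s*\)", cmd, re.IGNORECASE):
            return None
        return _alert(event, "TSS MODIFY issued")

    if esm == "ACF2":
        if etype == "Other Administration":
            rc = event.get("record_class", "").upper()
            if verb in ACF2_ADMIN_VERBS and rc in ACF2_RECORD_CLASSES:
                # One text per record class, as the policy separates them.
                return _alert(event, f"ACF2 {rc} record {verb} (pending REFRESH)")
        elif etype == "Security System Modify" and "REFRESH" in cmd.upper():
            return _alert(event, "ACF2 REFRESH activated pending option changes")
    return None


def _alert(event, text):
    return {"esm": event["esm"], "user": event["user"], "text": text,
            "actions": list(ACTIONS)}


def run_policy(events):
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample events (not taken from the deck).
SAMPLE_EVENTS = [
    {"esm": "RACF", "event_type": "Security System Modify", "user": "SYSADM1",
     "command": "SETROPTS PASSWORD(INTERVAL(90))"},
    {"esm": "TSS", "event_type": "Security System Modify", "user": "SECADM2",
     "command": "TSS MODIFY(STATUS)"},
    {"esm": "TSS", "event_type": "Security System Modify", "user": "SECADM2",
     "command": "TSS MODIFY(MODE(WARN))"},
    {"esm": "ACF2", "event_type": "Other Administration", "user": "ACFADM3",
     "record_class": "GSO", "command": "CHANGE OPTS MODE(WARN)"},
    {"esm": "ACF2", "event_type": "Other Administration", "user": "ACFADM3",
     "record_class": "XYZ", "command": "LIST OPTS"},
    {"esm": "ACF2", "event_type": "Security System Modify", "user": "OPER4",
     "command": "F ACF2,REFRESH(OPTS)"},
]

if __name__ == "__main__":
    for a in run_policy(SAMPLE_EVENTS):
        print(a["esm"], a["user"], a["text"])
```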

Page 51: Real-Time Alerting, Monitoring External Security Monitor

Thank You

Page 52: Real-Time Alerting, Monitoring External Security Monitor

Now, please join us for a live Question and Answer discussion. Click the meeting link at the bottom of the Session Description to join us. This is your opportunity to connect with the presenter(s) and your peers, ask questions, and share information related to this topic.