> You are making a mistake if you discount the effectiveness of
> industry-standard tools in analyzing mainframe data.

Let me clarify... I'm not saying don't use it at all. Just saying that there seems to be a tendency to lean too heavily on it, after it has gotten its foot through the door (for receiving security events). I don't expect it to be great for either real-time processing of high volume perf data or for archival of said data efficiently, and allowing for historical reporting/charting etc.

On Wednesday, March 6th, 2024 at 21:32, Charles Mills <charl...@mcn.org> wrote:

> I of course saw first-hand a lot of mainframe -> SIEM or Splunk integrations,
> and they ran the gamut. Some were as you describe; some were quite effective.
> The worst I saw was one company that was printing an SMF report to spool,
> using a mainframe product to convert the spooled report to a PDF, and sending
> it to the SIEM, which dutifully archived it. Made the auditors happy: mission
> accomplished. On the other hand, believe me, there were customers doing truly
> amazing "production" and ad hoc analyses both of security and performance
> data, using Splunk and other tools. (Recall I have no financial or similar
> interest in BMC, Splunk, or anything similar.) Splunk is not my favorite
> product -- the company was extremely difficult to deal with and the product
> is expensive to license, but it is an AMAZING product and many customers and
> customer people absolutely LOVE it. (That of course is why they are able to
> charge what they charge.)
>
> I was personally on a Zoom call with a very major financial institution that
> you would recognize in a heartbeat, doing a product new-feature demo, when we
> caught an intruder in the mainframe, real time. It was a contractor who was
> authorized to be on the mainframe but who had managed to improperly elevate
> his privileges to SPECIAL. It was an amazing moment, going from routine
> vendor product demo to "what the heck is HE doing -- hey, we gotta go."
>
> I was not aware of all of the exact details but our processing in conjunction
> with a SIEM was instrumental in uncovering a money-laundering scheme at a
> large bank in Mexico.
>
> My main interest was the security stuff, but yes, customers are doing very
> effective analysis of RMF and similar data. You are making a mistake if you
> discount the effectiveness of industry-standard tools in analyzing mainframe
> data.
>
> Charles
>
> On Wed, 6 Mar 2024 15:26:47 +0000, kekronbekron kekronbek...@protonmail.com
> wrote:
>
> > Exactly. I have my reservations on whether we as mainframe folks are
> > choosing this (log analytics products) or are defaulting to it because no
> > one is challenging for appropriate options from the mainframe technical
> > side.
> > For an org, there is of course the valid point of correlation that Charles
> > mentions, however, if you objectively work out costs and that, I don't
> > think it works out as cost-effective.
> >
> > We may see kubernetes platforms sending auth logs, syslog, and whatever
> > else to log analytics, but they don't send system metrics.
> > Time-series data is a different beast altogether. However much
> > elastic/splunk/whoever else says they also do metrics, they're only
> > secondary features at best.
> > There's a reason time-series databases exist, and are necessary.
> >
> > On Wednesday, March 6th, 2024 at 20:48, Dave Beagle
> > 00000525eaef6620-dmarc-requ...@listserv.ua.edu wrote:
> >
> > > We used Splunk at a former employer. Well, not really used it. An auditor
> > > “suggested” we implement it to “improve” our mainframe security. The
> > > auditor knew nothing about mainframe security. Likely read about Splunk
> > > somewhere or saw a session on it at a conference. And of course the topic
> > > of “security” is at the top of the heap among executives who wouldn’t
> > > know Top Secret from ACF2 from RACF. Especially when they hear that other
> > > companies are being hacked or blackmailed in the media nearly every day.
> > >
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN