CorreLog Integrates McAfee Security into Mainframes

CorreLog, a provider of IT security solutions, announced integration between its IBM z/OS mainframe agent and the McAfee ePolicy Orchestrator (ePO) platform. The integration helps financial services, retail/hospitality, health care, and government sectors that store massive quantities of credit card, HIPAA, or other compliance standards-related data (FISMA, NERC, Sarbanes-Oxley) in mainframe environments.

CorreLog is a certified McAfee ePO partner and has integrated its solution with the McAfee ePO security management platform using a software development kit (SDK), followed by testing by McAfee. This integration enables organizations of any size to proactively monitor and manage IT security and regulatory compliance from a single console.

The rise of heterogeneous systems in addition to mainframes makes a cross-platform solution essential, George Faucher, president and CEO of CorreLog, tells 5 Minute Briefing. “First, with more and more organizations deploying security information and event management systems, data for IT security is becoming more centralized. So the question isn’t so much 'should we focus on mainframe security less because it is more secure?' It's a matter of collecting all log data from all sources and centralizing it within the systems.”

IBM mainframe integration to ePO enables security professionals access to a wider swath of message log data, to manage cyber-threat and malware across their entire enterprises. A key component of the integration is the CorreLog z/OS Mainframe Agent which can convert critical SMF events (invalid logins and denied resource notifications) to Syslog in real time, straight into ePO. To minimize enterprise bandwidth, CorreLog correlates multiple mainframe events into a single event for passing over to ePO.

“You can now run that log data through a correlation engine that looks at log messages for patterns of user behavior that could indicate a threat,” Faucher says. “For instance, suppose user Jon Smith has an unsuccessful mainframe login, and then has a login from a Windows desktop at 2:00 a.m. that night to a web server he never hits. Then he enters the building at 8:00 pm the next day, three hours after he normally leaves, and accesses server files he’s never hit before. If you don’t have a [security information and event management system] and you are only monitoring the mainframe logs, you might think the login is nothing more than keystroke error. But including the bad mainframe login with the other user behavior outside the mainframe – correlating the log data – poses a different picture that is more indicative of threat. For better visibility to anomalous user behavior, you need a centralized system and you need to compile and correlate data from all systems to unveil the potential malicious behavior. You can no longer think about security by system, you need to address the aggregate enterprise.”

The CorreLog agent for IBM z/OS mainframe assures mainframe compliance with FISMA, PCI DSS, HIPAA, NERC, and Sarbanes-Oxley. It forwards security, RACF, ACF2, DB2, TCP/IP, job and database events to the ePO console and is compatible with all current releases of z/OS. The agent installs in just a few hours and uses just a few seconds of CPU time per day, the vendor says.

The ePO agent also supports Linux partitions within the mainframe environment. “CorreLog has certified integration to ePO via McAfee SDK. Linux has its own Syslog agent and would link to ePO through CorreLog Server,” says Faucher. “CorreLog does capture z/OS UNIX System Services (USS) events. If CorreLog has access to the virtual store, it can monitor any virtual environment that produces a Syslog file or file that can be easily converted to Syslog.

For more information, visit the CorreLog site.