Accidental changes

Preventing mistakes from causing significant outages can be just as important as thwarting malicious attacks. Forgotten files, updates applied to the wrong LPAR, and wrong versions are often hard to detect, yet they can be just as disruptive to normal operation as a real break-in. In addition, since the individuals making the updates are typically authorized to update the files and are probably making an approved change, such mistakes are virtually impossible to track with event logging or signature matching. In the normal course of business, procedures, hardware and software change often. Most of the policies currently in place are designed to prevent mistakes from occurring, or at least minimize their impact on production. However, even with the best workflows and tools in place, mistakes still happen.

Active verification

MainTegrity creates a new standard for intrusion detection. Typically, since clear comparisons are hard to get, the audit team is forced to look at the processes involved, hope that people follow them rigorously, and trust that the end result is consistent. When this method is examined critically, it is often difficult to give a response based on evidence. Now, by running a MainTegrity scan on demand, management can provide immediate, conclusive evidence that production files match the control environment. Audit becomes a breeze - not only can you drive home the point that you have sufficient audit processes in place, you can irrefutably prove all systems are completely in sync. By using scheduled or random-interval scans, customers can detect all changes, authorized or otherwise, while creating an evidence base of compliance data for future reference.

Ultimately, MainTegrity looks for, and addresses the following issues:

  1. Incorrect versions of the application in use
  2. Mismatches resulting from an update to the wrong system (prod vs test)
  3. Incorrect deployments – detects incomplete or wrong components
  4. Additional components in controlled environments
  5. Components that should have been changed but were not
  6. Corrupted and unreadable files
  7. Incomplete back-outs
  8. Superseded versions
  9. Components no longer used that could create a back door

False positives

FIM processing identifies all changes, correct and otherwise. Unmanaged, this leads to “noise” in the system, which teaches staff to disregard alerts exactly when they matter most. MainTegrity implements FIM+, so an entire business application can be scanned as a group. At the end of the QA cycle MainTegrity creates TrustKeys for the whole application as well as for each component. This ensures that the proper components of prior, current and perhaps future releases are known in advance. Subsequently, if MainTegrity detects a modification it can determine whether the components are unknown or simply belong to a different version. By distinguishing between a malicious hack and an incomplete update, MainTegrity cuts down on false positives and provides valuable information to incident responders. Other benefits of this reduction include less stress on employees and better adherence to alert procedures.

Deployments gone wrong

The same logic that identifies wrong components above can be used proactively at the end of the deployment cycle to ensure all components contain exactly what they should and conform to the QA / trusted version. By automatically doing file-by-file checksum comparisons, you can be sure that all steps (copies, renames, transfers, parameter changes, etc.) were completed exactly as they should have been. Then, for the first time, you can say “this change is certified correct” and have the evidence to prove it.
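The following is an added illustration of the version-aware comparison described under "False positives" and of the end-of-deployment certification described just above; it is not MainTegrity's code, and the product's own TrustKey format is not described on this page. It assumes SHA-256 as the per-component key, a per-release manifest built at the end of QA, and an application-level key derived from the sorted component keys. The release contents, the production "scan" (a dictionary standing in for a dataset listing) and all member names are constructed for the example; a value of `None` stands for a member the scanner could not read.

```python
import hashlib
from typing import Dict, Optional

# Hypothetical TrustKey function for this example: SHA-256 of the member contents.
def trustkey(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifests(releases: Dict[str, Dict[str, bytes]]) -> Dict[str, Dict[str, str]]:
    """Per-release manifest (component name -> TrustKey), captured at the end of QA."""
    return {rel: {name: trustkey(data) for name, data in files.items()}
            for rel, files in releases.items()}

def application_key(manifest: Dict[str, str]) -> str:
    """One key for the whole application: hash over the sorted component keys."""
    h = hashlib.sha256()
    for name in sorted(manifest):
        h.update(f"{name}={manifest[name]}\n".encode())
    return h.hexdigest()

def classify(name: str, data: Optional[bytes],
             manifests: Dict[str, Dict[str, str]], expected: str) -> str:
    """Decide what a production component is, relative to all known releases."""
    if data is None:
        return "unreadable"                       # corrupted / unreadable member
    key = trustkey(data)
    exp = manifests[expected]
    if exp.get(name) == key:
        return "ok"
    # Does the content match the same component in some *other* known release?
    matches = sorted(rel for rel, m in manifests.items()
                     if rel != expected and m.get(name) == key)
    if name in exp:
        # Expected component, wrong content: either a known older/newer build
        # (incomplete update or back-out) or content no release ever produced.
        return f"wrong-version:{','.join(matches)}" if matches else "unknown-content"
    if matches:
        return f"superseded:{','.join(matches)}"  # leftover from another release
    if any(name in m for m in manifests.values()):
        return "unknown-content"
    return "extra"                                # component no release knows about

def verify(production: Dict[str, Optional[bytes]],
           manifests: Dict[str, Dict[str, str]], expected: str) -> Dict[str, str]:
    """Compare a production scan with the trusted manifest for `expected`."""
    # Fast path: if the whole-application keys agree, every component matches.
    if all(d is not None for d in production.values()):
        scanned = {n: trustkey(d) for n, d in production.items()}
        if application_key(scanned) == application_key(manifests[expected]):
            return {n: "ok" for n in production}
    findings = {n: classify(n, d, manifests, expected) for n, d in production.items()}
    for name in manifests[expected]:
        if name not in production:
            findings[name] = "missing"            # deployment step never happened
    return findings

def certified(findings: Dict[str, str]) -> bool:
    """True only when every component is exactly the trusted version."""
    return all(v == "ok" for v in findings.values())

# Constructed sample releases and a constructed production scan (not real data).
RELEASES = {
    "v1": {"PAYROLL.LOAD": b"payroll v1", "PAYROLL.PARM": b"rate=1",
           "PAYROLL.PROC": b"proc v1", "PAYROLL.OLDMOD": b"old v1"},
    "v2": {"PAYROLL.LOAD": b"payroll v2", "PAYROLL.PARM": b"rate=2",
           "PAYROLL.PROC": b"proc v2", "PAYROLL.NEWMOD": b"new v2"},
}
PRODUCTION = {
    "PAYROLL.LOAD": b"payroll v2",        # correct v2 build
    "PAYROLL.PARM": b"rate=1",            # v1 parameters left behind: incomplete update
    "PAYROLL.PROC": b"proc v2 edited",    # content no release produced
    "PAYROLL.OLDMOD": b"old v1",          # dropped in v2 but still present
    "PAYROLL.BACKDOOR": b"???",           # unknown to every release
    "PAYROLL.EXIT": None,                 # scanner could not read the member
    # PAYROLL.NEWMOD is absent: a deployment step was skipped
}

if __name__ == "__main__":
    report = verify(PRODUCTION, build_manifests(RELEASES), "v2")
    for name, status in sorted(report.items()):
        print(f"{name:20} {status}")
    print("certified correct:", certified(report))
```

The distinction the "False positives" section draws is the `wrong-version` / `superseded` outcomes versus `unknown-content` and `extra`: the former are incomplete updates or back-outs and can be routed to change management, while only the latter need an incident responder's attention. A deployment is "certified correct" only when `certified()` returns true, which the whole-application key lets you establish with a single comparison.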

Saving time and errors with FIM+

Mainframes, specifically z/OS, represent a massive blind spot when it comes to FIM and conclusive change detection. Typical support staff lack the capabilities and the language to properly test the security of this critical corporate infrastructure. These systems sit largely untouched by IT security professionals until, that is, a breach occurs. Chances are they have never been adequately tested, and changes go in unverified because of a lack of easy-to-use tools. That has just changed! You can implement FIM+ or you can implement the next best thing, but regulatory standards and common sense suggest you had better implement something.