FIM+ Complements SMF/SIEM Tools
The Bottom Line
RACF, TSS, ACF/2, SMF, SIEMs and other mainframe security tools are excellent, but they leave gaps that are problematic. By contrast, FIM+ determines whether components and whole applications are in their trusted state. FIM+ provides intrusion detection, rapid incident response / recovery and compliance evidence that are simply not available from existing z/OS products. FIM+ does not replace SMF recording or SIEMs. It interoperates with these tools to provide cohesive security defenses against malicious attacks and internal mistakes, and in so doing eliminates false positives while saving time, effort and cost. For specific advantages see below.
| Only FIM+ can | FIM+ Monitoring | Other tools | Which means… |
|---|---|---|---|
| Detect gaps other tools miss | Yes | No | SMF, the primary activity logging tool on z/OS, fails to record many actions that attackers can exploit. If an action is not in SMF, it is never passed on to other monitoring tools. For instance, SMF may be bypassed by an authorized program (USS being a major concern); it does not know the interval of an attack, since it does not know when things were last correct; it cannot tell you the scope of an attack (all components affected); and it produces many false positives in times of high change. This is why NIST, PCI, SOX and cyber-resiliency requirements call for integrity monitoring, such as FIM+, on every platform. |
| Verify components in use match desired state | Verified correct | No | FIM+ provides absolute clarity that executables, config members, log files, JCL and tables are correct. Conclusively answer the question "Are we compromised?". Raise an alert and invoke failure analysis if there is a mismatch. Determine the attack interval from FIM+ records and immediately know the entire scope of the attack. No comparable solution exists on z/OS. |
| Prevent false positives | Multi-version support | No | As a learning system, FIM+ knows the make-up of every system version. Integrated with deployment processes, FIM+ knows which version should be active, so there should be zero false positives even after major changes or backouts. Further layers of validation, such as querying ServiceNow, Remedy or other control tools to see whether a change was authorized, remove the false positives raised by activity monitors. Integration with ChangeMan, ISPW and Endevor is also available. Activity monitors that use SMF data detect suspicious actions, many of which are false. |
| Early warning: ransomware, malicious attacks | Backup verify | Some | Ransomware attacks on mainframes are among the easiest to perpetrate. To succeed they must compromise the target's restore capability (backups, image copies). FIM+ uses hashing (checksums) for high-speed verification of backups. FIM+ and other tools have other early-warning features. |
| Reduce security admin effort | Discover sensitive components | No | Continuously discovers all APF-authorized libraries and all subsystem (JES, CICS, DB2 …) and application datasets. The FIM+ GUI allows even staff with limited mainframe knowledge to make the right decisions quickly. Produces results in the first hour and eliminates admin work. |
| Slash compliance costs | Automate compliance | No | FIM+ detects every changed component and identifies all unauthorized changes through integration with the real-time ServiceNow or BMC Helix gateway. With this and other automation FIM+ can deliver immense savings in SOX, PCI, HIPAA and other compliance reporting; each change can be |
| Compliance: PCI DSS v3.2.1 & v4 | Yes | No | Simply put, z/OS sites are not compliant with PCI DSS requirement 11.5 unless file integrity monitoring runs on all platforms that process credit or debit card information. No compensating controls, no excuses. The PCI urgent bulletin of Oct 7 further underscores the need for FIM now. FIM+ success records provide evidentiary compliance. |
| Compliance: NIST framework v2.1, bank resiliency, GDPR | Yes | No | FISMA, HIPAA and NIST SP 800-53 recommend baselining and whitelisting. The only practical way to do this on z/OS is with FIM+. Whitelisting and checksums are required for bank resilience tests and GDPR standards. No other z/OS product fits these requirements. GDPR carries heavy fines if best practices are not followed. |
| Augment immutable backups | Early warning; build JCL; guide recovery | No | An immutable backup that was compromised before it was created is of little value. Spending too much time selecting the right snapset can make it faster to recover from yesterday's backup. FIM+ addresses both problems by providing early warning of impending attacks and selecting the optimum snapset. The right recovery steps can then be generated to guide you through a point-in-time recovery. Finally, FIM+ can validate that the restore is 100% complete and correct. |
| Enable whitelisting | Yes | No | FIM+ discovers sensitive system, subsystem (JES, CICS, DB2, IMS …) and application datasets to create a NIST-compliant whitelist, stored with hashes in an encrypted vault. This baseline provides certainty that the programs in use are the correct, unaltered versions. |
| Verify suspicious findings of other tools | Eliminate more false positives | Raise false positives | Most tools report suspicious findings; FIM+ provides clarity on real problems. Using the FIM+ ServiceNow or BMC real-time gateway you know whether changes were approved, eliminating false positives at source. FIM+ makes SMF-based monitoring more reliable, at lower cost and effort. |
| Suspend / quarantine malicious actions | Yes | No | When an unauthorized change is detected, FIM+ can automatically quarantine the file. This is very important in ransomware situations. It can also request suspension of the responsible userid. |
| Detect missing events and changes | All expected changes verified | Cannot detect a missed change | FIM+ determines whether there is an exact match to the prescribed levels, so changes missed through incomplete deployment or backout are detected. EMs report only changes, not things missed. If access rules are wrong or incomplete, or a high-level qualifier is changed, events can be missed. |
| Post-deploy audit | Initiate FIM+ after deploy | No | Verify that all components are correct after deployment. Works with your SCM and client deployment processes. There is no good way to do this with EM alone. |
| Detect internal attacks | Yes: detect correctness | Partial | FIM+ detects components that do not match prescribed levels, revealing malicious attacks from inside your network as well as approved changes made in error. EMs have difficulty with this because insiders have legitimate credentials and know what and when to attack. |
| Forensics browser, incident response | GUI driven: faster response, less skill | Search multiple silos, vast amounts of data | The suspicious actions that plague other tools are hard to distinguish from legitimate updates. FIM+ provides the attack interval and scope to focus the response and eliminates fruitless searching through millions of SMF actions. The FIM+ Forensics Browser presents all relevant data in one place, supporting a new generation of support staff. |
| Integration with other tools | Yes | Partial | FIM+ interoperates with ServiceNow and Remedy to access change information and open alerts. FIM+ updates SIEM tools such as QRadar and Splunk and extracts up-to-the-second, relevant SMF data. FIM+ works with mainframe SCM tools and with open-systems / cloud DevOps tools. |
| Reduce audit costs | Assure correctness & evidence storage | No | FIM+ proves that all components and whole applications are correct, with clarity and central evidence storage. Audits are conclusive, shorter and less expensive, with full separation of responsibilities. Staff can get back to work faster, saving external and internal audit costs. |
| FIM+ for z/OS, Windows, Linux, Unix, Cloud | Windows, Linux, Unix agents planned | No z/OS FIM | Future enhancements could provide agents for Windows, Linux, Unix and cloud files. |
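The mechanics the table keeps returning to (a hashed baseline per release, a check that reports scope and interval rather than raw events, and a multi-version baseline so a backout or half-finished deployment is not raised as an alert) can be shown in a few dozen lines. The following is an added example written for this page; it is not FIM+ code and does not describe how FIM+ is implemented. The dataset and member names under the temporary directory are constructed for the demonstration, and the release numbers and timestamps are assumptions.

```python
"""Baseline-and-verify file integrity check with a multi-version baseline.
Added example, not FIM+ code. Paths, release numbers and times are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream-hash one file so a large load library need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def verify(baselines, expected_version, observed, last_good, now):
    """Compare a live tree against {version: {path: sha256}} baselines.

    expected_version is what the deployment system says should be live;
    last_good is when the tree last verified clean; now is this check's time.
    """
    expected = baselines[expected_version]
    others = {v: m for v, m in baselines.items() if v != expected_version}

    def known_elsewhere(path, digest):
        # Content (or absence: None == None) that matches some *other* release is
        # a backout or partial deployment, not tampering: stale, never an alert.
        return sorted(v for v, m in others.items() if m.get(path) == digest)

    report = {"correct": [], "modified": [], "missing": [], "added": [], "stale": {}}
    for path, want in expected.items():
        have = observed.get(path)
        if have == want:
            report["correct"].append(path)
        elif (releases := known_elsewhere(path, have)):
            report["stale"][path] = releases
        elif have is None:
            report["missing"].append(path)      # gone from every known release
        else:
            report["modified"].append(path)     # content no release ever shipped
    for path, have in observed.items():
        if path not in expected:
            if (releases := known_elsewhere(path, have)):
                report["stale"][path] = releases
            else:
                report["added"].append(path)    # nobody deployed this member
    for key in ("correct", "modified", "missing", "added"):
        report[key].sort()

    report["compromised"] = bool(report["modified"] or report["missing"] or report["added"])
    # Scope is every path in modified/missing/added; the interval is bounded by the
    # last clean verification and this check. Neither needs a search of activity logs.
    report["attack_interval"] = (last_good, now) if report["compromised"] else None
    return report


def demo():
    """Constructed scenario: learn two releases, then check a live tree that mixes a
    backout, an undeployed member, a deleted log, a replaced module and a dropped-in member."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        baselines = {}
        write("SYS1.LINKLIB/IEFBR14", b"program v1")
        write("PROD.LOADLIB/PAYROLL", b"payroll v1")
        write("PROD.JCL/PAYRUN", b"//PAYRUN JOB v1")
        write("PROD.LOG/AUDIT", b"audit trail")
        baselines["1.0"] = hash_tree(root)                      # release 1.0 learned
        write("PROD.LOADLIB/PAYROLL", b"payroll v1.1")
        write("PROD.JCL/PAYRUN", b"//PAYRUN JOB v1.1")
        write("PROD.LOADLIB/NEWPGM", b"new program")
        baselines["1.1"] = hash_tree(root)                      # release 1.1 learned
        last_good = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)   # assumed

        write("PROD.JCL/PAYRUN", b"//PAYRUN JOB v1")            # backed out: stale
        os.remove(os.path.join(root, "PROD.LOADLIB/NEWPGM"))    # never deployed: stale
        os.remove(os.path.join(root, "PROD.LOG/AUDIT"))         # deleted: missing
        write("SYS1.LINKLIB/IEFBR14", b"not the IBM module")    # replaced: modified
        write("SYS1.LINKLIB/BACKDOOR", b"unknown member")       # dropped in: added
        return verify(baselines, "1.1", hash_tree(root), last_good, last_good + timedelta(hours=6))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the classification of each member. The same `verify` call, pointed at a restored copy of the tree with the release that was live at backup time, is the "backup verify" check from the table: a restore is complete only when `compromised` is false and `stale` is empty. The `stale` bucket is what keeps a ChangeMan/Endevor backout or a half-finished deployment from raising an alert, and the `attack_interval` is only as tight as the verification cadence, so the check has to run on a schedule and after every deployment, not just when someone suspects a problem.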