FIM+ Complements SMF/SIEM Tools

The Bottom Line

RACF, TSS, ACF/2, SMF, SIEMs and other mainframe security tools are excellent, but they leave gaps that are problematic. By contrast, FIM+ determines whether components and whole applications are in their trusted state. FIM+ provides intrusion detection, rapid incident response and recovery, and compliance capabilities that are simply not available from existing z/OS products. FIM+ does not replace SMF recording or SIEMs. FIM+ interoperates with these tools to provide cohesive security defenses against malicious attacks and internal mistakes. In so doing it eliminates false positives while saving time, effort and cost. For specific advantages see the table below.

| Only FIM+ can | FIM+ Monitoring | Other tools | Which means… |
|---|---|---|---|
| Detect gaps other tools miss | Yes | No | SMF, the primary activity logging tool on z/OS, fails to record many actions that hackers can exploit. If an action is not in SMF, the information is never passed on to other monitoring tools. For instance, SMF may be bypassed by an authorized program (USS being a major concern); it will not know the interval of the attack since it does not know when things were last correct; it cannot tell you the scope of the attack (all components affected); and it results in many false positives in times of high change. This is why NIST, PCI, SOX and Cyber Resiliency require integrity monitoring, such as FIM+, on every platform. |
| Verify components in use match desired state | Verified correct | No | FIM+ provides absolute clarity that executables, config members, log files, JCL and tables are correct. It conclusively answers the question “Are we compromised?”, raises an alert and invokes failure analysis if there is a mismatch, and determines the attack interval using FIM+ records so the entire scope of the attack is known immediately. No comparable solution exists on z/OS systems. |
| Prevent false positives | Multi-version support | No | As a learning system FIM+ knows the make-up of every system version. Integrated with deployment processes, FIM+ knows which version should be active. This means there should be zero false positives even after major changes or backouts. Other layers of validation, such as querying ServiceNOW, Remedy or other control tools to see whether the change was authorized, remove false positives raised by activity monitors. FIM+ integration with Changeman, ISPW and Endevor is also available. Activity monitors using SMF data detect suspicious actions; many of them are false. |
| Early warning: ransomware, malicious attacks | Backup verify | Some | Ransomware attacks on mainframes are one of the easiest acts to perpetrate. To be successful they must compromise the target’s restore capability (backups, image copies). FIM+ implements hashing (checksums) for high-speed verification of backups. FIM+ and other tools have other early warning features. |
| Reduce security admin effort | Discover sensitive components | No | Continuously discovers all APF authorized libraries, all subsystem (JES, CICS, DB2 …) and application datasets. The FIM+ GUI allows even staff with limited mainframe knowledge to make the right decisions quickly. Produces results in the first hour and eliminates admin work. |
| Slash compliance costs | Automate compliance | No | FIM+ detects every changed component. FIM+ identifies all unauthorized changes through integration using the real-time ServiceNOW or BMC Helix gateway. With this and other automation FIM+ can deliver immense savings in SOX, PCI, HIPAA and other compliance reporting each change can be |
| Compliance: PCI DSS v3.2.1 & v4 | Yes | No | Simply put, z/OS sites are not compliant with PCI DSS section 11.5 unless file integrity monitoring is run on all platforms that process credit or debit card information. No compensating controls, no excuses. The PCI urgent bulletin of Oct 7 further underscores the need for FIM now. FIM+ success records provide evidentiary compliance. |
| Compliance: NIST framework v2.1, bank resiliency, GDPR | Yes | No | FISMA, HIPAA and NIST 800-53 recommend baselining and whitelisting. The only practical way to do this on z/OS is with FIM+. Whitelisting and checksums are required for bank resilience tests and GDPR standards. No other z/OS product fits these requirements. GDPR has heavy fines if best practices are not followed. |
| Augment immutable backups | Early warning, build JCL, guide recovery | No | Having an immutable backup that was compromised before creation is of little value. Too much time spent selecting the right snapset can make it faster to recover from yesterday’s backup. FIM+ deals with both problems, providing early warning of impending attacks and selecting the optimum snapset. The right recovery steps can then be generated to guide you through a point-in-time recovery. Finally, FIM+ can validate that the restore is 100% complete and correct. |
| Enable whitelisting | Yes | No | FIM+ discovers sensitive system, subsystem (JES, CICS, DB2, IMS …) and application datasets to create a NIST compliant whitelist, stored with hash keys in an encrypted vault. This baseline provides certainty that the programs in use are the correct and unaltered versions. |
| Verify suspicious findings of other tools | Eliminate more false positives | Raise false positives | Most tools report suspicious findings. FIM+ provides clarity on real problems. By using the FIM+ ServiceNOW or BMC real-time gateway you know whether changes were approved, eliminating false positives at source. FIM+ makes SMF-based monitoring more reliable, lower cost and lower effort. |
| Suspend / quarantine malicious actions | Yes | No | When an unauthorized change is detected, FIM+ can automatically quarantine the file. This is very important in ransomware situations. It can also request suspension of the responsible userid. |
| Missing events and changes | All expected changes verified | Can’t detect missed change | FIM+ determines whether there is an exact match to prescribed levels. Missed changes from incomplete deployment or backout are detected. EMs report only changes, not things missed. If access rules are wrong or incomplete, or a high level qualifier is changed, events can be missed. |
| Post-deploy audit | Initiate FIM+ after deploy | No | Verify all components are correct after deployment. Works with your SCM and client deployment processes. There is no good way to do that with just an EM. |
| Detect internal attacks | Yes, detect correctness | Partial | FIM+ detects components that don’t match prescribed levels. Reveals malicious attacks from inside your network and approved changes made in error. EMs have difficulty with this, as attackers have legitimate credentials and knowledge of what and when to attack. |
| Forensics browser, incident response | GUI driven: faster response, less skill | Search multiple silos, vast amounts | Suspicious actions that plague other tools are hard to differentiate from legitimate updates. FIM+ provides the attack interval and scope of attack to focus response and eliminates fruitless searching of millions of SMF actions. The FIM+ Forensics Browser presents all relevant data in one place, supporting a new generation of support staff. |
| Integration with other tools | Yes | Partial | FIM+ interoperates with ServiceNow and Remedy to access change info and open alerts. FIM+ updates SIEM tools such as QRadar and Splunk. Extracts up-to-the-second, relevant SMF data. FIM+ works with mainframe SCM tools and with Open Systems / Cloud DevOps tools. |
| Reduce audit costs | Assure correctness & evidence storage | No | FIM+ proves all components and whole applications are correct, with clarity and central evidence storage. Audits are conclusive, shorter and less expensive, with full separation of responsibilities. Staff can get back to work faster and save external and internal audit costs. |
| FIM+ for z/OS, Windows, Linux, Unix, Cloud | Windows, Linux, Unix agents planned | No z/OS FIM | Future enhancements could provide agents for Windows, Linux, Unix and Cloud files. |
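The following Python sketch is an added illustration of the multi-version comparison described in the "Prevent false positives" and "Missing events and changes" rows; it is not FIM+ code and assumes nothing about the product's internal formats. Trusted hashes are kept per release level, the deployment process is assumed to say which level should be active, and a hash that matches a known level other than the active one is reported as a missed change rather than as tampering. Dataset names and content are constructed.

```python
import hashlib

def sha256(data: bytes) -> str:
    """Hash key for a component's content (the checksum a FIM baseline stores)."""
    return hashlib.sha256(data).hexdigest()

# Constructed baseline: trusted hash of each component at each release level.
# Which level should be active is assumed to come from the deployment process.
BASELINE = {
    "PAYROLL.LOAD(PAY001)":    {"v1": sha256(b"pay001-v1"), "v2": sha256(b"pay001-v2")},
    "PAYROLL.LOAD(PAY002)":    {"v1": sha256(b"pay002-v1"), "v2": sha256(b"pay002-v2")},
    "PAYROLL.PARMLIB(PAYCFG)": {"v1": sha256(b"cfg-v1"),    "v2": sha256(b"cfg-v1")},  # unchanged in v2
}

# Constructed current state: v2 was deployed, but PAY002 was never replaced and
# PAYCFG was modified outside any approved change.
CURRENT_AFTER_V2_DEPLOY = {
    "PAYROLL.LOAD(PAY001)": b"pay001-v2",
    "PAYROLL.LOAD(PAY002)": b"pay002-v1",
    "PAYROLL.PARMLIB(PAYCFG)": b"cfg-v1\nPROGRAM=UNEXPECTED",
}

def verify(active_version, current, baseline=BASELINE):
    """Classify each baselined component against the level that should be active:
    OK (matches active level), MISSED_CHANGE (matches another trusted level, i.e.
    incomplete deploy or backout), UNAUTHORIZED_CHANGE (matches no trusted level),
    MISSING (not present at all)."""
    report = {}
    for name, levels in baseline.items():
        if name not in current:
            report[name] = "MISSING"
            continue
        actual = sha256(current[name])
        if actual == levels[active_version]:
            report[name] = "OK"
        elif actual in levels.values():
            # A known good version at the wrong level is a deployment problem,
            # not an intrusion, so it is not raised as a tampering alert.
            report[name] = "MISSED_CHANGE"
        else:
            report[name] = "UNAUTHORIZED_CHANGE"
    return report

def attack_scope(report):
    """Components needing incident response: the 'scope of attack' from the table."""
    return sorted(n for n, s in report.items() if s == "UNAUTHORIZED_CHANGE")
```

Running verify("v2", CURRENT_AFTER_V2_DEPLOY) reports PAY001 as OK, PAY002 as MISSED_CHANGE and PAYCFG as UNAUTHORIZED_CHANGE; verifying a full backout to v1 against active level v1 reports everything OK, which is the zero-false-positive behaviour the table claims.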