Detecting Data Exfiltration on IBM z/OS Before It Becomes a Breach

Mainframe environments have long treated trusted connections as inherently safe. Batch jobs, file transfers, partner integrations, and user sessions move data every day, and in most cases they do so through approved tools, valid credentials, and expected network paths. That is exactly what makes data exfiltration difficult to detect.

A compromised partner system, a misconfigured endpoint, or a valid user ID with the wrong intent can request more data than expected, send it to a secondary destination, or alter the pattern of a transfer without appearing obviously malicious. From the system’s perspective, the activity can still look routine. By the time anyone recognizes that something is wrong, the data may already be gone.

NetWatch addresses this gap by providing continuous visibility into how data moves through your z/OS environment. Rather than depending on logs or after-the-fact analysis, it monitors live network activity and establishes a baseline of normal transfer behavior for each endpoint, job, and workload. When that behavior deviates from the baseline, whether through increased volume, a new destination, or an unexpected secondary connection, NetWatch flags it at the point where the transfer is happening.

Because monitoring runs directly on z/OS, NetWatch provides visibility into both internal systems and external nodes you do not control, without requiring agents on partner infrastructure or additional software outside the mainframe. It observes activity where data is actually being accessed and moved, which makes it possible to detect the kinds of transfers that would otherwise blend into normal operations.

That matters because most data theft does not announce itself as an attack. A transfer job that suddenly requests gigabytes instead of kilobytes, a secondary TSO session opened to copy data elsewhere, or an endpoint allowing unencrypted transfers can each appear unremarkable on their own. Taken together, they show how a breach can develop through activity that still looks legitimate on the surface.
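The baseline-and-deviation idea sketched in the two paragraphs above, as an added example that is not NetWatch's or CSF's code: it learns per-job norms from a history of transfer records (typical size, known destinations, session types used) and then scores live transfers for the three patterns the article names plus an unencrypted transfer. The record layout, the job, user and destination values, and the spike thresholds are all constructed assumptions.

```python
"""Baseline-and-deviation checks for mainframe data transfers.

Constructed illustration of the approach described in the article: learn
what a normal transfer looks like for each job, then flag volume spikes,
new destinations, unexpected session types and unencrypted transfers.
Example code, not NetWatch's implementation; the record layout and the
thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    job: str           # batch job or task that moved the data
    user: str          # user ID that initiated it
    dest: str          # remote endpoint (constructed IPs below)
    bytes_sent: int
    session: str       # e.g. "BATCH", "TSO", "FTP"
    encrypted: bool


@dataclass(frozen=True)
class Baseline:
    mean_bytes: float
    stdev_bytes: float
    destinations: frozenset
    sessions: frozenset


def build_baseline(history):
    """Summarise historical transfers per job (the learning phase)."""
    by_job = defaultdict(list)
    for t in history:
        by_job[t.job].append(t)
    baselines = {}
    for job, recs in by_job.items():
        sizes = [r.bytes_sent for r in recs]
        baselines[job] = Baseline(
            mean_bytes=mean(sizes),
            stdev_bytes=pstdev(sizes),
            destinations=frozenset(r.dest for r in recs),
            sessions=frozenset(r.session for r in recs),
        )
    return baselines


def evaluate(transfer, baselines, z_threshold=3.0, min_ratio=10.0):
    """Return a list of (finding, detail) tuples for one live transfer."""
    base = baselines.get(transfer.job)
    if base is None:
        return [("UNKNOWN_JOB", f"no baseline for {transfer.job}")]
    findings = []
    # Volume spike: the size must be both statistically unusual (z-score)
    # and materially larger than normal (ratio). The ratio guard stops a
    # job with near-constant history from alerting on tiny variations.
    if base.stdev_bytes > 0:
        z = (transfer.bytes_sent - base.mean_bytes) / base.stdev_bytes
    else:
        z = float("inf") if transfer.bytes_sent != base.mean_bytes else 0.0
    ratio = transfer.bytes_sent / base.mean_bytes if base.mean_bytes else float("inf")
    if z > z_threshold and ratio >= min_ratio:
        findings.append(("VOLUME_SPIKE",
                         f"{transfer.bytes_sent} bytes vs mean {base.mean_bytes:.0f}"))
    if transfer.dest not in base.destinations:
        findings.append(("NEW_DESTINATION", transfer.dest))
    if transfer.session not in base.sessions:
        findings.append(("UNEXPECTED_SESSION", transfer.session))
    if not transfer.encrypted:
        findings.append(("UNENCRYPTED", transfer.dest))
    return findings


# Constructed history: a payroll extract job that sends ~50 KB nightly
# to one partner host over an encrypted batch connection.
SAMPLE_HISTORY = [
    Transfer("PAYXFER", "BATCH01", "10.1.2.3", size, "BATCH", True)
    for size in (50_000, 52_000, 48_000, 51_000, 49_000)
]

# Constructed live traffic: one normal run, one size spike, one copy to a
# new host from an interactive TSO session in the clear, one unknown job.
SAMPLE_LIVE = [
    Transfer("PAYXFER", "BATCH01", "10.1.2.3", 51_500, "BATCH", True),
    Transfer("PAYXFER", "BATCH01", "10.1.2.3", 4_000_000_000, "BATCH", True),
    Transfer("PAYXFER", "USER42", "203.0.113.9", 50_000, "TSO", False),
    Transfer("ADHOC01", "USER42", "203.0.113.9", 50_000, "TSO", True),
]


def run_demo():
    """Build the baseline from SAMPLE_HISTORY and score SAMPLE_LIVE."""
    baselines = build_baseline(SAMPLE_HISTORY)
    return [evaluate(t, baselines) for t in SAMPLE_LIVE]


if __name__ == "__main__":
    for t, findings in zip(SAMPLE_LIVE, run_demo()):
        print(t.job, t.user, t.dest, findings or "ok")
```

The point of the two-part spike test is worth noting: a pure z-score alerts on any job whose history happens to be very uniform, while a pure ratio misses a gradual ramp; requiring both keeps the alert tied to a change that is large in absolute terms and unusual for that job. Findings carry enough context (job, user, destination, size) to answer the "who, where, how much" questions the article raises before any response step is taken.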

NetWatch makes those patterns visible and provides the context needed to understand what is happening, including who initiated the transfer, where the data is going, how much is being moved, and when the activity began. From there, the broader CSF platform can take action with precision, whether that means suspending a transfer, revoking access, or initiating response and recovery workflows.

The result is a capability z/OS environments have traditionally lacked: the ability to distinguish expected data movement from behavior that signals the beginning of a breach, before the data leaves your control.

Learn how NetWatch helps identify abnormal data movement before it becomes a breach.