IT Security News

IT Security and Compliance. We take it to the max.

08/2018 – SF-SafeDump supports the integration of external confidential data scanners (CDS) and data leakage prevention (DLP) solutions

Companies that handle extremely sensitive data often use confidential data scanner (CDS) or data leakage prevention (DLP) applications to scan all documents before they may leave the house. It is important to emphasize that such CDS and DLP solutions do not perform anonymization; they scan documents (files) for possibly sensitive content and produce a corresponding report. With SF-SafeDump’s new PTF level 017 it is easy to make use of any CDS or DLP, namely to double-check anonymized dumps and log files for possible “leftovers.” We do not want to give the wrong impression, though: the principal quality check, which is highly comprehensive and sufficient on its own, still happens within SF-SafeDump, so you are covered without a CDS or DLP. Be aware as well that SF-SafeDump covers many more categories of sensitive information than a CDS or DLP solution does.

Overall, integrating a given CDS or DLP solution into SF-SafeDump is entirely optional. It is nevertheless a useful feature, since a CDS/DLP scan can raise a company’s internal level of compliance and apply the “golden rule” of mandatory document scanning to every document, including dump and log files originating from the mainframe. We support any such scenario and do not take it “personally” if users extend the quality assurance already provided by SF-SafeDump with additional review capabilities; SF-SafeDump even learns from the results of the CDS or DLP. To be clear: it remains the goal and duty of SF-SafeDump to leave every CDS or DLP report empty.

PTF level 017 provides everything needed for such an integration of a CDS or DLP application, including full automation of the related procedures; the tools provided also address the best-practice questions that arise in such an integration. The new PTF level 017 is now released and ready for download.


07/2018 – SF-Sherlock’s new PTF level provides performance improvements for environments with massive amounts of event data (SIEM, Splunk, etc.)

SF-Sherlock, and thus also SF-NoEvasion, has passed further intensive performance reviews, driven by z/OS installations that process huge amounts of event data in their z/OS SIEM, log archive, or Splunk integration. Large amounts of event data easily result from monitoring DB2, CICS, MQ, WebSphere and other subsystems.

We achieved these results by using the latest machine instructions supported by IBM Z machines and by further improving SF-Sherlock’s “event consolidation” feature in the real-time sniffer. If your SIEM, log archive, or operational intelligence solution is licensed by the data volume it receives, event consolidation is of particular benefit: it reduces costs by not spending your licensed data volume on redundant event data.
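To illustrate what event consolidation means for the licensed data volume, here is an added example for this page, not SF-Sherlock code: bursts of events that agree in source, type, user and resource are collapsed into one record carrying a repeat count and the time span, so the SIEM receives one record instead of hundreds. The event layout, the key fields, the 60-second window and the sample burst are all constructed for the illustration.

```python
"""Event consolidation ahead of a SIEM: collapse bursts of identical events.

Added example for this page, not SF-Sherlock code. The event layout (a dict
with ts, source, type, user, resource), the key fields and the sample burst
are constructed for the illustration.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Two events are "the same" for consolidation if these fields agree.
KEY_FIELDS = ("source", "type", "user", "resource")


@dataclass
class Group:
    event: dict          # copy of the first event in the group
    first_ts: float
    last_ts: float
    count: int = 1

    def to_siem(self) -> dict:
        """One record for the SIEM, carrying the repeat count and time span."""
        out = dict(self.event)
        out.update(count=self.count, first_ts=self.first_ts, last_ts=self.last_ts)
        return out


class Consolidator:
    """Collapse identical events arriving within `window` seconds of the
    first one. Events are assumed to arrive in timestamp order, as from a
    real-time sniffer; a group is emitted once its window has elapsed or
    when flush() is called at shutdown."""

    def __init__(self, window: float = 60.0):
        self.window = window
        self.open: Dict[Tuple, Group] = OrderedDict()

    @staticmethod
    def _key(ev: dict) -> Tuple:
        return tuple(ev.get(f) for f in KEY_FIELDS)

    def push(self, ev: dict) -> List[dict]:
        """Feed one event; return the consolidated records that became final."""
        now = ev["ts"]
        done = []
        # Close every group whose window has elapsed, in arrival order.
        for k in list(self.open):
            if now - self.open[k].first_ts > self.window:
                done.append(self.open.pop(k).to_siem())
        k = self._key(ev)
        if k in self.open:
            g = self.open[k]
            g.count += 1
            g.last_ts = now
        else:
            self.open[k] = Group(event=dict(ev), first_ts=now, last_ts=now)
        return done

    def flush(self) -> List[dict]:
        done = [g.to_siem() for g in self.open.values()]
        self.open.clear()
        return done


def consolidate(events: Iterable[dict], window: float = 60.0) -> List[dict]:
    c = Consolidator(window)
    out: List[dict] = []
    for ev in events:
        out.extend(c.push(ev))
    out.extend(c.flush())
    return out


def sample_burst() -> List[dict]:
    """Constructed input: 200 failed TSO logons for one user within 20 s,
    one unrelated DB2 event, and one more failed logon three minutes later."""
    evs = [{"ts": 1000.0 + i * 0.1, "source": "RACF", "type": "LOGON_FAIL",
            "user": "JSMITH", "resource": "TSO"} for i in range(200)]
    evs.append({"ts": 1020.0, "source": "DB2", "type": "TABLE_READ",
                "user": "APP01", "resource": "PROD.CUSTOMERS"})
    evs.append({"ts": 1200.0, "source": "RACF", "type": "LOGON_FAIL",
                "user": "JSMITH", "resource": "TSO"})
    return evs


if __name__ == "__main__":
    for rec in consolidate(sample_burst()):
        print(rec)
```

The 202 constructed events become three SIEM records; the 200-event burst is one record with `count: 200`, so a detection rule can still fire on the count while the licensed volume is spent once. The trade-off is latency: a group is only final after its window elapses, so the window should be shorter than the alerting deadline for the event types concerned.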

The new PTF level 080 is now released and ready for download.

01/2018 – Are you aware of the important date for your data center of May 25th 2018?

In only five months, the new General Data Protection Regulation, GDPR for short (in German: EU-Datenschutz-Grundverordnung), comes into effect. It will have a deep impact on the most technical and least transparent processes of daily operations in your data center.

Concretely, the matter at hand is the transfer of system dumps and logs by your data center’s operations teams to software vendors for necessary error analysis, and the new, costly risk that from May 25 onwards simply continuing this long-standing practice will violate the GDPR.

We allow ourselves to point to SF-SafeDump, our top-performing, patented and fully automatic system dump and log anonymization solution, as a sustainable way to solve this problem. The proven current Version 5.1 contains everything needed for secure anonymization of all diagnostic files and works extremely cost-effectively: on the z/OS mainframe, 95% and more of the CPU time is offloaded to zIIP specialty engines, so that practically no general-purpose CPU costs remain.
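Both the “leftover” double-check described in the 08/2018 entry above and the anonymization of dump and log files mentioned here come down to two steps: replace identifiers consistently, then scan the output with an independent pattern set. The following is an added example for this page, not SF-SafeDump’s patented method; keyed pseudonymization is the technique chosen here for illustration, and the user-ID inventory, the key and the log lines are constructed.

```python
"""Pseudonymize identifiers in diagnostic log lines, then scan the result
for leftovers the way an external CDS/DLP double-check would.

Added example for this page, not SF-SafeDump's (patented) method. The
identifier inventory, the key and the sample log lines are constructed.
"""
import hashlib
import hmac
import re
from typing import List, Tuple

# Constructed inventory of user IDs that must not leave the house.
USER_IDS = {"JSMITH", "AMUELLER"}
# Assumption: a fresh random key per dump that is never shipped with it.
KEY = b"per-dump-secret-key"

USER_RE = re.compile(r"\b(" + "|".join(sorted(USER_IDS, key=len, reverse=True)) + r")\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The anonymizer below was not given this pattern; the leftover scan has it.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def pseudonym(value: str, kind: str, key: bytes = KEY) -> str:
    """Keyed, deterministic token: the same identifier maps to the same token
    throughout one dump (so errors can still be correlated), but the token
    cannot be reversed, and a different key per dump prevents linking dumps."""
    mac = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{kind}_{mac[:8]}"


def anonymize_line(line: str, key: bytes = KEY) -> str:
    line = USER_RE.sub(lambda m: pseudonym(m.group(1).upper(), "USER", key), line)
    line = IPV4_RE.sub(lambda m: pseudonym(m.group(0), "IP", key), line)
    return line


def leftover_scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """The CDS/DLP-style double-check: report (line number, kind, text) for
    every raw identifier that is still present after anonymization."""
    findings = []
    checks = (("USER", USER_RE), ("IP", IPV4_RE), ("EMAIL", EMAIL_RE))
    for n, line in enumerate(lines, 1):
        for kind, rx in checks:
            for m in rx.finditer(line):
                findings.append((n, kind, m.group(0)))
    return findings


# Constructed log excerpt, not a real dump.
SAMPLE_LOG = [
    "12:00:01 LOGON JSMITH FROM 10.1.2.3",
    "12:00:02 DB2 CONNECT BY jsmith FROM 10.1.2.3 TO DB2P",
    "12:00:03 ABEND S0C4 IN JOB OF AMUELLER CONTACT john.smith@example.com",
]


def run(lines: List[str] = SAMPLE_LOG, key: bytes = KEY):
    """Anonymize, then double-check; the e-mail address on line 3 is the
    kind of leftover a second, independent scan exists to catch."""
    out = [anonymize_line(l, key) for l in lines]
    return out, leftover_scan(out)


if __name__ == "__main__":
    out, findings = run()
    print("\n".join(out))
    print("leftovers:", findings)
```

Two points a practitioner would check: the user ID appears in both `JSMITH` and `jsmith` form and both map to the same token, so the vendor can still follow one session through the dump; and the independent scan flags the e-mail address that the anonymizer’s pattern set did not cover, which is exactly why a second scanner with its own patterns is worth running even when the primary check is thorough.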

11/2017 – Splunk is a leading platform when it comes to implementing a SOC.

Splunk is a leading platform when it comes to implementing a SOC. One reason is the Enterprise Security App, which is based on Splunk’s Common Information Model (CIM).

To simplify a harmonious, effective and efficient SOC integration of the mainframe, SF-Sherlock now also supports Splunk’s CIM. This lets you directly “feed” the corresponding SOC apps in Splunk with vulnerability, event monitoring and intrusion detection results from z/OS. Since false positives are far more challenging for your organization in a SOC context than in a classic, more isolated audit or IDS environment, it is all the more important that SF-Sherlock gives you full control over contributing the right “mainframe topics” to your SOC, step by step and in the right dose.
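Feeding Splunk’s CIM means translating a raw z/OS event into the field names the Enterprise Security data models expect, and deciding which events belong in which model at all. As an added example for this page, not SF-Sherlock’s CIM mapping, the following maps a failed RACF logon onto the fields of the CIM Authentication data model and leaves a data set access violation out of that feed. The two messages are constructed in the ICH408I layout, and the LPAR name “SYSA” is an assumption.

```python
"""Normalize a RACF ICH408I message to Splunk CIM Authentication fields.

Added example for this page, not SF-Sherlock's CIM mapping. The two sample
messages are constructed in the ICH408I layout; the LPAR name "SYSA" is an
assumption.
"""
import re
from typing import List, Optional

# ICH408I USER(userid  ) GROUP(group   ) NAME(name                ) followed by
# one or more detail lines describing the violation.
ICH408I_RE = re.compile(
    r"ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)"
    r"\s+NAME\((?P<name>[^)]*)\)\s*(?P<detail>.*)",
    re.S,
)
LOGON_RE = re.compile(r"LOGON/JOB INITIATION - (?P<reason>.+)")


def to_cim_authentication(message: str, dest_host: str) -> Optional[dict]:
    """Return a CIM Authentication record for a failed logon, or None when the
    ICH408I describes something else (e.g. a data set access violation),
    which belongs in a different data model."""
    m = ICH408I_RE.match(message.strip())
    if not m:
        return None
    detail = " ".join(m.group("detail").split())   # collapse continuation lines
    logon = LOGON_RE.match(detail)
    if not logon:
        return None
    return {
        "action": "failure",                  # CIM: success|failure|pending|error
        "app": "racf",
        "dest": dest_host,                    # system the logon was attempted on
        "user": m.group("user").strip(),      # account the logon was attempted for
        "reason": logon.group("reason").strip().lower(),
        "signature": "ICH408I logon/job initiation failure",
        "vendor_product": "IBM RACF",
        "tag": ["authentication"],
    }


def normalize_all(messages: List[str], dest_host: str) -> List[dict]:
    """Only events that fit the Authentication model are forwarded; the rest
    stay out of the SOC feed until a mapping for their topic is decided."""
    out = []
    for msg in messages:
        rec = to_cim_authentication(msg, dest_host)
        if rec is not None:
            out.append(rec)
    return out


# Constructed samples (not captured from a real system).
SAMPLE_LOGON_FAIL = (
    "ICH408I USER(JSMITH  ) GROUP(DEPT01  ) NAME(JOHN SMITH          )\n"
    "  LOGON/JOB INITIATION - INVALID PASSWORD"
)
SAMPLE_DATASET_VIOLATION = (
    "ICH408I USER(JSMITH  ) GROUP(DEPT01  ) NAME(JOHN SMITH          )\n"
    "  SYS1.PARMLIB CL(DATASET ) VOL(SYSRES)\n"
    "  INSUFFICIENT ACCESS AUTHORITY\n"
    "  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )"
)

if __name__ == "__main__":
    for rec in normalize_all([SAMPLE_LOGON_FAIL, SAMPLE_DATASET_VIOLATION], "SYSA"):
        print(rec)
```

The point of returning `None` for the data set violation is the “right dose” mentioned above: an event that is pushed into the wrong data model produces either nothing or a false positive in the Enterprise Security dashboards, so each z/OS event class is mapped deliberately rather than forwarded wholesale.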

This is great news for all companies implementing a SOC. Running a real cross-platform SOC that also includes the z/OS mainframe has never been easier.

08/2017 – SF-NoEvasion for DB2

Mainframe users currently (have to) focus on real-time security and compliance monitoring of DB2. Since we recognized a peak of interest in a solution focusing exclusively on DB2, we decided to offer such a mission-specialized package. With “SF-NoEvasion for DB2” we provide a powerful solution that lets you implement the required real-time security and compliance monitoring for DB2 in a cost-effective and efficient way. It is available from August 2017 onwards.

07/2017 – The implementation of a SOC

Implementing a SOC is the current trend, often combined with the goal of overarching synergies: the various auditing and monitoring goals, tasks and requirements are in future to be fulfilled by a single central division, which thanks to that synergy is optimal in terms of personnel and cost.

The topic of SOC is therefore of ever greater importance, and it comes with new requirements, such as, among other things, the

> Implementation of the SOC: deciding “internal or external?”, “Europe or even Bangalore?”,
> Operation of the SOC: a cost-optimal SOC team, without CSOs, CIOs and other leadership levels having to be woken at night to clarify irrelevancies or false alarms,
> Fulfillment of the content-related hopes and expectations placed on it, namely real effectiveness at the top level for the protection of the company, since in future your SOC will be the only one watching, as well as
> Fulfillment of all regulatory expectations.

Overall, building a SOC is no easy task if the result is not to be a “paper tiger”: professional attacks and offensives, policy violations, etc. must actually be recognized and alerted, and all regulators must be satisfied at their next on-site visit.

Where does this high responsibility come from? The merger of departments outlined above eliminates, at one and the same time, the redundancy that until now had led to a sufficient detection rate: had one division not noticed something, the other might have been in a position to do so. If there is only the one SOC, it becomes the Achilles’ heel of all company-wide security measures, and the company depends on its 200% effectiveness.

Openly stated, the SOC requirements are thus:

> You have to know what is important and even critical.
> You must have sustainably understood ALL of your platforms.
> You must be in a position to sustainably master the complexity of all important detailed topics so that the SOC team can work optimally and sensibly, in particular when it is located offshore.

Are you asking yourself which partner can ensure you master the z/OS-related SOC topics? We can. We know the mainframe inside out, we have developed unique, far-reaching monitoring solutions, we have coupled our solutions to all leading SIEM solutions, and we have fully mastered the “intellectual requirement” that the SOC context places on the mainframe.

Feel free to contact us when searching for an experienced partner to accompany your SOC implementation, if it also includes the mainframe.

06/2017 – Real-time DB2 auditing and event monitoring without SMF and cost burdens.

Industries “particularly plagued by regulations” currently face a challenging overall task in the area of DB2:
a) activation of the audit traces; for many this is even a “dreaded first activation after decades,”
b) monitoring access to selected critical tables by activating table auditing, although the number of accesses, and thus of SMF records, can be high and cannot be exactly foreseen in advance, and
c) real-time delivery of the corresponding events to the SIEM.

Large installations that fulfill their regulatory tasks efficiently with SF-Sherlock have influenced the current further development of SF-Sherlock in the context of these requirements. A clear goal was to do away with special DB2 add-ons in the form of additional products and thus further reduce the total cost of auditing and event monitoring.

The order is now fulfilled, and the result lies in SF-Sherlock’s functionally and sustainably expanded real-time sniffer: 1) selected SMF records can now be excluded from SMF archiving as desired; the event still reaches SF-Sherlock and thus the event monitoring or SIEM, but is no longer written to the SMF data set or the SMF log stream. 2) Within the DB2 SMF record types 100 to 102, high-volume events such as IFCID 143 (table-update audit) and IFCID 144 (table-read audit) can now be excluded from SMF archiving in the same way as entire record types, and “only” reach SF-Sherlock’s event monitoring. In total, all involved parties are satisfied: everything is audited, the SIEM is supplied with events, and the SMF archiving medium is no longer “bloated” any further.

This means that, thanks to SF-Sherlock, regulatory requirements in the area of DB2 can now be fulfilled cost-neutrally with “standard tools.”

05/2017 – Fully automatic SF SafeDump operation

In companies that act professionally and on a legally safe footing when it comes to system dumps and logs, SF SafeDump has become a firm component of daily mainframe IT operations. In most cases all processes even run fully automated in 24×7 operation. A completely autonomous dump and log anonymization operation required special operational features that are now available: a) zIIP-offload self-monitoring, b) support for MODIFY system commands, and c) the option to automatically avoid CPU peak-load periods through so-called “avoid-time intervals.”

Thanks to SF SafeDump, mainframe users can fulfill the strict regulatory data protection requirements relevant to system dumps and logs with minimal time and cost: everything runs completely automatically and with a zIIP-offload rate of up to 95%. The risks associated with transferring dumps and logs to third parties and service providers cannot be eliminated more efficiently or cost-effectively.

04/2017 – The so-called “total costs” of today’s SIEM systems are hard facts in terms of cost accounting

The so-called “total costs” of today’s SIEM systems are hard facts in terms of cost accounting, and not only when licenses are based on volume.

In addition to license costs there are “intellectual costs” in the form of the configuration the SIEM team in charge has to perform, for example to classify events and to segregate access to them. If the SIEM team has no mainframe know-how, integrating the mainframe into the SIEM easily becomes tedious. This is especially true when more and more mainframe users suddenly access the SIEM individually with their own spontaneous searches, evaluations and queries. Automatically supplied, predefined “standard reports” do not always make specialists directly happy in all their complex situations. There are many reasons that can prevent a “SIEM success story”.

We followed this thought, and with the new SF Sherlock Update Level 074, released at the beginning of April, the following new features for a cost-effective SIEM integration are available:

» Sherlock’s own “event world model”, which classifies and describes events in a way that is “comprehensible” to non-mainframe specialists, now also lets you “enrich” events with additional installation-defined information. This is particularly useful for “content-based comprehension optimization”, for example to help your SOC team directly understand the situation caused by an incident.

» The z/OS Productivity Warehouse was further improved at our customers’ request. It is now much more intuitive, and defining installation-defined queries has become much easier. Because it is located on the mainframe, it can be made available to even more mainframe users as a cost-effective and valuable instrument when searching for errors, causes, etc. It thus helps you to feed the SIEM more selectively, and therefore more cost-effectively, which reduces the SIEM’s operational costs. Overall, it gives mainframe teams more productivity in daily operations such as troubleshooting, auditing and forensic investigations, and thus also boosts your mainframe’s availability.

With that, SF Sherlock has further expanded its position as a mainframe SIEM connector providing optimum performance at optimal cost.

02/2017 – The real world shows clearly the possible disturbance and wrong decision that can be created by deliberately “injected” false reports.

So-called “fake news” or “alternative facts” are a daily topic. The real world clearly shows the disturbances and wrong decisions that deliberately “injected” false reports can cause.

The same risk applies to SIEM systems. These solutions “form an opinion” by filtering, correlating and evaluating incoming events and, if necessary, derive alerts and decisions on what to do from them.

Deliberately created “fake events,” e.g. as part of a professional attack, can distract a SIEM from the attacker’s own actions, blame others or uninvolved employees, or trigger alerts and implemented automations. Alongside suppressed events, fake events thus form a parallel risk, in particular for critical infrastructures.

Our leading z/OS security and compliance solution, SF-Sherlock, is already trained for these “audit trail breaks”, and our upcoming updates will keep the “fake events” topic as a sustained focus for supplementary measures.
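“Audit trail breaks” of both kinds, suppressed events and injected ones, become detectable on the transport between the event source and the SIEM if every record is bound to its predecessor. The following is an added example for this page, not SF-Sherlock’s mechanism: the forwarder chains each record to the previous one with an HMAC, and the receiver verifies the chain, so a dropped record shows up as a gap at the next genuine record and a fabricated record fails its MAC because the attacker lacks the key. The shared key, the sequence scheme and the sample events are constructed.

```python
"""Detect suppressed and injected events with an HMAC-chained audit trail.

Added example for this page, not SF-Sherlock's mechanism. The shared key,
the sequence scheme and the sample events are constructed.
"""
import hashlib
import hmac
import json
from typing import List, Tuple

# Assumption: key provisioned out of band to the forwarder and the SIEM side;
# an attacker who can write to the transport does not have it.
KEY = b"forwarder-shared-secret"
ANCHOR = "0" * 64   # chain value before the first record


def _mac(key: bytes, seq: int, prev: str, event: dict) -> str:
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, f"{seq}|{prev}|{body}".encode(), hashlib.sha256).hexdigest()


class Forwarder:
    """Wraps each event with a sequence number, the previous record's MAC and
    its own MAC, so every record is bound to its predecessor."""

    def __init__(self, key: bytes):
        self.key, self.seq, self.prev = key, 0, ANCHOR

    def emit(self, event: dict) -> dict:
        self.seq += 1
        mac = _mac(self.key, self.seq, self.prev, event)
        rec = {"seq": self.seq, "prev": self.prev, "event": event, "mac": mac}
        self.prev = mac
        return rec


def verify(records: List[dict], key: bytes) -> List[Tuple[int, str]]:
    """Return (seq, problem) for each record that breaks the chain.
    A forged record fails its MAC; a missing record shows up as a gap in
    seq/prev at the next genuine record, after which verification resumes."""
    problems, expected, prev = [], 1, ANCHOR
    for rec in records:
        good = _mac(key, rec["seq"], rec["prev"], rec["event"])
        if not hmac.compare_digest(good, rec["mac"]):
            problems.append((rec["seq"], "bad mac: injected or tampered record"))
            continue   # do not let a forgery advance the chain state
        if rec["seq"] != expected or rec["prev"] != prev:
            problems.append((rec["seq"], f"chain break: expected seq {expected}, got {rec['seq']}"))
        expected, prev = rec["seq"] + 1, rec["mac"]
    return problems


def scenario():
    """Constructed trail of four events plus two attacker manipulations."""
    fw = Forwarder(KEY)
    trail = [fw.emit(e) for e in (
        {"type": "LOGON", "user": "JSMITH"},
        {"type": "DATASET_UPDATE", "user": "JSMITH", "dataset": "SYS1.PARMLIB"},
        {"type": "LOGOFF", "user": "JSMITH"},
        {"type": "LOGON", "user": "OPER1"},
    )]
    # Suppression: the attacker drops the PARMLIB update from the stream.
    suppressed = [r for r in trail if r["event"]["type"] != "DATASET_UPDATE"]
    # Injection: a fabricated record blaming OPER1; the format is guessed
    # correctly but the MAC cannot be computed without the key.
    fake = {"seq": 5, "prev": trail[-1]["mac"],
            "event": {"type": "DATASET_UPDATE", "user": "OPER1", "dataset": "SYS1.PARMLIB"},
            "mac": "00" * 32}
    return verify(trail, KEY), verify(suppressed, KEY), verify(trail + [fake], KEY)


if __name__ == "__main__":
    clean, after_suppression, after_injection = scenario()
    print("clean trail:", clean)
    print("suppressed event:", after_suppression)
    print("injected event:", after_injection)
```

This detects manipulation of the stream between forwarder and SIEM; it cannot tell whether the forwarder itself was fed a fabricated event at the source, which is why the key must live where the attacker of the event source cannot read it, and why end-of-chain state should be checkpointed (e.g. the last MAC logged out of band) so that truncating the tail of the trail is also visible.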

Beyond that, SF-Sherlock is one of the most powerful and highest-quality real-time SIEM connectors for z/OS and supports all SIEM solutions available on the market. In particular, SF-Sherlock covers all event sources, such as z/OS, RACF, DB2, CICS, IMS, MQ, SMF, Syslog, TCP/IP, WebSphere, USS, VTAM, etc.

Our extensive SIEM project experience makes us the ideal partner for your SIEM team during the SIEM implementation and the integration of the mainframe. We know exactly what and how to monitor, correlate and alert so that your SIEM becomes a “success story” and complies with today’s compliance requirements (BaFin, SOX, PCI, …).


Worldwide toll-free phone number

++800 - 37 333 853
or simply dial:
++800 - DRFEDTKE

+41 41 710 4005

(++ represents the prefix for international calls; in most countries it is 00; in the U.S. it corresponds to 011)

Find Us


Seestrasse 3a, 6300 Zug, Switzerland


Visitors & Training

Dammstrasse 19, 6301 Zug, Switzerland

