
IT Security News

IT Security and Compliance. We take it to the max.

Our presentation at the cyber insurance symposium

At the symposium “Cyber insurance in practice – from product development to underwriting to claims management”, we will be giving a presentation on the topic “After Microsoft key theft from crash dump: updating cyber insurance obligations”. You can find all further details here.

Presentation at the “Datenschutzkongress DuD 2023”

We are pleased to have been invited to speak at the DuD conference, which has been an important event for data protection professionals for more than 10 years. The presentation is titled “IT-Diagnose-Daten als Datenschutz-Herausforderung des IT-Betriebs” (IT diagnostic data as a data protection challenge for IT operations) and takes place on Tuesday at 12:05. It is also of great interest to data protection officers and insurance underwriters, especially in the cyber insurance and IT-related liability lines.

Automated STIG-based mainframe assessment

With software level 091, SF-Sherlock supports automated STIG compliance monitoring for z/OS. The new cross reference lets you easily map SF-Sherlock standard check and event IDs to your different security and compliance standards. STIG was just the kick-off. Further standards will be integrated soon, such as BSI Baseline Protection (“BSI Grundschutz”) and others.

WEBINAR for German speaking Switzerland on Data Privacy for Diagnostics and DSG

In the WEBINAR „IT-Diagnose- und Protokoll-Daten – datenschutzrechtliche Anforderungen und technische Schutz-Massnahmen“, the leading data protection expert RA Dr. David Vasella, CIPP/E, CIPM, Walder Wyss AG, Zürich, explains under which conditions IT diagnostic data falls under the Data Protection Act (DSG) and which obligations and restrictions follow from this.

Join this online expert briefing on 27.9.2022 or 30.11.2022, each from 13.30 to 14.15, to learn about IT diagnostic data, a data protection and security topic that matters for every IT operation.

You can find further details here; there is also an accompanying press release.

SF-Sherlock Continuous Delivery Level 089

At the beginning of April we launch SF-Sherlock’s Continuous Delivery Level 089. It provides a broad spectrum of new and innovative monitoring, protection and alerting capabilities. For example, the policy compliance checker adds new “superpower” to SF-Sherlock’s performance. This new level also supports your cost savings by adapting the SF-Sherlock workload to “Tailored Fit Pricing.”

12/2021 – Happy Holiday!

Obviously the world needs to continue further with its highly disciplined “lifestyle.” Let’s do it – for a good future. The entire team wishes you happy holidays and a successful 2022.

SF-Sherlock’s continuous software delivery level 088 includes the new and powerful system configuration compliance checker

SF-Sherlock’s software level 088, just released to make your mainframe’s compliance automation ready for z/OS 2.5, also includes the latest update of our system configuration compliance checker. It lets you verify your systems’ configurations individually and precisely via a fully automated procedure. It can be used inside and outside of your constantly running SHERLOCK STC.

COVID-19 virus pandemic: great remote support experience thanks to Skype, MS Teams, etc.

The current COVID-19 virus pandemic represents a new level of personal and business experience. We hope that you, your loved ones, and your colleagues are safe and well. Now more than ever, we must do the right things and be prepared to take steps beyond what we’re typically required to do.

We are here to support your business continuity with cost efficiency, security and health in mind. As the COVID-19 virus pandemic continues, we want to contribute our part to help you navigate the challenges that face us all. The last weeks have proven that Skype for Business, MS Teams, TeamViewer, FastViewer, and comparable solutions allow us to provide our premium support remotely as well. This helps a lot to keep things rolling. Even our penetration testing and pre-audit deep-dive services are possible remotely.

Therefore, please do not hesitate to contact us for remote support or training as usual.

12/2019 – Happy Holiday!

This year, too, was definitely exciting. Launching the non-mainframe version of SF-SafeDump was a breakthrough for our anonymization technologies. With SF-Sherlock’s new pervasive support of z/OS’s pervasive encryption we successfully targeted the next generation of mainframe risks for you, namely ransomware. Anyway, it’s Christmas time and the right moment to say “thank you” for cooperating with us. The entire team wishes you happy holidays and a successful 2020! See you next year.

Don’t miss our article in the German magazine KES about automatic reactions in a Security Operation Center (SOC)

KES is a leading security magazine in Germany and includes the official news of the BSI (“Bundesamt für Sicherheit in der Informationstechnik”). On September 30, 2019 the new KES issue becomes available (www.kes.de). You will find our article “Auf dem Weg zu automatischen Reaktionen – Der SOCste Sinn – Gefahrenindikator „Objektivität“ am Beispiel BaFin-relevanter IT” on page 64; it also discusses the z/OS-specific topic “ACEE manipulations.”

SF-Sherlock’s pervasive support for pervasive encryption on z/OS

SF-Sherlock’s next PTF level 082 provides powerful new features that intensively support your activities in the field of pervasively encrypting your data. The support’s scope ranges from monitoring, compliance and health checking up to “ransom” prevention. SF-Sherlock thus supports your teams from the very beginning in properly and securely implementing pervasive encryption on z/OS.

SF-Sherlock filter to detect bypassing mandatory usage of Privileged Account Security solutions, such as CyberArk

Privileged Account Security solutions, such as CyberArk, have become almost mandatory for larger data centers – definitely in the case of critical infrastructures. They support your compliance by managing the passwords of your privileged users, by recording their screens while they work on given systems, and by enforcing strict policies under which privileged users may only work while their sessions are recorded.

In the case of mainframes, complying with this regulation means that the 3270 emulation session has to be established from specific servers that guarantee the required recording; the same is true for any session via PuTTY, FTP, etc. Accordingly, it has to be detected, for example via the given SIEM solution, if someone tries to bypass this session recording obligation by connecting from outside the Privileged Account Security solution’s surveillance scope. Because a bypassed recording server never sees such a session, only the mainframe itself observes the true origin of every connection; properly detecting any bypass therefore requires corresponding monitoring on the mainframe.

All SF-Sherlock users may now benefit from our latest experience in establishing such a bypass detection. A set of specialized filters has been developed to select and forward all required details to your SIEM solution – almost ready to use for an easy filter and correlation definition.
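The detection logic described above, as an added example that is not SF-Sherlock’s own filter: it assumes the mainframe exports one session-start record per line in a constructed key=value format, and that the Privileged Account Security solution proxies all privileged sessions from a known set of recording servers; all addresses, user IDs and system names are constructed.

```python
"""Detect privileged mainframe sessions that bypass the PAM recording hosts.

Added example; this is not SF-Sherlock's filter logic. It assumes the
mainframe exports one session-start record per line in a constructed
'key=value' format and that the Privileged Account Security solution
proxies all privileged sessions from a known set of recording servers.
All addresses, user IDs and system names below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed: address range of the PAM recording servers (e.g. the
# CyberArk session-recording hosts). Only sessions from here are recorded.
PAM_RECORDER_NETS = [ip_network("10.10.50.0/28")]

# Constructed: user IDs whose sessions must always be recorded.
PRIVILEGED_USERS = {"SYSPROG1", "DBADM2", "SECADM1"}

# Session types the recording obligation covers (3270 emulation, FTP and
# PuTTY/SSH as named on the page); other protocols are out of scope here.
COVERED_PROTOCOLS = {"TN3270", "FTP", "SSH"}


@dataclass
class SessionEvent:
    ts: str
    user: str
    proto: str
    src: str
    target: str


def parse_line(line: str) -> SessionEvent:
    """Parse one constructed record such as
    'ts=... user=SYSPROG1 proto=TN3270 src=10.10.50.3 target=PRODA'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return SessionEvent(fields["ts"], fields["user"], fields["proto"],
                        fields["src"], fields["target"])


def from_recorder(src: str) -> bool:
    """True only if the source address lies inside a PAM recorder range.
    An unparsable address counts as *not* recorded: an unknown origin
    must never be trusted by default."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in PAM_RECORDER_NETS)


def classify(ev: SessionEvent) -> str:
    """Return 'ignore' (protocol out of scope), 'ok' or 'bypass'."""
    if ev.proto not in COVERED_PROTOCOLS:
        return "ignore"
    if ev.user not in PRIVILEGED_USERS:
        return "ok"          # non-privileged users may log on directly
    return "ok" if from_recorder(ev.src) else "bypass"


def detect_bypasses(lines: List[str]) -> List[dict]:
    """Return SIEM-ready alert records for every bypass attempt."""
    alerts = []
    for ev in map(parse_line, lines):
        if classify(ev) == "bypass":
            alerts.append({
                "rule": "PAM_RECORDING_BYPASS",
                "severity": "high",
                "user": ev.user,
                "protocol": ev.proto,
                "source_ip": ev.src,
                "target_system": ev.target,
                "time": ev.ts,
            })
    return alerts


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count classifications; useful for tuning the filter before alerting."""
    counts: Dict[str, int] = {"ok": 0, "bypass": 0, "ignore": 0}
    for ev in map(parse_line, lines):
        counts[classify(ev)] += 1
    return counts


# Constructed sample records, as a mainframe-side filter might export them.
SAMPLE_LOG = [
    "ts=2019-06-03T08:01:12Z user=SYSPROG1 proto=TN3270 src=10.10.50.3 target=PRODA",
    "ts=2019-06-03T08:02:45Z user=SYSPROG1 proto=TN3270 src=192.168.7.21 target=PRODA",
    "ts=2019-06-03T08:03:10Z user=APPUSER7 proto=TN3270 src=192.168.7.30 target=PRODA",
    "ts=2019-06-03T08:04:00Z user=DBADM2 proto=FTP src=172.16.4.9 target=PRODA",
    "ts=2019-06-03T08:05:30Z user=SECADM1 proto=SSH src=10.10.50.14 target=PRODA",
    "ts=2019-06-03T08:06:02Z user=SECADM1 proto=HTTP src=192.168.7.50 target=PRODA",
    "ts=2019-06-03T08:07:15Z user=DBADM2 proto=SSH src=unknown target=PRODA",
]

if __name__ == "__main__":
    for alert in detect_bypasses(SAMPLE_LOG):
        print(alert)
    print(summarize(SAMPLE_LOG))
```

In a real deployment the recorder ranges and privileged user list would be fed from the PAM inventory and the security database rather than hard-coded, and the alerts would be correlated in the SIEM with the PAM solution’s own session records.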

SF-SafeDump supports XML and JSON files

SF-SafeDump’s new PTF level 021 supports high-quality anonymization of log files in the XML and JSON formats. This new feature supports mainframe data centers that provide XML- and JSON-based diagnostic and debug information to their software vendors or internal development departments. Please ask our support to receive SF-SafeDump’s latest update.

03/2019 – SF-SafeDump’s new PTF level 020 allows for the anonymization of stand-alone dumps within a reasonable amount of time

In scenarios where a given dump is almost too huge to process as one unit, such as in the case of a stand-alone dump, or if the analysis of a regular dump is particularly urgent, this new feature of SF-SafeDump now lets you easily split a given dump file so as to anonymize several or even all parts of it in parallel. This new feature also allows you to exploit all the zIIPs your organization has “worldwide” in order to cut down on the required elapsed time. Anonymizing such larger dumps is now an easy and totally automated process.

12/2018 – Happy Holiday!

This year definitely was exciting and a breakthrough for our SF-SafeDump technology. Thank you for cooperating with us so intensively. The entire team wishes you happy holidays and a successful 2019!

10/2018 – SF-DeepDive – new due diligence (DD) software package for mainframe outsourcers

When it comes to making decisions about the future of a mainframe, outsourcing is one option to consider. Of course, both sides involved in such a step have their own interests, and there is even tough competition among today’s outsourcing service providers.

The new SF-DeepDive due diligence (DD) software package provides exactly what a mainframe outsourcer needs to get a clearer insight into given systems in a short amount of time. As an option, it can be combined with local assessment services from our company.

08/2018 – SF-SafeDump supports the integration of external confidential data scanner (CDS) and data leakage prevention (DLP)

Companies dealing with extremely sensitive data often use confidential data scanner (CDS) or data leakage prevention (DLP) applications to scan all documents before they may leave the company. It’s important to emphasize that such CDS and DLP solutions do not perform anonymization; instead they scan documents (files) for possible sensitive content and create a corresponding report. With SF-SafeDump’s new PTF level 017 it’s easy to use any CDS or DLP to double-check anonymized dumps and log files for possible “leftovers.” But we don’t want to give you the wrong impression: the principal quality check, which is highly comprehensive and fully sufficient, happens within SF-SafeDump itself. This means that you are safe and covered without a CDS or DLP. You should also be aware that SF-SafeDump covers many more categories of sensitive information than a CDS or DLP solution.

Overall, the integration of a given CDS or DLP solution into SF-SafeDump is fully optional. On the other hand, it’s a nice feature, since a CDS/DLP scan may increase a company’s internal level of compliance and promote confidence by applying the “golden rule” of mandatory document scanning fully effectively to in fact any document, i.e. even to dump and log files originating from the mainframe. We will definitely support any such scenario and won’t take it “personally” if users extend the already powerful quality assurance provided by SF-SafeDump with additional review capabilities. We are confident about this, since SF-SafeDump learns from the results of the CDS or DLP. Just to be clear: it’s still the goal and duty of SF-SafeDump to leave all CDS or DLP reports empty.

With PTF level 017, everything is provided for such an integration of a CDS or DLP application, and even for fully automating the related procedures; the tools provided also address all best-practice issues that occur within such an integration. The new PTF level 017 is now released and ready for download.


07/2018 – SF-Sherlock’s new PTF level provides performance improvements for environments with massive amounts of event data (SIEM, Splunk, etc.)

SF-Sherlock, and thus also SF-NoEvasion, has passed additional intensive performance reviews – driven by z/OS installations that process huge amounts of event data within their z/OS-SIEM, log archive, or Splunk integration. Large amounts of event data easily result from the monitoring of DB2, CICS, MQ, WebSphere and other subsystems.

We achieved these results by using the latest machine instructions supported by System Z machines and by further improving SF-Sherlock’s “event consolidation” feature supported by the real-time sniffer. Especially if your SIEM, log archive, or operational intelligence solution is licensed by the data volume it receives, the event consolidation feature is of great benefit: it reduces costs by not wasting your licensed data volume on redundant event data.

The new PTF level 080 is now released and ready for download.

01/2018 – Are you aware of the important date for your data center of May 25th 2018?

In only five months, the new General Data Protection Regulation, known in brief as GDPR, in German “EU-Datenschutz-Grundverordnung,” will come into effect. This will have a deep impact on the most technical and least transparent processes of the daily operations within your data center.

Concretely, the matter at hand is the transfer of system dumps and logs by your data center’s operational teams to software vendors for the purpose of error analysis, and the new cost-intensive risks that arise from May 25 onwards when this old practice simply continues in violation of the GDPR.

We take the liberty of pointing to SF-SafeDump, our top-performing, patented and fully automatic system dump and log anonymization solution, as a sustainable way to solve this problem. The proven, current Version 5.1 contains everything you need for a secure anonymization of all diagnosis files, and works in an extremely cost-effective fashion (on the z/OS mainframe, for example, 95% and more of the CPU time is offloaded to zIIP; in total this means “no” CPU costs).

11/2017 – Splunk is a leading platform when it comes to implementing a SOC.

Splunk is a leading platform when it comes to implementing a SOC. One reason is given with the Enterprise Security App based on Splunk’s Common Information Model (CIM).

To simplify a harmonious, effective and efficient SOC integration of the mainframe, SF-Sherlock now also supports Splunk’s CIM. This allows you to directly “feed” the corresponding SOC apps in Splunk with the vulnerability, event monitoring and intrusion detection results from z/OS. Since false positives are a significantly greater challenge for your organization in a SOC context than in a classic, more isolated audit or IDS environment, it’s even more important that SF-Sherlock gives you full control over contributing the right “mainframe topics” to your SOC, step by step and in the right dose.

This is great news for all companies implementing a SOC. Running a real cross-platform SOC that also includes the z/OS mainframe has never been easier.

08/2017 – SF-NoEvasion for DB2

Mainframe users currently (have to) focus on DB2 security and compliance real-time monitoring. Since we recognized a peak of interest in a solution focusing exclusively on DB2, we decided to offer such a mission-specialized package. With “SF-NoEvasion for DB2” we provide a powerful solution that allows you to implement the required security and compliance real-time monitoring for DB2 in a cost-effective and efficient way. It will be available from August 2017 onwards.

07/2017 – The implementation of an SOC

The implementation of a SOC is the current trend. It is often connected with the goal of overarching synergies: the various auditing and monitoring goals, tasks and requirements are to be realized in future by just one central division, optimally in terms of personnel and cost thanks to that synergy.

Therefore, the topic of SOC is of increasingly greater importance, connected with new requirements such as – among other things – the

> Implementation of the SOC: Decision about “internal or external?”, “Europe or even Bangalore?”
> Operation of the SOC: a cost-optimal SOC team without the CSOs, CIOs and other leadership levels having to be woken at night to clarify irrelevancies or false alarms,
> Fulfillment of everyone’s content-related hopes and expectations, namely factual effectiveness on a top level for the protection of the company, since in future your SOC will be the only one that is watching, as well as
> Fulfillment of all regulatory expectations.

Overall, the SOC development is no easy task when the result must not be a “paper tiger”: professional attacks and offensives, policy violations, etc. have to be actually recognized and alerted, and all regulatory authorities have to be satisfied at their next onsite visit.

Where does the high responsibility come from? The merge of departments outlined above eliminates the redundancy which until now had led to a sufficient detection rate: had one division not noticed something, the other division might have been in a position to do so. If there is only the one SOC, it will be the Achilles’ heel of all company-wide security measures, and the company is reliant on its 200% effectiveness.

Openly expressed SOC requirements are thus:

> You have to know what is important and even critical.
> You must have sustainably understood ALL of your platforms.
> You must be in a position to master the complexity of all important detailed topics sustainably, so that the SOC team can work optimally and sensibly, in particular when it is located offshore.

You’re asking yourself which partner can help you master the z/OS-related SOC topics with confidence? Us! We know the mainframe inside out, we have developed unique far-reaching monitoring solutions, we have coupled our solutions to all leading SIEM solutions, and we know the “intellectual requirement” of the mainframe in the SOC context by heart.

Feel free to contact us when searching for an experienced partner to accompany your SOC implementation if this also includes the mainframe.

06/2017 – Real-time DB2 auditing and event monitoring without SMF and cost burdens.

Industries “particularly plagued by regulations” are currently confronted by a challenging overall task in the area of DB2:
a) Activation of the audit traces; for many it is even a “dreaded first activation after decades,”
b) Monitoring of access to chosen critical tables through the activation of table auditing, although the number of accesses and thus of SMF records can potentially be high and cannot be exactly foreseen in advance, and
c) a real-time delivery of the SIEMs with the corresponding events.

Large installations that efficiently fulfill their regulatory tasks with SF-Sherlock have influenced the current further development of SF-Sherlock in the context of these requirements. It was a clear goal to do away with special DB2 add-ons in the form of additional products and thus to further reduce the total cost of auditing and event monitoring.

The order is now fulfilled, and the result lies in SF-Sherlock’s functionally and sustainably expanded real-time sniffer: 1) Chosen SMF records can now be excluded from recording in the SMF archive as desired; that means that the event reaches SF-Sherlock and thus the event monitoring or SIEM, but is no longer written to the SMF data set or the SMF log stream. 2) In the case of DB2 SMF records 100 to 102, high-volume events such as IFCID 143 (table-update audit) and 144 (table-read audit) can now be excluded from the SMF archive analogously to the exclusion of entire record types, and “only” reach SF-Sherlock’s event monitoring. In total, all involved parties are satisfied, because everything is audited and the SIEM is provided with events, but the SMF archiving medium is no longer “distended.”

That means that, thanks to SF-Sherlock, regulatory conditions in the area of DB2 can now be fulfilled cost-neutrally with “standard tools.”

05/2017 – Fully automatic SF SafeDump operation

Fully automatic SF SafeDump operation. In companies that act professionally and in a legally compliant manner when it comes to system dumps and logs, SF SafeDump has become a firm component of daily mainframe IT operation. In most cases all processes even run fully automated in a 24×7 operation. A completely autonomous dump and log anonymization operation made special operational features necessary, which are now available: a) the zIIP-offload self-monitoring, b) the support of modify system commands, and c) the opportunity to automatically avoid CPU peak load times through so-called “avoid-time intervals.”

Thanks to SF SafeDump, mainframe users can fulfill the strong regulatory data protection requirements relevant to system dumps and logs with minimal time and costs – everything runs completely automatically and with a zIIP-offload rate of up to 95%. The risks associated with the transfer of dumps and logs to third parties and service providers cannot be eliminated in a more efficient and cost-effective way.

04/2017 – The so-called “total costs” of today’s SIEM systems are hard facts in terms of cost accounting

The so-called “total costs” of today’s SIEM systems are hard facts in terms of cost accounting, not only when licenses are based on volume.

In addition to the license costs, there are “intellectual costs” in the form of the required configuration of the SIEM by the SIEM team in charge, for example in order to classify the events and to define their access-related segregation. If the SIEM team does not have any mainframe know-how, integrating the mainframe into the SIEM easily becomes tedious. This is especially true if suddenly more mainframe users access the SIEM individually with their own spontaneous searches, evaluations and queries. Automatically supplied and predefined “standard reports” do not always satisfy specialists in all their complex situations. There are many reasons that can prevent a “SIEM success story”.

We followed this thought, and with the new SF Sherlock Update Level 074, which will be released at the beginning of April, the following new features for a cost-effective SIEM integration will be available:

» Sherlock’s own “event world model”, which classifies and describes events in a “comprehensible manner” to non-mainframe specialists, now also lets you “enrich” events with additional installation-defined information. This feature is particularly useful for a “content-based comprehension optimization”, for example, to support your SOC team in directly better understanding the given situation caused by an incident.

» The z/OS Productivity Warehouse was further improved at our customers’ request. It’s now much more intuitive, and defining installation-defined queries has become much easier. Located on the mainframe, it’s potentially available to even more mainframe users as a cost-effective and valuable instrument when searching for errors, causes, etc. It thus helps you to feed the SIEM more selectively and thus cost-effectively, which lets you reduce the SIEM’s operational costs. Overall, it will provide the mainframe teams with more productivity during daily operations, such as troubleshooting, auditing, forensic investigations, etc., and thus also boosts your mainframe’s availability.

With that, SF Sherlock has further expanded its position as a mainframe SIEM connector that provides optimum performance at optimal costs.

02/2017 – The real world shows clearly the possible disturbance and wrong decision that can be created by deliberately “injected” false reports.

So-called “fake news” or “alternative facts” are a daily topic. The real world shows clearly the possible disturbances and wrong decisions that can be created by deliberately “injected” false reports.

The same risk also applies to SIEM systems. These solutions are used to “form an opinion” by filtering, correlating, and evaluating incoming events, and if necessary, deriving alerts and decisions on what to do.

Deliberately created “fake events,” e.g. as part of a professional attack, are able to distract a SIEM from, for example, the attacker’s own actions, to blame others or uninvolved employees, or to trigger alerts and implemented automations. In addition to suppressed events, fake events create a parallel risk, in particular for critical infrastructures.

Our leading z/OS security and compliance solution, SF-Sherlock, is already trained for these “audit trail breaks”, and we would like to inform you that our upcoming updates will have the “fake events” topic as a sustainable focus for supplementary measures.

As a result, SF-Sherlock is one of the most powerful and high-quality SIEM real-time connectors for z/OS, and supports all SIEM solutions available on the market. SF-Sherlock covers, in particular, all event sources, such as z/OS, RACF, DB2, CICS, IMS, MQ, SMF, Syslog, TCP/IP, WebSphere, USS, VTAM, etc.

Our high SIEM project competence makes us the ideal partner for your SIEM team during the SIEM implementation and the integration of the mainframe. We know exactly what and how to monitor, correlate and alert to ensure that your SIEM becomes a “success story” and complies with today’s compliance requirements (BaFin, SOX, PCI, …).

Our presentation at the cyber insurance symposium

At the symposium “Cyber insurance in practice – from product development to underwriting to claims management”, we will be giving a presentation on the topic “After Microsoft key theft from crash dump: updating cyber insurance obligations”. You can find all further details here.

Vortrag auf der “Datenschutzkongress DuD 2023”

Wir freuen uns über die Einladung als Referent auf der für Datenschützer seit mehr als 10 Jahren wichtigen DuD-Konferenz. Der Vortrag hat den Titel “IT-Diagnose-Daten als Datenschutz-Herausforderung des IT-Betriebs” und findet am Dienstag um 12:05 statt. Er ist auch für Datenschützer und Underwriter von Versicherungen von hohem Interesse, insbesondere der Sparten Cyber-Versicherung und IT-bezogene Haftpflicht.

Automated STIG-based mainframe assessment

With software level 091, SF-Sherlock supports the automated STIG compliance monitoring for z/OS. The new cross reference allows you an easy mapping of SF-Sherlock standard check and event IDs to your different security and compliance standards. STIG was just the kick-off. Further standards will be integrated soon, such as BSI Baseline Protection (“BSI Grundschutz”) and others.

WEBINAR for German speaking Switzerland on Data Privacy for Diagnostics and DSG

Erfahren Sie in dem WEBINAR „IT-Diagnose- und Protokoll-Daten – datenschutzrechtliche Anforderungen und technische Schutz-Massnahmen“ von einem führenden Datenschutz-Experten RA Dr. David Vasella, CIPP/E, CIPM, Walder Wyss AG, Zürich, unter welchen Voraussetzungen IT-Diagnose-Daten unter das Datenschutzgesetz fallen und welche Auflagen und Restriktionen sich daraus ableiten.

Informieren Sie sich bei diesem Online-Experten-Briefing am 27.9.2022 oder 30.11.2022, jeweils um 13.30-14.15 Uhr, über das für jeden IT-Betrieb wichtige Datenschutz- und Sicherheitsthema der IT-Diagnose-Daten.

Hier finden Sie weitere Details; auch gibt es eine zugehörige Pressemitteilung.

SF-Sherlock Continuous Delivery Level 089

Begin of april we launch SF-Sherlock’s Continuous Delivery Level 089. It provides a broad spectrum of new and innovative monitoring, protection and alerting capabilities. For example, the policy compliance checker contributes new “superpower” to the SF-Sherlock performance. This new level also supports your cost savings by adapting the SF-Sherlock workload to the “Tailored Fit Pricing.”

12/2021 – Happy Holiday!

Obviously the world needs to continue further with its highly disciplined „lifestyle.“ Let’s do it – for a good future. The entire team wishes you happy holiday and a successful 2022.

SF-Sherlock’s continuous software delivery level 088 includes the new and powerful system configuration compliance checker

SF-Sherlock’s software level 088, just released to make your mainframe‘s compliance automation ready for z/OS 2.5, also includes the latest update of our system configuration compliance checker. It allows you a highly individual and highly precise verification of your systems’ configurations via a fully automated procedure. It’s usable inside and outside of your constantly running SHERLOCK STC.

COVID-19 virus pandemic: great remote support experience thanks to Skype, MS Teams, etc.

The current COVID-19 virus pandemic represents a new level of personal and business experience. We hope that you, your loved ones, and your colleagues are safe and well. Now more than ever, we must do the right things and be prepared to take steps beyond what we’re typically required to do.

We are here to support your business continuity with cost efficiency, security and health in mind. As the COVID-19 virus pandemic continues, we want to contribute our part to help you navigate the challenges that will face us all. The last weeks have proven that Skype for Business, MS Teams, TeamViewer, FastViewer, and corresponding solutions, allow us to provide our premium support also from remote. This helps a lot to keep things rolling. Even our penetration testing and pre-audit deep-dive services are possible from remote.

Therefore, please do not hesitate in contacting us for receiving remote support or training as normally.

12/2019 – Happy Holiday!

Also this year definitely was exciting. Launching the non-mainframe version of SF-SafeDump enabled a breakthrough for our anonymization technologies. With SF-Sherlock’s new pervasive support of z/OS’s pervasive encryption we successfully targeted for you the next generation of mainframe risks, namely ransomware. Anyway, it’s Christmas time and the right moment to say “thank you” for cooperating with us. The entire team wishes you happy holiday and a successful 2020! See you next year.

Don’t miss our article in the German magazine KES about automatic reactions in a Security Operation Center (SOC)

KES is a leading security magazine in Germany and includes the official news of the BSI (“Bundesamt für Sicherheit in der Informationstechnik”) . At September 30, 2019 the new KES magazine becomes available (www.kes.de). You find our article “Auf dem Weg zu automatischen Reaktionen – Der SOCste Sinn – Gefahrenindikator „Objektivität“ am Beispiel BaFin-relevanter IT” at page 64; it also discusses the z/OS-specific topic “ACEE manipulations.”

SF-Sherlock’s pervasive support for pervasive encryption on z/OS

With SF-Sherlock’s next PTF level 082 new powerful features are provided to intensively support your activities in the field of pervasively encrypting your data. The support’s scope ranges from monitoring, compliance and health checking up to “ransom” prevention. SF-Sherlock thus supports your teams from the beginning onwards in properly and securely implementing pervasive encryption on z/OS.

SF-Sherlock filter to detect bypassing mandatory usage of Privileged Account Security solutions, such as CyberArk

Privileged Account Security solutions, such as CyberArk, became almost mandatory for larger data centers – definitely in case of critical infrastructures. They support your compliance by managing the passwords of your privileged users, recording their screen while working on given systems, and by strict policies it’s only allowed for privileged users to work when their sessions are recorded.

In case of mainframes, in order to comply with this regulation, the 3270 emulation session has to be established from specific servers for guaranteeing the required recording; the same is true for any session via PUTTY, FTP, etc. Accordingly it has to be detected, such as via the given SIEM solution, if someone tries to bypass this session recording obligation by connecting from outside the Privileged Account Security solution’s surveillance scope. For properly detecting any bypassing a corresponding monitoring is required on the mainframe.

All SF-Sherlock users may now participate in our latest experience to establish such a bypass detection. A set of specialized filters has been developed to select and forward all required details to your SIEM solution – almost spoon-ready for an easy filter and correlation definition.

SF-SafeDump supports XML and JSON files

SF-SafeDump’s new PTF level 021 supports high-quality anonymization of log files in the XML and JSON formats. This new feature supports mainframe data centers providing XML- and JSON-based diagnostic and debug information to their software vendors or internal development departments. Please ask our support to receive SF-SafeDump’s latest update.

03/2019 – SF-SafeDump’s new PTF level 020 allows for the anonymization of stand-alone dumps within a reasonable amount of time

In scenarios where a given dump is almost too huge to process as one unit, such as in the case of a stand-alone dump, or if the analysis of a regular dump is particularly urgent, this new feature of SF-SafeDump now lets you easily split a given dump file so as to anonymize several or even all parts of it in parallel. This new feature also allows you to exploit all the zIIPs your organization has “worldwide” in order to cut down on the required elapsed time. Anonymizing such larger dumps is now an easy and totally automated process.

12/2018 – Happy Holiday!

This year definitely was exciting and a breakthrough for our SF-SafeDump technology. Therefore, thanks for cooperating with us so intensively. The entire team wishes you happy holiday and a successful 2019!

10/2018 – SF-DeepDive – new due diligence (DD) software package for mainframe outsourcers

When it comes to making decisions about the future of a mainframe, outsourcing is one option to consider. Of course, both sides involved in such a step have their own interests, and there is even tough competition among today’s outsourcing service providers.

The new SF-DeepDive due diligence (DD) software package provides exactly what a mainframe outsourcer needs to get a clearer insight into given systems in a short amount of time.
As an option, it can be combined with local assessment services from our company.

08/2018 – SF-SafeDump supports the integration of external confidential data scanner (CDS) and data leakage prevention (DLP)

Companies dealing with extremely sensitive data often use confidential data scanner (CDS) or data leakage prevention (DLP) applications to do a general scan of all documents before they may leave the company. It’s important to emphasize that such CDS and DLP solutions do not perform anonymization, but instead scan documents (files) for possible sensitive content and create a corresponding report. With SF-SafeDump’s new PTF level 017 it’s easy to exploit the capabilities of any CDS or DLP, namely, to double-check any anonymized dumps and log files for possible “leftovers.” But we don’t want to give you the wrong impression: the principal quality check, which is highly comprehensive and fully sufficient, also happens within SF-SafeDump. This means that you are safe and covered without a CDS or DLP. You should also be aware of the fact that SF-SafeDump covers many more categories of sensitive information than a CDS or DLP solution.

Overall, the integration of a given CDS or DLP solution into SF-SafeDump is fully optional. On the other hand, it’s a nice feature, since a CDS/DLP scan may increase a company’s internal level of compliance and promote good feelings while applying the “golden rule” of mandatory document scanning fully effectively to in fact any document, i.e. even to dump and log files originating from the mainframe. We will definitely support any such scenario and won’t take it “personally” if users extend the already powerful quality assurance provided by SF-SafeDump through additional review capabilities. We are confident about this, since SF-SafeDump learns from the results of the CDS or DLP. Just to be clear: it’s still the goal and duty of SF-SafeDump to leave all CDS or DLP reports empty.

With PTF Level 017, everything is provided for such an integration of a CDS or DLP application and even to fully automate the related procedures; the tools provided also solve all problems of best practice that occur within such an integration. The new PTF level 017 is now released and ready for download.

 

07/2018 – SF-Sherlock’s new PTF level provides performance improvements for environments with massive amounts of event data (SIEM, Splunk, etc.)

SF-Sherlock, and thus also SF-NoEvasion, has passed additional intensive performance reviews – driven by z/OS installations that process huge amounts of event data within their z/OS-SIEM, log archive, or Splunk integration. Larger amounts of event data easily result from the monitoring of DB2, CICS, MQ, WebSphere as well as other subsystems.

We achieved these great results by using the latest machine instructions supported by System z machines as well as by further improving SF-Sherlock’s “event consolidation” feature supported by the real-time sniffer. Especially if your SIEM, log archive, or operational intelligence solution is licensed by the data volume it receives, the event consolidation feature is of great benefit and will help you to reduce costs by not wasting your licensed data volume on redundant event data.

The new PTF level 080 is now released and ready for download.
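To illustrate the idea behind event consolidation described above, here is an added example that is not SF-Sherlock’s implementation: redundant events that share user, event type and resource within a fixed window are collapsed into one record carrying a count and first/last timestamp before being forwarded to a volume-licensed SIEM. The event names and timestamps are constructed sample data.

```python
"""Added example (not SF-Sherlock's implementation): window-based consolidation
of redundant events before forwarding to a volume-licensed SIEM.
All events below are constructed sample data."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed consolidation window


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def consolidate(events, window=WINDOW):
    """events: list of dicts with ts/user/event/resource, sorted by ts.
    Events sharing (user, event, resource) within `window` of the group's
    first event are merged into that group; a later event opens a new group,
    so a burst is never hidden behind a single stale record."""
    groups = {}   # key -> currently open consolidated record
    out = []      # consolidated records in order of first occurrence
    for ev in events:
        key = (ev["user"], ev["event"], ev["resource"])
        ts = parse_ts(ev["ts"])
        g = groups.get(key)
        if g is not None and ts - parse_ts(g["first_ts"]) <= window:
            g["count"] += 1
            g["last_ts"] = ev["ts"]
            continue
        g = {"user": ev["user"], "event": ev["event"], "resource": ev["resource"],
             "first_ts": ev["ts"], "last_ts": ev["ts"], "count": 1}
        groups[key] = g
        out.append(g)
    return out


# Constructed: a burst of DB2 table-read audit events plus one table update.
SAMPLE_EVENTS = [
    {"ts": "2019-05-02T08:00:00Z", "user": "DBA01", "event": "IFCID144_TABLE_READ", "resource": "PROD.CUSTOMER"},
    {"ts": "2019-05-02T08:00:10Z", "user": "DBA01", "event": "IFCID144_TABLE_READ", "resource": "PROD.CUSTOMER"},
    {"ts": "2019-05-02T08:00:30Z", "user": "DBA01", "event": "IFCID144_TABLE_READ", "resource": "PROD.CUSTOMER"},
    {"ts": "2019-05-02T08:00:45Z", "user": "DBA01", "event": "IFCID143_TABLE_UPDATE", "resource": "PROD.CUSTOMER"},
    {"ts": "2019-05-02T08:00:59Z", "user": "DBA01", "event": "IFCID144_TABLE_READ", "resource": "PROD.CUSTOMER"},
    {"ts": "2019-05-02T08:01:30Z", "user": "DBA01", "event": "IFCID144_TABLE_READ", "resource": "PROD.CUSTOMER"},
]

if __name__ == "__main__":
    for rec in consolidate(SAMPLE_EVENTS):
        print(rec)
```

Six raw events become three forwarded records; the count field keeps the audit complete while the licensed volume only carries the non-redundant part.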

01/2018 – Are you aware of the important date for your data center of May 25th 2018?

In only five months, the new General Data Protection Regulation, known in brief as GDPR (in German “EU-Datenschutz-Grundverordnung”), will come into effect. This will have a deep impact on the most technical and least transparent processes of the daily operations within your data center.

Concretely, the matter at hand is the transfer of system dumps and logs to software vendors by your data center’s operational teams for the purpose of necessary error analysis, and the new cost-intensive risks, from May 25 onwards, of violating the GDPR by simply continuing this old best practice.

We allow ourselves to point toward SF-SafeDump, our top-performing, patented and fully automatically working system dump and log anonymization solution, to sustainably solve this problem. The proven, current Version 5.1 contains everything you need for a secure anonymization of all diagnosis files, and works in an extremely cost-effective fashion (on the z/OS mainframe, for example, up to 95% and more of the CPU time is offloaded to zIIP; in total this means “no” CPU costs).

11/2017 – Splunk is a leading platform when it comes to implementing a SOC.

Splunk is a leading platform when it comes to implementing a SOC. One reason is given with the Enterprise Security App based on Splunk’s Common Information Model (CIM).

To simplify a harmonious, effective and efficient SOC integration of the mainframe, SF-Sherlock now also supports Splunk’s CIM. This allows you to directly “feed” the corresponding SOC apps in Splunk with vulnerability, event monitoring and intrusion detection results from z/OS. Since false positives in a SOC context challenge your organization significantly more than in a classic, more isolated audit or IDS environment, it’s even more important that SF-Sherlock gives you full control over contributing the right “mainframe topics” to your SOC, step by step and in the right dose.

This is great news for all companies implementing a SOC. Running a real cross-platform SOC that also includes the z/OS mainframe has never been easier.

08/2017 – SF-NoEvasion for DB2

Mainframe users currently (have to) focus on DB2 security and compliance real-time monitoring. Since we recognized a peak of interest in a solution exclusively focusing on DB2, we decided to offer such a mission-specialized package. With “SF-NoEvasion for DB2” we provide a powerful solution allowing you to implement the required security and compliance real-time monitoring for DB2 in a cost-effective and efficient way. It will be available from August 2017 onwards.

07/2017 – The implementation of an SOC

The implementation of an SOC is the current trend, often also connected with the goal of overarching synergies: the various auditing and monitoring goals, tasks and requirements are in future to be realized through just one central division, optimal in terms of personnel and cost thanks to the synergy.

Therefore, the topic of SOC is of ever greater importance, connected with new requirements such as, among other things, the

> Implementation of the SOC: Decision about “internal or external?”, “Europe or even Bangalore?”
> Operation of the SOC: Cost-optimal SOC team without the CSOs, CIOs and other leadership levels having to be awakened at night to clarify irrelevancies or false alarms,
> Fulfillment of content-related hopes and expectations of everything, namely factual effectiveness on a top level for the protection of the company, since in future your SOC will be the only one that is watching, as well as
> Fulfillment of all regulatory expectations.

Overall, SOC development is no easy task when the result may not be a “paper tiger”: professional attacks and offensives, policy violations, etc. have to be factually recognized and alerted, and all regulatory authorities must be satisfied at their next onsite visit.

Where does the high responsibility come from? Through the above-outlined merger of departments, the redundancy which until now had led to a sufficient detection rate is eliminated at the same time: had one division not noted something, the other division might have been in a position to do so. If there is only the one SOC, it will be the Achilles’ heel of all company-wide security measures, and the company is reliant on its 200% effectiveness.

Openly expressed SOC requirements are thus:

> You have to know what is important and even critical.
> You must have sustainably understood ALL of your platforms.
> You must be in a position to sustainably master the complexity of all important detailed topics so that the SOC team can work optimally and sensibly, in particular when it is located offshore.

You’re asking yourself which partner you can rely on to master the z/OS-related SOC topics? Us! We know the mainframe inside out, we have developed unique, far-reaching monitoring solutions, we have coupled our solutions to all leading SIEM solutions, and we have fully mastered the “intellectual requirement” of the SOC context for the mainframe.

Feel free to contact us when searching for an experienced partner to accompany your SOC implementation if this also includes the mainframe.

06/2017 – Real-time DB2 auditing and event monitoring without SMF and cost burdens.

Industries “particularly plagued by regulations” are currently confronted by a challenging overall task in the area of DB2:
a) Activation of the audit traces; for many it is even a “dreaded first activation after decades,”
b) Monitoring of access to chosen critical tables through the activation of table auditing, although the number of accesses and thus of SMF records can potentially be high and cannot be exactly foreseen in advance, and
c) a real-time delivery of the SIEMs with the corresponding events.

Large installations that fulfill their regulatory tasks with efficiency with SF-Sherlock have influenced the current further development of SF-Sherlock in the context of these requirements. It was a clear goal to do away with or remove special DB2 add-ons in the form of additional products and thus to be able to further reduce the total cost of the auditing and event monitoring.

The order is now fulfilled, and the result lies in SF-Sherlock’s functionally and sustainably expanded real-time sniffer: 1) Chosen SMF records can now be excluded from recording in the SMF archiving as desired; that means that the event reaches SF-Sherlock and thus the event monitoring or SIEM, but is no longer written to the SMF file or the SMF log stream. 2) In the case of DB2 SMF records 100 to 102, high-volume events, such as IFCID 143 (table-update audit) and 144 (table-read audit), can now be excluded from the SMF archiving analogous to the exclusion of entire record types, and “only” reach SF-Sherlock’s event monitoring. In total, all involved parties are satisfied, because everything is audited, the SIEM is provided with events, but the SMF archiving medium is not further “distended.”

That means that, thanks to SF-Sherlock, regulatory conditions in the area of DB2 can now be fulfilled cost-neutrally with “standard tools.”

05/2017 – Fully automatic SF SafeDump operation

Fully automatic SF SafeDump operation. In companies that act professionally and legally safely when it comes to system dumps and logs, SF SafeDump has been established as a firm component of daily mainframe IT operation. In most cases all processes even take place fully automated in a 24×7 operation. A completely autonomous dump and log anonymization operation made special operational features necessary, which are now available: a) zIIP-offload self-monitoring, b) support for modify system commands, and c) the option to automatically avoid CPU peak load times through so-called “avoid-time intervals.”

Thanks to SF SafeDump, mainframe users can fulfill the strong regulatory data protection requirements relevant to system dumps and logs with minimal time and costs – everything runs completely automatically and with a zIIP-offload rate of up to 95%. The risks associated with the transfer of dumps and logs to third parties and service providers cannot be eliminated in a more efficient and cost-effective way.

04/2017 – The so-called “total costs” of today’s SIEM systems are hard facts in terms of cost accounting

The so-called “total costs” of today’s SIEM systems are hard facts in terms of cost accounting, not only then when licenses are based on volume.

In addition to the license costs, there are “intellectual costs” in the form of the required configuration of the SIEM by the SIEM team in charge, for example, in order to classify the events as well as to segregate access to them. If the SIEM team does not have any mainframe know-how, integrating the mainframe into the SIEM easily becomes tedious. This is especially true if there are suddenly more mainframe users accessing the SIEM individually with their own spontaneous searches, evaluations and queries. Automatically supplied and predefined “standard reports” do not always make specialists directly happy in all their complex situations. There are many reasons potentially preventing a “SIEM success story”.

We followed this thought, and with the new SF Sherlock Update Level 074, which will be released at the beginning of April, the following new features for a cost-effective SIEM integration will be available:

» Sherlock’s own “event world model”, which classifies and describes events in a “comprehensible manner” to non-mainframe specialists, now also lets you “enrich” events with additional installation-defined information. This feature is particularly useful for a “content-based comprehension optimization”, for example, to support your SOC team in directly better understanding the given situation caused by an incident.

» The z/OS Productivity Warehouse was further improved at our customers’ request. It’s now much more intuitive, and defining installation-defined queries became much easier. Located on the mainframe, it’s potentially available to even more mainframe users as a cost-effective and valuable instrument when searching for errors, reasons, etc. It thus helps you to feed the SIEM more selectively and thus more cost-effectively, and this lets you reduce the SIEM’s operational costs. Overall, it will provide the mainframe teams with more productivity during daily operations, such as troubleshooting, auditing, forensic investigations, etc., and thus also boosts your mainframe’s availability.

With that, SF Sherlock has further expanded its position as a mainframe SIEM connector that provides optimum performance at optimal costs.

02/2017 – The real world shows clearly the possible disturbance and wrong decision that can be created by deliberately “injected” false reports.

So-called “fake news” or “alternative facts” are a daily topic. The real world shows clearly the possible disturbances and wrong decisions that can be created by deliberately “injected” false reports.

The same risk also applies to SIEM systems. These solutions are used to “form an opinion” by filtering, correlating, and evaluating incoming events, and if necessary, deriving alerts and decisions on what to do.

Deliberately created “fake events,” e.g. as part of a professional attack, are able to distract a SIEM from, for example, the attacker’s own actions, to blame others or non-involved employees, or to trigger alerts or implemented automations. In addition to suppressed events, fake events create a parallel risk, in particular, for critical infrastructures.

Our leading z/OS security and compliance solution, SF-Sherlock, is already trained for these “audit trail breaks”, and we would like to inform you that our upcoming updates will have the “fake events” topic as a sustainable focus for supplementary measures.

Therefore, SF-Sherlock is one of the most powerful and high-quality SIEM real-time connectors for z/OS, and supports all SIEM solutions available on the market. SF-Sherlock covers, in particular, all event sources, such as z/OS, RACF, DB2, CICS, IMS, MQ, SMF, Syslog, TCP/IP, WebSphere, USS, VTAM, etc.

Our high SIEM project competence makes us the ideal partner for your SIEM team during the SIEM implementation and integration of the mainframe. We know exactly what and how to monitor, correlate and alert to ensure that your SIEM becomes a “success story”, and complies with today’s compliance requirements (Bafin, SOX, PCI, …).
