As cybercriminals continue to get better at penetrating systems, it is becoming increasingly clear that companies need to step up and move from a compliance-driven approach to an optimized risk management security program. Since IBM i is often the most critical system, it’s important to monitor all user activities within it properly.
Investigating IBM i
Your best bet to catch the bad guys hiding in the noise is to monitor those transactions with the added context of what is happening outside the IBM i. Those logs should be sent to a security intelligence platform to detect and fully contextualize scenarios such as the very realistic one provided below.
- An individual guesses a user password on the IBM i.
- The same individual who successfully logged in as a basic user — with sufficient rights to run simple application tasks, but no command line or special authorities — finds a way to gain additional rights using nonconventional methods.
- The same user then gains access to the IBM i and steals or changes critical data.
AJLIB is the interface provided as is by IBM for an external system to connect to the IBM i world. From a security information and event management (SIEM) perspective, this interface comes with some important challenges, which for the time being include:
- AJLIB does not natively support Syslog, only Log file Protocol.
- The log cycle is fixed at 15 minutes and cannot be changed, so the logs do not reach the SIEM in real time.
- The system audit journal is the only source available. Other sources of information should be monitored, such as database changes recorded in database journals, activities captured by exit programs, etc.
- There is no filter available to remove the noise and no option to select the fields that should be included in the logs sent to the SIEM. Due to the sizable amount of data generated by the IBM i, filtering and enriching this information becomes crucial.
- Customers who tried to use this interface reported several performance challenges.
A Sound Alternative
The good news is that there are excellent alternatives to using AJLIB that can help overcome those challenges. One of them is Cilasoft’s security and compliance software solutions for IBM i environments. Cilasoft’s QJRN/400 enriches and filters audit data generated by the IBM i. The data set it produces allows you to focus on what really matters.
A combined QJRN/400 and IBM QRadar solution improves security, boosts security operations center (SOC) efficiency and productivity, and delivers value within hours, not weeks or months.
IBM Security QRadar is the world’s leading security intelligence platform because it has the right foundation and integrations to help clients turn a pile of point solutions into a finely tuned prevention, detection and response system that protects against advanced threats. QRadar consolidates all security information, including the prefiltered and enriched events generated by Cilasoft’s QJRN/400, into a single, web-based user interface using a customizable dashboard approach designed to pinpoint a client’s top threats, attacks, risks and vulnerabilities.
Interested in getting more info about IBM i? You can:
- Learn more about Cilasoft’s solution.
- Learn more about IBM Security QRadar.
- See the full demo of the combined solution.