PowerTech's Interact product monitors critical security events in real time.
Let's face it; monitoring security events on IBM i servers probably isn't at the top of anyone's "bucket list." However, it's a critical process that every organization should perform to ensure that unauthorized activities don't occur unnoticed. Typically, there are two main issues with monitoring a system manually: 1) you have to deliberately (and repeatedly) check to see if something has happened, and 2) you are probably looking for the proverbial needle in a haystack of logged events.
PowerTech conducts hundreds of free compliance assessments each year and compiles many of the statistics into a published report. While performing these assessments, we frequently uncover user profiles that have been subjected to multiple invalid sign-on attempts. Ranked #1 in 2011 was a single profile with over 700,000 invalid attempts logged against it! That's amazing, but still not the all-time leader; that dubious honor is bestowed on a user from 2010 whose attempts surpassed the one million mark. What makes these stunning statistics worse is that the security team was oblivious to these activities and therefore clueless about the cause. I challenge whether they'd be more concerned if they discovered that the profile in question was QSECOFR. Sure, the profile might have been disabled after the first few attempts, but perhaps this is the one and only red flag warning of unauthorized activity against the system. Financial giant Citigroup reportedly received a $500,000 fine recently for not acting on red flags about unauthorized insider activities.
PowerTech Compliance Monitor is one of the most popular tools on the market for simplifying complex audit-related tasks, including the forensic analysis of audit journal data. With Version 3, you can schedule hundreds of audit reports in batch and make the results available as .xls and PDF files. The product can even place the completed reports in the IFS or distribute them as email attachments—encrypted, of course!
Security officers and auditors like to know the instant that something unexpected occurs on the system. If you prefer to have your IBM i system escalate critical system events as they happen, then you should look at PowerTech Interact. Installed quickly as a small IBM i agent, Interact is like a security camera for your system. Interact aids your security team by escalating three types of events:
- Critical system messages from QSYSMSG or QSYSOPR
- IBM security audit journal (QAUDJRN) entries
- PowerTech product events from Network Security and Authority Broker
Configuration couldn't be easier. Simply supply the IP address of your syslog or ISS security console and start the monitor job. If you don't maintain a Security Information Event Management (SIEM) environment—such as ISS, ArcSight, LogRhythm, or TriGeo—you can choose to send a notification to a message queue that is monitored by a messaging tool, such as Help/Systems' Robot/CONSOLE and Robot/ALERT or Bytware Messenger.
Interact comes with almost 600 event filters predefined (see Figure 1), and you can specify thousands more.
Figure 1: Interact helps you monitor hundreds of events easily. (Click images to enlarge.)
The filters define which events should be escalated and which should be ignored (see Figure 2). They also indicate how critical the event is to help the remote console differentiate between important events and simple notifications.
Figure 2: Interact allows you to specify the criteria used to filter events.
Interact sees events as they occur, formats the data, and then sends it to the remote console. The vast majority of SIEM monitoring solutions can process the events without modification due to the industry-standard syslog format used by Interact. This means you can spend less time configuring and more time monitoring. No more surprises when an audit uncovers system values that are out of compliance or profiles that have been targets of invalid signon attempts. Of course, Interact also detects events generated by other PowerTech products, including users switching to alternate profiles in Authority Broker, and important network events, such as ODBC connections, IFS activities, and FTP file transfers in Network Security.