Integrating Mainframe and Network Security Tools for a Stronger, Safer Mainframe

When you think about mainframe security, you probably think about RACF, ACF2, or Top Secret. But those security tools are just the tip of the iceberg when it comes to the potential security methodologies you could be using. The mainframe is not an isolated silo, existing in a different world from the breach events that you hear about in the news. Mainframers need to be concerned about insider threats as well as external breaches, and sometimes mainframe security tools alone are not enough.

The good news is that there a number of tools in the network world that can be used to help secure your mainframe. One major class of non-mainframe security tools are SIEM (security information and event management) software products and services, which provide real-time collection and analyses of security alerts generated by network hardware and applications.

Mainframers often don’t know what’s happening on the network side, however, especially when it comes to security. This is a big mistake, according to Charles Mills, Director of Advanced Projects for SIEM solutions provider CorreLog, Inc.

“In general, organizations are very siloed: There’s security and then there’s mainframe security,” Mills explained in a recent interview. “Hackers don’t see the world that way, though. Their effort is concerted and unified, and our effort to combat breaches is not.”

Siloed resources for mainframers also present a challenge when it comes to compliance. Regulations like HIPAA, PCI DSS, GDPR, and GLBA mandate how organizations handle data, especially when it comes to setting security standards to protect that data. But because mainframes are often separated from the network world, mainframers may be out of touch with compliance concerns auditors share with the network security team.

What are mainframers to do? Start by learning about network security tools your counterparts in distributed computing are leveraging, and find out how they can be integrated with your mainframe.


A number of network security offerings fall under the SIEM umbrella, and many of them come with useful tools, like real-time text or email alerts, powerful query and search, cross-platform correlation of suspicious events, service desk integration, and huge forensic archives.

MSSPs (managed security service providers) and DAMs (database activity monitors) are also essential for mainframers to know about. MSSPs are SIEMs deployed as a subscription service from the cloud. Similarly, DAM tools are a family of database-focused SIEMs. If you aren’t using these tools to help secure your mainframe, you’re fighting potential intruders with one hand tied behind your back, Mills said.

In the mainframe world, awareness of SIEMs is on the rise. At events, Charles likes to ask audience members to raise their hand if they have heard of SIEM. A few years ago, only 2 or 3 out of 50 people would raise their hands. Now, Charles estimates that about half of mainframers know about SIEMs. However, only a few of those people also know whether their organization actually has a SIEM, mainly because most organizations’ IT resources are so siloed.

Integrating Mainframes and SIEMs

Simply knowing what SIEM is does not reduce data risk, of course. Integrating mainframes with network security can be a challenge in and of itself. The mainframe does not have built-in support for a SIEM, because SIEMs were originally developed for UNIX systems. Plus, there are often three major challenges when it comes to integration. That’s where mainframe to SIEM/MSSP integration solutions come in.

First, mainframes tend to generate a wealth of data. How do you filter such a large volume of data to find the relevant log data you need for security event management? Second, many mainframe products are difficult to configure and install. Mainframe shops are generally constrained on budget and available people, so they really can’t afford to take a month to configure a product. And finally, not all vendors can retrieve the amount of SMF log data needed to give them a clear picture of user behavior on the mainframe.

Fortunately for mainframers, there are tools that try to address these concerns, making it easy to connect mainframes with the distributed network security tools that monitor user activity in real time. Products from various providers offer SMF enrichment and require minimal configuration and installation effort. This allows mainframers to integrate with network security and protect their systems, using some of the same tools already in use on the network side of the business.

Recent Stories
Young, the Mainframe Hacker: Breach Combers

IBM Systems Magazine: Editor's Picks for SHARE

Young, the Mainframe Hacker: Ob-Sec-urity