Webinar Q&A: z/OS Mainframe SIEM Data Overload! How to Cut Through The Noise! Sponsored by Software Diversified Services - Computer Measurement Group

May 14, 2018

Yesterday we had a great webinar hosted by Software Diversified Services. The webinar, titled “z/OS Mainframe SIEM Data Overload! How to Cut Through the Noise!”, was led by Tom Wheaton. We discussed how to record activity on sensitive datasets, monitor updates to file systems, track user IDs with special privileged access, and track unauthorized access to your z/OS mainframe. Below are some follow-up questions as well as the questions you all had for Tom during the session. We hope you all enjoyed this webinar and we hope to see you at our future webinars!

  • There are many Type 80 records. Do you have a list of recommended Type 80 events we should consider?
    • Yes, we do and we can make that available to anyone who requests it from SDS – [email protected].
  • I didn’t see DB2 on your list, do you monitor DB2 events?
    • Yes, we can monitor the DB2 SMF 102 record.
  • Can you contrast VSA to IBM QRadar in terms of real-time threat detection?
    • VSA is a z/OS SIEM data collection agent. It runs as a started task on z/OS and collects data based on site-specified filtering options. These data are then transmitted via TCP/IP to the SIEM reporting tool of your choice. QRadar is one of those SIEM reporting tools. VSA and QRadar work together to provide real-time threat protection.
  • We have the SMA-RT connector product. Is VSA the same product? If not, what’s the difference?
    • Yes, they are the same product. VSA acquired SMA-RT from Type80 in 2017 and now supports the product under the name VSA (VitalSigns SIEM Agent).
  • You talk about monitoring console messages and SMF records, is there any time you would recommend console messages over SMF records?
    • If you are not currently collecting SMF records for an event and for some reason do not want to do that, then console messages would be the way to go. But I would still recommend enabling the SMF records.
  • Can I monitor telnet using a SIEM agent?
    • Yes. Telnet events, like FTP, are available via the Communications Server 119 SMF record which is supported by VSA.
  • You mention type 80 for data set access; would you consider monitoring the type 14 & 15 records for dataset access?
    • Only if you’re not collecting type 80 records for successful access to data sets, and only then with very robust filtering options. Otherwise, you’ll capture events for datasets you aren’t concerned about, resulting in unnecessary data clutter on your SIEM reporting tool.
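The filtering advice in the answers above (forward type 80 records for sensitive datasets, denials and privileged user IDs; treat type 14/15 as redundant while type 80 is collected; pass DB2 type 102 and Communications Server type 119 through), expressed as an added example that is not part of the webinar or of VSA. The event layout, field names and dataset prefixes are constructed for illustration; real SMF records are binary and the agent's own filter syntax is not shown here.

```python
from dataclasses import dataclass

# SMF record types discussed in the Q&A
RACF_TYPE80 = 80
DATASET_OPEN_TYPES = {14, 15}
DB2_TYPE102 = 102
COMM_SERVER_TYPE119 = 119


@dataclass
class SmfEvent:
    # Constructed, simplified view of an SMF record (not a real SMF layout)
    record_type: int
    user: str
    dataset: str = ""
    privileged: bool = False   # user ID with special/privileged access
    success: bool = True       # access granted (True) or denied (False)


@dataclass
class SitePolicy:
    # Constructed site-specified filtering options
    sensitive_prefixes: tuple = ("PROD.PAYROLL.", "SYS1.")
    collecting_type80: bool = True   # when True, type 14/15 is redundant noise


def forward_to_siem(ev: SmfEvent, policy: SitePolicy) -> bool:
    """Return True when the event is worth sending to the SIEM."""
    if ev.record_type == RACF_TYPE80:
        # Denials and privileged-user activity always go; successful access
        # only for sensitive datasets, to keep clutter off the SIEM.
        if not ev.success or ev.privileged:
            return True
        return ev.dataset.startswith(policy.sensitive_prefixes)
    if ev.record_type in DATASET_OPEN_TYPES:
        # Only when type 80 is not collected, and then with tight filtering.
        return (not policy.collecting_type80) and ev.dataset.startswith(
            policy.sensitive_prefixes)
    if ev.record_type in (DB2_TYPE102, COMM_SERVER_TYPE119):
        return True   # DB2 and telnet/FTP events are forwarded as-is
    return False      # anything else is dropped at the agent


def filter_events(events, policy: SitePolicy):
    """Apply the site policy and return only the events to transmit."""
    return [e for e in events if forward_to_siem(e, policy)]
```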

About Software Diversified Services

Founded in 1982, Software Diversified Services (SDS) is a Minnesota-based company that provides business software solutions to hundreds of customers worldwide, including many Global 500 companies. Current customers represent industries including banking, finance, insurance, retail and government. Rated No. 1 by the prestigious IBEX Bulletin, SDS is noted for its industry-leading software, documentation and technical support. For more information, visit www.sdsusa.com/siem.
