Post on 21-Jan-2022
Real-Time Alerting, Monitoring External Security Monitor (ESM) Control Options with CA Compliance Event Manager Security Essentials
JIM BROADHURST, PRODUCT MARKETING ENGINEER (PRODUCT OWNER)
JAMES.BROADHURST@BROADCOM.COM
1.19.2020
Broadcom Proprietary and Confidential. Copyright © 2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
Disclaimer
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of 13th October 2020 and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
Copyright © 2020 Broadcom. All rights reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA Technologies logo are among the trademarks of Broadcom.
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. Broadcom assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, BROADCOM PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will Broadcom be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if Broadcom is expressly advised in advance of the possibility of such damages.
About Me
The Importance of Monitoring ESM Control Options
• Changes to control options could weaken or completely compromise your security posture
• Such changes could be human error or malicious intent
  • Insider Threat
    • An employee that has permissions to access data, but uses that access for personal gain or nefarious purposes. Difficult to detect because the behavior is often normal for their role.
  • Vulnerabilities
    • Prerequisites, software updates or components that are found to provide a pathway to access or increased permissions to a resource
ESM Control Options Monitoring
The monitoring lifecycle shown on the slide:
• Establish Baseline Following Best Practices
• Define Change Control Process
• Setup Continuous Monitoring
• Monitor for Changes
• Periodic Review, Adjustments and Improvements
Establishing a Baseline
• CA Mainframe Resource Intelligence Security Assessment
  • Security Assessments can help you better understand the level of risk in your mainframe environment.
  • System Settings – Key system configuration settings and parameters
  • Bypass Privileges – Review bypass privileges and flag any which violate security best practices
  • Password Controls – Examine the password controls & requirements, highlight vulnerabilities
  • Unix System Services (USS) – Identify key security-related issues in USS
  • And many more – this just represents some of what this assessment will evaluate.
• Security Technical Implementation Guides (STIGs)
  • A set of recommended best practices for system settings, including mainframe ESM control option settings.
CA Mainframe Resource Intelligence Security Assessments
Security Technical Implementation Guides
CA Compliance Event Manager and Predefined Security Essentials Policy
Best Practices Protection Throughout the Entire Security Lifecycle
Advance Your Mainframe Protection with Modern Mainframe Security
Products shown on the slide:
• CA Advanced Authentication
• Mainframe / ESM
• CA Trusted Access Manager for z
• CA Data Content Discovery
• CA Compliance Event Manager
• CA Cleanup
Leverage new technology & controls for Modern Mainframe Security:
• Locate and protect sensitive data from mainframe to mobile
• Proactively identify and respond to security risks faster
• Manage 24x7 privileged user access with ease
• Handle constant change and reduce security management load
Predefined Policy - Documentation
Security Essentials Predefined Policy Sets
Security Essentials Predefined Policy Statements
Security Essentials Predefined Policy Actions
User-Defined Variables – A Prerequisite!
Security Essentials Predefined Policy Email Actions
Defining the Security Essentials Email Recipients
• The only site-specific values needed for the predefined Policy Actions are email recipients
• The email recipients in the email actions use User-Defined Variables specified in a configuration file
Activating the Predefined Policy Sets
• To activate usage of the predefined Policy Sets you update the POLICYSET= value in the parmfile member for each listener
• CEMLPRM – Logger
• CEMAPRM – Alert
• CEMMPRM – Monitor
• CEMWPRM – Warehouse
Security Essentials Email Alerts
Example Security Essentials Email Alerts – TSS
• TSS MODIFY(MODE(WARN)) will generate two alerts
• One from a “Security System Modify” event
• One from ESM Monitor
• This is the alert for a TSS Modify command
• Here is the alert from the ESM Monitor
• Note 1: the before and after ESM option values are not currently available as substitution variables in the alert. This functionality is currently planned.
• Note 2: ESM Monitor can detect changes asserted from TSS parmfile changes across IPLs. In this case there would only be one alert since no MODIFY command would have been issued.
Security Essentials Reporting through the UI
• At this time we do not ship predefined reports. The steps to create them are extremely simple and documented.
• I have created one report for ESM Monitor and another for MODIFY commands
Report From ESM Monitor
The UI report shows the before and after values. Here we see some very suspicious activity.
Sample Report for TSS Modify Commands
Security Essentials Batch Reporting
We provide template JCL for batch reporting for Datacom/AD. Your reporting tool of choice could be used with DB2.
We provide sample queries for Security Essentials batch reporting. This is the sample query for Modify commands.
This is the sample query for ESM Monitor.
• You can copy the template JCL and create a single job using both sample queries.
• The job currently sends both reports to SYSOUT. The output could be sent to a data set (e.g. a GDG).
• Here is sample output from the report for Modify commands
• Here is the output from the ESM Monitor report
Predefined Policy – The Details
Event-Based vs ESM Monitor
Event-based Types Pertinent to Monitoring ESM Options
• For all three ESMs we will monitor for Security System Modify events
• For ACF2 we will additionally need to monitor for Other Administration events
• For every event we will take the following actions
  • Generate an Email Alert
  • Generate a WTO Alert
  • Include in Warehouse
  • Include in Logger
  • Include in Data Mart
Security Essentials ESM Monitor Statements
• The ESM Monitor Statements are simple and specify to monitor for changes to any option for each ESM
CA Security Essentials for IBM RACF Event-based Statements
• RACF is the simplest. System Security Modify will catch any SETROPTS commands
CA Security Essentials for CA TSS Event-based Statements
• For TSS we aren’t interested in TSS MODIFY(STATUS) commands so these need to be filtered out
CA Security Essentials for CA ACF2 Event-based Statements
• ACF2 is the most complex as the options can be changed but are not active until a subsequent Refresh command is issued
• We use Other Administrative type events for the Change, Delete or Insert commands that could affect ACF2 options. We could use a single statement for GSO, CPF and LDS Infostorage records, but we separate them to allow for more granularity in the email action alert text.
• Below is the Statement for GSO
• For CPF
• For LDS
• Here is the Statement for the System Security Modify event and we have the check for REFRESH as part of the test conditions.
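As an added illustration (not code from the deck or from CA Compliance Event Manager, whose policy statements appear only as screenshots), the per-ESM event filtering described in the statements above, together with the before/after comparison the ESM Monitor report shows, expressed in Python; the event field names, the simplified command text and the sample events are assumptions:

```python
# Constructed illustration of the per-ESM filtering rules the deck describes;
# it is NOT CA Compliance Event Manager policy syntax. Event field names, the
# simplified command text and the sample events are assumptions.
from dataclasses import dataclass

@dataclass
class Event:
    esm: str                # "RACF", "TSS" or "ACF2"
    event_type: str         # "SecuritySystemModify" or "OtherAdministration"
    user: str
    command: str            # command text as recorded (simplified here)
    record_class: str = ""  # ACF2 Infostorage class: GSO, CPF or LDS

def classify(ev):
    """Return alert text for an event that should alert, or None to stay silent."""
    text = ev.command.upper()
    words = text.split()
    ssm = ev.event_type == "SecuritySystemModify"
    if ev.esm == "RACF":
        # RACF is the simplest: every SETROPTS arrives as a Security System Modify
        if ssm and words[:1] == ["SETROPTS"]:
            return "RACF SETROPTS control option change"
    elif ev.esm == "TSS":
        # TSS MODIFY(STATUS) only displays the options, so it is filtered out
        if ssm and words[:1] == ["TSS"] and "MODIFY" in text:
            return None if "STATUS" in text else "TSS MODIFY control option change"
    elif ev.esm == "ACF2":
        # Edits to option records (Other Administration) only take effect on a
        # REFRESH (Security System Modify), so both are alerted, one label per class
        if ssm and "REFRESH" in text:
            return "ACF2 REFRESH activated pending option changes"
        if (ev.event_type == "OtherAdministration" and words[:1]
                and words[0] in ("CHANGE", "DELETE", "INSERT")
                and ev.record_class in ("GSO", "CPF", "LDS")):
            return f"ACF2 {ev.record_class} record {words[0].lower()} (inactive until REFRESH)"
    return None

def option_changes(before, after):
    """The ESM Monitor view: (option, old, new) for every option whose value changed."""
    keys = sorted(set(before) | set(after))
    return [(k, before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)]

# Constructed sample events, including the TSS MODIFY(MODE(WARN)) case from the deck
SAMPLE_EVENTS = [
    Event("TSS", "SecuritySystemModify", "ADMIN1", "TSS MODIFY(MODE(WARN))"),
    Event("TSS", "SecuritySystemModify", "OPER2", "TSS MODIFY(STATUS)"),
    Event("RACF", "SecuritySystemModify", "ADMIN3", "SETROPTS NOPROTECTALL"),
    Event("ACF2", "OtherAdministration", "ADMIN4", "CHANGE OPTS MODE(WARN)", "GSO"),
    Event("ACF2", "SecuritySystemModify", "ADMIN4", "F ACF2,REFRESH(OPTS)"),
]
```

Running `classify` over `SAMPLE_EVENTS` alerts on four of the five events and stays silent only on the TSS MODIFY(STATUS) display command, which matches the filtering the TSS statement applies.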
Thank You
Now, please join us for a live Question and Answer discussion. Click the meeting link at the bottom of the Session Description to join us.
This is your opportunity to connect with the presenter(s) and your peers, ask questions, and share information related to this topic.