Posted on 17-Apr-2019



PRODUCT DATASHEET CORRELOG.COM

1

The interoperability of CorreLog agent-based security solutions for both mainframe and distributed systems has been a key component of our success over the past eight years. To simplify the complexities of a Splunk deployment, CorreLog SIEM Correlation Server (CorreLog SIEM) acts as a log collector between enterprise IT assets and Splunk, filtering out unneeded event messages. For viewing IBM z/OS event messages in your Splunk Enterprise system, CorreLog provides both mainframe SIEM and Splunk apps through the Splunkbase platform.

Reduce the amount of log data flowing through Splunk Enterprise: the CorreLog SIEM agent's high-speed indexing and filtering give clients using Splunk the ability to intercept, filter and correlate event messages efficiently before sending only the pertinent log data on to Splunk Enterprise. Because CorreLog provides unlimited data consumption at no additional charge, Splunk Enterprise receives only the data most relevant to security and compliance auditing. The reduction in event log consumption means your investment in CorreLog comes with a fast ROI, generally realized in just a few months.

CorreLog zDefender® for z/OS allows users to view mainframe RACF, ACF2, Top Secret, and Db2 events in real time, alongside security events from Windows, UNIX, Linux, routers, firewalls, and other IT assets in the Splunk ESM. This not only gives companies the best possible real-time security, but also helps ensure regulatory compliance.

Additionally, zDefender converts a myriad of other mainframe security events, including TSO logons, production job ABENDs, and TCP/IP and FTP connections. For ease of deployment, CorreLog's zDefender has certified integrations with IBM® Security QRadar® and HP ArcSight, and strategic partnerships with Compuware, Micro Focus/Serena and McAfee. The ability to view cross-platform security event log data in real time is a ground-breaking feature of zDefender. Our real-time z/OS agent provides IT security personnel with a more inclusive view of system-wide threat data, for a higher level of monitoring of user and system accesses related to network intrusion. zDefender facilitates compliance requirements set forth by PCI DSS, HIPAA, IRS Pub. 1075, GLBA, SOX, FISMA, NERC and many other standards.

zDEFENDER FOR SPLUNK ESM

DELIVER IBM z/OS RACF, ACF2, & TOP SECRET USER AND DB2 ACCESS DATA TO SPLUNK ENTERPRISE SECURITY MANAGEMENT IN REAL TIME

For many large organizations, one or more IBM z/OS mainframes constitute a strategic capital investment for the most mission-critical applications, processes and data. With security information and event management (SIEM) software platforms existing predominantly in distributed environments, the CorreLog zDefender® for z/OS allows organizations to include mainframe event log data for a unified, multi-platform view of enterprise security event data in a single Splunk instance.

CORRELOG CERTIFIED INTEGRATIONS: z/OS

CorreLog zDefender installs quickly, uses minimal resources, and does not require extensive training, ongoing maintenance or administration. zDefender also monitors IBM Db2 utilizing CorreLog dbDefender™, which delivers up-to-the-second database activity monitoring (DAM) for Db2. DAM capabilities in dbDefender™ include privileged-user monitoring, recording invalid access attempts, auditing creation/deletion of system-level objects and other attempts to alter the secure state of Db2, down to the SQL statements.

Your IBM z/OS platform is the most strategic data asset in your enterprise network. It is constantly generating messages that tell you how users and programs are accessing the system, but if you are not receiving these messages in your Splunk ESM in real time, you are putting your data at risk. You can leverage this live mainframe security data within your existing Splunk ESM tool, expanding your IT security visibility beyond your distributed systems. With zDefender, you can monitor the following mainframe activity in real time:

• RACF, zVM for RACF

• CA ACF2™, Top Secret messages

• Db2 and IMS

• CICS, MQ

• File Accesses

• System Status

• FTP, TCP/IP

• IND$FILE

• BMC Logs and Events

• JES, App Logs

• Console Messages

• Compuware

• Micro Focus

• SYSLOG and Other Log Files

HOW zDEFENDER FOR SPLUNK WORKS

zDefender for z/OS resides in an LPAR (or multiple LPARs), converts RACF, ACF2, Top Secret and other user data related to mainframe security, and in real time sends the data as standard RFC 3164 Syslog to your distributed Splunk ESM. The messages leave z/OS ready-formatted for Splunk ESM and no further processing is required. CorreLog zDefender is also compatible with the latest IBM z System, the z14 mainframe.
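The datasheet says only that events leave z/OS as "standard RFC 3164 Syslog". As an added example (not CorreLog's code), the Python below parses and validates RFC 3164 framing the way a collector-side or Splunk administrator would check what actually arrives from an LPAR: PRI range, facility/severity decoding, the year-less timestamp, and the TAG. The host name, tag and event text are constructed sample values, not a real zDefender message format.

```python
import re
from datetime import datetime
from typing import Optional

# RFC 3164 frame: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: CONTENT
# PRI = facility * 8 + severity; the largest legal value is 23 * 8 + 7 = 191.
_FRAME = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# TAG is up to 32 alphanumerics, optionally followed by [pid], then ':'.
_TAG = re.compile(r"^([A-Za-z0-9]{1,32})(?:\[\d+\])?: ?(.*)$")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_rfc3164(line: str, year: int = 2019) -> Optional[dict]:
    """Return the decoded fields of one RFC 3164 line, or None if it is malformed.

    RFC 3164 timestamps carry neither year nor time zone, so the collector has to
    supply the year (an assumed parameter here) and treat the time as sender-local.
    """
    m = _FRAME.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    ts = datetime.strptime(f"{year} {m.group('ts').replace('  ', ' ')}",
                           "%Y %b %d %H:%M:%S")
    tag_match = _TAG.match(m.group("msg"))
    tag, content = tag_match.groups() if tag_match else ("", m.group("msg"))
    return {"facility": facility, "severity": SEVERITY[severity], "timestamp": ts,
            "host": m.group("host"), "tag": tag, "content": content}

# Constructed sample lines (not real zDefender output): one well-formed
# authpriv/info event, one with an out-of-range PRI, and one with no PRI at all.
SAMPLE_LINES = [
    "<86>Apr 17 10:22:03 ZOSPROD ZDEFENDER: constructed RACF logon event for USER01",
    "<200>Apr 17 10:22:04 ZOSPROD ZDEFENDER: PRI above 191 is invalid",
    "Apr 17 10:22:05 ZOSPROD ZDEFENDER: missing PRI header",
]

def count_valid(lines) -> int:
    """Number of lines a collector should accept as RFC 3164 frames."""
    return sum(1 for l in lines if parse_rfc3164(l) is not None)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_rfc3164(line))
```

Lines that fail the frame check are worth counting on the collector, since a mainframe agent that emits non-conforming frames will silently lose events to parsing errors downstream.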

dbDEFENDER™ FOR DB2 FOR SPLUNK

CorreLog zDefender™ for z/OS also has an option for real-time Db2 monitoring with CorreLog dbDefender™. Any organization with PCI DSS or other industry standard considerations needs this up-to-the-second database activity monitoring (DAM) of Db2 to ensure compliance. Specifically, dbDefender provides the following DAM capability:

• Privileged user monitoring

• Auditing invalid logical access attempts

• Auditing creation and deletion of system-level objects

• Additional auditing of Db2 Utilities, DDL statements, Db2 console commands, Db2 object access, and other user activity linked to Db2

• dbDefender supports both static and dynamic SQL.


There are many reasons why zDefender for z/OS is the right choice for your Mainframe Security & Compliance initiatives.

FEATURE / BENEFIT

• Feature: Standards compliant. Converts z/OS events to RFC 3164-compliant Syslog messages that work with any standards-based SIEM or Syslog collection software.
  Benefit: Investment protection. Compatible with all of your existing software. Freedom of choice: select CorreLog or any other SIEM system.

• Feature: Collects mainframe security events from RACF®, ACF2, and Top Secret, TCP/IP, FTP, CICS, MQ, File Accesses, IND$FILE, Syslog, and other log files.
  Benefit: Complements your existing mainframe security software.

• Feature: Collects audit events from Db2 and IMS.
  Benefit: Know who accessed what data and when. Key for PCI DSS, HIPAA, SOX, FISMA, GLBA and other compliance standards.

• Feature: Collects events from APP Logs, JES, Console Messages, BMC, Compuware, and Micro Focus events.
  Benefit: Complements your existing IT systems investment.

• Feature: Extensive yet straightforward UI configuration. Decide which events and fields you want to see.
  Benefit: Get the data you need without unnecessary system overhead.

• Feature: Collects TSO logons and logoffs.
  Benefit: Know who accessed what data and when. Key for PCI DSS, HIPAA, SOX, FISMA, GLBA and other compliance standards.

• Feature: Collects z/OS job and started task terminations including ABENDs.
  Benefit: Know what's working and what's not working in real time in your z/OS production system.

• Feature: Uses only a few seconds of CPU time per day.
  Benefit: Thrifty use of mainframe resources. Does not contribute to escalating software costs.

• Feature: Installs in less than 2 hours. Compatible with IBM z13 system.
  Benefit: You are up & running, and protected with a very fast turnaround to implementation.

• Feature: Capacity for millions of Syslog messages per day.
  Benefit: Will keep up with the pace of your business.

• Feature: Also compatible with the CorreLog SIEM correlation engine or any competing SIEM.
  Benefit: Correlate related security events from mainframe and Windows®, Linux and UNIX® sources.

• Feature: No impact on existing operations.
  Benefit: No training time, no down time, no maintenance required.


1004 Collier Center Way, 1st Floor, Naples, Florida 34110 | 1-877-267-7356 Toll-free (US only) | +1-239-514-3331 International | [email protected]


THE FOLLOWING ARE THE SIX CORRELOG APPS AVAILABLE ON SPLUNKBASE:

CORRELOG zDEFENDER® z/OS RACF®

The CorreLog zDefender z/OS RACF® dashboards provide a set of RACF-derived visualizations using events from the CorreLog zDefender for z/OS Data Handler. These dashboards provide an overview of user and system activity – including privileged users – that facilitates Security Information and Event Management (SIEM) on IBM z/OS.

CORRELOG zDEFENDER® FOR z/OS

The CorreLog zDefender for z/OS performance dashboards provide a set of performance-derived visualizations using events from the CorreLog zDefender for z/OS Data Handler. These dashboards provide an overview of system performance data based on SMF 30 records.

CORRELOG zDEFENDER® FOR z/OS CICS

The CorreLog zDefender for z/OS CICS dashboards provide a set of CICS-derived visualizations using events from the CorreLog zDefender for z/OS Data Handler. These dashboards provide an overview of CICS (SMF 110) activity that facilitates Security Information and Event Management (SIEM) on IBM z/OS.

CORRELOG zDEFENDER® z/OS CA ACF2™

The CorreLog zDefender z/OS CA ACF2 dashboards provide a set of ACF2-derived visualizations using events from the CorreLog zDefender for z/OS Data Handler. These dashboards provide an overview of user and system activity – including privileged users – that facilitates Security Information and Event Management (SIEM) on IBM z/OS.

CORRELOG zDEFENDER® z/OS Db2

The CorreLog zDefender z/OS Db2 dashboards provide a set of Db2-derived visualizations using events from the CorreLog zDefender for z/OS Data Handler. These dashboards provide an overview of Db2 activity that facilitates Security Information and Event Management (SIEM) on IBM z/OS.

CORRELOG zDEFENDER® z/OS SPLN DATA HANDLER

The CorreLog zDefender z/OS SPLN Data Handler allows Splunk to handle SPLN-formatted messages received from CorreLog zDefender. Incoming messages are assigned a Source Type, Event Types, and CIM mapping based on the message contents. Dashboards are included that provide an overview of the data handled by Splunk. CorreLog has several additional Splunk apps that provide detailed dashboards based on the messages processed by the Data Handler to facilitate Security Information and Event Management (SIEM) on IBM z/OS.

CorreLog also has a standalone version of zDefender. For more info on this and other CorreLog standalone mainframe security products, please visit www.correlog.com/mainframe. CorreLog mainframe SIEM solutions are highly interoperable and, in addition to Splunk, we have certified integrations and field integrations with nearly every other SIEM system on the market.