INTRODUCTION

SF-Sherlock Smart Mainframe Monitoring for Splunk is specifically designed to provide a clear picture of your z/OS mainframes in real-time through the Splunk Enterprise platform. This Splunk app focuses on security as well as operational intelligence and visualization of critical mainframe infrastructure.

SIEM physics is simple: no input, no output.

Therefore SF-Sherlock differs from regular mainframe connectors available for Splunk by also providing integrity protection for z/OS. As the highly recognized 360 z/OS monitoring solution, supporting RACF, CA-TSS and CA-ACF2, SF-Sherlock comes into play when critical mainframe infrastructure requires both real-time event monitoring as well as vulnerability assessment and audit trail protection. SF-Sherlock covers all aspects of monitoring, such as security, compliance, fraud detection, auditing and operational issues. It also protects your systems in real time against critical scenarios, such as breaking the audit trail, suppressing or manipulating audit data, malicious code, security system bypassing, and other exploits. SF-Sherlock represents a highly comprehensive “z/OS SIEM & Big Data connector” for mission-critical mainframes.

Without such comprehensive audit trail protection and vulnerability scanning, a professionally performed z/OS attack would most likely result in your SIEM becoming "improperly fed," and all your smart correlations would simply be bypassed. Definitely not a SIEM success story for critical infrastructure!

As a next-generation mainframe SIEM, this Splunk app finally enables you to gain reliable real-time visibility and reporting around all security and operational issues on z/OS.

=====================================================================================

COMPREHENSIVE MAINFRAME MONITORING WITH SPLUNK

In cooperation with Splunk, SF-Sherlock

• collects all required mainframe events in real-time, such as SMF records, the SYSLOGs, JES spool output, application and server log files in the z/OS and USS environments, and much more
• allows plug&play mainframe log analysis by supporting all standard logs and formats as well as installation-defined log types
• takes data from all subsystems of your mainframes, including, but not limited to z/OS, USS, DB2, CICS, IMS, JES, MQ, TCP/IP, VTAM, WebSphere, Crypto, and much more
• performs constant security as well as operational assessments to report on vulnerabilities, weaknesses, operational risks (e.g. detected by its IPL simulation), configuration details, anomalies, and much more
• significantly lowers your mainframes' risks in connection with security and operation by offering early problem detection and forecasting
• securely forwards this data to Splunk Enterprise for real-time analysis and intelligence
• allows you to correlate both operational and security data from all your mainframes with events occurring on other platforms
• keeps your SIEM updated at all times on all mainframe configuration-related details, enabling you to identify more significant correlations (e.g. lists of all critical system libraries, administrators, and much more)
• protects your mainframe systems, alerts you to any attacks, and optionally initiates countermeasures; this is not limited to MVS, but also includes USS, DB2, and others
• creates a broad spectrum of best-practice reports and dashboards for all parties involved
• supports several reliable methods to transfer SF-Sherlock’s event and assessment data into Splunk (file, TCP, UDP etc.)

Please note that installing this Splunk app requires SF-Sherlock running on your z/OS mainframe. SF-Sherlock and this app are easy to install. Just use this app, in combination with the “SF-Sherlock 2 Splunk” connector which is part of the SF-Sherlock standard software package, to store, analyze and alert you to mainframe-related events within Splunk.

If you have any questions or problems please do not hesitate to contact us.

=====================================================================================

INSTALLATION PROCEDURE:

Installing this app is easy and requires just two steps:

A) Install this Splunk app and validate its installation via the included test data.
B) Enable the "SF-Sherlock 2 Splunk" connection on your mainframe.

That's all.

So, let's start.

A) Installation steps within Splunk:

A1) Download the app by asking our technical support team for a download link.

A2) Import the app within Splunk.

A3) The sampleData sub directory within the app's directory includes some sample knowledge data as well as assessment and event data for testing:

• SHERLOCK-SPLUNK-KNOWLEDGE.txt is a sample knowledge base describing all details of your mainframe infrastructure (see below). Within Splunk, you will use this knowledge file to create corresponding lookup csv files.
• SHERLOCK-SPLUNK-EVENT-LOG.txt is a sample set of events; before adding this file to Splunk, we recommend changing the "^dateTime=xxx yy 2016" timestamp to yesterday's date in order to generate current dashboard content.
• SHERLOCK-SPLUNK-ASSESSMENT-LOG.txt is a sample set of assessment results; before adding this file to Splunk, we recommend changing the "^dateTime=xxx yy 2016" timestamp to yesterday's date in order to generate current dashboard content.

Note: If you don't change the "^dateTime=xxx yy 2016" timestamp, the test data will be out of the dashboards' scope of time, and you won't see anything.

A4) Perform a quick app test by adding the test data to Splunk:

• First you add the SHERLOCK-SPLUNK-KNOWLEDGE.txt file to Splunk's index by using the already defined custom sourcetype "sf_splunk_knowledge." For this test the host name is of no real importance, and you may use anything you like.
• Afterwards you may check the knowledge via the "SF Knowledge - Lookup Tables" dashboard. You should see content in all lookup tables.
• Now the app is ready to create the required 5 lookup tables. Just execute the pre-defined "Create Lookup Table - xxx" reports, one after another. Each one creates an individual lookup csv file in the app's lookups subdirectory. While creating the lookup tables, you may ignore any error messages regarding missing xxx.csv files. When all lookup tables are created, please restart Splunk to guarantee proper usage of the newly created lookup csv files.
• After this restart the Splunk app is ready to receive event and assessment data for this "test world." That means you may add the SHERLOCK-SPLUNK-EVENT-LOG.txt and SHERLOCK-SPLUNK-ASSESSMENT-LOG.txt files to the index after having globally adapted the "^dateTime=Jan 05 2016" timestamp (see above).
• Once you add event and assessment data, enjoy your dashboards coming to life.

A5) Establish a TCP- or UDP-based data import within Splunk for "feeding" Splunk with mainframe events in real-time. Select the proper port and provide the Splunk server's IP address and port number to your mainframe system programmer who is responsible for the SF-Sherlock installation. SF-Sherlock's standard software delivery includes test jobs for sending test data to Splunk.

A6) In order to effectively set up your Splunk app, you will have to ask your mainframe system programmer for the following details about your company's mainframe infrastructure:

• names of all LPARs
• names of all sysplexes (a sysplex represents a group of systems; for example, all production LPARs belong to a common sysplex; regularly sized installations have 1 test, 1 development and 1 production sysplex, for example)
• names of all important applications identified by their address space names, and optionally in combination with a userId; maybe you are able to identify dedicated groups of address spaces via name patterns based on wildcards
• names of all important and critial user IDs, especially those of your various administrators, critical processes (e.g. TWS) and more
• in case your systems and users are spread around the planet you may also ask for their geo location (latitute and longitude); for example, if your developers reside in India and other users are based at your New York or Berlin headquarters, then geo-based Dashboards provide great transparency when "irregular" activities happen in specific locations
• later, when implementing more detailed operational monitoring, you will identify further event data patterns that will help you recognize operational problems and security incidents for your individual IT infrastructure; most likely these patterns have already been defined within SF-Sherlock, depending on how long your company has been using it already

And don't worry, some of this information will be generated automatically by SF-Sherlock.

B) Installation steps within SF-Sherlock:

B1) Install the "SF-Sherlock 2 Splunk" connection kit provided with the SHERLOCK.SSHKSAMP file. It includes the UMODSK01 and UMODSK02 SMP/E user modifications.

B2) Enter the Splunk server connection details (IP address and port) in the SPLUNKSE init-deck member.

B3) Test the "SF-Sherlock 2 Splunk" connection "offline" first, i.e. outside of the SF-Sherlock started procedures' runtime context. You can easily do this using the SPLNKTST batch job.

B4) When everything is working fine, simply update the xxx.SHRLCK.SSHKLOAD runtime load library by copying the two modules SPLNKAPI and SPLNKSHR (don't copy the entire target library).

B5) Update the SPLUNK00 and SPLUNK01 init-deck members, which select the spectrum of event and assessment data that will be sent to Splunk. Furthermore, enable both members within the $BUILD00 init-deck member via corresponding ADD statements.

B6) Refresh or recycle the SHER-MONITOR started procedure.

Congratulations! SF-Sherlock will now send its data to Splunk.

=====================================================================================

IMPORTANT SECURITY AND COMPLIANCE ISSUES WHEN CONNECTING YOUR MAINFRAMES TO SPLUNK:

In order not to violate your company's data protection and privacy policies, or even legal requirements, please review the following:

1) Decide explicitly which information will be sent from your mainframe to Splunk:

• Should we send event data?
• Should we send assessment data, i.e. information on our mainframes' vulnerabilities?
• Should we send data that has already been anonymized, or will Splunk anonymize the data?
• Which system categories will be included? Test, development and/or production systems?
• How can we limit or reduce the data volume sent to Splunk to reduce costs?
• ...

2) How long will this data be stored in Splunk?

3) The assessment-related information is most sensitive. Who may access this data within Splunk? Who gets reports? Who will have administrator rights within Splunk, or be authorized to access this information? Does Splunk protect this information in accordance with the mainframe access regulations?

4) Which kinds of correlations are intended? Are they allowed?

It's smart to clarify that in advance.

=====================================================================================

KNOWLEDGE MAINTENANCE

The knowledge provided to the Splunk app allows for a highly precise classification of all mainframe event and assessment data that was delivered from SF-Sherlock in real-time. Proper knowledge implementation and maintenance is key to successful correlation within your mainframe infrastructure. Splunk is the champions league solution to identifying everything and anything via deep data analyses. So, it's worth investing some time to set up the knowledge properly. No worries, it's easy.

Note: Implementing the knowledge in form of a log file allows you to create and deliver the knowledge from any external source. In the beginning, it's best to work manually with a "master file" that is set up by using the provided template.

=====================================================================================

Legal Notes:

CA, CA-ACF2, CA-TSS and CA-Top Secret are trademarks of Computer Associates International, Inc.; CICS, DB2, IBM, IMS, MVS, MQ, MQSeries, MVS, RACF, TWS, USS, VTAM, WebSphere and z/OS are trademarks of IBM; SF-Sherlock is a trademark of Dr. Stephen Fedtke, Enterprise-IT-Security.com.