Does WannaCry have Your Organization in Tears?

August 8th, 2017

Ken Gross
Mainframe Software Specialist

As I meet with executives, it is evident that one of the top priorities being discussed in organizations is how to protect their Infrastructure and data. Ransomware attacks are a reality and are not going away. With names, such as WannaCry and Petya, affecting today’s businesses, corporate strategies are changing from “how to deal with Disaster Recovery because of Mother Nature” to proactive disaster prevention and infrastructure barrier hardening.

In this series, we are going to highlight concepts and solutions that can help begin to identify the path to proactively identifying and hardening our infrastructure environment. It’s not all-inclusive, by any means, but it is meant to spur awareness, discussions and be part of an ongoing journey.

Even though the initial Ransomware attacks have targeted Intel-based platforms, there is no discrimination against any of the platforms that an Enterprise utilizes. The threats are no longer physical security threats. The decade old questions still holds true today: Who, When, Where, What and Why? The 5-W’s.

Today, we will begin by looking at the IBM Mainframe, and how can we begin to proactively address the 5-W’s.

In this business-use case, we want to address the following goal:

  • Establish a means to proactively safeguard critical resources and sensitive data

The CA Technologies product, Compliance Event Manager (CEM), specifically allows you to monitor your mainframe events and interrogate the 5-W’s, as well as establish policies and deeper insights that will ultimately provide you with real-time alerting, to help you be a step closer to hardening that IT perimeter.

The CEM product follows a simple strategy of Alert, Inspect and Protect.

ALERT: Bring Real-time Awareness of Critical MF Security Issues

  • Monitor Security details direct from ESM and control points in z/OS
  • Monitor critical security system PDS changes for security issues 

  • Detection of security system changes and policy violations 

  • Built for high-volume security events (router sends events to various components, lightening load on system and ESMs) proven at millions of events 


INSPECT: With Comprehensive Auditing and Forensics Support 


  • Policy-based filtering and real-time recording of critical security for actions
  • Reporting for analytical analysis and visualizations
  • Provides ability to ‘replay’ all security events, supporting forensic analysis of security situations with high-volume raw security data recording 

  • Search, filter and analyze recorded historical data, with automatic tape retrieval and load 


PROTECT: Ensure Mainframe Integrity and Bring Data Centric Awareness

  • Designed for Security: Immune from Exits placed in SMF and configuration files, meant to hide activity, and uses ‘superset’ of SMF Security data
  • 



  • Real-time monitoring of critical z/OS configuration files to detect potentially malicious changes before IPL executes them
  • 



  • Analyze users accessing critical sensitive and regulated datasets, via integration with Data Content Discovery

In the follow-on write up, we recognize that many tools exist for analyzing Security Information & Event Management (SIEM). We will highlight the integration between Mainframe events and the open systems events through the integration of a leading SIEM vendor called SPLUNK. Stay tuned.

If you’re interested in having Mainline assist you in evaluating this or any other technology, please contact your Mainline Account Executive, or contact Mainline directly.

Submit a Comment

Your email address will not be published. Required fields are marked *