MainTegrity FIM+ v2.0 delivers significant new functionality to allow customers to detect and recover from attacks launched by an insider threat. Although excellent access control and authentication are essential to mainframe security, both malicious insiders and external agents with stolen credentials can circumvent these protections. Forrester sums it up perfectly by saying “perimeter security has failed”.[1]
FIM+ was built specifically to catch malicious activity within your current defenses by verifying that every component, and entire systems, match the trusted state. MainTegrity honors this commitment by leveraging automation as much as possible to reduce administrative overhead.
New features in version 2 allow FIM+ to:
- Automate Forensic analysis by using integrity data to filter relevant accesses
- Recover the right components quickly with the new FIM+ Recovery Assistant
- Improve integration with existing security and DevOps tools
- Bring mainframe security to those less experienced in z/OS with an enhanced GUI
Version 2 adds many new functions to eliminate manual processes and provide answers when time is important. Deeper integration with existing security tools allows correlation of different data sources to eliminate false positives and improve reliability.
How do the Key Features in V2.0 Help with Insider Threats?
Better Usability
New Feature! Change Analyzer – Analyze differences between the selected release and another version. This provides a review of changes before they are rolled into production and validates the actual change vs the request. With this feature, it doesn’t matter whether an attack comes from the outside or someone already inside the perimeter.
New Feature! Recovery Assistant – The FIM+ Recovery Assistant is designed to help you quickly recover from unwanted changes. Since FIM+ knows the last time each component was correct, you can now select and restore the correct version directly via the GUI or 3270 interface. FIM+ creates a list of components that need to be restored and retrieves them from backup to a recovery staging area. FIM+ can then copy the retrieved components to their production location and automatically validate that they are all correct.
Browser Enhancements – The browser-based interface (GUI) provides the ability to view FIM+ scan results and drill down into exceptions as desired. By fetching the relevant access records from SMF and change control information from ServiceNow or Remedy, it creates an automated forensic analysis environment. Both experienced and newer security staff are presented with all the information required to take the right actions to verify and resolve security concerns.
Instream file compare – FIM+ now supports a side-by-side compare option for text files where a change is detected. The compare option is available through the ISPF or Browser interface and provides a color-coded comparison that highlights the actual line(s) changed.
Improving Automation
Resource Set Baselines – FIM+ will now allow you to create a “point in time” baseline for files at a specific level. Components can then be monitored against the baseline, as you roll changes across various LPARs.
Enhanced Zero-Admin and Auto-Discovery – The current auto-detect function of FIM+ finds system parmlibs, proclibs, jesparms, subsystem configuration datasets, and APF libraries. V2 extends this automatic detection to include non-APF libraries used by started tasks and SMF log datasets. The Zero-Admin initiative not only keeps FIM+ up to date dynamically, it also allows installation in one hour.
More Robust Integration with ServiceNow – Significant enhancements have been made in the FIM+ interface to ServiceNow. Currently FIM+ can create ServiceNow Incident records and search for related change requests. Tighter integration now adds:
- Update ServiceNow change requests with monitor registration and post-deploy scan results
- Track ServiceNow incidents against specific releases
- Populate FIM+ configuration information directly from ServiceNow data
- Create new ServiceNow configuration data from information discovered by FIM+
- Verify that scheduled change requests have been implemented properly
- Display ServiceNow change information via the FIM+ GUI
Locking and Certifying
Application Release Locking – FIM+ now allows you to lock files, ensuring they remain unchanged. Any deviation continues to be reported until the issue has been fixed. This is ideal for production environments and system “freeze” periods, to ensure no changes have taken place.
Application Release Certification – When an update has passed QA testing and is approved for deployment, designated staff can certify the whole application. This means the application is production ready by ensuring that all datasets exactly match the desired configuration.
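The Resource Set Baselines, Instream file compare, and Locking and Certifying features above all rest on the same small set of ideas: record a trusted state, re-verify against it, show only the lines that changed, and refuse to accept drift while a release is locked. The following is an added worked example of those ideas, not MainTegrity FIM+ code (FIM+ internals are not described on this page); the `Baseline` class, the function names, and the sample PDS-style members are hypothetical and constructed for illustration.

```python
"""Toy file-integrity baseline/verify, added to illustrate the ideas on this
page (point-in-time baseline, changed-line compare, release lock and
certification). Not MainTegrity FIM+ code; all names are hypothetical."""
import difflib
import hashlib
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Point-in-time trusted state of a resource set (hypothetical structure)."""
    name: str
    digests: dict = field(default_factory=dict)   # member -> SHA-256 hex digest
    snapshot: dict = field(default_factory=dict)  # member -> bytes, kept for compare
    locked: bool = False                          # set by certify(); blocks rebaseline()


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(name: str, members: dict) -> Baseline:
    """Record the trusted state of every member as it is right now."""
    return Baseline(name, {m: digest(b) for m, b in members.items()}, dict(members))


def verify(baseline: Baseline, members: dict) -> dict:
    """Compare the current members against the baseline.

    Returns which members were added, removed or modified, plus an 'ok' flag
    that is True only when the set still matches its trusted state exactly."""
    base, now = set(baseline.digests), set(members)
    modified = sorted(m for m in base & now
                      if digest(members[m]) != baseline.digests[m])
    result = {"added": sorted(now - base), "removed": sorted(base - now),
              "modified": modified}
    result["ok"] = not (result["added"] or result["removed"] or modified)
    return result


def compare_member(baseline: Baseline, member: str, current: bytes) -> list:
    """Line-level compare of a changed text member against its baseline copy.

    Returns only the changed lines ('-' baseline, '+' current): the lines a
    reviewer wants highlighted, with context and diff headers stripped."""
    old = baseline.snapshot[member].decode("utf-8", "replace").splitlines()
    new = current.decode("utf-8", "replace").splitlines()
    diff = difflib.unified_diff(old, new, lineterm="", n=0)
    return [ln for ln in diff
            if ln and ln[0] in "+-" and not ln.startswith(("+++", "---"))]


def certify(baseline: Baseline, members: dict) -> bool:
    """Certify a release: lock the baseline only if every member matches it."""
    if verify(baseline, members)["ok"]:
        baseline.locked = True
    return baseline.locked


def rebaseline(baseline: Baseline, members: dict) -> Baseline:
    """Accept the current state as the new trusted state.

    Refused while the release is locked, so a deviation keeps being reported
    by scan() until the member is restored or the lock is deliberately lifted."""
    if baseline.locked:
        raise PermissionError(f"{baseline.name} is locked; restore or unlock first")
    return take_baseline(baseline.name, members)


def scan(baseline: Baseline, members: dict) -> list:
    """One monitoring pass: (kind, member, changed_lines) per deviation."""
    result = verify(baseline, members)
    findings = [("MODIFIED", m, compare_member(baseline, m, members[m]))
                for m in result["modified"]]
    findings += [("ADDED", m, []) for m in result["added"]]
    findings += [("REMOVED", m, []) for m in result["removed"]]
    return findings


# Constructed sample members standing in for PDS members; not real system data.
RELEASE_1 = {
    "PROCLIB(NIGHTLY)": b"//NIGHTLY  PROC\n//STEP1    EXEC PGM=IEFBR14\n",
    "PARMLIB(APPCFG00)": b"RETENTION(30)\nAUDIT(YES)\n",
}


def demo() -> dict:
    """Certify release 1, then show what a scan reports after an edit."""
    base = take_baseline("release-1", RELEASE_1)
    certified = certify(base, RELEASE_1)
    # Constructed drift: one PROC is edited and a new member appears after certification.
    drifted = dict(RELEASE_1)
    drifted["PROCLIB(NIGHTLY)"] = b"//NIGHTLY  PROC\n//STEP1    EXEC PGM=NEWPGM\n"
    drifted["PROCLIB(EXTRA)"] = b"//EXTRA    PROC\n"
    return {"certified": certified, "findings": scan(base, drifted)}


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
```

Keeping a copy of each member's bytes alongside its digest is what makes the changed-line compare possible; a digest alone can only say that something changed, not what. The lock is enforced at the only point where drift could be silently accepted, `rebaseline()`, which is why a locked deviation stays visible on every scan until the member is put back.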
The Result: More Effective Mainframe Security Monitoring and Higher Compliance Scores
Now you can identify real problems, including those from an insider threat, and have all the information at hand to make the right decisions in seconds instead of days. Want proof? Click here for a discussion or demo.