It’s Time to End the Myth of Untouchable Mainframe Security.

By Al Saurette, CEO, MainTegrity,

Most large organizations, including 70% of Fortune 500 companies, rely extensively on mainframes for managing their business and IT infrastructure.

However, despite the significant role mainframes play, the conversation of how to best secure mainframes security does gets relatively little attention. Considering today’s cyberthreat landscape mainframes have never been more vulnerable to attacks. Cyberattackers are becoming bolder, stronger and more innovative by the day.

The timing couldn’t be worse. A large cohort of senior, experienced security professionals are set to retire in the coming years, further exacerbating the ongoing skills shortage and exerting more pressure on remaining professionals. As the complexity of threats increases, their jobs become tougher. Short-staffed security teams will tend to prioritize their time and mobilize their efforts to reactively address the most obvious issues, which often means mainframe security falls to the bottom of the priority list.

It is critical for mainframe security to re-enter the cybersecurity conversation, and that starts with doing away with commonly held misconceptions. First is the mistaken belief that due to their mature or streamlined architecture with fewer vulnerabilities, mainframes are virtually impervious to hackers. There is the misconception that they exist in isolation within the enterprise IT framework, disconnected from the external world where genuine threats lurk. And then there’s the age factor. People newer to the profession have relatively little experience with mainframe systems when compared to their more experienced counterparts and will tend to not question their viewpoints or approaches of their leaders or senior team members.

This state of affairs can’t continue. In the contemporary landscape, modern mainframes are routinely accessed by employees and are intricately linked to applications that encompass a wide array of functions, ranging from processing e-commerce transactions to facilitating personal banking services.

The implications of a breach can’t be overstated. Given the substantial financial toll of a data breach, estimated to be USD $9.48 million on average, it’s imperative to swiftly detect any potential threat to the mainframe.

To counter this threat to mainframes, security teams must look at two key areas: encryption and early warning.

Encryption is now a weapon, and must be treated accordingly

Encryption is a double-edged sword in today’s IT environment. On one hand it serves as a crucial defense mechanism against cyberattacks targeting sensitive data. On the other, encryption can be manipulated by unscrupulous individuals, disgruntled employees, or even rogue state actors. It has emerged as a favored attack vector among hackers due to its remarkable speed on modern mainframes and its susceptibility to reversal. Consequently, malicious actors often follow a straightforward modus operandi: infiltrate a system, initiate malicious encryption, and then attempt to sell the decryption key back to the victim.

It is paramount to proactively halt encryption before it causes substantial harm. The primary challenge lies in establishing a reliable method for detecting encryption in progress, while preventing the support staff from being overwhelmed with an avalanche of alerts. This is especially important in large business and government settings, where the routine exchange of encrypted files is common. A glut of alerts can lead to a desensitized response, ultimately leaving the system no more secure than it was.

To address this, an immediate response, ideally within seconds, is imperative. Unfortunately, relying solely on human intervention falls short of achieving the required speed. The solution lies in the deployment of a specialized tool capable of swiftly detecting the initiation of encryption and promptly initiating corrective measures.

Achieving near real-time encryption monitoring

IBM Security’s 2023 Cost of a Data Breach Report highlights a troubling reality: it takes an average of 204 days to detect a breach, followed by an additional 73 days to recover. During this prolonged period, malicious actors are free to infiltrate systems, discreetly establish backdoors for future access, compromise backup systems, encrypt data, and potentially issue a ransom demand.

For numerous mainframe operators, a significant portion of these nefarious activities occur behind the scenes, escaping detection until it’s too late. It’s not only a matter of prudence but also a fundamental aspect of business and security strategy for these sites to mitigate risk and attendant damage with early detection.

To address this, a method for identifying malicious encryption as soon as it starts and providing instantaneous reaction is required. One approach involves having the system compile a whitelist of authorized encryption processes. Whenever a new process emerges, updating the whitelist becomes a logical step. However, relying on human intervention for whitelist updates can be risky.

An emerging and more efficient approach – one that our team is pioneering – involves triggering a real-time alert when software detects a rogue process. Whitelist processing can be invoked to determine if the actions are malicious or desired. If it is desired the process is simply resumed, eliminating unnecessary alerts. Otherwise, it’s understood to be a malicious attack.

To remove the dependance on human reaction time, the offending process must be suspended, so that no further damage occurs, while support staff investigate the situation. As a result, ensuing damage can be dramatically mitigated, often by several orders of magnitude.

Our very way of life is dependent on the smooth and continuous operation of this critical piece of business and government infrastructure. The lesson for mainframe operators is clear. What may have worked in the past can’t be relied on for the future. Now’s the time to ask hard questions, break out of a culture of complacency, and embrace innovative new monitoring technologies

About the Author

Al Saurette, the CEO of MainTegrity.  With deep experience in mainframes, hybrid cloud platforms, open systems and mobile computing, Al Saurette is recognized as a thought leader in cyber security, compliance and cyber resilience solutions for banks, insurers, transport and government clients in North America, Europe and around the world. Currently, Al is CEO of mainframe cyber security provider MainTegrity Inc. providing next-generation threat detection, advanced file integrity monitoring, automated forensics, and recovery solutions.

Al can be reached online at  [email protected] and LinkedIn https://www.linkedin.com/in/al-saurette/

and at our company website https://maintegrity.com/