Despite this risk, 64% of organisations use the mainframe as a core repository of their most sensitive data and nearly three-quarters rely on log files to detect insider threats.
As a result, companies do not know what data is being accessed, who is accessing it, and how it is being used.
This approach is exposing organisations to a high risk of data breach, according to a report by Vanson Bourne based on a survey of 400 CIOs at large firms around the world.
“The mainframe has always been the most securable platform in the enterprise, which is why organisations continue to entrust their most sensitive data to it,” said John Crossno, product manager at mainframe software firm Compuware, which commissioned the survey.
“However, businesses still face the risk that privileged employees, or those who have acquired access illegally, will misuse mainframe data.”
Crossno said organisations must take steps to gain more visibility over who is accessing data and how they are using it.
The survey also revealed that the most common measures being used to overcome insider security risks include:
- Saving security log files for future reference (74%).
- Regularly scanning security logs for inconsistencies (68%).
- Using a SIEM system to perform security analytics using mainframe data (67%).
- Using a SIEM system to combine mainframe data with security data from other systems (58%).
However, just 1% of organisations monitor user and database activity to tackle insider threats on the mainframe.
“Most enterprises rely solely on disparate logs and system management data from security products such as IBM’s resource access control facility to piece together user behaviour,” said Crossno.
“Even those who are integrating that data into their SIEM aren’t getting the level of insight needed to identify a malicious insider.”
According to Crossno, organisations need deep insight into what data was viewed, by whom and which applications were used to access it.
This can be achieved only by directly capturing complete, start-to-finish user session activity data in real time and integrating it into a SIEM platform such as Splunk for deep analysis, he said.