Real-Time Protective Actions for iSeries Security
iSecurity Action is an essential part of the IDS (Intrusion Detection System), providing real-time alarms and protective response mechanisms for IBM i servers. Alerts can be sent in multiple formats, including e-mail, MSGQ, SMS, Syslog, SNMP and even Twitter. User sessions can be terminated or blocked, applications activated or reactivated, and file names changed via a CL script generator.
iSecurity Action Key features
- Identification of security breaches and intrusions with automatic, immediate warning notifications to the relevant parties.
- Simple, intuitive mechanism for defining potential security breaches and critical system related events.
- Real-time alerts sent via e-mail, MSGQ, SMS, Syslog, Twitter, SNMP, etc.
- Alert messages can be event-specific (with replacement variables filled in from the triggering event) or standard alert messages.
- Activation of automatic, immediate responses to security events, Audit Log events, and computer status and operator messages.
- CL Script Generator which defines corrective responses.
Action is a powerful IBM i security enhancing solution that intercepts security breaches and other events in real-time and immediately takes appropriate informative and corrective action. Actions may include sending alert messages to key personnel and/or running command scripts or programs that take corrective steps.
Action alerts can be sent as Syslog messages to any SIEM system, or as SMS, SNMP, e-mail, MSGQ or Twitter messages.
Raz-Lee’s Syslog capabilities are “RSA Certified” for enVision, providing an RSA-supported integration between RSA enVision and iSecurity.
In today’s business environment, it is not enough to discover and report on a security problem after it occurs. Traditional audit software provides useful historical data after the fact, but often lacks the functionality to alert the relevant managers and to enable specific corrective actions.
Action provides a comprehensive, easy-to-use solution. For example, if a user attempts to copy a critical file, Action can send an SMS message to the security officer’s mobile phone and automatically sign off and disable the offending user. Scripts can even schedule follow-up actions that execute if an appropriate response does not occur within a specified period of time.
Action real-time detection continuously monitors the system for a wide variety of security and other system events, including:
- Events detected by Audit real-time auditing
- Transactions detected by Firewall network security rules
- Viruses detected by Anti-Virus, suspicious data changes by AP-Journal and more
- Active job status and checking for jobs that are not active
- Current system and memory pool status
It is extremely easy to define rules and actions with the Action Rule Wizard. Rules trigger actions and alerts based on one or more parameters associated with a particular event. Examples of selection parameters include user, date, time, job name, workstation, library, object name, IP address, command, etc.
Rule criteria support comparison operators such as equal/not equal, greater than/less than, like/not like, “contained in list”, “starts with”, etc., and a criterion value may name a Group/Item instead of a single literal. For example, “NE ALLUSERS/MANAGER” selects events initiated by any user who is not a member of the MANAGER item of the ALLUSERS group, that is, by a non-manager. No other security alert/action system offers such power and flexibility.
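To make the rule semantics concrete, the following is an added example (not Raz-Lee code and not the product’s actual rule syntax) of how criteria with these operators, including the Group/Item form, can be evaluated against audit events and turned into a response command with replacement variables. The group table, the event fields, the variable names (&USER, &JOBNBR, ...) and the sample events are all constructed for illustration; the two CL commands rendered (ENDJOB and CHGUSRPRF STATUS(*DISABLED)) are standard IBM i commands, but whether the product generates exactly these is an assumption.

```python
"""Toy Action-style rule evaluator: criteria -> match -> rendered CL response.
Added example; the group table, field names, &VARIABLE names and events are
constructed, not taken from the product."""
import fnmatch
from dataclasses import dataclass, field

# Constructed group table: "ALLUSERS/MANAGER" names item MANAGER within group ALLUSERS.
GROUPS = {"ALLUSERS": {"MANAGER": {"ALICE", "BOB"}, "CLERK": {"CAROL", "DAVE"}}}


def resolve(value):
    """Expand 'GROUP/ITEM' into its member set; anything else is a single literal."""
    group, _, item = value.partition("/")
    if item and group in GROUPS:
        return set(GROUPS[group][item])
    return {value}


# Comparison operators described on the page; EQ/NE honour Group/Item values.
OPERATORS = {
    "EQ": lambda actual, v: actual in resolve(v),
    "NE": lambda actual, v: actual not in resolve(v),
    "GT": lambda actual, v: actual > v,
    "LT": lambda actual, v: actual < v,
    "LIKE": lambda actual, v: fnmatch.fnmatchcase(actual, v),      # * and ? wildcards
    "NLIKE": lambda actual, v: not fnmatch.fnmatchcase(actual, v),
    "LIST": lambda actual, v: actual in [x.strip() for x in v.split(",")],
    "STARTS": lambda actual, v: actual.startswith(v),
}


@dataclass
class Rule:
    name: str
    criteria: list                 # [(field, operator, value)], all must hold
    command: str                   # response template using &FIELD variables
    alerts: list = field(default_factory=list)   # channels to notify when it fires

    def matches(self, event):
        return all(OPERATORS[op](event[fld], val) for fld, op, val in self.criteria)


def render(template, event):
    """Substitute &FIELD variables; longest names first so &JOBUSER beats &USER."""
    out = template
    for key in sorted(event, key=len, reverse=True):
        out = out.replace("&" + key, str(event[key]))
    return out


def evaluate(rules, event):
    """Return (rule name, rendered command, alert channels) for each rule that fires."""
    return [(r.name, render(r.command, event), r.alerts) for r in rules if r.matches(event)]


RULES = [
    # A non-manager copying a payroll file: end the job and alert by SMS and Syslog.
    Rule("CRITICAL-COPY",
         [("USER", "NE", "ALLUSERS/MANAGER"),
          ("COMMAND", "EQ", "CPYF"),
          ("OBJECT", "STARTS", "PAYROLL")],
         "ENDJOB JOB(&JOBNBR/&JOBUSER/&JOBNAME) OPTION(*IMMED)",
         ["SMS", "SYSLOG"]),
    # Any activity from outside the (constructed) internal range: disable the profile.
    Rule("OFFSITE-LOGIN",
         [("IP", "NLIKE", "10.1.*")],
         "CHGUSRPRF USRPRF(&USER) STATUS(*DISABLED)",
         ["EMAIL"]),
]

# Constructed audit events (field names are assumptions).
EVENTS = [
    {"USER": "CAROL", "COMMAND": "CPYF", "OBJECT": "PAYROLL", "LIBRARY": "PRDLIB",
     "JOBNAME": "QPADEV0001", "JOBUSER": "CAROL", "JOBNBR": "123456", "IP": "10.1.5.7"},
    {"USER": "ALICE", "COMMAND": "CPYF", "OBJECT": "PAYROLL", "LIBRARY": "PRDLIB",
     "JOBNAME": "QPADEV0002", "JOBUSER": "ALICE", "JOBNBR": "123457", "IP": "10.1.2.3"},
    {"USER": "DAVE", "COMMAND": "DSPLIB", "OBJECT": "QGPL", "LIBRARY": "QSYS",
     "JOBNAME": "QPADEV0003", "JOBUSER": "DAVE", "JOBNBR": "123458", "IP": "203.0.113.9"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        for name, cmd, channels in evaluate(RULES, ev):
            print(f"{name}: run '{cmd}', notify {channels}")
```

The second event is the same copy performed by a manager (ALICE is a member of ALLUSERS/MANAGER), so the NE criterion fails and nothing fires; this is the filtering behaviour the “NE ALLUSERS/MANAGER” example above describes. Replacement variables are resolved from the event itself, which is what lets one generic ENDJOB template target the offending job rather than a hard-coded one.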
Action includes additional security features such as automatic disabling of inactive users, restricting user access during planned absences and control over creating and running programs that use adopted authority.
- Alert messages sent via Syslog, SNMP, e-mail, SMS, MSGQ or Twitter
- Automatically takes corrective actions by running command scripts or programs
- Rule Wizard makes the definition process simple for non-technical users
- Rules can use many different selection criteria
- Built-in command script interpreter with replacement variable support
- Responds to events detected by Audit, Firewall, AP-Journal, Anti-Virus, Authority on Demand, etc.
- Responds to current system status parameters and active jobs
- Restrict user access during vacations, holidays and other planned absences
- Automatically disables inactive user profiles
- Tight control over authority adoption
- Specially designed for use by non-technical users such as auditors, managers and administrators
- Alerts keep security officers and administrators informed about security breaches in real-time
- Automatic corrective actions minimize damage from security breaches and prevent recurrence
- You determine exactly what will happen, when it will happen, and under what conditions
- User access control features ensure that authorized users have access to the system only at appropriate times
- Adopted authority control prevents users from bypassing system security
- Superior human engineering ensures that security is implemented quickly, efficiently, and without requiring expensive security consultants