Raz-Lee Feeds IBM i Data into RSA SIEM
March 18, 2011 Alex Woodie
RSA Security recently certified IBM i security software from Raz-Lee Security to feed log data into its enVision security information and event management (SIEM) offering. The integration gives IBM i shops a proven way to keep one of the security world’s most adopted and well-respected SIEM devices in tune with events occurring on the IBM i server.
Earlier this month, Raz-Lee announced that RSA had certified iSecurity version 11.4 to translate IBM i data into syslog format and feed it into the enVision SIEM, an enterprise-class security device that has been adopted by about 1,600 customers. The integration involves several components of iSecurity, including AP-Journal, Audit, Anti-Virus, Firewall, and Authority on Demand.
As a result of the integration, several security events on the IBM i server can now be detected in real time via the SIEM, including: attempts to hack into the server through network exit points; attempts to change user authority levels; the presence of viruses on the IFS; and attempts to edit or delete IBM i application objects and data files.
The integration satisfies demand from RSA customers to bring the IBM i server within the scope of protection provided by the enVision SIEM device. IBM i event information can now be included in the standard security and compliance reports generated by enVision. Most importantly, customers can now correlate unusual activity detected on the IBM i server with activity detected on other systems and networks. This correlation is the crux of a SIEM, and it enables organizations to stay on top of the blended threats that cyber criminals use to pilfer data and money from corporate IT systems.
IBM i event information travels from iSecurity to enVision over the internal network. Users can send the data by several means, including the IBM i message queue (MSGQ), short messaging service (SMS), simple network management protocol (SNMP), and even the Twitter messaging service, according to an RSA implementation guide. (Twitter, unlike the other three, is a public third-party service, so anything routed through it leaves the internal network.) Raz-Lee added automatic generation of Twitter messages to its products last year at the COMMON conference in Orlando, Florida.
According to the RSA brochure, iSecurity can use Twitter to send IBM i security information at speeds of up to 1,000 lines per second. Messages can also be sent under different severity ratings, including emergency, alert, critical, error, and warning, which are the top five of the eight standard syslog severity levels.
Raz-Lee touts one of the largest insurance companies in Israel as one of the first iSecurity customers to start sending IBM i data to enVision. According to a customer brief from Raz-Lee, the company was able to stop storing IBM i event data on the IBM i server itself after it started sending it to enVision, which saved a considerable amount of disk space as well as I/O overhead.
The company also discovered what security experts have been saying for years: the IBM i server can be chatty when it comes to logs and message queues. The server was generating so much log data that it overwhelmed enVision, and the company was forced to use filters to scale back the number of events it sent over the wire.
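The filtering step described above is where most of the engineering in an IBM i-to-SIEM feed actually lives. The following is an added example, not Raz-Lee's or RSA's code: it parses syslog-style lines, forwards only events at or above a severity threshold (the emergency-to-warning range named above), and caps bursts of the same event per host, emitting one summary line in place of the dropped copies so the SIEM still sees the volume. The sample lines, hostnames, users and the key=value message layout are constructed for the example; iSecurity's real message format is not on the page.

```python
import re
from collections import Counter

# Standard syslog severity codes. The page names the first five;
# notice, info and debug complete the scale.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> header followed by the message; PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Hypothetical key=value layout used only by the constructed sample below.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog(line):
    """Split a BSD-style syslog line into (facility, severity, host, fields).

    Returns None when the <PRI> header is missing or out of range.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facilities 0-23 x severities 0-7; anything above is invalid
        return None
    msg = m.group(2)
    parts = msg.split()  # "Mon DD HH:MM:SS host tag: ..."
    host = parts[3] if len(parts) > 3 else "?"
    return pri // 8, pri % 8, host, dict(KV_RE.findall(msg))


# Constructed sample feed (invented hosts, users and event names).
SAMPLE_LINES = (
    ["<12>Mar 18 10:00:01 IBMI01 audit: EVENT=EXIT_POINT_REJECT USER=QUSER SRC=10.1.2.3 SVC=FTP",
     "<10>Mar 18 10:00:02 IBMI01 audit: EVENT=AUTH_CHANGE USER=JSMITH OBJ=QSECOFR NEW=*ALLOBJ"]
    + [f"<11>Mar 18 10:00:{3 + i:02d} IBMI01 audit: EVENT=OBJ_WRITE USER=BATCH01 OBJ=PAYROLL/EMPMAST"
       for i in range(6)]
    + ["<9>Mar 18 10:00:30 IBMI01 antivirus: EVENT=VIRUS_FOUND PATH=/home/web/upload/x.exe",
       "<14>Mar 18 10:00:31 IBMI01 audit: EVENT=SIGNON USER=JSMITH SRC=10.1.2.9",
       "<200>Mar 18 10:00:32 IBMI01 audit: EVENT=BAD_PRI",
       "Mar 18 10:00:33 IBMI01 audit: EVENT=NO_PRI"]
)


def filter_events(lines, max_severity=4, burst_limit=3):
    """Forward events at or above a severity threshold, collapsing bursts.

    max_severity: highest (numerically) syslog severity still forwarded;
                  4 keeps emergency..warning.
    burst_limit:  copies of the same (host, EVENT) forwarded before the
                  remainder are folded into one summary line.
    Returns (forwarded_lines, stats Counter).
    """
    stats = Counter()
    seen = Counter()
    forwarded = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            stats["malformed"] += 1  # never silently drop: count it
            continue
        _facility, severity, host, fields = parsed
        if severity > max_severity:
            stats["below_threshold"] += 1
            continue
        key = (host, fields.get("EVENT", "?"))
        seen[key] += 1
        if seen[key] > burst_limit:
            stats["suppressed"] += 1
            continue
        stats["forwarded"] += 1
        forwarded.append(line)
    # One summary per collapsed burst so the SIEM can still see the volume.
    for (host, event), n in seen.items():
        if n > burst_limit:
            # facility 1 (user) * 8 + severity 5 (notice) = PRI 13
            forwarded.append(f"<13>{host} filter: EVENT=BURST_SUMMARY OF={event} "
                             f"TOTAL={n} DROPPED={n - burst_limit}")
    return forwarded, stats


if __name__ == "__main__":
    out, stats = filter_events(SAMPLE_LINES)
    for entry in out:
        print(entry)
    print(dict(stats))
```

With the defaults, the six OBJ_WRITE lines are cut to three plus a summary, the informational SIGNON is dropped, and the two malformed lines are counted rather than discarded silently; a production filter would also key on the user or source address so that a burst from one account does not mask a different account doing the same thing.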
iSecurity is not the only IBM i security tool that can feed data to enVision. (enVision was originally developed by a company called Network Intelligence, which EMC acquired in 2006, around the same time it bought RSA.) Raz-Lee doesn't have formal partnerships in place with other SIEM vendors, but a company spokesman says it is easy to support other SIEMs. Raz-Lee does have a partnership with Imperva, which focuses on database security.