• The Four Hundred
  • Adlumin Adds IBM i Support to SIEM

    March 31, 2021 Alex Woodie

    Banks that run their core banking software on IBM i servers will be interested to hear that Adlumin is now ingesting IBM i security log data into its cloud-based security information and event management (SIEM) solution, giving them another way to detect unauthorized activity from hackers and malicious users.

    Adlumin was founded five years ago with the goal of providing a low-cost SIEM and compliance solution to small and midsize banks and credit unions. The Washington, DC-based company started out by collecting log data from Windows and Linux devices, but it soon found out that customers wanted support for core banking solutions running on Unix and IBM i systems.

    “Initially when we launched, we had an agent for Windows PCs and for Linux servers, but we were not doing anything in the core banking space,” says Dan McQuade, the company’s Director of Application Development. “You can keep an eye on what everyone is doing on their personal workstations and all the servers. But if you’re not monitoring that core banking activity, you’ve got this big blind spot and it just happens to be a blind spot with some of your most crucial network data.”

    McQuade says about 10 percent of Adlumin’s customers are running IBM i-based core banking systems from vendors like Jack Henry and Associates, Fiserv, and FIS. The company developed a Java-based agent for IBM i that collects data from all the relevant logs, including the security log, the audit log, and system activity logs.

    “Essentially, every log on the system, we’re collecting,” McQuade tells IT Jungle.

    Adlumin gathers data from all the relevant systems — including PCs, laptops, servers, firewalls, network security devices, and even IoT sensors — and moves it over an encrypted connection to its cloud-based SIEM offering. Once the data is in Adlumin’s cloud, the company uses data science and machine learning techniques to detect anomalous activity that could be a sign of unauthorized access.

    When a client signs up for Adlumin’s service and the company starts collecting log data, it analyzes the data in an attempt to form a baseline. “We’ll try to establish what normal behavior looks like,” McQuade says, “and then over time, we’ll try to look for deviations from that normal behavior, and we start to alert on what we determine to be anomalous activity.”

    Examples of anomalous behavior include users who log into systems at odd times of the day or from new locations. “Maybe they’re VPN-ing in from a source IP that we haven’t seen before, from a different location,” McQuade says. “That has become particularly big over the past year.”

    Adlumin also keeps an eye on IBM i user profiles, watching for sudden changes to the authorities granted in them. “If someone was granted new privileges, we’ll be able to send you an alert on that,” McQuade says.

    The IBM i server can be a prolific generator of log data, but Adlumin can help users minimize the amount of log data sent if it becomes overwhelming.

    “Some clients only want to look at the security log. Some clients want to look at security logs plus system events — malfunctions and IT operations failures — and depending on the verbosity of what the client is looking for, we can fine-tune that,” McQuade says.

    It’s worth noting that the company’s software engineers spent some time familiarizing themselves with the IBM i platform, which was necessary in order to understand what the log data coming from the system means.

    “We’re not looking to be experts” in IBM i security, McQuade says. “But at the end of the day, we want to support this platform in a meaningful way. We want our clients to feel like, if they deploy the software, they’re actually going to get value out of it. It’s not just going to be sitting on the system doing nothing. The goal is to give you some insight that you didn’t have before.”

    The company has carved out a comfortable niche in the market with smaller financial services organizations. Ease of use and affordability are advantages that it touts as it goes up against SIEM offerings from larger vendors, such as Splunk, Securonix, or LogRhythm.

    “Let’s say you’re a bank or a small credit union. If you were to go to any other platform in the market, to get what you need out of it, first of all, you’d have to write custom queries, which oftentimes requires someone who’s well-versed in that platform,” McQuade says. “Those types of platforms are not the easiest to just dive into head-first. We pride our platform on ease of use.”

    The base price for Adlumin’s SIEM solution starts at $13,000. That includes support for 100 endpoints, one of which can be an IBM i server. The company holds onto customers’ log data for 90 days, and can hold onto it for longer than that for an additional fee. For more information, see the company’s website at www.adlumin.com.


    Tags: AdLumin, Java, Linux, Security Information and Event Management, SIEM


TFH Volume: 31 Issue: 25


Copyright © 2025 IT Jungle