
Detect and Eliminate Malware in Your Mainframe Systems

Seldom a day goes by when we don’t hear about the latest ransomware attack. This is the current scourge of the internet, and mainframes are not exempt. Spreading malware—or if you are an insider, even “renting” malware as a service—is as easy as a trip to the web. Attack vectors that include cryptomining executables, encrypting databases, planting multiple backdoors and time bombs are all delivered via malware. z/OS professionals must constantly be on guard.

Attackers are increasingly resourceful about malware distribution and maximizing damage. Until now, the mainframe has benefited from a “security by obscurity” stance. But the clock is ticking, and the mainframe is seen by today’s cyber criminals as big game—a way to make much more money in a single or multipronged attack. In this heightened threat environment, are you confident that your organization is doing enough to detect malware and avert potentially damaging ransomware attacks? To eliminate this risk, you really only have two options: an immense amount of manual effort or new tools that deliver ongoing vigilance.

File integrity monitoring (FIM) has emerged as one of the most effective ways to detect and so eliminate malware from your mainframe systems. Let’s explore this technique in more detail.

FIM: Detecting Malicious Changes

FIM has been a common practice on open systems like Linux and Windows for years, enabling organizations to detect tampering with critical system components, parameters and log files. But IBM mainframes weren’t invited to the party until recently. Conventional wisdom was that FIM was simply too hard to accomplish in a mainframe environment, and several attempts were made but eventually abandoned. With the advent of learning systems and hashing capabilities built into modern mainframe solutions, these early problems have been overcome. With next to no administrative effort, high efficiency and built-in false positive avoidance, FIM has come of age. The detection of malicious software before damage occurs was simply not possible before. But with modern tools you can gain access to knowledge that allows you to accurately discern malicious from approved changes.

Because there was no good solution, people tended to ignore the problem. The fact is that preventing a problem from occurring is the simplest form of resiliency available. Once you are in recovery, you are already in a world of pain.

The Need For Prevention and System Recovery

Yet, prevention is only part of the solution. You must be prepared for rapid situational analysis and recovery if your organization becomes a victim of malware. Getting back on the air requires both data recovery and system recovery. The first step is accepting you have a problem to begin with.

In the distributed world, you can say, “Let’s throw out the hardware, throw out the software, rebuild the system from scratch, then we know it’s safe again.” That’s not a viable approach for mainframes. We’ve been doing data recovery successfully in the mainframe world for more than 50 years. But if all you do is reload and forward recover your data, modern attackers will simply use the additional backdoors or timebombs they placed. If you don’t recover the compromised components correctly and remove all the malware, the minute you come back on the air they simply attack again.

I’m still surprised that many in the cyber resiliency field don’t understand that surgical restoration of the correct software and parameters is equally as important as getting your business data back.

I think there’s been a culture of denial fueled by the fact that the worst hasn’t happened (yet) and no one has gone over the cliff edge—and by the myth that the mainframe is intrinsically secure. A historic lack of investment by companies in their mainframe systems and staffing is another problem. Finally, the mistaken premise that the mainframe is going away seems to be receding, but we have a major skills shortfall globally, with not enough younger people coming through to replace an aging and retiring workforce.

Real cybersecurity requires a multivendor approach, with automated solutions coupled together to capitalize on the opportunities presented. FIM is part of this continuum, helping to modernize mainframes in the same manner as IBM’s own investments in Z processors and storage.

Thwart the Malware Merchants

The FIM software that’s available now can enable mainframe organizations to detect and combat malicious changes made to system software, applications, parameters, JCL and other components. Alerts in near-real-time mean you can better protect your environment and recover your systems—not just your data—with confidence and be sure that you won’t fall prey to the same malware attack that shut you down in the first place. Gaining access to advanced detection techniques and an end-to-end forensics process is an opportunity to improve your cyber resilience and secure your systems. Such a solution should meet several important prerequisites, including:

  • It needs to be accessible and easily operated by all, rather than being understandable (and usable) only by 30-year mainframe veterans.
  • It must integrate with existing enterprise security tools to provide more comprehensive support to response teams.
  • It should also be a learning solution, capturing desired changes going through your approved deploy processes, while detecting and reporting on malicious changes on an ongoing basis. By knowing the compromised components, advanced tools can also guide people through the required recovery steps. It’s not something you do in isolation.

If properly implemented, an approach like this can actively prevent problems from occurring. And because you know where the malware is, you can recover your systems in a way that does not cause regression. Since you can differentiate between the malicious updates and desired changes, the steps necessary to recover just the bad ones should be auto-generated.
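To make the learning-solution bullet above and this recovery point concrete, here is an added example in Python that is not code from the article or from any FIM product: it hashes a constructed set of z/OS-style components, treats changes whose hashes were recorded by the deploy process as approved, flags every other difference from the baseline, and derives a recovery list limited to the flagged components. The dataset names and member contents are constructed sample values.

```python
import hashlib
# Constructed sample components, dataset(member) -> contents; on z/OS these would be
# PARMLIB members, load modules and JCL, here they are in-memory byte strings.
BASELINE = {
    "SYS1.PARMLIB(IEASYS00)": b"CLOCK=00,CMD=00,LNK=00",
    "SYS1.LINKLIB(IEFBR14)": b"\x07\xfe",
    "PROD.JCL(BATCHJOB)": b"//BATCHJOB JOB ...\n//STEP1 EXEC PGM=IEFBR14",
}

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(components: dict) -> dict:
    """Known-good hashes, snapshotted while the system is in a trusted state."""
    return {name: fingerprint(data) for name, data in components.items()}

def compare(baseline: dict, current: dict, approved: set) -> dict:
    """Classify each component. `approved` holds (name, hash) pairs learned from
    the deploy process; any other difference from the baseline is flagged."""
    report = {}
    for name, old_hash in baseline.items():
        if name not in current:
            report[name] = "missing"
            continue
        new_hash = fingerprint(current[name])
        if new_hash == old_hash:
            report[name] = "unchanged"
        elif (name, new_hash) in approved:
            report[name] = "approved"
        else:
            report[name] = "unexpected"
    for name in current.keys() - baseline.keys():
        report[name] = "unexpected-new"  # appeared without any deploy
    return report

def recovery_plan(report: dict) -> list:
    """Restore only what changed outside the deploy process, so approved changes survive."""
    return sorted(n for n, s in report.items() if s not in ("unchanged", "approved"))

def demo():
    # Constructed scenario: one approved change, one unexpected modification,
    # and one member that no deploy introduced.
    current = dict(BASELINE)
    current["SYS1.PARMLIB(IEASYS00)"] = b"CLOCK=00,CMD=01,LNK=00"
    current["SYS1.LINKLIB(IEFBR14)"] = b"\x07\xfe\x00\x00"
    current["PROD.JCL(NEWJOB)"] = b"//NEWJOB JOB ..."
    approved = {("SYS1.PARMLIB(IEASYS00)", fingerprint(current["SYS1.PARMLIB(IEASYS00)"]))}
    report = compare(build_baseline(BASELINE), current, approved)
    return report, recovery_plan(report)
```

A real deployment would persist the baseline and approved-change records somewhere the monitored system cannot rewrite them, otherwise an unexpected change to the records themselves would go unnoticed.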

Is anybody actually doing this? The answer is yes. FIM tools are now running in production every day, ferreting out malicious changes; theory has become reality. We’ve worked with a major financial services company that needed to improve mainframe cyber resiliency. The client had implemented immutable backups to capture active databases but also recognized the need for more advanced detection, forensics and recovery capabilities to protect against advanced persistent threats like ransomware. This organization can now restore both data and software infrastructure to their pristine states, eliminating any malicious changes along the way.

Although an isolated example, more widespread understanding of FIM benefits is now leading to wider industry adoption. The first step, as I’ve said, is acknowledging there’s an issue in the first place. So, the essential question is: Can you afford to do nothing?