The missing link in your SOC: Secure the mainframe

How confident are you that your security visibility covers every critical corner of your infrastructure? A good SIEM solution will pull data across firewalls, servers, routers, and endpoint devices. But what if there is even one gap—one piece of equipment that can’t be monitored but contains business critical data? That sounds like a glaring hole in the vision of your SOC, doesn’t it? Especially if it can be exploited by hackers, malicious insiders, or simply by accident.

I know, I know. I’m preaching to the choir here. You already know your SOC needs immediate visibility into all of your key infrastructure to ensure a fast and effective response to any incident. But I’ll bet there is a gap in many enterprises that comes down to a single question: is your mainframe protected by the same level of best practices and automation as your servers? I’d wager the answer is either no, or that you simply don’t know.

Consider the mainframe

Let’s discuss the mainframe for a minute. You know, that computer that accounts for 68 percent of IT production workloads and is the backbone of your entire enterprise?

For ages, the mainframe was treated the way macOS once was: assumed to be natively secure and not at risk of attack or compromise. Because of that, it was ignored by most security engineers, who either subscribed to this belief or simply didn’t understand the platform well enough to challenge it.

The reality is that the mainframe is securable, but it is definitely not guaranteed to be secure. An attacker already inside your network can reach it over the same TN3270, FTP, or SSH paths and from the same Windows or Linux workstations that your administrators use, escalate privileges, and gather sensitive data. Once they have initial access, misconfigured security definitions and over-privileged service accounts offer common routes to privilege escalation. With elevated privileges, they can run jobs and scripts under someone else’s authority, take control of the system, and cover their tracks by tampering with the audit trail.

It’s time to start treating the mainframe as just another computer on your network. This means forwarding the mainframe’s security event logging into your SIEM in real time, not in a nightly batch. And if you are one of the few who already have real-time mainframe visibility, you may still lack the knowledge and expertise to act on it. For example, if acronyms like RACF and ACF2 (two of the external security managers that enforce access control on z/OS) are foreign to your security team, how will they distinguish between a false positive and a devastating incident? The data must be both visible and actionable.
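To make the “visible and actionable” point concrete, here is an added example (not code from the original article or from any vendor) of the kind of triage logic a SOC would run over RACF access-violation messages once they reach the SIEM. The log lines are constructed for this example and use a simplified, single-line rendering of RACF’s ICH408I message; real ICH408I output spans several lines and its exact layout varies by release. The sensitive-resource watchlist and the burst thresholds are assumptions for illustration, not vendor recommendations.

```python
"""Triage of RACF access-violation (ICH408I) messages forwarded to a SIEM.

Added example, not part of the original article. The sample lines below are
constructed, using a simplified single-line form of RACF's ICH408I message.
Watchlist prefixes and thresholds are assumptions chosen for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one analyst typo (JDOE) versus one service account
# (SVCBAT1) probing several security-relevant resources in a few seconds.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z ICH408I USER(JDOE) GROUP(DEVOPS) PAYROLL.MASTER CL(DATASET) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(UPDATE) ACCESS ALLOWED(READ)
2024-03-04T09:40:17Z ICH408I USER(SVCBAT1) GROUP(BATCH) SYS1.PARMLIB CL(DATASET) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(UPDATE) ACCESS ALLOWED(NONE)
2024-03-04T09:40:19Z ICH408I USER(SVCBAT1) GROUP(BATCH) SYS1.UADS CL(DATASET) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
2024-03-04T09:40:22Z ICH408I USER(SVCBAT1) GROUP(BATCH) SYS1.RACF CL(DATASET) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
2024-03-04T09:40:25Z ICH408I USER(SVCBAT1) GROUP(BATCH) IRR.PASSWORD.RESET CL(FACILITY) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
2024-03-04T09:40:28Z ICH408I USER(SVCBAT1) GROUP(BATCH) BPX.SUPERUSER CL(FACILITY) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
"""

# Simplified single-line ICH408I layout assumed for this example.
ICH408I_RE = re.compile(
    r"^(?P<ts>\S+) ICH408I USER\((?P<user>[^)]+)\) GROUP\((?P<group>[^)]+)\) "
    r"(?P<resource>\S+) CL\((?P<cls>[^)]+)\) (?P<reason>.+?) "
    r"ACCESS INTENT\((?P<intent>[^)]+)\) ACCESS ALLOWED\((?P<allowed>[^)]+)\)$"
)

# Assumed watchlist: system datasets and FACILITY profiles that grant
# privilege. A real deployment would derive this from its own RACF database.
SENSITIVE_PREFIXES = ("SYS1.", "BPX.", "IRR.")


def parse_events(text):
    """Parse ICH408I lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ICH408I_RE.match(line.strip())
        if not m:
            continue  # not a violation message in the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def triage(events, window=timedelta(minutes=5), burst_threshold=3):
    """Rate each user: isolated failures are 'low', bursts 'medium', and
    bursts that touch watchlisted resources 'high'."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    verdicts = {}
    for user, evs in by_user.items():
        # Largest number of violations by this user inside any sliding window.
        burst, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = max(burst, end - start + 1)
        resources = sorted({e["resource"] for e in evs})
        sensitive = [r for r in resources if r.startswith(SENSITIVE_PREFIXES)]
        if burst >= burst_threshold and sensitive:
            severity = "high"
        elif burst >= burst_threshold:
            severity = "medium"
        else:
            severity = "low"
        verdicts[user] = {
            "severity": severity,
            "burst": burst,
            "resources": resources,
            "sensitive": sensitive,
        }
    return verdicts


if __name__ == "__main__":
    for user, v in triage(parse_events(SAMPLE_LOG)).items():
        print(f"{user:<8} {v['severity']:<6} burst={v['burst']} "
              f"sensitive={v['sensitive']}")
```

The single JDOE violation is the false positive an analyst should be able to dismiss in seconds; the SVCBAT1 burst against SYS1.* datasets and privilege-granting FACILITY profiles is the pattern that should page someone. The point is that neither verdict is possible unless the analyst knows what a RACF violation looks like and which resources matter.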

So, what is the answer? Most security analysts need additional training to apply the security knowledge they already possess to the mainframe. But it won’t take long for the mainframe and its alerts to become part of their battle rhythm. To jumpstart this process, successful companies have generally taken a few key actions:

  • Hired individuals with a mainframe background and interest in security
  • Leveraged training programs to learn penetration testing and secure the mainframe
  • Consulted with a mainframe-managed services provider

Hiring the right person

Simply hiring the right person may seem obvious, but hiring talent with either mainframe or cybersecurity skills is getting harder as job openings far outpace the number of knowledgeable and available people. And even if your company is able to compete with top-dollar salaries, finding the rare individual with both skill sets may still prove infeasible. This is why successful organizations are investing in their current staff to defend their critical systems.

This often takes the form of on-the-job training through in-house education from senior technicians or technical courses from industry experts. A good example of this is taking a security analyst with a strong foundation in cybersecurity and teaching the fundamentals of the mainframe.

The same security principles apply, and a talented analyst will quickly pick up the nuances of the new operating system, which in turn gives your SOC the skills to defend the entire enterprise, not just the Windows and Linux systems that are most prevalent. Training and investing in your staff pays dividends not only in the caliber of your security operations but in the loyalty of the employees who execute it.

If your current staff is unable to broaden its skills due to a shortage of time and bandwidth, you may want to consider a mainframe-managed security service. Offloading the responsibility to experts who specialize in defending the mainframe helps ensure you are protected against a compromise of your most critical system. Security is the practice of reducing business risk, and this is often the fastest way to do so. Fortunately, it can be done on a temporary, on-demand basis while you ramp up your own staff to integrate the security function back into your SOC.

As part of a wider autonomous digital enterprise framework, securing the mainframe isn’t exclusively a security or operations need; it’s a business need for adaptive security. A successful and adaptive cybersecurity program requires well-trained domain experts who can establish the proactive security functions to automatically sense, detect, and respond to security incidents. When you consider how essential the mainframe is to the critical functions of the organization, you simply can’t afford to make security assumptions about it.
