MEAS Modernization Guide
MEAS is a data discovery, mining and processing product by DG Tech. Explore technical details, modernization strategies, and migration paths below.
Product Overview
MEAS is middleware that sends z/OS security events to SIEM platforms.
Organizations using z/OS for critical applications and a SIEM for security monitoring should consider MEAS. Alternatives include IBM Z Operational Log and Data Analytics, Type80 Syslog, and Ironstream.
Modernization Strategies
Rehost
- Timeline: 6-12 months
Lift-and-shift to cloud infrastructure with minimal code changes. Fast migration with lower risk.
Refactor (Recommended)
- Timeline: 18-24 months
Optimize application architecture for cloud while preserving business logic. Best ROI long-term.
Replatform
- Timeline: 3-5 years
Complete rewrite to cloud-native architecture with microservices and modern tech stack.
Frequently Asked Questions
General
What does MEAS do?
MEAS is a software product designed to forward z/OS events to Security Information and Event Management (SIEM) systems. It captures events occurring on the z/OS platform and transmits them to other platforms for centralized security monitoring and analysis. This allows organizations to gain visibility into z/OS security events within their broader security landscape.
Is this a system, application, or tool?
MEAS is best described as middleware. It acts as an intermediary, collecting data from the z/OS system and forwarding it to other systems, specifically SIEM solutions. It is not an end-user application or a development framework, but rather a component that facilitates communication between systems.
What types of organizations use this?
Organizations that rely on the z/OS platform for critical applications and data, and that also use a SIEM solution for security monitoring, are the best fit for MEAS. This includes large enterprises in industries such as banking, finance, insurance, and government. Any organization needing to integrate z/OS security events into a centralized security monitoring platform should consider MEAS.
When should we consider MEAS?
A company should consider using MEAS when they need to integrate z/OS security events into their existing SIEM infrastructure. If an organization wants to gain a comprehensive view of its security posture, including events occurring on the mainframe, MEAS provides a solution for forwarding those events to a centralized SIEM platform.
What are the alternatives to MEAS?
Alternatives to MEAS include other z/OS event forwarding solutions, such as IBM Z Operational Log and Data Analytics, Type80 Syslog, Ironstream, and potentially custom-built solutions. The key difference often lies in the specific features, ease of integration with particular SIEM platforms, and the level of support provided.
Technical
For mainframe products: Does this run in an LPAR?
MEAS runs on the z/OS platform and is z/OS dependent. It operates within an LPAR (Logical Partition) and requires access to z/OS subsystems to capture the necessary event data. It is not a standalone product and must be deployed within a z/OS environment.
What infrastructure is required?
MEAS requires a z/OS environment with the necessary subsystems and security configurations in place. It also requires a SIEM solution on another platform to receive the forwarded events. Network connectivity between the z/OS system and the SIEM platform is essential for proper operation.
What is the exact syntax for basic operations?
The exact syntax for basic operations depends on the specific configuration and interfaces provided by MEAS. However, common operations involve configuring event filters, defining target SIEM servers, and starting/stopping the event forwarding process. Configuration files are typically used to define these parameters.
What are the main system components?
The main system components of MEAS include the event capture module, the data transformation module, and the communication module. The event capture module intercepts z/OS events, the data transformation module formats the events for the SIEM, and the communication module transmits the events to the SIEM platform.
Business Value
What business problem does it solve?
MEAS solves the business problem of integrating z/OS security events into a centralized security monitoring platform. Without MEAS, organizations would have limited visibility into security events occurring on their mainframes, potentially missing critical security incidents. This can lead to delayed incident response and increased security risks.
What would happen if an organization did NOT use this product?
If an organization did not use MEAS, they would lack centralized visibility into z/OS security events. This could result in a fragmented view of their security posture, making it difficult to detect and respond to security incidents effectively. They would need to rely on other methods for monitoring z/OS security, which may be less efficient and comprehensive.
How does this product integrate with enterprise ecosystems?
MEAS integrates with enterprise ecosystems by forwarding z/OS events to SIEM platforms. This allows organizations to correlate z/OS security events with events from other systems, providing a more holistic view of their security landscape. It enables them to leverage their existing SIEM infrastructure to monitor and manage z/OS security.
Security
What specific authentication methods are supported?
MEAS supports various authentication methods, including those provided by z/OS security subsystems such as RACF, ACF2, and Top Secret. It leverages these existing security mechanisms to authenticate users and control access to its functions.
What access control model is used?
MEAS uses an access control model based on z/OS security mechanisms. It leverages RACF, ACF2, or Top Secret to control access to its functions and data. This allows organizations to manage access to MEAS using their existing z/OS security infrastructure.
What encryption is used and where?
MEAS encrypts sensitive data during transmission to the SIEM platform. The specific encryption algorithms used depend on the configuration and capabilities of both MEAS and the SIEM solution. Common encryption protocols such as TLS/SSL are typically supported.
What audit/logging capabilities exist?
MEAS provides audit and logging capabilities to track user activity and system events. These logs can be used to monitor security-related actions and investigate potential security incidents. The logs are typically stored in z/OS datasets and can be integrated with SIEM solutions for centralized analysis.
Operations
What level of technical expertise is required to implement it?
Implementing MEAS requires technical expertise in z/OS, security, and networking. Personnel need to understand z/OS security subsystems, SIEM integration, and network protocols. Ongoing operational requirements include monitoring the health of the MEAS system, maintaining network connectivity, and managing user access.
What are common implementation challenges?
Common implementation challenges include configuring event filters correctly, ensuring network connectivity between z/OS and the SIEM platform, and managing the volume of event data being forwarded. Careful planning and testing are essential for a successful implementation.
What administrative interfaces are available?
Administrative interfaces for MEAS typically include a command-line interface (CLI) and potentially a web-based console. The CLI is used for configuring and managing the system, while the web console provides a graphical interface for monitoring and administration.
How is user management handled?
User management in MEAS is handled through z/OS security subsystems such as RACF, ACF2, or Top Secret. These subsystems are used to define user accounts, assign permissions, and control access to MEAS functions. This ensures that user management is integrated with the existing z/OS security infrastructure.