Vanguard Enforcer™

Vanguard Enforcer is an intrusion detection and management solution for the mainframe: a proven, state-of-the-art intrusion management solution that is the first intrusion detection solution for the mainframe to be awarded Common Criteria certification. The award-winning Enforcer solution protects critical data and other resources by ensuring that the standards, policies, rules and settings defined by an organization's security and compliance experts are in force and stay that way.

The array of cyber security threats, threat sources and risks grows more varied and sophisticated with each passing month. At the same time, competition drives ever-increasing use of the Internet, and the mean time to exploitation of vulnerabilities shrinks. In this world, failure to identify an attempted break-in, misuse of a resource, or unauthorized change in protection can cause catastrophic results, costing an organization millions of dollars.

With Enforcer, organizations can be confident that their security management implementation is effectively protecting their critical resources and continuously adhering to "Best Practices" standards.

Like all intrusion detection solutions, Enforcer continuously monitors and analyzes security-relevant events and activities, looking for potential intrusion scenarios. Enforcer, however, goes beyond event monitoring. Enforcer also finds vulnerabilities and actually prevents intrusions by continuously inspecting the underlying security implementation itself, with emphasis on the protection of critical information assets and system resources.

Enforcer compares the security measures currently in place to authorized security configuration baselines that are themselves based on the security policies of the organization. Enforcer also analyzes current security against "best practice" security rules. When a violation of any of these rules or the security configuration baseline is detected, Enforcer issues an alert via email to key security personnel. For more critical violations, Enforcer gives the option of automatically restoring the active security settings to the protection defined in the baseline.

This automated surveillance of the security implementation separates Enforcer entirely from other intrusion detection solutions and establishes Enforcer as an intrusion management solution as well.
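The compare, alert and restore cycle described above, as an added Python example (not Vanguard's code and not part of the original page). All setting names, rule names and function names are hypothetical, the sample data is constructed, and e-mail delivery is represented only by the text of the alert.

```python
from dataclasses import dataclass

# Constructed sample data; every setting and rule name here is hypothetical.
BASELINE = {"password_interval_days": 30, "audit_logging": "on",
            "payroll_universal_access": "none"}
CRITICAL = {"payroll_universal_access"}   # violations restored automatically
RULES = {  # "best practice" checks, independent of the site baseline
    "password_interval_at_most_90_days":
        lambda s: s.get("password_interval_days", 10**6) <= 90,
    "audit_logging_enabled": lambda s: s.get("audit_logging") == "on",
}
LIVE = {"password_interval_days": 180, "audit_logging": "on",
        "payroll_universal_access": "read"}

@dataclass
class Finding:
    kind: str            # "baseline" or "best_practice"
    item: str
    detail: str
    restored: bool = False

def enforce(live, baseline, critical, rules, auto_restore=True):
    """Compare live settings to the baseline and rules.

    Returns (findings, corrected); `live` itself is left unmodified.
    """
    corrected, findings = dict(live), []
    for key, want in baseline.items():
        have = live.get(key)
        if have == want:
            continue
        restore = auto_restore and key in critical
        if restore:
            corrected[key] = want      # put the baseline value back
        findings.append(Finding("baseline", key,
                                f"expected {want!r}, found {have!r}", restore))
    for name, rule in rules.items():
        if not rule(live):
            findings.append(Finding("best_practice", name, "rule not met"))
    return findings, corrected

def alert_text(findings):
    """Build the notification body for security staff (delivery omitted)."""
    return "\n".join(
        f"[{f.kind}] {f.item}: {f.detail}" + (" (restored)" if f.restored else "")
        for f in findings)

if __name__ == "__main__":
    found, fixed = enforce(LIVE, BASELINE, CRITICAL, RULES)
    print(alert_text(found))
    print(fixed)
```

Only the setting marked critical is put back to its baseline value; the other drift is reported and left for an administrator to resolve.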

Space Age Technology

Vanguard Enforcer is the ideal solution for security management on today's zSeries server. Enforcer technology has been actively protecting systems and data critical to maintaining life in manned space programs for over a decade. The technology was originally developed in response to system intrusions related to the National Aeronautics and Space Administration (NASA) space program, to protect systems and data critical to human life in the unforgiving and inhospitable environment of space.

Today, Enforcer is instrumental in maintaining NASA's highest level of security. Vanguard is very excited to have transformed this well-proven software system into a breakthrough security management product available to corporate users.

The Importance of EAL3+ Certification

Enforcer earned Common Criteria certification. Common Criteria certification is already a procurement standard for many government and military organizations, but is just becoming familiar to corporate IT security organizations. The Common Criteria (CC) for IT Security Evaluations, also known as ISO standard 15408, was developed by the national security organizations of the United States, Canada, the United Kingdom, France, Germany and The Netherlands. It defines evaluation criteria and methods for a wide range of commercial and nationally sensitive government-use IT security products.

An international team of software security experts closely examined and tested Enforcer to make sure it performs the security functions claimed and can be fully secured against attacks by hackers--and much, much more. The evaluation was validated by Bundesamt für Sicherheit in der Informationstechnik (BSI), the German CC certifying body that also certified z/OS 1.6.

The certification of Enforcer has strong significance to all organizations using mainframes in their critical computing infrastructure. It establishes Enforcer as a validated security and integrity assurance measure that defines a new best practice standard for mainframe security. CC certifying bodies will not undertake an evaluation until they are convinced the target of evaluation provides significant security functionality. Because Enforcer is the first of a new breed of security products, this validation is extremely important both to Vanguard and to organizations that are intent on providing the strongest security possible for their mainframes, where the lion's share of critical and sensitive data resides today just as it has for the past three decades.

Of course, the EAL3+ certification also means that Enforcer actually performs all of the security functions it claims. For additional information about Common Criteria and EAL3+ certification, go to http://www.commoncriteriaportal.org.

Quickly Identifying Risk

A critical part of risk management on mainframe systems and the IBM® Security Server (RACF®) is monitoring and analyzing events. Failure to identify an attempted break-in, misuse of a resource or unauthorized change in protection can cause catastrophic results, costing an organization millions of dollars. The ability to identify existing or new security exposures is only the beginning. To avoid catastrophe, you must also have the ability to clarify and eliminate the true cause of a problem.

Vanguard Enforcer guides an organization in creating a security policy baseline that details access rules for critical data, user, and change administration policies. It then continuously and automatically monitors the system, instantly comparing current system settings against policy baselines and Best Practices security standards, identifying critical security-related exceptions, and managing program changes to the security database. Enforcer detects and identifies policy variances and violations in real time, logs them, issues e-mail notices to designated personnel and, where appropriate, takes corrective action. These proactive facilities are supported by analytic tools that gather all required information, identify problems and issues, recognize their importance, explain their significance, and guide the user to eliminate identified exposures.

Best Practices

To achieve Best Practices compliance, IT professionals must find ways to improve security and manage increased risk without increasing workload. Ideally, this is done with the automation of previously labor-intensive tasks. It is no longer enough to manage access and security functions the way they have been done in the past. Environments have grown too complex and are changing too rapidly. The number of transactions and users has grown to levels too high for traditional periodic point-in-time assessment and control measures to work effectively. Dynamic, proactive automated solutions are required.

A corporation's IT security expertise is best employed developing and improving security policies and seeking ways to reduce vulnerabilities. Therefore, any task that can be done via automation, such as system integrity and security monitoring, frees scarce technical resources and budget dollars for other purposes.

Vanguard Enforcer is designed to solve the problems associated with monitoring and ensuring the integrity of your enterprise's security. Enforcer continuously meets the challenge of Best Practices that measure your organization's security and vulnerability.

The Nature of Intrusion Detection

According to the Purdue University Computer Science Laboratory, an intrusion can be defined simply as someone attempting to break into or misuse a system. An intrusion detection system (IDS) attempts to detect an intruder breaking into a system, or a legitimate user misusing system resources. The IDS runs constantly on a system, working in the background, and issues a notification only when it detects something it considers suspicious or illegal. An IDS consistently identifies any set of actions or changes that, generally speaking, can compromise the integrity of a system, erode its confidentiality, and/or interfere with the availability of resources.

Intrusion detection systems are classified in one of two ways:

  1. Host-Based - detecting intrusions through audit data from a single or multiple host computers (i.e., mainframes);
  2. Network-Based - detecting intrusions through network traffic data and audit data from host(s).

The detection methodology used by the IDS is characterized as:

  1. Anomaly Based - identification of intrusion through activity that differs from a user's or system's normal behavior;
  2. Misuse Based - identification of intrusion through activity that corresponds to known intrusion techniques, signatures or vulnerabilities.

Almost all of the intrusion detection programs available today are anomaly or limited misuse-based. Only one solution is host-based and fully utilizes misuse detection: Vanguard Enforcer.

Understanding the Difference

Vanguard Enforcer as an Intrusion Management Solution

Vanguard Enforcer represents the next level of protection against system intruders. It is a true and unique Intrusion Management solution. Only Vanguard Enforcer can do all of the following:

  • Continuously monitor and manage security on a mainframe system
  • Automatically protect critical data and other resources on a mainframe on a 24x7x365 basis
  • Guide client companies in creating a security policy baseline that details access rules for critical data, user and change administration policies
  • Compare current system settings against policy baselines and Best Practices security
  • Identify critical security-related exceptions
  • Issue notice on variances and violations
  • Take corrective action, automatically returning the system to its original baseline settings within moments of detecting and recording an intrusion

Vanguard Enforcer provides the ability to:

  • Automatically and continuously protect the most valuable data resources as defined by management
  • Allow security administration to better focus resources on supporting individual users, groups, and departments to achieve better levels of response and customer support
  • Automatically implement and adhere to Best Practices security standards
  • Respond effectively to the reality of diminished security awareness in a distributed and open environment
  • Manage and control the change process inherent with complex security access administration
  • Detect potential unauthorized system libraries, preventing unsanctioned code execution or bypass methods

Meeting Objective Tests of Intrusion Management

Independent research conducted at Purdue University into the nature, purpose and requirements for intrusion detection and management has determined that an intrusion system should address eight specific issues.

  1. The program must run continually without human supervision. The system must be reliable enough to allow the program to run in the background of the system being observed. However, it must not be a "black box" and its internal working should be examinable from the outside.
  2. It should be fault tolerant in the sense that it must be able to survive a system crash and not require rebuilding of its knowledge base or baseline at restart.
  3. It must resist subversion and be able to monitor itself to ensure that it has not been subverted.
  4. Its software should impose only minimal overhead on the system, and not slow the operation of the computer.
  5. It must observe deviations from normal behavior.
  6. It must be able to be easily tailored to the system in question. Every mainframe system has a different usage pattern, and the defense mechanisms should adapt easily to these patterns.
  7. The solution must cope with changing system behavior over time, as new applications are added. The system profile will change over time, and the intrusion solution must be able to adapt.
  8. The intrusion system must be difficult to circumvent.

An analysis of each of these eight characteristics as applied to Vanguard Enforcer reveals that Vanguard's Intrusion Management solution is the most comprehensive product offering in the marketplace.

Intrusion Management - or a Firewall?

If a company has a strong firewall in place on its network, should it also implement the Vanguard Enforcer Intrusion Management solution? Without doubt, the answer is 'yes.' A firewall is the security equivalent of a chain-link fence around a piece of property and a guard post at the front gate. While it can effectively keep outsiders on the outside for the most part, it cannot detect or report on what is going on inside.

Unfortunately, it is estimated that over half (and almost as high as 70 percent) of unauthorized accesses now come from inside the firewall. Therefore, the firewall is ineffective as a defense mechanism in the second most common security breach, unauthorized internal intrusions. The Vanguard Enforcer Intrusion Management solution effectively protects against both internal and external security issues. As such, it is an indispensable partner to firewall technology.

Enforcer and the Concept of Inheritance

In the world of information technology, "compatibility" is sometimes an issue. New software releases often do not work with earlier versions or with similar product offerings. Evidence of Vanguard's commitment to customer care can be seen in the Vanguard Concept of Inheritance. Most Vanguard security solutions work together. Because many of the solutions are fully integrated, each product automatically inherits the benefits of its "lineage."

Though powerful in its own right, Vanguard Enforcer also serves as a critical part of the complete Vanguard Security Solution™. This software solution fully integrates the formerly independent functions of security administration, reporting, assessment and monitoring into a single solution - a concept unprecedented in mainframe security.