Discovery, Data Collection, and Analysis

In this section you will learn how to perform basic discovery in order to identify existing authorized network activity, and how to analyze this data in preparation for configuring your security implementation.

Discovery

After you have activated Exit Point Manager it's time to monitor your system in order to identify the servers that are reporting current network traffic and then identify the specific transactions on those servers.

Identifying Network Activity

NOTE: If you are not using the Insite web UI, you do not have access to the Dashboard, and will need to identify network traffic by auditing your servers. Skip ahead to "Auditing Servers."

To identify network activity, you can first refer to the Exit Point Manager Dashboard. The Dashboard reveals all transactions that have passed through Exit Point Manager's active servers (see Activating Powertech Exit Point Manager). The activity reported on the Dashboard reveals which servers you may want to begin auditing.

Auditing Servers

To identify specific transactions you must configure Audit Flags to instruct Exit Point Manager to retain access information. After the access information has been collected, Exit Point Manager’s Reports can be used to identify the origin and other information about each transaction. This is the information that will be used to define access control rules.

Exit Point Manager’s default (*PUBLIC) User Rules apply to all (*ALL) Functions on all servers that permit remote access. Each is defined to inherit (*) the Audit (Aud) value from the product's global system values.

Data Collection

A common question is: “How long should I let data collection run, and how much is enough?” While auditing is never ‘complete,’ there does come a point when enough data has been collected in order to facilitate sound decisions. Because the stream of data collection may ebb and flow over time, determining the correct point in time is essential. The correct point for your organization will depend on your assessment of critical events that must be considered before audit rules can be put in place. Consider auditing over ranges of time that would show typical daily or weekly traffic patterns for your environment. It is also preferable to include periods of time with anomalies that may occur only, for example, on weekends or during month-end processing.

Audited Traffic Data for Reporting

Audit traffic is retained in Journal receivers. The default journal upon installation is the IBM-supplied journal QAUDJRN. However, you are not limited to using QAUDJRN.

Review your journal receiver retention policy. Removing the journal receivers will remove the ability to run audit reports for the date ranges the receivers cover. If the receivers are removed from the system, restoration from backups will be necessary to report over date range.

Recommendation – Use an alternate journal if QAUDJRN is not your preference. See IBM documentation for details.

Initial Data Review and Analysis

Reviewing Server Transactions

Now that your server summary has revealed the servers that are being used, you can review the transaction history on those servers to identify unauthorized activity or automated service profiles that do not require auditing.

NOTE: User profiles used for automated tasks can contribute to heavy volumes of traffic that do not represent human action or a security threat. Once identified, auditing for these profiles (or more efficiently, groups that include several or all of these profiles) can be turned off to reduce the ‘noise’ of automated activity, so that effort can be concentrated on dealing with activity from real users. The IBM-supplied user profiles beginning in “Q” (QSECOFR, QTCP) are usually service accounts (but not always). On reports, service accounts can often be identified by repetitive activity, or activity at regular intervals.