The Direct Access Device Space Manager (DADSM) handles key functions in z/OS that dictate much of what happens to a dataset during its lifecycle. Creation and deletion are the most obvious, but this component can also extend a dataset to a new volume, release unused space using the partial release function, rename the dataset, and more. Just as on any other platform, datasets on z/OS have a largely predictable use pattern, which is why it’s a good idea to investigate when usage defies expectations. With the right solution in place, anomalies in the typical pattern of events can provide valuable insights to system administrators.

All DADSM events go through a system exit point or control point such as IGGPRE00 and IGGPOST0, at which point DTS Software’s ACC Monarch product can take control with automation and perform an array of actions. Using a policy rules language, ACC Monarch relies on IF statements to take action based on user-defined dataset characteristics. If the specified condition is met, the Dynamic Install Facility (DIF) started task performs the action.

A basic example of an action might be updating system control blocks, but actions could also include analysis operations such as writing records to DASD, writing records to a log file, or writing reports. These outputs can be built from an arbitrary, user-defined record that isn’t necessarily an SMF record, and the records can also be written directly to TCP/IP for analysis by Splunk or any other SIEM system. By enabling this kind of thorough analysis during the dataset lifecycle, organizations can spot unusual access patterns that could indicate a threat, and they can do it without the need to know assembler coding.
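To make the SIEM side of this concrete, the following added example (not DTS Software code and not an ACC Monarch record format) learns which event and user combinations are normal for each high-level qualifier, then flags dataset lifecycle events that defy that pattern. The JSON record layout, field names, dataset names and user IDs are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records (an assumed layout, not an ACC Monarch or SMF
# format): one JSON object per DADSM event as it might arrive at a SIEM.
BASELINE = [
    '{"ts":"2024-03-01T02:00","event":"CREATE","dsn":"PAY.BATCH.D0301","user":"PAYJOB"}',
    '{"ts":"2024-03-01T02:10","event":"EXTEND","dsn":"PAY.BATCH.D0301","user":"PAYJOB"}',
    '{"ts":"2024-03-01T02:30","event":"RELEASE","dsn":"PAY.BATCH.D0301","user":"PAYJOB"}',
    '{"ts":"2024-03-02T02:00","event":"SCRATCH","dsn":"PAY.BATCH.D0301","user":"PAYJOB"}',
]
OBSERVED = [
    '{"ts":"2024-03-05T02:00","event":"CREATE","dsn":"PAY.BATCH.D0305","user":"PAYJOB"}',
    '{"ts":"2024-03-05T14:12","event":"RENAME","dsn":"PAY.BATCH.D0305","newdsn":"TMP.X.D0305","user":"USR017"}',
    '{"ts":"2024-03-05T14:13","event":"SCRATCH","dsn":"PAY.MASTER.FILE","user":"USR017"}',
    'truncated record {',
]

def parse(lines):
    """Decode records, skipping lines that are not JSON objects with the required fields."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and {"ts", "event", "dsn", "user"} <= rec.keys():
            out.append(rec)
    return out

def hlq(dsn):
    """High-level qualifier: the first dot-separated part of the dataset name."""
    return dsn.split(".", 1)[0]

def build_baseline(events):
    """Map each HLQ to the (event, user) pairs seen during normal operation."""
    seen = defaultdict(set)
    for e in events:
        seen[hlq(e["dsn"])].add((e["event"], e["user"]))
    return seen

def find_anomalies(baseline, events):
    """Return (ts, dsn, reason) for events that defy the learned pattern."""
    hits = []
    for e in events:
        q = hlq(e["dsn"])
        if (e["event"], e["user"]) not in baseline.get(q, set()):
            hits.append((e["ts"], e["dsn"], f'{e["event"]} by {e["user"]} not in baseline for {q}'))
        if e["event"] == "RENAME" and hlq(e.get("newdsn", e["dsn"])) != q:
            hits.append((e["ts"], e["dsn"], f'renamed out of {q} to {e["newdsn"]}'))
    return hits
```

Calling `find_anomalies(build_baseline(parse(BASELINE)), parse(OBSERVED))` returns three findings for the constructed data: the rename by an unfamiliar user, the move out of the `PAY` qualifier, and the scratch of `PAY.MASTER.FILE`.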

For more information about how storage event awareness can contribute to security, we encourage you to view our recent webinar on TechChannel, “Aggregation without Aggravation: When Putting More Log Data in Your SIEM is a Good Thing.” DTS Software CTO Steve Pryor and veteran mainframe expert Reg Harbeck offer insights into how you can leverage DFSMS events in conjunction with your existing SIEM data to build a more complete picture of the threats facing your organization.

Whitepaper Download: A Data Center Without Enforceable Standards Risks Much More Than Mere Storage Mismanagement.
