How Mainframe Vulnerability Scanning Fits into an IT security Strategy

May 9, 2019

An IT security strategy at large enterprises needs to encompass a lot of systems, and help the organization prepare for many kinds of risks. With lots of different teams managing different systems, there’s always one main goal in mind – ensuring the security of all enterprise IT systems.

For companies that rely on the mainframe – a whopping 71 percent of Fortune 500 companies – that IT security strategy needs to encompass this crucial system. And for financial services companies especially, protecting the mainframe and preventing a breach is mission-critical.

So, where does mainframe vulnerability scanning fit into a larger IT security strategy? We caught up with a mainframe engineer at a multinational financial services company – here’s a quick look inside their IT strategy, and the essential role that vulnerability scanning plays. 

Benefits of vulnerability scanning

Financial services companies tend to be a step ahead of the rest when it comes to mainframe security, due to the highly sensitive nature of their business, and their heavy reliance on these systems. Did you know that 92 of the world’s top 100 banks rely on mainframes to process customer transactions? In fact, 87 percent of all credit card transactions are processed via mainframes, totaling nearly $8 trillion payments a year.

When you’re handling other people’s money, you need to be confident that you’re keeping it safe at all times. The mainframe engineer we spoke to said that his company has made automated zero-day vulnerability scanning a routine part of their work. To handle scans, the company uses a mix of traditional enterprise security managers paired with z/Assure VAP from Key Resources. The idea is to maximize coverage and catch as many vulnerabilities as possible.

“I have a tool bag of things I wouldn’t want to leave home without, so to speak,” he explained. “z/Assure VAP is one of those tools, because of its innovative approach. Even if you have an existing tool that you’re happy with, this will often find things other tools can’t.”

z/Assure VAP differs from other vulnerability scanning tools because it actually tests running code for zero-day vulnerabilities. By testing and monitoring this code, z/Assure VAP is able to uncover important details that other security software solutions can’t pick up, the engineer said. That unique approach has led to immediate benefits: in their first scan, z/Assure VAP identified four specific integrity vulnerabilities, three of which were significant gaps that their mainframe software vendor had not already identified.

“That told us that maybe the vendor isn’t doing as much testing as they led us to believe, or the nature of the testing was such that we found what they didn’t,” he explained.

Putting in a process

Importantly, the company has implemented a process for keeping key stakeholders through the business informed of mainframe security risks, along with policies on how to act upon gaps when they are found.

When zero-day vulnerabilities are found, they are communicated to the organization’s vulnerability management team, which includes both technical and executive staff. That brings two major benefits. Most important, it allows the organization to address vulnerabilities quickly for improved security. Secondly, it also gives management the confidence and peace of mind that the mainframe team is ahead of the game with spotting vulnerabilities and making it harder to break into their IT systems.

On top of that, the company reports zero-day vulnerabilities to the vendor so they can create a patch, helping the whole community stay safer in the process.

Overall, z/Assure VAP has helped to introduce transparency into what is normally an opaque aspect of IT security.

“In mainframe, there is not much publicly available information with regard to breaches, so we rely on the results of the KRI tool to report on vulnerabilities internally and with the community,” he explained. “The biggest advantage of using the tool is I can be ahead of the game. It’s a never-ending battle but we have to stay ahead of the threats that are out there.”