What is NetWatch?
NetWatch is the network-focused module of CSF. It monitors network connections to prevent data theft (exfiltration), detecting when trusted network nodes change behavior or when data is being transferred to unauthorized destinations.
NetWatch answers the question: "Is someone stealing my data through network connections?"
Why is NetWatch important?
Your Only Defense:
Stop the attack before it gets started
OR
React so quickly that very little data escapes
Once the data is stolen there is NO WAY BACK.
Once it is gone, it is gone forever.
The damages are so immense.
In cases when mainframe data was stolen, costs have been in the billions of dollars and affected millions of customers.
No amount of backup will help you recover.
You can restore encrypted files from SafeGuarded Copy. You cannot un-steal stolen data.
It is so hard to detect.
Data exfiltration often looks like normal workload from a trusted source—but there are telltale signs if you are vigilant.
Real-world consequences of data exfiltration:
- Anthem Health: ~$1 billion in costs over 10 years
- United Healthcare: $3 billion write-down, couldn't determine scope for months
- Countless breaches begin with "unusual network activity" noticed too late
Data Exfiltration Defense Capabilities
Endpoint Monitoring — 24/7 (Inbound)
- Discover z/OS attached networks — See your complete network footprint
- Display nodes that attach, by LPAR / Application / IP address — Know exactly what's connected
- Learn what is normal for transfer jobs and device behavior — Establish behavioral baselines automatically
- Alert on abnormal usage patterns and data thresholds — Catch deviations from normal behavior
- No agents required on partner systems. CSF monitors from within z/OS—you don't need to install software on external devices.
Data Breach Protection
- Detect data transfer to unknown IP address — Flag transfers to destinations not in your baseline
- Detect data transfers exceeding thresholds (TSO & batch) — Catch unusual volume or speed
Stop Attacks Instantly
- Real-time suspend of offending data transfers — Freeze suspicious activity immediately
- Improved network knowledge & investigation — Forensics browser shows transfer details
- Revoke offending user IDs to lock out other attacks — Prevent attackers from using the same credentials elsewhere
How Attacks Happen
These attacks against mainframes are perpetrated by insiders:
- Internal staff who have gone rogue, OR
- Formerly trusted nodes inside your network that have been compromised
Failing network nodes may belong to partner companies, where security may be susceptible to attack. From there, it is a simple task to move laterally from an attached device and start infiltrating mainframe defenses.
The attack could involve:
- Embedding malware, OR
- Simply siphoning off more data than usual
You need to protect against both.

Spend Millions on Backup Tools But Nothing on Prevention?
In the words of many CEOs after a major breach: "We identified some unusual network activity."
Unfortunately, only after weeks or months of data leakage.
NetWatch vs. Other CSF Products
| If you need to... | Use... |
|---|---|
| Stop data leaving your mainframe | NetWatch |
| Detect file changes and ransomware | FIM+ |
| Catch attackers in recon/exploit phase | Early Warning |
| Verify vendor software before install | Supply Chain |
