MainTegrity Cyber Security Framework (CSF)
End-to-End Cyber Security for IBM z/OS

What is NetWatch?

CSF modules for z/OS: CSF Foundation, FIM+, EarlyWarning, NetWatch, SupplyChain

NetWatch is the network-focused module of CSF. It monitors network connections to detect and stop data theft (exfiltration): it flags trusted network nodes that change behavior and transfers that exceed client-determined volume thresholds.

NetWatch answers the question: "Is my data being STOLEN?"

No amount of backup will help you recover.

Data theft is the preferred attack vector because criminals know it lets them extort the largest ransom and cause the most pain.

Ransomware insertion and file encryption can be reversed from backups. But once data leaves your control, no backup will retrieve it.

Stolen data is gone and cannot be recalled. It can be published, sold, or weaponized indefinitely.

You Have Nothing Today

There are no native z/OS tools to detect or stop data theft in progress. None. Data exfiltration looks like normal workload from a trusted source — batch jobs, file transfers, and network connections that appear entirely legitimate.

Without dedicated monitoring, attacks go undetected for weeks or months. Discovery happens only in hindsight, when leadership announces that it "identified some unusual network activity". By then the damage is done and the data is long gone.

NetWatch was built to minimize this risk.

Protect Against Lateral Network Attacks

Along with encryption, data exfiltration is a favored attack vector for modern criminals. Typically, network devices running Windows or Linux, or network software such as Apache or VPN gateways, are compromised first; IBM notes that lateral movement to the mainframe can then take place.

The compromised nodes often belong to partner companies whose security may be weaker. The attack might embed persistent malware for future access, or simply siphon off more data than usual while appearing to perform normal file transfers.

You need to protect against both.

Backups won't un-steal your data!
You can restore encrypted files, but you can never get your data back once it is gone, even after you pay the ransom.

Data theft is invisible

There are no z/OS tools to detect or stop a theft in progress. Data exfiltration looks like normal workload from a trusted source, but there are telltale signs if you have NetWatch.

Your Only Defense

Stop the attack before it gets started, or react so quickly that very little data escapes. NetWatch does both.

NetWatch Capabilities

No network agents required. CSF monitors from within z/OS, so you don't need to install software on external devices you may not own.

Endpoint Monitoring — 24/7 

  • Automate vigilance: people can't monitor thousands of network nodes manually. NetWatch can.
  • Integrate with the CSF UI to allow rapid recovery or a system-wide revoke.
  • Filter real-time network messages for significance and display them in the CSF browser.
  • Learn what is normal for transfer jobs and device behavior: baselines are established automatically.

Data Breach Protection

  • Identify any connection that is not encrypted on production systems.
  • Detect transfers exceeding data thresholds, and excessive changes in network volume characteristics.
  • Monitor multiple kinds of data transfer: TSO, batch, FTP, SSH, IND$FILE.
  • Disallow secondary links in TSO so users cannot copy data to an external session.

Stop Attacks Instantly

  • Real-time suspend of offending data transfers: freeze suspicious activity immediately.
  • Improved network knowledge and investigation: the forensics browser shows z/OS-relevant information.
  • Revoke offending user IDs to lock out further attacks: prevent attackers from re-using the same credentials.

What Happens When NetWatch Finds Something

When a transfer exceeds its behavioral threshold, NetWatch provides the intelligence to understand what is happening: which user, which datasets, which destination, how much data, and when it started.

What happens next is handled by CSF Foundation, the platform's reaction engine. NetWatch runs on CSF Foundation, which provides the real-time reaction engine, user ID revocation, forensics interface, alert routing, and Recovery Assistant capabilities referenced on this page.

NetWatch Sees What Others Don't

NetWatch monitors z/OS-attached network endpoints without requiring agents on partner systems. Because monitoring runs entirely on z/OS, you gain visibility not only into your own devices but also into nodes owned by partners where you can't install software. Centralized monitoring on z/OS is your only option.

What is network awareness and what does it look for?

  • A network node that normally requests 10k of data suddenly asks for gigabytes: the classic exfiltration signature.
  • Messages from IBM Communications Server and other network tools go unnoticed because there is no automated alerting.
  • An endpoint that is misconfigured to allow unencrypted transfers goes unnoticed for months.
  • A user opens a secondary TSO link, a simple attack that allows data to be copied to a second location.
  • The user IDs behind a transfer are often invisible, which leaves the site open to further malicious actions by a compromised user ID.

Every one of these nodes is trusted by default. Otherwise it would not have access to your data. NetWatch verifies that trusted sources continue to behave as approved.
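The baseline-and-threshold logic described above (a node that normally pulls about 10k suddenly asking for gigabytes, a cleartext session from a production endpoint, a node with no history) can be illustrated with a small detector. The following is an added example written for this page; it is not MainTegrity's NetWatch code. The Transfer record layout, the thresholds, the sample history and the live events are all constructed assumptions; a real feed would come from Communications Server or SMF records rather than a Python list.

```python
"""Illustrative volume-baseline detector for outbound z/OS transfers.

Added example, not MainTegrity's NetWatch code. The Transfer record layout,
the thresholds and the sample history are assumptions made for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    node: str        # remote endpoint the data went to (assumed field)
    user: str        # z/OS user ID behind the transfer (assumed field)
    tool: str        # FTP, SSH, IND$FILE, batch step ... (assumed field)
    bytes_out: int   # bytes sent from z/OS to the node
    encrypted: bool  # True for a TLS/SSH session, False for cleartext


# Constructed history: a partner node that routinely pulls about 10 KB per job.
HISTORY = [
    Transfer("partner-a", "BATCH01", "FTP", b, True)
    for b in (9_800, 10_200, 10_050, 9_900, 10_100, 10_300, 9_950)
]


def build_baseline(history):
    """Learn the per-node mean and population stddev of bytes_out."""
    by_node = {}
    for t in history:
        by_node.setdefault(t.node, []).append(t.bytes_out)
    return {node: (mean(v), pstdev(v)) for node, v in by_node.items()}


def evaluate(transfer, baseline, *, sigma=4.0, min_ratio=10.0,
             hard_cap=1_000_000_000, require_encryption=True):
    """Return a list of findings; an empty list means the transfer looks normal.

    A transfer is a volume anomaly only if it exceeds BOTH mean + sigma*stddev
    and min_ratio * mean: the ratio floor stops a node with a near-constant
    history (stddev close to 0) from alerting on a few hundred extra bytes.
    """
    findings = []
    if require_encryption and not transfer.encrypted:
        findings.append(f"unencrypted {transfer.tool} session to {transfer.node}")
    if transfer.node not in baseline:
        findings.append(f"no baseline for {transfer.node}: first contact, "
                        f"{transfer.bytes_out:,} bytes")
    else:
        mu, sd = baseline[transfer.node]
        threshold = max(mu + sigma * sd, min_ratio * mu)
        if transfer.bytes_out > threshold:
            findings.append(f"volume anomaly: {transfer.node} normally ~{mu:,.0f} "
                            f"bytes, this transfer {transfer.bytes_out:,} "
                            f"(threshold {threshold:,.0f})")
    if transfer.bytes_out > hard_cap:
        findings.append(f"hard cap exceeded: {transfer.bytes_out:,} > {hard_cap:,}")
    return findings


def decide(transfer, baseline, **kw):
    """Map findings to a reaction: ALLOW, ALERT (investigate), or SUSPEND.

    SUSPEND is the action a reaction engine would take for a volume anomaly:
    freeze the transfer and revoke the user ID so the credential cannot be
    reused. Unencrypted sessions and unknown nodes are raised for investigation.
    """
    findings = evaluate(transfer, baseline, **kw)
    if not findings:
        return "ALLOW", findings
    severe = any(f.startswith(("volume anomaly", "hard cap")) for f in findings)
    return ("SUSPEND" if severe else "ALERT"), findings


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed live events: a normal pull, the classic 10 KB -> gigabytes
    # jump, a cleartext session from a misconfigured endpoint, and a new node.
    for t in (
        Transfer("partner-a", "BATCH01", "FTP", 10_150, True),
        Transfer("partner-a", "BATCH01", "FTP", 3_000_000_000, True),
        Transfer("partner-a", "BATCH01", "FTP", 10_050, False),
        Transfer("unknown-host", "TSOUSR7", "IND$FILE", 250_000, True),
    ):
        action, why = decide(t, base)
        print(f"{action:8} {t.user:8} {t.tool:8} {t.node:13} "
              f"{t.bytes_out:>14,}  {'; '.join(why)}")
```

Two design points carry over to any real deployment: the baseline must be learned from a period you are confident was clean, or an attacker who is already siphoning data becomes part of "normal"; and a per-transfer check alone misses low-and-slow theft, so a production detector would also keep a rolling per-node and per-user total against the same kind of threshold.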