Mainframe Blog

Staying Ahead of Ransomware, Part 3: Sensitive Dataset Access and Deception

Staying Ahead of Ransomware, Part 3: Sensitive Dataset Access and Deception
2 minute read
Edward Shim

When monitoring sensitive datasets, our customers commonly ask, “What else should I be monitoring on my mainframe?”

Some of the “usual suspects” to monitor are:

  • Enterprise service management (ESM) datasets
  • Encryption keys
  • Authorized program facility (APF)-authorized libraries

Users often have a general idea of what to monitor. However, a fundamental question is who should be allowed to read this data. The default access to datasets should not be READ—it should be NONE, unless there is a business requirement for it.


A practical and effective security strategy is to use ALLOW lists instead of BLOCK lists. The latter is often hard to maintain manually, and if someone is not on the BLOCK list, they are immediately allowed. What if a nefarious user elevates their privileges and attempts to access the above datasets? With a BLOCK list, there would be no mechanism to stop them. With an ALLOW list, only specified users will be able to access the dataset and any unauthorized attempts should generate an alert.

Canaries and Honeypots

Another effective defensive tactic is canaries and honeypots. Canaries (inspired by the “canary in a coal mine”) are datasets that, under normal circumstances, should never be touched or altered and serve as a warning mechanism for suspicious behavior. One example is a canary partitioned data set (PDS) such as “SYS1.USERDATA” placed as a decoy for any potential intruder because, to an attacker not familiar with the native environment, it looks like it might be a sensitive dataset. What’s more, the value of canaries isn’t just limited to intruders. Canaries can help detect threats from insiders looking for data in places they should not be.

Honeypots are also deception techniques aimed at tricking adversaries into exploring data or regions of your system they otherwise shouldn’t be. So, then, what exactly is the difference between a honeypot and a canary?

Honeypots and canaries are often conflated terms, though they should be distinguished. Historically, the primary purpose of a honeypot was to observe adversary behavior in a decoy environment over time versus serving as an immediate alerting or warning mechanism like a canary. Therefore, a more appropriate comparison might be a “honeypot LPAR”—where attacker tactics, techniques, and procedures (TTPs) and behavior can be observed over time in a mock environment—with “canary datasets” that serve as warning mechanisms when triggered.

While there are many other ways to monitor sensitive data, the above are some quick wins BMC AMI Security can help implement in your environment today. Sometimes, the most effective detection and response tools aren’t the fanciest and shiniest new things available, but are the ones immediately available to use within the environment.

In the next part of our series, we’ll discuss how Privileged User Monitoring can help you stay ahead of the ransomware threat!

Check out part 1 of this blog: Initial Access and part 2: Privileged Access Management and Zero Trust.

Access the 2023 Mainframe Report

The results of the 18th annual BMC Mainframe Survey are in, and the state of the mainframe remains strong. Overall perception of the mainframe is positive, as is the outlook for future growth on the platform, with workloads growing and investment in new technologies and processes increasing.

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing

Business, Faster than Humanly Possible

BMC works with 86% of the Forbes Global 50 and customers and partners around the world to create their future. With our history of innovation, industry-leading automation, operations, and service management solutions, combined with unmatched flexibility, we help organizations free up time and space to become an Autonomous Digital Enterprise that conquers the opportunities ahead.
Learn more about BMC ›

About the author

Edward Shim

Edward Shim is the Senior Product Owner for BMC AMI Security. Prior to BMC, he helped lead the Security Operations Center (SOC) for one of the largest universities in California, specializing in incident response, SIEM engineering, and security operations. Edward holds several certifications to include the Certified Information Systems Security Professional (CISSP) and SANS GIAC certifications such as the GSEC, GCIH, GPEN, GMON, and GDAT. Edward also served in the United States Army and United States Peace Corps.